A previously unidentified threat group uses open source malware and phishing to conduct cyber-espionage on shipping and medical labs associated with COVID-19 treatments and vaccines.

A previously unknown threat actor that exclusively uses a slew of publicly available and living-off-the-land tools has been targeting Asia-based shipping companies and medical laboratories in an intelligence-gathering operation since October, researchers have found.

Dubbed Hydrochasma by researchers at Symantec, which is owned by Broadcom Software, the group as yet does not appear to have stolen any data, but seems to target industries that are involved in COVID-19-related treatments or vaccines for cyberespionage, Symantec's Threat Hunter Team wrote in a blog post published this week.

"While Symantec researchers didn't observe data being exfiltrated from victim machines, some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data," researchers wrote.

Judging by its tools and tactics, the group's chief motive appears to be achieving persistent access to victim machines without being detected, "as well as an effort to escalate privileges and spread laterally across victim networks," they noted.

Indeed, the lack of custom malware lends itself to this motive, Brigid O Gorman, senior intelligence analyst with Symantec Threat Hunter team, tells Dark Reading.

"The group's reliance on living-off-the-land and publicly available tools is notable," she says. "This may tell us a number of things about the group, including a desire to stay under the radar and make attribution of their activity more difficult."

**How Hydrochasma Attacks**

Researchers first were alerted to concerning activity on the victim's network when they noticed the presence of SoftEther VPN, a free, open source, and cross-platform VPN software often used by attackers.

Like many other threat groups, Hydrochasma appeared to use phishing as its means of initial access to a targeted network. Indeed, phishing remains one of the most successful ways for attackers to compromise networks, and it continues to grow and evolve at a fast clip.

In this case, the first sign of suspicious activity that researchers found on victim machines was a lure document with a file name in the organization's native language that appeared to be an email attachment for a freight company "product specification," they said. Researchers also found a lure that mimicked a resume for a "development engineer."

Once Hydrochasma gains access to a machine, attackers drop a Fast Reverse Proxy, a tool that can expose a local server protected by a network address translation (NAT) or firewall to the Internet. That in turn drops a legitimate Microsoft Edge update file. That's followed up by another file that's actually a publicly available tool called Meterpreter — which is part of the Metasploit framework — that can be used for remote access, researchers said.

**Everything But the Kitchen Sink**

In fact, in the campaign that researchers observed, the group bombarded the victim organization with what seemed like everything but the kitchen sink in a flurry of publicly available tools aimed to guarantee its presence and persistence on the network.

"It is relatively unusual to see an attack group using only open source malware in an attack chain, so this did make Hydrochasma's activity stand out to us," O Gorman notes.

Other tools being wielded by Hydrochasma in the attack included: Gogo scanning tool, an automated scanning engine; Process Dumper, which allows attackers to dump domain passwords; AlliN scanning tool, which can be used for lateral penetration of the intranet; and Fscan, a publicly available hacktool that can scan for open ports and more.

Researchers also observed Hydrochasma using Cobalt Strike Beacon, a legitimate pen-testing tool that attackers also have widely adopted for executing commands; injecting, elevating, and impersonating processes; and uploading and downloading files on victim networks. The group also deployed a shellcode loader and a corrupted portable executable in the attack.

Their assault on the victim network didn't stop there, however; additional tools that researchers observed being used in the attack included: Procdump, for monitoring an application for CPU spikes and generating crash dumps; BrowserGhost, which can grab passwords from a browser; the tunneling tool Gost proxy; Ntlmrelay for intercepting validated authentication requests to access network services; and HackBrowserData, an open source tool that can decrypt browser data.

**Avoiding Compromise**

Symantec included both file and network indicators of compromise in its blog post to help organizations identify if they're being targeted by Hydrochasma.

The extensive use of dual-use and living-off-the-land tools by the group highlights the need for organizations to have a comprehensive security solution to detect suspicious behavior on network machines, as well as stop malware, O Gorman says: "Organizations should adopt a defense in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of a potential attack chain," she tells Dark Reading. "Organizations should also be aware of and monitor the use of dual-use tools inside their network."

In general, Symantec also advises implementing proper audit and control of administrative account usage, as well as the creation of profiles of usage for admin tools, "as many of these tools are used by attackers to move laterally undetected through a network," O Gorman adds.

Hydrochasma Threat Group Bombards Targets With Slew of Commodity Malware, Tools

A novel threat group, utilizing new malware, is out in the wild. But the who, what, where, and why are yet to be determined, and there's evidence of a false-flag operation.

On Feb. 22, Symantec revealed evidence of a previously undocumented threat actor it's calling "Clasiopa." Clasiopa has been observed deploying a unique malware backdoor called "Atharvan" in its campaign against a materials manufacturer based in Asia.

"From what we can see, the main motivation of the attack was spying or information theft," Dick O'Brien, principal intelligence analyst at the Symantec Threat Hunter Team, tells Dark Reading. Symantec declined to elaborate on the nature of the victim, the files, or whether the attackers were successful.

**Clasiopa's Stealth Tactics**

Clasiopa's initial intrusion vector is not certain, "although," the researchers noted, "there is some evidence to suggest that the attackers gain access through brute-force attacks on public-facing servers."

The report highlights a few hallmarks of the attack, including checking the IP address of target computers, using "multiple backdoors to build lists of file names and exfiltrate them," clearing multiple event logs on the target system, and running a vaguely named task — "network service" — to list file names.

Two commercial programs also made their way into the maelstrom: the Agile File Distribution Management system, from developers Jiangsu Agile Technology in China, and Domino, from HCL software (though the latter may have been included coincidentally).

Altogether, these methods — the backdoors, the erased logs, the commercial software — begin to tell a story. "They're certainly an attempt at stealthy tactics," O'Brien says. "These kinds of tactics are by no means unique and a lot of similar threat actors will do something similar, with varying levels of success depending on their skills and resources."

"In this case," he adds, "they still left enough evidence behind to piece together much of what they'd done."

That said, some of the evidence the group left behind may have been intentional, meant to point researchers in a specific attribution direction.

**Who Is Clasiopa?**

The clues to learning about Clasiopa may lie in its unique malware, Atharvan — "a classic backdoor," as O'Brien says. "It allows the attackers to maintain an open communication channel with the infected computer, install additional tools, and send back information to the attackers."

Function aside, its name may be its most notable feature. The name derives from "SAPTARISHI ATHARVAN-101," a mutual exclusion object ("mutex") the malware creates after infecting a target machine, to ensure multiple copies of itself aren't running at once. "Saptarishi," in ancient Indian astronomy, is the word for the arrangement of stars in the Big Dipper. Atharvan is the name of a mythic Hindu sage.

And there was another breadcrumb indicating Indian origin. One of the passwords Clasiopa used for a zip archive was iloveindea1998^\_^.

However, these clues are actually _so_ obvious that they invite suspicion. "While these details could suggest that the group is based in India," the researchers hypothesized, "it is also quite likely that the information was planted as false flags, with the password in particular seeming to be an overly obvious clue."

Many other details about the group remain undisclosed or unknown. This may be in part due to the stealth tactics utilized in the campaign, some subtle and some overt. For now, threat analysts should stay tuned: To learn anything more about Clasiopa, we may need to wait until it strikes again.

Unanswered Questions Cloud the Recent Targeting of an Asian Research Org

Cybercriminals and hacktivists have joined state-backed actors in using sabotage-bent malware in destructive attacks, new report shows.

The increased use of disk wipers in cyberattacks that began with Russia's invasion of Ukraine early last year has continued unabated, and the malware has transformed into a potent threat for organizations in the region and elsewhere.

Researchers at Fortinet recently analyzed attack data from the second half of 2022 and observed a startling 53% increase in threat actor use of disk wipers between the third and fourth quarters of the year. The trajectory suggests there will be no slowing down any time soon, the security vendor said.

Russia-based advanced persistent threat (APT) groups — working in support of the country's military objectives in Ukraine — accounted for a lot of the initial surge in wiper use and continued activity last year. However, Fortinet's data shows that others, including financially motivated cybercriminals, hacktivist groups, and other individuals fueled the increase as well, especially toward the end of 2022.

Leading up to last year, wiper activity tended to be almost nonexistent, according to Geri Revay, security researcher with Fortinet's FortiGuard Labs. But since the conflict between Russia and Ukraine started, threat actor use of the malware has exploded, he says. 

"In 2022 alone we saw 16 different families targeted at 25 countries around the world," Revay says. "In the second half of the year, we also started seeing a new breed of wipers, with some even open source and on GitHub, making it much more readily available for advanced persistent cybercrime campaigns," he says.

**A Wiper Malware Medley**

Fortinet's report highlights several wiper families that it perceives as presenting a major threat to organizations based on threat actor use over the past year. Among the biggest of them is HermeticWiper, a wiper that erases and overwrites a compromised system's master boot record. The wiper first surfaced in attacks against Ukrainian organizations in 2021. Fortinet said it observed a significant spike in activity last year involving HermeticWiper in November that become even more pronounced in December.

Other wipers that the security vendor observed threat actors using widely in attacks last year include WhisperGate, a malware strain that looks like ransomware on the surface but has no data recovery mechanism; NotPetya; DoubleZero; and IsaacWiper. Analysts have previously identified Russia's military intelligence group as likely being behind WhisperGate. Interestingly, Shamoon, a wiper that was used in an attack that bricked thousands of PCs at Saudi Aramco more than a decade ago, also remained popular among actors last year. Fortinet's data showed Shamoon to be one of the most widely used wipers in destructive attacks last year.

Currently, the main motivation for the use of wiper malware appears to be focused around cyberwar and hacktivism, Revay says. But that doesn't mean threat actors won't use it in other ways, like using wipers to sabotage systems or to destroy evidence of a cybercrime.

"Sabotage is the most obvious reason to deploy a wiper," Revay notes. "Just as Stuxnet was used to destroy centrifuges to slow down Iran's efforts to develop nuclear weapons, wiper malware could be used to destroy data, sabotage development, cause financial loss, or just cause chaos." And using wipers to destroy evidence, while noisy, also gets the job done for attackers and is much simpler than removing all log files and malware, he says.

**New Breed of Wipers**

Fortinet's report is among several that have highlighted a sharp increase both in disk wiper use and disk wiper variety over the past year. While Fortinet's research showed that threat actors used 16 wiper families in attacks last year, another report from Max Kersten, a malware analyst at Trellix, identified more than 20 wiper families that threat actors used in destructive attacks last year.

Ukrainian organizations remain primary targets, as one recent attack against the country's main news agency involving the use of five separate wiper variants demonstrated. But organizations in other countries are under growing risk of attack, too. Fortinet, for instance, found WhisperGate and HermeticWiper were both most prevalent outside Europe. More organizations in Africa and Asia experienced attacks involving the two wiper families than organizations in Europe. And North America, overall, continues to experience the least wiper activity, the security vendor said.

"Most of the wiper attacks were targeting Ukrainian organizations in 2022, but that could easily have a spillover effect on other countries," Revay says. As an example, he points to one incident where an attack that targeted a Ukrainian satellite communication provider ended up taking 5,800 German wind turbines offline.

In terms of how to prepare and how to respond to a wiper attack, "it is very similar to a ransomware incident," Revay tells Dark Reading. "If the ransom is not paid, which is the recommended approach, a ransomware can be also considered a wiper, because without the decryption key the encrypted data is as good as lost."

Wiper Malware Surges Ahead, Spiking 53% in 3 Months

Security Pro File: The old-school hacker traces a path from young hardware tinkerer to senior cybersecurity executive.

Before he was Space Rogue, before L0pht, before testifying in front of Congress about what used to be a very unknown risk of networked computers, and before he embarked on a career in cybersecurity, he was just young Cris Thomas with a homemade flashlight.

Growing up in a mobile home in rural Maine in the 1970s, Thomas didn't have a whole lot of access to technology in his early years. But at the tender age of five, armed with a hammer and a worn-out sealed alkaline flashlight — the kind that you threw away after the batteries lost their juice — he was able to first learn the basics of electrical circuits. Cannibalizing parts from those flashlights and adding C and D cell batteries and wires consisting of garbage bag twist ties, he was in business with his very own lighting device.

That kind of tinkering is the very essence of a hacker's modus operandi, and it was the start of his love affair with hacking and his eventual profession as a cybersecurity leader. Over the years, Thomas has done stints at the likes of Trustwave Security, Tenable, and almost six years now at IBM as Global Lead of Policy and Special Initiatives. But at its root his beginnings have all the same flavor of self-directed experimentation and trial-and-error with his flashlight. His route was circuitous and full of ups and downs, but he says that in some ways it was easier for him to go down that path than those trying to get their break in cybersecurity today without the traditional path straight from college.

"There's still people who are trying to break into the industry with little to no formal education, and the debate of college or certifications is still raging. So, I think getting into the industry, from an austere beginning and maybe even skipping the formal education and being self-taught — it is possible," he says. "It's a lot more difficult today, because I think people put a lot of importance on the college degree and the formal education, and so it's hard to get around that stigma."

After early grade school he moved to a bigger town, was exposed to computers in bits and pieces, and mastered the basics of BASIC from chance encounters, clubs, and high school computer class. But it wasn't until he was in the Army that he was able to buy his very own computer, a Mac SE he bought on credit from a store nearby his base. It was from this machine he dug further into programming and got synced up with his first local user group, a Mac HyperCard user group. From there he branched out into BBSs and began to tap into the burgeoning Internet hacker subculture. After the Army and a brief stint at Boston University, he took the handle Space Rogue, dialing into the Boston BBSs. Many of those had a whole underground world of in-person meet-ups attached to them. Running in those circles — plus holding down a job at a local CompUSA where a number of local hackers worked — is what would eventually lead Space Rogue to the ragtag group of hackers called L0pht.

**Remembering the L0pht**

A collective of elite hackers and a hackerspace rolled into one, the L0pht is one of those storied groups that's inextricably tied in with the infancy of the cybersecurity industry. In a book published this month, _Space Rogue: How the Hackers Known as L0pht Changed the World_, Thomas writes the memoir of his winding journey to hacking and his membership in the group.

Space Rogue was one of the earliest members and was heavily involved in the group's adventures and hacking experimentation. He was there for its evolution into what would become L0pht Heavy Industries, its release of the L0phtCrack password-cracking tool, and its eventual sale to @Stake. Together with hackers like Mudge, Weld Pond, Kingpin, Dildog, tan, and Stefan von Neumann, they were on the bleeding edge of experimentation with hardware and software — partially from scavenging corporate dumpsters for equipment, partially from soliciting donations and picking up cool finds at the MIT Flea Market, where they also sold refurbished gear to partially fund their loft space. The crew ran their own NOC, experimenting with different forms of networking, and they shared files online through the early version of the L0pht.com server. Space Rogue ran the popular Whacked Mac Archives, a collection of software collected from underground systems and BBSs over the years. He did the books and paid the bills as an unofficial chief operating officer and was also instrumental in helping raise the profile of the group by founding and running Hacker News Network and helping to coordinate a lot of its work with the media.

The work the L0pht did for a very long time was simply a labor of love — the hackers had day jobs. In their off-hours time of experimentation they started learning how truly vulnerable systems are to manipulation and exploitation in ways unexpected by their creators. As the team evolved, they started picking up gigs writing custom signatures for the first incarnations of intrusion detection systems, issued advisories about vulnerabilities on their website and Bugtraq, and were courted by firms to do pen testing. For a long time they barely broke even, but their security chops did gain the attention of the federal government, and in 1998 Space Rogue and six other core members of the L0pht stepped in front of a Congressional panel to give one of the earliest public warnings about the state of insecurity of the online world.

Thomas does a great job detailing all of these happenings in his book, which offers a very personal and open account of his perspective on how things unfolded. He does a great job highlighting the personalities and mindsets of the different hackers he worked with or came across over the years, and is very relatable and vulnerable offering thoughts on his maturing perspectives on dealing with not just systems but also people. Readers get to follow along with his close connections with hacker friends, fallouts and reconciliations, and run-ins with difficult bosses, as well as career disillusionment and rebirth.

**What's in a Handle?**

Musing about the L0pht and his book recently, he notes that while his unconventional learnings and rise through cybersecurity could probably be emulated by newcomers, the rise of L0pht itself occurred during a very unique era in time and would be a whole heck of a lot more difficult to recreate.

"I mean, you can get a bunch of people together and rent some space and do some stuff, but getting the same attention would be harder because the bugs are harder to find now," he says. He explains that what L0pht did wasn't easy, but they found the low-hanging fruit in security flaws.

They also had a lot less red tape and legal and professional standards to navigate. Doing what they did back in the 1990s today would put most cybersecurity researchers in a lot of hot water.

"There's a lot more risk involved. I mean, there was risk then too, but if you're going to release information about a zero-day vulnerability to the public without a pseudonym, the risk of lawsuits is pretty high. Which is, again, one of the reasons why we were using the handles and the pseudonyms to begin with. But staying pseudonymous is a lot more difficult today than it was."

Thomas still cherishes and uses his Space Rogue handle — it's part of his online and professional persona. For example, his email address at IBM is based on that handle rather than his real name.

"I built a reputation as Space Rogue within the industry. I was the last member of the L0pht to actually start using their given name in professional settings," he says. "So it's only been a few years for me, really, that people have looked at the handle and been able to equate it to the given name easily."

These days, Mudge is known as Peiter Zatko, who worked at DARPA and Google in key roles, and most recently in the news as the Twitter whistleblower who drew attention to the social network's lacking security stance. Weld Pond is Chris Wysopal, who co-founded Veracode. Kingpin is Joe Grand, a well-known security researcher and author who runs Grand Idea Studio. But when they see each other, they'll always be Mudge, Weld, and Kingpin to him.

"And for the most part, people still address me as Space Rogue or SR. At work, people call me Space, and occasionally I'll get Mr. Rogue, but that's usually as a joke," he says. "My wife actually referred herself in a Twitter thread the other day as Mrs. Space Rogue."

**Looking Back at Industry Change**

All kidding aside about handles, Space Rogue is still as much of a concerned industry watcher as those days back at the L0pht, stepping in front of federal lawmakers.

"I've always been interested in policy and how legal ramifications are impacting the online world. Right now, I'm following a lot of actions of CISA, and I have to say that as a nation we're actually doing a great job," he says. "In the past, government has been behind schedule and playing catch-up, but I think CISA's actually taken a very good, proactive approach, which is a welcome change in the industry."

At the same time, though, he says that there's this dichotomy in cybersecurity where over the last 25 years, everything has changed but is also still the same. There's a ton more awareness now, not just from policy makers or industry insiders but just individual workers or non-tech business executives, about things like ransomware or phishing.

"Most people have to go through some sort of security training in their job, so the awareness factor is much higher," he says.

At the same time, though, the cybersecurity world is still knocking its head against the same problems it did decades ago.

"We're making stupid mistakes. We're using default passwords. We're designing flat networks. And these are the same problems that we had 25 years ago," he says. "So, it's a little bit of some and a little less of some other stuff. A lot of things have changed and gotten better, but a lot of things have still stayed the same as well."

**PERSONALITY BYTES**

**What he does for fun:** A lot of treasured hobbies mirror his hacking interests — his fun project at the moment is setting up a Raspberry Pi for his son to help him learn Python and picoCTF. "You can't get Raspberry Pis at the moment, so I've had to cannibalize some of my old projects to get him one that he can use."

**Non-hacking hobbies:** There was a time he was into making hard cider, but he moved and had less room for all of the equipment. Now he's turned his sights to rock tumbling. "My youngest got a rock tumbler last year and never used or was very interested in it. And I was like 'Well, if you're not going to use it, I'm going to.' Now I have four tumblers and I'm rotating rocks in the basement all the time."

**Quirky tidbits:** He says he's kind of an open book, and shares a lot of fun stuff with co-workers via Slack, so there's nothing they'd be surprised to know about him. But like many folks in the industry, he's got his quirky interests. "I'm a big Saturn car aficionado."

**Favorite day-to-day drink:** "I drink a lot of caffeine-free Diet Coke."

**How he tells people what he does for a living:** Per his book, he wrote, "I rarely blurt out 'Hi, I’m a hacker' when I first meet people. Trying to explain to people what I do for work can sometimes be tricky and lead into all sorts of long and sticky conversations, so I usually just say I work in computers."

Cris Thomas: Space Rogue, From L0pht Hacker to IBM Security Influencer

Eliminate passwords in user authentication workflow with Vault Vision's passkey features like facial recognition, fingerprint and pin verification on all modern devices.

**DENVER, Feb. 22, 2023 /PRNewswire-PRWeb/ --** Vault Vision, a leading user  
authentication platform for developers announced the launch of passkey  
authentication technology enabling secure and convenient logins on modern  
devices. Legacy passwords are central to website and app security, but 81% of  
hacking-related breaches leveraged either stolen and/or weak passwords. A Google  
study found that 75% of Americans are frustrated with passwords and 43% have  
shared their password with someone. Passkey auth aims to solve an inherent  
weakness in passwords with support from Apple, Google and Microsoft on all  
modern browsers and devices.  
For application users, passkey is an easier replacement for passwords. With  
passkey, users can sign in to applications with biometric authentication such as  
a fingerprint or facial verification, PIN, or pattern, unlocking them from  
having to remember and manage passwords. A user can sign into applications on  
all modern devices using a passkey, which can be created on a mobile phone and  
used to sign in to a website on a separate laptop. Passkey authentication makes  
it phishing-resistant and brute force attacks, and one the most secure  
authentication methods available today. Vault Vision's one click passwordless  
login drastically improves the user registration and login workflow with the  
addition of passkey.

For developers, Vault Vision's user authentication platform enables easy  
integration of passwordless logins into any website or application built on  
React, Node, Python, Go and low code platforms like Webflow. Developers can  
leverage Vault Vision's open sourced examples available as GitHub repos in  
React, Node, Python and Go, which can be deployed with auto-generated and  
pre-set copy-and-paste environment configuration stanzas. These repos offer an  
implementation insight into the integration flows with auth use cases. "Vault  
Vision is the only passwordless-first auth platform that does not require a  
password during setup." said Neil Proctor, CEO and Founder, Vault Vision. "Our  
technology enables developers to register without passwords and start creating  
local development environments with our user auth in less than a minute. For end  
users, the convenience of passwordless login drives user registration and login  
growth with facial recognition, fingerprint & pin based verification on all  
modern devices".  
The addition of passkey auth and passwordless logins makes Vault Vision's one of  
the most secure authentication platform with its privacy-first architecture.  
Vault Vision is the only authentication platform that protects end user privacy  
from password breaches by eliminating use of third-party scripts and low quality  
sdk's. With the average authentication tool employing an average of eight  
tracking elements, Vault Vision maintains zero third-party dependence  
eliminating vendor breach risk for developers and the ability to operate in  
air-gapped and secure operating environments.  
Vault Vision offers free developer sandboxes and expert help with your free  
trial, learn more here.**About Vault Vision**  
Vault Vision is a no code user authentication platform that enables developers  
to easily deploy user auth & passwordless logins on React, Python, Go, Node  
applications and low code platforms like Webflow. Vault Vision's authentication  
technology increases login engagement and drives user registration growth with  
OpenID Connect (OIDC), FIDO2 and passkey logins. End users benefit from Vault  
Vision's convenient authentication features like passkey facial recognition,  
fingerprint, pin based verification, OIDC logins for Apple, Google and  
Microsoft, two-factor auth (2FA), multi-factor auth (MFA), universal time-based  
one-time password (TOTP) auth, SSO with email and hardware key auth. Vault  
Vision's is a FIDO Alliance member and its user authentication technology is  
OpenID Certified.

Vault Vision Launches One Click Passwordless Logins With Passkey User Authentication

As a data security solution focused solely on SaaS ecosystems, Metomic will use the Series A funding round to expand into the U.S.

**London, England, February 22, 2023 –** Metomic, a next generation data security solution for protecting sensitive data in the new era of collaborative SaaS, announced today it has raised a $20 million Series A funding round. The round is led by Evolution Equity Partners with participation from Resonance and Connect Ventures. The investment will be used for U.S. expansion efforts and research and development initiatives. It will also allow Metomic to double down on its AI technology, furthering its mission to enable safer, more compliant data sharing across collaborative software-as-a-service (SaaS) ecosystems. 

Security, privacy and compliance teams use Metomic’s no-code workflows to automate data policies across their SaaS applications. This includes the ability to deliver real-time notifications directly to employees when they have uploaded sensitive data into the wrong environment, essentially enabling a human firewall across the organization.

Metomic’s funding round comes at a critical time as the SaaS ecosystem continues to grow. Research shows that SaaS app usage was up 18% last year, with businesses using, on average, more than 130 SaaS tools across the organization. The challenge comes from the lack of visibility and control companies have over what data employees are uploading in SaaS apps, and whom they are sharing it with. The result: PII (personally identifiable information), confidential information, and security credentials are being stored and exposed unnecessarily – often by accident. This presents a real risk and pain for organizations that rely on the productivity benefits of SaaS, but need to control and protect their most sensitive data. 

Metomic is giving organizations visibility and control of their data across collaborative SaaS applications, including Google Apps, Slack, Jira, and Zendesk by connecting to the data layer of these popular work tools. It allows security professionals to see what data is being stored, where it is, and who has access to it. Metomic’s automated processes are having a groundbreaking effect on how modern companies protect sensitive data at scale. 

"Security, IT and compliance teams have no visibility into the data employees are storing and sharing across third-party SaaS applications. They are suffering from alert fatigue and are overwhelmed with the amount of notifications they have to address,” said Rich Vibert, CEO and Co-Founder, Metomic. “By triaging critical risks and putting remediation in the hands of employees, we give security teams the most effective, scalable, and modern way to protect their most vulnerable data, without getting in the way of high-value work.” 

In the last 18 months, Metomic’s automated platform has prevented more than two million data leak threats lurking in SaaS ecosystems. Even more astonishing, it has detected hundreds of millions of sensitive data points within SaaS apps and found that 99% of the sensitive data does not need to be there or is accessible to people who shouldn’t have access.

"Businesses adopt SaaS applications at a rapid pace. While SaaS tools increase employees’ productivity and enable collaboration among colleagues and partners, IT security teams have limited visibility and control over sensitive data stored within these apps,” said Yuval Ben-Itzhak, Partner, Evolution Equity Partners. “Metomic gets it. We believe their approach to SaaS data security can fill the gap by helping security teams control sensitive data and remain in compliance with regulations."

"Evolution Equity are great partners for Metomic," added Vibert. "As cybersecurity investors, they not only knew the space, but immediately understood the business value of our technology. We connected on the need to protect information at the data level inside SaaS, one of the fastest growing niches in cybersecurity today."

Currently, Metomic has customers across Europe and North America, with 50% of its customers based in the U.S. It plans to quadruple employee headcount by the end of the year, with its sales and marketing functions headquartered in the U.S. 

**About Metomic:** 

Metomic was born out of the frustration of its leaders trying to implement SaaS applications that make businesses more productive but are off limits because of high-risk security concerns. As a next generation security solution focused on cloud-based applications, Metomic gives security teams clear visibility into their organization’s SaaS network to manage sensitive data and detect security threats, allowing businesses to take full advantage of their SaaS application network. To learn more visit www.metomic.io.

Metomic Raises $20 Million to Protect Sensitive Data in SaaS Applications

Before adopting SaaS apps, companies should set security guardrails to vet new vendors and check security integration for misconfiguration risks.

    

App bar on Zoom

As you may have noticed on your recent Zoom calls, the latest application update quietly added a slick little app-store sidebar to the right-hand side of your session screen. This feature enables any business user within your organization to integrate the software-as-a-service (SaaS) apps showcased in the sidebar with a click of a button — without so much as disrupting their Zoom session.

While seemingly innocuous, this feature highlights the greatest strength and one of the greatest SaaS security risks — the ability for anyone within an organization to adopt, configure, and manage SaaS applications. While this process may be convenient and conducive to fast business enablement, by design it also bypasses any internal security review processes. This leaves your security team with no means of knowing which apps are being adopted and used, whether they may have security vulnerabilities, if they are being used in a secure way, or how to place security guardrails around their use. Enforcing zero-trust security principles becomes almost impossible.

**Shared Responsibility**

But before you chastise your employees for irresponsibly adopting SaaS applications, you need to realize they're being constantly encouraged by vendors to install more apps and adopt new features. Yes, the applications themselves often serve critical business needs, and yes, your employees inherently want to adopt them quickly, without enduring a protracted security review. Yet, they're doing so because — whether they realize it or not — they're being aggressively marketed to by savvy application vendors, who often mislead users into believing they're following security best practices. Just because users are bombarded during installation with consent screens meant to give them pause and encourage them to read about their rights and responsibilities doesn’t mean users are actually reading these screens, or that the consent language is transparent, accurate, or complete.

Beyond touting their application's brilliant new features, these vendors are also constantly telling your business users and security teams their applications are secure, their infrastructure is secure, that 24/7 uptime is 99.999% assured, and they guarantee that their employees won’t have access to user's data, etc. However, they typically downplay or even fail to mention their shared responsibility model of security, where they're only responsible for the security of the platform infrastructure, and that securing usage against account takeovers and data loss are the customer's responsibility.

This is especially problematic as most security breaches are due to SaaS misconfiguration or user error, not code vulnerabilities, and your users are ill-equipped to defend against these risks by themselves. Even large and respectable vendors such as GitHub, HubSpot, LastPass, Mailchimp, Okta, and others that were recently victims of breaches, are susceptible to misconfigurations and misuse. You should always trust, but verify no matter the vendor.

**Never Assume**

In other cases, security is often just assumed. Take application marketplaces operated by well-known brands, for example. Vendors have neither the desire, nor the financial incentive or capacity, to vet the security posture of every third-party application being sold on their marketplaces. Yet to grow the business they can lead users to believe that anything sold there maintains the same level of security that the marketplace vendor does, often by omission. Likewise, marketplace descriptions may be written in such a way as to imply their application was developed in collaboration with or endorsed by a major, secure brand.

The use of application marketplaces creates third-party integrations that carry the same risks as those that led to many of the recent attacks. During the GitHub attack campaign in April 2022, attackers were able to steal and abuse legitimate Heroku and Travis-CI OAuth tokens issued to the well-known vendors. According to GitHub, the attackers were able to leverage the trust and high access granted to reputed vendors to steal data from dozens of GitHub customers and private repositories.

Similarly in December 2022, CircleCI, a vendor specializing in CI/CD and DevOps tools, confirmed some customer data was stolen in a data breach. The trigger to the investigation was a compromised GitHub OAuth token. Based on the investigation by the CircleCI team, the attackers were able to steal a valid session token of a CircleCI engineer, which allowed them to bypass the two-factor authentication protection and gain unauthorized access to production systems. They were then able to steal customer variables, tokens, and keys.

**Lure of Frictionless Adoption**

Vendors also build their platforms and incentive programs to make adoption as easy as agreeing to a free trial, a perpetual free service tier, or swiping a credit card, often with seductive discounts to try and buy without obligation.

It's in the interest of the vendors to get users hooked quickly on any cool, new functionality by removing all friction to adoption, including bypassing IT and security team reviews in the process. The hope is that even if security teams grow wise to the use of an application, it will prove too popular with business users and too critical to business operations to remove it. However, making adoption overly easy can also lead to a proliferation of unused, abandoned, and exposed apps. Once an app is rejected during a proof of concept (PoC), is abandoned due to waning interest, or the app owner leaves the organization, it can often remain active, providing an expanded and unguarded attack surface that places the organization and data at elevated risk.

While it's important to educate your business users on SaaS security best practices, it's even more important to fight indiscriminate SaaS sprawl by teaching them to evaluate more critically the siren song of SaaS vendors about easy deployment and financial incentives.

Further, security teams should also adopt tools that can assist in managing SaaS misconfiguration risks and SaaS-to-SaaS integrations. These tools enable users to continue to adopt SaaS applications as needed while still vetting new vendors and integrations for security and establishing much-needed security guardrails.

Why Are My Employees Integrating With So Many Unsanctioned SaaS Apps?

**BE'ER SHEVA, Israel, Feb. 23, 2023 /PRNewswire/ --** Rezilion announced today the release of the company's new research, "Hiding in Plain Sight: Hidden Vulnerabilities in Popular Open Source Containers," uncovering the presence of hundreds of docker container images containing vulnerabilities that are not detected by most standard vulnerability scanners and SCA tools.

The research revealed numerous high severity/critical vulnerabilities hidden in hundreds of popular container images, downloaded billions of times collectively. This includes high-profile vulnerabilities with publicly known exploits. Some of the hidden vulnerabilities are known to be actively exploited in the wild and are part of the CISA known exploited vulnerabilities catalog, including CVE-2021\-42013, CVE-2021\-41773, CVE-2019\-17558.

This finding follows Part I of the research, released in October, which was the first quality assessment for leading open-source and commercial vulnerability scanners and SCA tools. The vulnerability scanner benchmark survey discovered the most common causes for scanner misidentifications, including false positive and negative results.

The new research dives deeper into one of the root causes identified in the assessment - inability to detect software components not managed by package managers. The study explains how the inherent method of operation of standard vulnerability scanners and SCA tools relies on acquiring data from package managers to know what packages exist in the scanned environment, making them susceptible to missing vulnerable software packages in multiple common scenarios in which software is deployed in ways that circumvent these package managers. This research shows precisely how wide this gap is and its impact on organizations using third-party software. The report provides numerous real-world examples of some of the most popular docker container images that contain dozens of such hidden vulnerabilities. The report also offers recommendations on minimizing the risk presented in the research.

According to the report, package managers circumventing deployment methods are extremely common in Docker containers. The research team has identified over 100,000 container images that deploy code in a way that bypasses the package managers, including most of DockerHub's official container images. These containers either already contain hidden vulnerabilities or are prone to have hidden vulnerabilities if a vulnerability in one of these components is identified.

The report identifies four different scenarios in which software is deployed without interaction with package managers, such as the application itself, runtimes required for the operation of the application, dependencies as are necessary for the application to work, and dependencies required for the deployment/build process of the application that are not deleted at the end of the container image build process and shows how hidden vulnerabilities can find their way to the container images.

"We hope this research will educate developers and security practitioners of the existence of this gap so that they will be able to take appropriate actions to minimize the risk as well as push vendors and open-source projects to add support for these types of scenarios," said Yotam Perkal, Director, Vulnerability Research at Rezilion. "It's important to note that as long as vulnerability scanners and SCA tools fail to accommodate for these situations, any container image that installs packages or executables in this manner may eventually contain 'hidden' vulnerabilities if any of these components become vulnerable."

To download the full report, please visit: https://info.rezilion.com/scanner-research-part-ii

**About Rezilion:**

Rezilion's software supply chain security platform automatically assures that the software you use and deliver is free of risk. Rezilion detects third-party software components on any layer of the software stack and understands the actual risk they carry, filtering out up to 95% of identified vulnerabilities. Rezilion then automatically mitigates exploitable risk across the SDLC, reducing vulnerability backlogs and remediation timelines from months to hours, while giving DevOps teams time back to build.

Learn more about Rezilion's platform at www.rezilion.com and get a 30-day free trial.

Rezilion Research Discovers Hidden Vulnerabilities in Hundreds of Docker Container Images

(ISC)2 members and cybersecurity professionals worldwide are encouraged to share their expertise, best practices and experiences with their peers and career hopefuls.

**ALEXANDRIA, Va.****,** **Feb. 23, 2023** **/PRNewswire/ --** (ISC)² – the world's largest nonprofit association of certified cybersecurity professionals – today opened the Call for Presentations for the 13th annual (ISC)² Security Congress 2023. The conference will bring together thousands of cybersecurity leaders for several days of professional development, networking and exploration of the latest cybersecurity best practices at The Gaylord Opryland Resort in Nashville, Tenn., Oct. 25-27. The Call for Presentations is open now and closes on March 23 at 11:59 PST.

"Professional development helps employees advance their skills; this is a critical piece for cybersecurity professionals on their career journey. One of the most exciting and valuable aspects of Security Congress is the spirit of community and helping one another learn and grow as professionals," said Clar Rosso, CEO, (ISC)². "We are looking for speaking proposals that not only encourage thought-provoking discussions around key cybersecurity issues and trends but will provide cybersecurity professionals with practical advice and takeaways to better defend against tomorrow's threats."

Speaking proposals should address industry-specific topics and issues and provide inclusive, unique, and diverse perspectives and experiences that are relatable to a global cybersecurity audience. Successful submissions will align with one of the following domains: 

*   Governance, Risk and Compliance (GRC)
*   Cyber Leadership 
*   Cloud Security
*   Security Operations
*   Software Security
*   Network Security
*   Emerging Technologies

Speakers selected to present will receive a complimentary All Access pass, as well as a VIP Speakers-only reception, CPE credits and more. 

For more information about the speaking requirements, please visit the 2023 (ISC)² Security Congress Call for Presentations Portal.

**About (ISC)²**

(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates and members, nearly 330,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter or connect with us on Facebook and LinkedIn.

SOURCE (ISC)2

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

(ISC)² Opens Security Congress 2023 Call for Presentations

CloudNativeSecurityCon North America 2023 was a vendor-neutral cloud-native security conference. Here's why it was important.

Cloud-native technology is growing in importance, and the Cloud Native Computing Foundation (CNCF), part of the Linux Foundation, is a key organization driving collaboration on cloud security throughout the industry.

That collaboration includes events such as KubeCon Americas and Europe, which often feature cloud-native security as a key topic, but seeing the importance of cloud native security, CNCF took the next step and created a separate event.

CloudNativeSecurityCon North America 2023 (CNSC) recently took place in Seattle, and served as the first vendor-neutral, practitioner-driven conference focused exclusively on cloud-native security. The event featured over 800 attendees and 50 sponsors. It had 70-plus sessions for all security levels of technologists.

**Security Is People-Powered; Industry Collaboration Is a Solution**

Security remains a pressing issue for the cloud-native and open source community, said Priyanka Sharma, Executive Director, CNCF. During her keynote, she said there are 7.1 million-plus cloud-native developers according to Slash Data.

She emphasized that the industry needs "a paradigm shift to level up our performance," as cloud usage will continue to grow, and so will the threats related to it.

Though the organizations are doing their part to secure their cloud environments, Sharma indicated that top-down approach may not be the best way, instead having a more bottom-up approach from the community, pointing to software security vendor Snyk's "2022 State of Cloud Security Report," which showed 77% of organizations saw poor training and collaboration as a major cloud security challenge.

    

Source: CNSC

Having siloed teams working in different countries, using different tools, and counting on unmonitored policies are common security challenges in many enterprise security scenarios, but when they involve the cloud, it multiplies difficulties to the security environment further. Hence, Sharma stated, "Security is people-powered," and having industry-level collaboration from all the stakeholders along with a shared asset directory will improve cloud security across the industry. Even after all the talks about innovation and right approach done in the cloud-native space, a skill shortage is something the industry is still facing. CNCF announced Kubernetes and Cloud Associate (KCSA) certification, to address the biggest challenge of lack of technical expertise in cloud-native environment.

CNCF organizes itself with Technical Advisory Groups (TAGs) for different focus areas, and it is looking to a Security TAG to help organizations with facilitating the security for projects across the cloud-native ecosystem. It's a 165-member team that supports CNCF projects through education, partnership, and project engagement. This group will help with security features for any CNCF projects; any incubating project within the organization must now go through a security audit by the Security TAG. The Sigstore project that was adopted by Kubernetes was an example of such open, multivendor collaboration.

**Key Conference Topics**

Themes that popped up during the event — including SBOM, runtime security, infrastructure as-a-code security, code to secure policies and authentication, and ChatGPT — indicated that the adoption of cloud-native applications will continue to grow, and the industry must prioritize security for these applications. The thought of having an open source security tool for securing open source code makes sense. Today, CNCF has 21 security-related open-source projects: Open Policy Agent (OPA) and Update Framework TUF have graduated with five other incubating projects, and the rest are in the sandbox stage.

**Software Supply Chain Security**

    

Source: CNSC

Many sessions at the conference were focused on understanding what the software supply chain means and why securing it remains important.

A talk by a Yahoo representative highlighted how 85% to 97% of enterprise code uses open source components, and any vulnerabilities in these may pose security threats. That issue underscores the importance of having security ingrained at every stage of the software development life cycle (SDLC), from application development to CI/CD pipeline down to production.

Code dependencies have become one of the most common reasons leading to supply chain attacks. According to a recent report on software supply chain security, supply chain attacks have grown 742% year-over-year in the past three years. Therefore, a DevSecOps approach is important to ensure the DevOps workflow is maintained by making security seamless. It means having security as an intrinsic part of application development, integration, and operation in DevOps-centric environments.

**"Shift Right" Is as Important as "Shift Left"**

Deployment of applications in the cloud has been a fast-track initiative for many enterprises, often in support of digital transformation initiatives, but many of the same security challenges, such as software vulnerabilities, managing configuration and permission, compliance, and detecting and responding to threats, plaguing traditional applications also hamper cloud application security.

From the cloud-native point of view, two trends are most visible. The first is the way in which "shift left" corresponds to the usage of CI/CD security, having centralized responsibilities and dependencies that can be monitored. It points to moving security toward an earlier stage in the software development life cycle, namely that security is built in from the time the source code is created.

But the second trend is "shift right," which is gaining equal importance in understanding what is going on in the runtime environment as the workload deployed on microservices and orchestrated by Kubernetes. The Falco project with CNCF (originally started by Sysdig), which is based on eBPF technology, seeks to help organizations understand what every process is doing in its containers and hosts. It is like a security camera for the cloud environment.

**Software Bill of Materials**

Log4j was a top of mind during the show, highlighting how it disrupted the operations of many organizations in so many different ways.

Similar high-profile attacks on the supply chain were the reason for the US federal government to issue an executive order to create guidelines for securing software solutions used for the government. The change of approach to building software using third-party dependencies makes having full transparency in the application important.

So, the approach of maintaining a software bill of materials (SBOM) that will offer a listing all components, modules, and libraries used in the application and also drawing the relationship between supply chain components is becoming increasingly important.

One interesting exchange during the conference tackled how to handle metadata that will be collected over time by each software element. In a panel, a Google representative mentioned its new product, Graph for Understanding Artifact Composition (GUAC), which functions like an aggregator for this metadata in a high-fidelity graph database.

**Sponsor Landscape**

    

Source: Omdia

CNSC was a relatively small-scale conference, but its sponsors represented vendors distributed across the industry. Approximately 55% were security vendors, 18% technology vendors offering some security, 12% were technology vendors that use in-house security product but do not sell the security product as a stand-alone offering, and 15% non-security vendors.

**A Strong Start**

The first-ever CNSC was a strong start for the cloud-native community to create a place to gather each year for a focused look at security challenges and opportunities in cloud-native environments.

CNCF is doing a great job getting different types of vendors together and supporting cloud-native security projects. This is exposing developers to security concerns. On the contrary, traditional security teams also must learn to work better with developers and ensure security approaches align with development priorities and business objectives.

This is just a first step toward solving the problems related to cloud-native security. There is more collaboration with people and process to be done in future.

Source

DARKReading