A broken access control vulnerability could have led to dangerous follow-on attacks for users of the money-management app.

A finance app called "Money Lover" has been found leaking user transactions and their associated metadata, including wallet names and email addresses.

That’s according to Trustwave, which published its findings in a blog post on Feb. 7.

Money Lover, developed by Vietnam-based Finsify, is a tool for managing personal finances — budgeting, tracking expenses, and so on. It’s available in Google Play for Android, the Microsoft Store for PCs, and the App Store for iOS, where it enjoys a 4.6-star rating from more than 1,000 reviewers, who may or may not have been affected by the vulnerability.

Though the app leaked no actual bank account or credit card details, "the potential danger to their customers’ accounts will surely affect both the financial vendor and customer monetarily," wrote Karl Sigler, a senior security research manager at Trustwave. "And when you have a financial institution that loses a customer's trust, they will likely see a reputation hit."

**The Money Lover Bug**

Troy Driver, a Trustwave security researcher and Money Lover user, became curious about Money Lover's security. So, using its Web interface, he routed its traffic through a proxy server, where he discovered a problem: From the Web sockets tab of his browser’s developer tools window, he could see the email addresses, wallet names, and live transaction data associated with every one of the app's shared wallets (wallets managed by two or more users).

It was a classic case of broken access controls, where he — an otherwise authorized user — was able to view data that should have been kept outside of his permissions.

"Based on the small amount of information in the blog," Stephen Gates, security evangelist at Checkmarx, speculates to Dark Reading, "I would suspect that an API in use has an API1, API2, and/or API3 vulnerability,” aka broken object level authorization, broken user authentication, and excessive data exposure, respectively (all forms of broken access control).

Such vulnerabilities are extremely common. Every few years or so, the Open Web Application Security Project (WASP) releases a Top 10 list, using extensive testing and surveys of industry professionals to track the most common web security vulnerabilities. In its latest 2021 iteration, broken access controls made the No. 1 spot on the list.

Broken access isn’t just prevalent, though — it’s dangerous. "If the app has one or more of the above vulnerabilities," Gates adds, "it’s just a matter of time before attackers craft the perfect request to possibly gain access to even more data."

**The Implications of the Bug**

While the sensitive data in this case isn't all that sensitive (i.e., not payment card details or credentials), users would be advised not to pooh-pooh cases like this, as they can lead to more pointed attacks further down the line. For example, cross-referencing email addresses with past leaks could potentially lead to account takeover or impersonation.

Even the basic metadata leaked by Money Lover could be something to go on, for hackers that like to use every part of the animal, as it were.

"For instance," Sigler explains, "a scenario could occur where an attacker reaches out to one of the users sharing a wallet via email and suggests that funds aren't seen in a specific shared wallet name and transaction ID. The attacker could then recommend the person transfer money to a different account or maybe log in to 'check' the transaction but provide a link to a credential capture webpage."

Sigler puts it bluntly: "There is no reason for any Money Lover user to be able to see the transactions of any other user. Tightening up permission to just authorized users is an important security control."

As of Jan. 27, the Money Lover app patched the vulnerability; users should update their apps to the latest version.

'Money Lover' Finance App Exposes User Data

For the moment, victims can decrypt data without paying a ransom. But Clop is a ransomware variant that has caused havoc on Windows systems, so that's bound to change.

A newly spotted version of the prolific Clop ransomware family holds both good and bad news for security teams.

The good news is the malware is faulty, and victims can relatively easily decrypt any data it encrypts without first having to pay a ransom for a decryption key. The bad news is the new malware also is the first Linux version of Clop, a particularly nasty ransomware variant associated with numerous high-profile attacks that have netted its operators hundreds of millions of dollars.

**Faulty Encryption**

Researchers from SentinelOne's SentinelLabs threat hunting team observed the latest Clop variant targeting Linux systems at a university in Colombia. Samples that the company analyzed showed the Linux code to have a similar logic as its more pernicious Windows relative, with minor differences involving API calls and other features unique to the different operating systems.

SentinelOne's analysis showed Clop's Linux version is still likely only in its initial development stages and missing many of the obfuscation and evasive capabilities that are present in Windows' versions of the malware. The security vendor assessed that the reason for this might have to do with the fact that not one of the 64 virus-detection engines on Virus Total are currently able to detect the Linux Clop variant.

Significantly, SentinelOne's researchers found the encryption logic in the Linux variant to be flawed. "The issue boils down to a couple of key differences between the Windows and Linux variants," says Antonis Terefos, threat intelligence researcher at SentinelOne.

The Linux version includes a hardcoded master key, which, when extracted, allows for decryption, he says. "The flaw allows for the simple extraction or discovery of what the RC4 'master key' is for a given sample," he notes, adding that SentinelOne has released a free decryptor for the variant.

The Windows version, on the other hand, contains a number of validation steps, along with a different key generation process, making it hard to retrieve the master key in similar fashion. Specifically, the Windows version generates an RC4 key for each encrypted file on a compromised system and then encrypts the encryption key itself and stores it on the system. Victims who pay the ransom receive a decryption key for decrypting the RC4 key, which is then used to decrypt the actual data.

**Other Differences Between Windows & Linux Clop Versions**

SentinelOne also discovered other differences between the Windows and Linux variants of Clop. The Windows variant, for instance, includes logic that excludes specific files, folders, and extensions on a system from encryption. With the Linux variant, on the other hand, paths targeted for encryption are hardcoded into the malware, Terefos says: "Therefore, there is no need to 'exclude' unwanted locations."

The new Clop version adds to a growing list of ransomware variants targeting Linux systems; other examples include Hive, Smaug, Snake, and Quilin. Researchers from Trend Micro who have been tracking the trend, reported a 75% increase in ransomware attacks that targeted Linux systems in the first half of 2022 compared with the prior year. In a September report, the security vendor reported observing some 1,960 instances where a threat actor used Linux ransomware in an attack attempt, compared with 1,121 in the same period in 2021.

**Mounting Attacker Interest in Linux Malware**

Since then, the situation has only gotten worse for Linux systems. During 2022 as a whole, Trend Micro identified some 27,602 attacks involving Linux malware, says Jon Clay, vice president of threat intelligence at Trend Micro. That represented a 628% increase over 2021, he notes, adding, "we are seeing many more ransomware groups targeting Linux systems."

The attacks are part of a broader increase in all kinds of malware targeting Linux environments, Clay says. As one example, he points to a 61% increase in cryptominers targeting Linux from 2021 to 2022. Others such as VMware have noted an increase in different kinds of malware tools targeting virtual machines and containers via Linux hosts. In a report last year, the company reported identifying more than 14,000 instances where attackers attempted to deploy the Cobalt Strike post-exploit toolkit on a Linux host.

Attacks targeting Windows systems continue to outnumber those directed at Linux environments by orders of magnitude. Still, the growing attacker interest in Linux is something enterprises cannot ignore. 

"Linux and cloud devices offer a rich pool of potential victims," Terefos says. "In recent years, many organizations have shifted toward cloud computing and virtualized environments, making Linux and cloud systems increasingly attractive targets for ransomware attacks."

The rise in cross-platform programming languages such as Rust and Go are another factor in the mix because they have lowered the barrier of porting malware to other platforms, Terefos notes. "We've seen this with other groups like Hive, Royal, LockBit, Agenda, etc. Successfully targeting cloud environments is an operational necessity for the future success of these groups."

Fresh, Buggy Clop Ransomware Variant Targets Linux Systems

Lazarus Group used a known Zimbra bug to steal data from medical and energy researchers.

A recent round of compromises that exploited unpatched Zimbra devices was an effort sponsored by the North Korean government and intended to steal intelligence from a collection of public and private medical and energy sector researchers.

Analysts with W Labs explained in a new report that due to an overlap in techniques — and thanks to a misstep by one of the threat actors — they were able to attribute "with high confidence" the recent round of cyber incidents against unpatched Zimbra devices as the work of Lazarus Group, a well-known threat group sponsored by the North Korean government. Lazarus operated this campaign and other similar intelligence-gathering efforts through the end of 2022.

The researchers named the campaign "No Pineapple" after an error message generated by the malware during their investigation. The threat actors quietly exfiltrated about 100GB of data, without waging any disruptive cyber operations or destroying information.

"The campaign targeted public and private sector research organizations, the medical research, and energy sector as well as their supply chain," the W Labs report added. "The motivation of the campaign is assessed to be most likely for intelligence benefit."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DPRK Using Unpatched Zimbra Devices to Spy on Researchers

New malware demonstrates how threat actors are pivoting toward payment platform attacks, researchers say.

A new Android banking Trojan called PixPirate is targeting more than 100 million Brazilian Pix instant payment accounts.

The Pix payment platform was created and is operated by the Brazil Central Bank, and it's used to make instant mobile payments across Latin America using a variety of banks.

Researchers with the Cleafy TIR Team — who have been tracking the PixPirate Brazilian banking Trojan since late 2022 — released a report this week detailing PixPirate's intention to steal credentials and deploy its noteworthy automatic transfer system (ATS) used to make automatic fraudulent money transfers. Additionally, by abusing accessibility services, PixPirate also has the flexibility to steal credentials and launch ATS attacks across multiple bank user interfaces using the Pix platform.

The malware also can intercept and delete SMS messages, push malvertising efforts, and contains code protection that attempts to evade detection, the report said.

"PixPirate represents one of the emerging malware that will try and leverage the double edge blade mechanism related to instant payments," the Cleafy team added. "The introduction of ATS capabilities paired with frameworks that will help the development of mobile applications, using flexible and more widespread languages (lowering the learning curve and development time), could lead to more sophisticated malware that, in the future, could be compared with their workstation counterparts."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Banking Trojan Targeting 100M Pix Payment Platform Accounts

**SILICON VALLEY, Calif. & SAN SEBASTIÁN, Spain--(****BUSINESS WIRE****)--** Opscura Inc., an innovator in industrial control system (ICS) cybersecurity, announced today it has received $9.4M in Series A funding as it scales to engage further U.S. partners and customers seeking to protect and connect their critical operations. Founded in Spain as Enigmedia, the new global entity Opscura is also launching a new brand, global management team, and product upgrades in addition to the capital infusion led by Anzu Partners, with investments from Dreamit and Mundi Ventures.

Opscura’s technology adds a unique layer to the industrial cybersecurity ecosystem as manufacturers require greater efficiencies to protect thousands of vulnerable legacy devices they cannot take offline, and as the rapid build-out of new renewable energy critical infrastructure continues. To reduce the pervasive risks of ransomware, unauthorized access, and data theft, Opscura’s patented cloaking technology obscures deeper operational technology (OT) Level 2 network and Layer 2 data without disrupting operations.

“We have been impressed with the power and simplicity of Opscura’s security solution as part of our Schneider Electric Exchange™️ Technology Partner program,” says Francesc Juan, CTO Spain of Schneider. “Opscura addresses multiple ICS use cases, and unlike other offerings, simplifies the processes, people, and technology work involved in protecting critical infrastructure in deeper OT layers.”

Worldwide integrator partners such as Telefonica deploy Opscura to their customer segments that need simplified, yet robust, OT security for Zero Trust environments. Opscura works collaboratively within the ICS security ecosystem, and its technology is complementary to solutions from Claroty, Nozomi, Fortinet, and more. Customers across various industries, including renewable energy, transportation, manufacturing, government, and chemical also rely on Opscura to solve industrial cybersecurity, compliance, and digital transformation challenges.

“Throughout our extensive diligence process, we were impressed with Opscura’s foundational approach to ICS and their ability to deliver a frictionless solution that ensures continuity of operations. We believe it has great potential to efficiently and effectively address the myriad unmet security needs that exist in critical brownfield OT networks,” said John Ho, Partner at Anzu Partners. “We look forward to supporting the Opscura team as they continue to scale the company, validate the technology’s capabilities across multiple ICS use cases, and demonstrate how to fully deliver the zero trust model in an OT context.”

Opscura’s funding reflects a shift in the appetite for diversified cybersecurity innovation from the government and investors. Spain, including the Basque region where Opscura’s R&D team is based, continues to invest in EU-wide cybersecurity growth. Opscura has earned multiple grants to continue its novel research into ultra-low latency encryption and data communications across industrial devices.

"The mission to reduce risk for industrial operators has no geographical boundaries, and we are excited to see Opscura's Spanish and U.S. technical talent collaborate to solve ICS security challenges,” said Rajeev Singh-Molares, Founding & Managing Partner at Mundi Ventures. “Opscura solves the immediate concern of protecting vulnerable industrial assets such as PLCs, and it has novel IP that can prepare companies as quantum progresses and data security compliance needs evolve.”

“Opscura is much needed in the ICS security ecosystem, with its focus on protecting and connecting at deeper levels of the network,” said Mel Shakir, Partner at Dreamit Ventures, Securetech. “Their collaborative approach across OT, IT and automation partners will expedite market traction.”

Opscura co-founders Gerard Vidal and Carlos Tomás will take on the Chief Technology Officer and VP Engineering roles, respectively, as part of a new global management team led by new Chief Executive Officer, David Hatchell. The Opscura executive team also includes Chief Product Officer Michael Garrison Stuber, Chief Customer Officer and Chief Information Security Officer Brian Brammeier, and Strategic Advisor Allison J. Taylor, who formerly served as interim Chief Marketing Officer.

“It’s time to take on the most pressing national cybersecurity problems and move the entire ICS ecosystem forward,” said David Hatchell, CEO at Opscura. “Together with our partners and talented technical teams, Opscura can help customers move beyond device visibility to protect our critical industrial assets and data.”

Opscura team members will be attending DISTRIBUTECH International in San Diego from February 7-9, 2023, and S4x23 in Miami from February 13-16, 2023. If you are interested in scheduling a meeting at either event, please reach out to \[email protected\]. For more information on the executive team and Opscura’s ICS security technology, visit https://www.opscura.io.

**About Opscura:** 

Opscura protects and connects industrial networks with easy-to-use innovations that are safe to use deep within operational infrastructure. Validated by global partners such as Schneider Electric, Opscura reduces operational risks by protecting vulnerable legacy industrial assets and data, eliminating deep-level attacker footholds, and enriching threat visibility data. Brownfield and greenfield global customers rely on Opscura for OT cloaking, isolation, and Zero Trust authentication, together with simplified IT-OT connectivity. Learn more about Opscura’s Spanish Basque region roots and follow us through https://www.opscura.io.

Industrial Cybersecurity Innovator Opscura Receives $9.4M in Series A Funding as Critical Operations Transform

The global assault on vulnerable VMware hypervisors may have been mitigated by updating to the latest version of the product, but patch management is only part of the story.

Organizations using older versions of VMWare ESXi hypervisors are learning a hard lesson about staying up-to-date with vulnerability patching, as a global ransomware attack on what VMware has deemed "End of General Support (EOGS) and/or significantly out-of-date products" continues.

However, the onslaught also points out wider problems in locking down virtual environments, the researchers say.

VMware confirmed in a statement Feb. 6 that a ransomware attack first flagged by the French Computer Emergency Response Team (CERT-FR) on Feb. 3 is not exploiting an unknown or "zero-day" flaw, but rather previously identified vulnerabilities that already have been patched by the vendor.

Indeed, it was already believed that the chief avenue of compromise in an attack propagating a novel ransomware strain dubbed "ESXiArgs" is an exploit for a 2-year-old remote code execution (RCE) security vulnerability (CVE-2021-21974), which affects the hypervisor's Open Service Location Protocol (OpenSLP) service.

"With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities," VMware told customers in the statement.

The company also recommended that customers disable the OpenSLP service in ESXi, something VMware began doing by default in shipped versions of the project starting in 2021 with ESXi 7.0 U2c and ESXi 8.0 GA, to mitigate the issue.

**Unpatched Systems Again in the Crosshairs**

VMware's confirmation means that the attack by as-yet unknown perpetrators that's so far compromised thousands of servers in Canada, France, Finland, Germany, Taiwan, and the US may have been avoided by something that all organizations clearly need to do better — patch vulnerable IT assets — security experts said.

"This just goes to show how long it takes many organizations to get around to patching internal systems and applications, which is just one of many reasons why the criminals keep finding their way in," notes Jan Lovmand, CTO for ransomware protection firm BullWall.

It's a "sad truth" that known vulnerabilities with an exploit available are often left unpatched, concurs Bernard Montel, EMEA technical director and security strategist for security exposure management firm Tenable**.**

"This puts organizations at incredible jeopardy of being successfully penetrated," he tells Dark Reading. "In this case, with the … VMWare vulnerability, the threat is immense given the active exploitation."

However, even given the risks of leaving vulnerable systems unpatched, it remains a complex issue for organizations to balance the need to update systems with the effect the downtime required to do so can have on a business, Montel acknowledges.

"The issue for many organizations is evaluating uptime, versus taking something offline to patch," he says. "In this case, the calculation really couldn’t be more straightforward — a few minutes of inconvenience, or days of disruption."

**Virtualization Is Inherently a Risk**

Other security experts don't believe the ongoing ESXi attack is as straightforward as a patching issue. Though lack of patching may solve the problem for some organizations in this case, it's not as simple as that when it comes to protecting virtualized environments in general, they note.

The fact of the matter is that VMware as a platform and ESXi in particular are complex products to manage from a security perspective, and thus easy targets for cybercriminals, says David Maynor, senior director of threat intelligence at cybersecurity training firm Cybrary. Indeed, multiple ransomware campaigns have targeted ESXi in the past year alone, demonstrating that savvy attackers recognize their potential for success.

Attackers get the added bonus with the virtualized nature of an ESXi environment that if they break into one ESXi hypervisor, which can control/have access to multiple virtual machines (VMs), "it could be hosting a lot of other systems that could also be compromised without any additional work," Maynor says.

Indeed, this virtualization that's at the heart of every cloud-based environment has made the task of threat actors easier in many ways, Montel notes. This is because they only have to target one vulnerability in one instance of a particular hypervisor to gain access to an entire network.

"Threat actors know that targeting this level with one arrow can allow them to elevate their privileges and grant access to everything," he says. "If they are able to gain access, they can push malware to infiltrate the hypervisor level and cause mass infection."

**How to Protect VMware Systems When You Can't Patch**

As the latest ransomware attack persists — with its operators encrypting files and asking for around 2 Bitcoin (or $23,000 at press time) to be delivered within three days of compromise or risk the release of sensitive data — organizations grapple with how to resolve the underlying issue that creates such a rampant attack.

Patching or updating any vulnerable systems immediately may not be entirely realistic, other approaches may need to be implemented, notes Dan Mayer, a threat researcher at Stairwell. "The truth is, there are always going to be unpatched systems, either due to a calculated risk taken by the organizations or due to resource and time constraints," he says.

The risk of having an unpatched system in and of itself may be mitigated then by other security measures, such as continuously monitoring enterprise infrastructure for malicious activity and being prepared to respond quickly and segment areas of attack if a problem arises.

Indeed, organizations need to act on the assumption that preventing ransomware "is all but impossible," and focus on putting tools in place "to lessen the impact, such as disaster recovery plans and context-switched data," notes Barmak Meftah, founding partner at cybersecurity venture capital firm Ballistic Ventures.

However, the ongoing VMware ESXi ransomware attack highlights another issue that contributes to an inherent inability for many organizations to take the necessary preventative measures: the skill and income gaps across the globe in the IT security realm, Mayer says.

"We do not have enough skilled IT professionals in nations where wealthy companies are targets," he tells Dark Reading. "At the same time, there are threat actors across the globe who are able to make a better living leveraging their skills to extort money from others than if they took legitimate cybersecurity work."

Mayer cites a report by the international cybersecurity nonprofit (ICS2) that said to secure assets effectively, the cybersecurity workforce needs 3.4 million cybersecurity workers. Until that happens, "we need to ramp up training these workers, and while the gap still exists, pay those with the skills around the world what they are worth, so they don’t turn to being part of the problem," Mayer says.

Ongoing VMware ESXi Ransomware Attack Highlights Inherent Virtualization Risks

Emerging risks and trends need to be monitored, but cybersecurity challenges can be fixed with a focus on the fundamentals.

With reports that more than half of US states have banned or restricted access to TikTok on government devices, many cybersecurity professionals are asking, "How can you take a well-intentioned policy from vision to execution?" The answer is operational governance.

Cybersecurity tends to focus on preventing ransomware and advanced persistent threats. This is essential work, but it can overshadow the foundation of an effective cybersecurity program. Fundamentally, cybersecurity is about enforcing corporate policies. Yet enforcement falls flat far too often because organizations lack visibility into what is happening on their network.

Many policies are intended to prevent attacks, but other traditional examples include preventing access to gambling websites and other illicit content. Governance, risk, and compliance (GRC) programs are intended to demonstrate compliance for audits or to assess the security posture of another organization during a corporate merger or acquisition.

TikTok is just one recent example of banning access to an app. New York City public schools have banned ChatGPT. And there are ongoing concerns that a rogue employee could install cryptomining software on a corporate network. Of course, preventing and detecting these risks and threats has become substantially harder since cloud computing, mobile devices, and the Internet of Things have radically transformed the network perimeter.

The network perimeter has been atomized by decades of digital transformation, which means it has become dispersed, ephemeral, encrypted, and diverse. Mobile and remote workers are accessing data and applications scattered across multicloud, hybrid-cloud, and on-premises infrastructure. Legacy application appliances have been retrofitted to interoperate with cloud environments. IT/OT convergence is enabling applications to access physical environments as easily as IT networks.

**A Paper Tiger: Policy Without Enforcement**

As organizations have moved to adopt zero-trust security, network security and identity-based access controls have been lagging behind endpoint and detection and response (EDR) deployments. Unfortunately, identity-based threats can elevate endpoint privileges to disable EDR agents and to access the network, where threat actors can hide between the gaps of disconnected technologies and the teams that manage them.

Furthermore, many endpoint and network devices, such as IoT devices, serverless platforms, routers, switches, and SCADA systems are incapable of running EDR agents in the first place. And all of this assumes that the cybersecurity team is aware of every endpoint connected to the network and has a way to control them, which is not always the case.

Entire classes of devices may be left unprotected, so having an effective network security architecture beyond access control and access brokering is even more important. However, the chaotic nature of network traffic makes visibility difficult. Traditional solutions usually don't support the cloud, and cloud-based approaches tend to focus on specific cloud environments. Detecting and stopping attacks is incredibly difficult, given the opacity and gaps.

One major concern with TikTok and other apps is the potential for unauthorized access to the network and devices through excessive permissions or embedded spyware, which may be used for espionage. To address these concerns, it is important to categorize the types of infrastructure and the traffic that needs to be monitored. By mapping out the infrastructure and analyzing real-time data, it is possible to identify and alert on policy violations and to integrate these alerts into existing workflows.

**Invent the Universe: Comprehensive Visibility and Real-Time Verification**

The famed astrophysicist Carl Sagan once quipped, "If you wish to make an apple pie from scratch, you must first invent the universe." The same goes for enforcing cybersecurity. Without comprehensive visibility of the network and real-time verification of governance policies, it can be difficult to know if they are being enforced. This is especially true when relying on outdated technologies or host-based monitoring, which may not provide a comprehensive view of network activity.

For example, I recently spoke with a company that discovered one of its factory machines — which was in production and should have been isolated from other networks — was browsing TikTok and Facebook. This was a clear indication that policy enforcement had failed, leaving the machine compromised.

And just as you cannot bake without precisely measuring your ingredients and knowing the temperature of the oven, you cannot enforce cybersecurity policy without comprehensive and real-time visibility into endpoint devices and network traffic. Visibility is a foundation of cybersecurity, which is why so many compliance frameworks, such as SOC 2 and ISO 27001 include the creation of an asset inventory among their first requirements.

It can be easy to be drawn in by the allure of shiny new solutions — and certainly cybersecurity professionals do need to monitor emerging risks, threats and trends like these recent TikTok bans — but I would contend that the majority of cybersecurity challenges can be fixed with a focus on the fundamentals: enforcing corporate policy with the visibility needed to do so.

With TikTok Bans, the Time for Operational Governance Is Now

A tax variable in the software implementing the Dingo Token allows the creators to charge 99% in fees per transaction, essentially stealing funds, an analysis finds.

The originator of the Dingo Token — a cryptocurrency with a purported market capitalization of $11 million — has included a backdoor in the code to charge each transaction a fee of up to 99% of the worth of the token.

That's according to cybersecurity firm Check Point Software, which has issued an advisory warning potential investors of what the company calls "a scam." 

While the documents describing the Dingo Token claimed that the scheme charged 10% per transaction, Check Point researchers found 47 transactions where the total fee per transaction had been increased to 99%. The creator had also set the fee to 99% for future transactions, essentially stealing the funds of any traders of the cryptocurrency, according to the analysis published this week.

The Dingo Token creator has already transferred previously collected funds to other accounts, leaving no money for anyone holding Dingo tokens, says Oded Vanunu, head of products vulnerabilities research at Check Point Software.

"The function was called many times by the owners to prevent users from selling their holdings," he says.

Cryptocurrencies are heavily based on mathematics but also on good marketing, a dose of libertarian ideals, and an influx of gray market cash. Overall, hundreds of cryptocurrencies have been created, and not all will be legitimate, nor will they be free of fraud. In a 2019 report, for example, Alameda Research uncovered significant fraud in many crypto exchanges. That's ironic, given that two years later the firm and its sister company, cryptocurrency exchange FTX, had both declared bankruptcy, and their executives, including FTX and Alameda co-founder Sam Bankman-Fried, have been charged with numerous financial crimes.

While those efforts may have started as legitimate businesses, the Dingo Token scheme likely started as fraud from the start, Check Point stated in its analysis.

"We examined the Dingo smart contract and quickly found it seemed like a scam," the company stated. "The project website contains no real information about the owners of the projects."

**A Quick Jump in Popularity**

While the Dingo Token is far down the lists of popular cryptocurrencies — No. 774, at the time Check Point released its advisory — transactions using the currency had jumped 8,400% in the past year, according to the cybersecurity firm. The meteoric rise in popularity, along with the fact that the description of the cryptocurrency was limited, raised suspicions, leading to Check Point analyzing the digital smart contract on which the token is based.

The analysis uncovered systematic theft of traders' funds, using a variable called "TaxFee" to set the amount to take from each transaction. 

"We don’t believe that it was a mistake due to the nature of crypto-scam projects," Vanunu says. "In this case, \[the\] _setTaxFeePercent_ function code...operates as a backdoor, \[allowing\] the owner to change the fee dynamically, which is not best practice for legitimate projects."

The fake cryptocurrency scheme may be the most technical attack yet, but fraud is increasingly a hazard for cryptocurrency investors and users, surging after a hiatus following numerous cryptocurrencies plunging in value by more than 60%. In 2022, for example, the FBI warned that cryptocurrency scams had once again targeted businesses and consumers, this time with fake investment apps that led to the theft of more than $40 million.

**Know Your Code**

The Dingo Token incident highlights the fact that companies need to conduct due diligence on any cryptocurrency in which they plan to use or allow customers to use. Security gaps, such as the backdoor code used by Dingo Token, need to be identified and cryptocurrency investors need more education on the risks, Vanunu says.

"We recommend that users only use known exchanges and buy from a known token that has several transactions behind it," he says. "In the near future, we believe that more preventative solutions will be available for users to deal with these cyber threats."

The Dingo Token creators did not respond to a request for comment sent to their contact email address by publication time. Check Point believes the creators are gone, but more scams will likely appear to take its place.

"It is important for consumers to be careful with the tokens they buy," the company stated in the analysis, adding that "cryptocurrency is a volatile market. Scammers will always find new ways to steal your money using cryptocurrency, and new forms of crypto are constantly being minted."

Backdoor in Dingo Cryptocurrency Allows Creator to Steal (Nearly) Everything

**WESTMINSTER, Colo.****,** **Feb. 7, 2023** **/PRNewswire/ --** Global cybersecurity pioneer Coalfire announced today major innovations to its Compliance Essentials solution, including advanced automated evidence collection plug-ins, enabling faster time to compliance and greater visibility for clients. In partnership with anecdotes, one of the world's leading security technology engineering firms, Compliance Essentials now enables customers to manage compliance workflows and risks, automatically collect evidence, and execute audits all within the platform – making it one of the most comprehensive compliance and risk management automation solutions in the market.

Introduced in 2022, Compliance Essentials is the next-generation compliance management solution that bundles audit services with its leading Software-as-a-Service (SaaS) compliance platform. Compliance Essentials' newly enhanced automation capabilities enable clients to reduce manual evidence collection by up to 50% and cut internal compliance costs by up to 40%.

"We have true continuous compliance with this solution," said Prabhath Karanth, global head of security & trust at TripActions. "Having anecdotes' automation within Compliance Essentials allows organizations to identify control effectiveness and demonstrate to both leadership and customers the status of our maturing security program."

"The transformation to continuous compliance takes a giant step forward with evidence automation seamlessly integrated into our solution," said Coalfire Chief Product Officer Vineet Seth, who was recently named to anecdotes' advisory board. "Working with the elite anecdotes engineering team, Coalfire Compliance Essentials now pulls evidence automatically from 35+ plug-ins spanning all cloud service providers, including AWS, Azure, and Google Cloud, and maps with more than 40 regulatory frameworks."

"We are excited to unveil a game-changing solution for compliance management from Coalfire with this union of exceptional service and technology providers," said anecdotes CEO Yair Kuznitsov. "The partnership promises to revolutionize how compliance teams operate, bringing a brighter future for compliance programs and setting a new standard in the industry."

In addition to enhanced automation features, Coalfire is also introducing a new risk management module within Compliance Essentials that centralizes an organization's risk management program. The module enables customized risk scoring with robust workflows, empowering organizations to track, manage, and address risks.

Seth added, "Our breakthrough compliance automation solution sets a new standard for organizations with complex environments and multiple compliance frameworks on the path to continuous, automated compliance."

**About Coalfire**

The world's leading organizations – including the top five cloud service providers and leaders in financial services, healthcare, and retail – trust Coalfire to elevate their cyber programs and secure the future of their business. Number one in compliance, FedRAMP®, and cloud penetration testing, Coalfire is the world's largest firm dedicated to cybersecurity, providing unparalleled technology-enabled professional and managed services. To learn more, visit Coalfire.com.

**About anecdotes**

anecdotes is the leading technology provider for Compliance leaders. Powered by data, the anecdotes Compliance Operating System (OS) transforms security Compliance from a box-ticking exercise into a powerful driver of growth. With a variety of applications powered by verified data, Compliance leaders as well as advisory firms and auditors, can turn manual, time-consuming, and siloed tasks into an automated, continuous, and strategic Compliance program. That's why some of the world's fastest growing brands - Unity, TripActions, Amplitude, Babylon and more - use anecdotes. For more information, visit anecdotes.ai.

Coalfire Compliance Essentials Optimized for Automated Evidence Collection

**TEL AVIV, Israel****,** **Feb. 7, 2023** **/PRNewswire/ --** ARMO, creator of open-source Kubernetes security platform Kubescape, announced today that it has integrated ChatGPT's generative AI into ARMO Platform. With ARMO Custom Controls powered by ChatGPT, users can quickly build custom controls based on Open Policy Agent (OPA) to solve their unique security needs. They can then run them to ensure their Kubernetes clusters and CI/CD pipelines are secure, correctly configured and compliant with security policies.

Open Policy Agent (OPA) provides a standard for security policies, which can be constructed using the Rego declarative language. However, Rego is not a widely known language and using it can be complicated and confusing.

ARMO Custom Controls pre-trains ChatGPT with security and compliance Regos and additional context, utilizing and harnessing the power of AI to produce custom made controls requested via natural language. The user gets the completed OPA rule produced by ChatGPT, as well as a natural language description of the rule and a suggested remediation to fix the failed control — quickly, simply and with no need to learn a new language.

Users can then run the new AI-generated control locally to use it live, and will soon be able to save and run it as an ARMO Platform custom control. Custom controls can also be submitted as pull requests to Kubescape's public regolibrary, contributing them to the community so that all Kubescape users can benefit from them.

"We realized that Kubernetes custom controls are a perfect use-case for generative AI," said Shauli Rozen, co-founder and CEO of ARMO. "By giving ChatGPT some important background and context first, ARMO Platform users can harness it to create custom controls and policies in seconds, complete with descriptions and suggested remediations. Users can focus on securing their Kubernetes environments and not on learning new code languages and tools. We look forward to building on new technology like ChatGPT as part of ARMO's mission to make Kubernetes security simple, easy and transparent."

To try ARMO Custom Controls powered by chatGPT, sign up to ARMO Platform for free.

Read more here 

**About ARMO**

ARMO, the creator of Kubescape, is on a mission to create an end-to-end Kubernetes security platform, powered by open source. We cover all Kubernetes security issues without adding to engineers' burden. Our products enforce organizational security and compliance policies without slowing down the business.

ARMO focuses solely on open source based CI/CD & Kubernetes security, allowing organizations to be fully compliant and secure from code to production. Our solution makes security simple and frictionless for DevOps and is embraced by security.

ARMO Platform is the enterprise solution based on Kubescape. It's a multi-cloud Kubernetes and CI/CD security single pane of glass. Features include: risk analysis, security compliance, misconfiguration and image vulnerability scanning, RBAC visualization.

Kubescape is an open-source Kubernetes security platform. It includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.

Source

DARKReading