A complete bypass of the Kyverno security mechanism for container image imports allows cyberattackers to completely take over a Kubernetes pod to steal data and inject malware.

A high-severity security vulnerability in the Kyverno admission controller for container images could allow malicious actors to import a raft of nefarious code into cloud production environments.

The Kyverno admission controller offers a signature-verification mechanism designed to ensure that only signed, validated container images are being pulled into a given Kubernetes cluster. This can ward off any number of bad outcomes, given that boobytrapped container images can contain payloads as varied as cryptominers, rootkits, exploit kits for container escape and lateral movement, credential stealers, and more.

However, the bug (CVE-2022-47633) can be exploited to subvert that mechanism. "The vulnerability enables an attacker … to inject unsigned images into the protected cluster, bypassing the image verification policy," explained researchers at ARMO, in a blog post on Dec. 21. The stakes are high: The attacker can effectively take control of a victim’s pod and use all of its assets and credentials, including the service account token to access the API server, they warned.

"The vulnerability enables a complete bypass of image signature verification. In the case of a Kubernetes cluster, this gives an attack a wide range of targets. Any workload can mount cluster secrets and data volumes," Ben Hirschberg, CTO and co-founder of ARMO, tells Dark Reading. "This means the attacker can inject code that can steal data and credentials from the Kubernetes cluster of the victim. This also enables the attacker to inject his/her own code and use the CPU of the victim for things like cryptocurrency mining."

**Inside the Bug: Subverting the Container Admission Controller**

When a new workload, defined via an image with a tag, is requested from a Kubernetes API server, the API server asks the Kyverno admission controller to validate the new workload. To determine whether a workload can be admitted to the cluster, the admission controller requests the image manifest and a signature from the container registry.

If they check out, the image gets the green light, and the container runtime starts a new workload based on said image.

The vulnerability arises because the controller's signature validation process downloads the image manifest twice — but only verifies a signature for one of the downloads, according to the advisory.

Thus, the attack looks like this: An administrator is social-engineered into pulling a container image from a malicious registry or proxy. When the image is first imported, the malicious registry returns a valid, benign, signed image to the admission controller. So far, so good.

However, then the admission controller requests the manifest of the signed image for a second time, to get the digest for mutation — i.e., to update the container's human-readable tag. This time, no signing validation occurs, allowing the malicious registry to return a different, unsigned and malicious image, which is ultimately the one that is spun up and run.

"This is a classic example of a \[time-of-check-to-time-of-use\] TOCTOU problem that allows the attacker to pull a bait-and-switch," according to ARMO's analysis. "Since the image manifest which will eventually be used is not the same as the one which was verified, this enables the attacker to trick the client."

The vulnerability was introduced in version 1.8.3 and was fixed in version 1.8.5; Kyverno users should update as soon as possible. The patch ensures that the same image hash is used to change the workload specification as was used to verify the signature.

This specific vulnerability affects only Kubernetes with Kyverno, but other image signature verification tools need to take care not to be vulnerable to the same method, Hirschberg warned.

**Social Engineering a Malicious Container Attack**

To carry out a real-world attack, threat actors can use either compromised accounts on existing registries to host malicious images, or they can establish their own private container registry and then set about convincing an admin to trust it.

From a practical standpoint, "creating a malicious registry for an experienced attacker is not a challenge," Hirschberg says. "An attacker can take any open source registry software, make some minor modifications to make the attack work, and run it in the cloud under a custom domain."

The next step is to convince an admin to trust the malicious container, which is also not that difficult. Container images from third parties are often used to spin up ready-made applications, in much the same way that app developers source prebuilt code blocks from open repositories like npm — the idea is to not have to reinvent the wheel for common functions and utilities.

Hirschberg notes that only a fraction of Kubernetes users have strictures on where they can pull container workloads from, so cloud admins are not likely to be immediately on their guard when it comes to using third-party registries — particularly if they have image signature verification in place.

"The attacker could go phishing and publish in multiple forums a notification that there is a new version of software XYZ, and here are the Kubernetes YAML or Helm to run it," he explains. "Since some people feel protected by image signature verification, their guard would be down and would not be afraid to run the image."

**Container Security: A Rising Concern**

Containers are a good target for cybercriminals because they mostly run in the cloud with access to plenty of computational resources, which are precious and expensive, Hirschberg points out — so, this enables attackers to steal computational resources and data, while also going unnoticed for a relatively long period of time.

"We don’t have exact statistics, but it is very clear that with the wide adoption of containers, this is becoming a more prevalent issue," he says. "Security teams are learning how to handle them, and Kubernetes in general. I don't think that it is a true 'blind spot,' but container security teams are still learning the whole environment with many neglected areas."

With the adoption of image signature verification still in its early stages, admission controllers represent one of those potentially neglected areas. But they're also part of a broader conversation about supply chain software security, that should be put in the spotlight.

"The SolarWinds attack showed the world how sensitive this issue is when it comes to trusting the security of external code," Hirschberg says. "Kyverno is among the first security tools to implement signature validation, and with new features can come new bugs. Hopefully, this finding makes this a more secure mechanism and will help the industry to overcome the problem of verifying software in Kubernetes."

Container Verification Bug Allows Malicious Images to Cloud Up Kubernetes

The follow-on attack from August's source-code breach could fuel future campaigns against LastPass customers.

LastPass has issued a statement acknowledging that a recent cyberattack has resulted in the theft of customer data, in addition to offering cybercrooks access to encrypted customer vaults.

The attack was a follow-on from a previous breach in August that resulted in the theft of the LastPass source code.

"To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," the company statement said.

LastPass added that a backup copy of encrypted customer vault data was also stolen, including website usernames, passwords, secure notes, and form-filled data.

The company warns customers to be on the lookout for phishing, credential stuffing, and brute-force attacks as a result of the compromise.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

LastPass Cops to Massive Breach Including Customer Vault Data

Securing videoconferencing solutions is just one of many IT security challenges small businesses are facing, often with limited financial and human resources.

It's no secret that the acceleration of work-from-home and distributed workforce trends — infamously spurred on by the pandemic — has occurred in tandem with the rise of video communications and collaboration platforms, led by Zoom, Microsoft, and Cisco.

But given that videoconferencing now plays a critical role in how businesses interact with their employees, customers, clients, vendors, and others, these platforms carry significant potential security risks, researchers say.

Organizations use videoconferencing to discuss M&A, legal, military, healthcare, intellectual property and other topics, and even corporate strategies. A loss of that data could be catastrophic for a company, its employees, its clients, and its customers.

However, a recent Aite-Novarica Group report on videoconferencing security showed that 93% of IT professionals surveyed acknowledged security vulnerabilities and gaping risks in their videoconferencing solutions.

Among the most relevant risks is the lack of controlled access to conversations that could result in disruption, sabotage, compromise, or exposure of sensitive information, while use of nonsecure, outdated, or unpatched videoconferencing applications can expose security flaws.

"The risks include the potential for interruptions, unauthorized access, and perhaps most concerning, the opportunity for a bad actor to acquire sensitive information," says Craig Lurey, CTO and co-founder at Keeper Security.

**Threats Targeting Video Communications Platforms Multiply**

The use of videoconferencing software by remote workers makes it an easy target for various types of attacks in the wild. For instance, "Zoom-bombing" and other attacks came to the fore in the wake of the first work-from-home wave during the pandemic.

Other threats include DDoS attacks, according to the FBI's Internet Crime Report, and malware. In May, for instance, threat hunters discovered a vulnerability chain in Zoom's chat functionality that could be exploited to allow zero-click remote code execution (RCE).

Security firm Vectra also recently discovered a vulnerability in Microsoft Teams, which found that the platform stores authentication tokens unencrypted, allowing any user to access the secrets file without the need for special permissions. The weakness gives attackers the ability to move through a company’s network much more easily.

But while zero-day exploits and other high-profile attacks get a lot of attention, Mike Parkin, senior technical engineer at Vulcan Cyber points out that many, if not most, attacks still target the users.

"That usually means phishing emails or other social engineering attacks that lead to compromise, or business email compromise attacks that can lead to direct losses through fraud," he says.

**SMBs at Particular Risk From Videoconferencing Threats**

The risk is especially piquant for small and medium-sized businesses (SMBs), researchers say. This segment relied heavily on video collaboration to cut travel costs even before the pandemic, and now represents a class of superusers.

At the same time, SMBs may not have the security awareness or in-house expertise necessary to shore up their defenses. Parkin says SMBs often wrestle to implement and manage a proper cybersecurity program.

"That lack of resources can manifest in not knowing, or being able to implement, proper security on their videoconferencing usage," he says.

George Waller, co-founder and executive vice president of Zerify, agrees that SMBs typically don't have the financial and technical resources that larger companies have.

"Therefore, they are far more vulnerable to even the most basic attacks such as email, phishing and ransomware," he says. "Post-pandemic, many SMBs are still working with limited staff and budgets. Therefore, it's easier to trip them up and cause a devastating data breach."

Meanwhile, this sector often faces financial constraints that could make a cyberattack an extinction-level event. According to a recent IBM breach report, the average size of a data breach in the US is now $9.44 million, and 60% of small businesses go out of business within six months of a data breach.

"When cybercriminals steal sensitive, confidential, or classified data, they can make you pay a ransom to get it back," Waller explains. "They can also sell it to other nefarious people, who can use that data to embarrass or profit from your organization."

Unfortunately, amid the challenges, SMBs are often more of a target than they realize.

"While an attacker’s potential take is smaller, the effort is low, the risk is low, and SMB organizations often have less investment in cybersecurity than a larger organization," Parkin explains. "They can be particularly susceptible to ransomware and business email compromise attacks."

**2FA, Zero Trust Help Secure Video Conferencing**

Fortunately, there are some basic steps that businesses of any size can take to ensure the videoconferencing system they're using doesn't fall into the "low-hanging fruit" category for cybercriminals.

For one, they should ensure their platforms and apps offer two-factor authentication (2FA) for both the meeting creator as well as for the meeting participant, and make sure that login links cannot be shared; most videoconferencing platforms have such basic security features and offer advice on how to use them.

Ricardo Villadiego, CEO and founder of Lumu, says businesses for instance should enable security features such as ID and password and end-to-end encryption that allow SMBs to control access to conversations.

"Avoid repeating passwords, lock down microphones and speakers, and authenticate every user prior to entering a videoconference," he says. "Limit the kind of files and links that can be shared via videoconferencing tools, keep meeting recordings only accessible with a password, and don't discuss information that you wouldn't discuss over the telephone."

Waller adds that snooping on video calls via spyware is a threat that SMBs should be aware of, too.

"Make sure that your camera, microphone, and audio-out data streams are locked down and cannot be spied on with malware," he says. "Organizations should also use an anti-keylogging and anti-screen scraping technology and make sure that AV software is up to date."

Lurey, meanwhile, advises SMBs to protect videoconferencing platforms with a zero-trust security architecture that requires all users be authenticated, authorized, and continuously validated before they can access the application.

"Choose a provider wisely and check that it provides end-to-end encryption," he says. "Most major platforms do."

He adds that it's also imperative to configure the platform correctly by enabling built-in security capabilities and providing consistent enforcement to ensure those security features are never disabled.

Finally, Parkin advises that there are other vulnerabilities in some videoconferencing platforms that require specific steps to counter and stresses the importance of keeping the videoconferencing software up to date. Security teams should also proactively monitor network behavior for anomalous activity and make sure to read terms and conditions of the videoconferencing platform being used.

He adds that with a changing threat landscape, the challenge for SMBs in particular is finding the balance between defending against known threats, being positioned to stay ahead of emerging ones, and managing the risk specific to their environment.

"Small businesses are often resource restricted when it comes to cybersecurity, which means they need to be efficient with the resources they do have," he says. "But focusing on things like user education, which can deliver a lot of value for the investment, can help."

Videoconferencing Worries Grow, With SMBs in Cyberattack Crosshairs

APIs are key to cloud transformation, but two Google surveys find that cyberattacks targeting them are reaching a tipping point, even as general cloud security issues abound.

Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months.

According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies' use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots — with 40% of companies suffering an incident due to misconfiguration and a third coping with the latter two issues. 

Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but most companies — greater than 60% — discovered issues during the software development process, during application deployment, and by using real-time monitoring, according to the survey of more than 500 technology leaders.

Despite these issues, more than three-quarters (77%) have confidence that they will catch issues, saying they have the required API tools and solutions, says Vikas Anand, head of product for business application platforms at Google Cloud.

"There's a perception of confidence with existing tooling that isn’t matched by evidence," Anand says. "The landscape for security has changed — with the dramatic growth in API volume, APIs are the new battleground for application security."

The interest in Web APIs comes as companies have accelerated their digital transformations over the past two years following the business disruptions caused by the coronavirus pandemic. Nearly all (93%) of companies surveyed by Google in a second study of 770 technology leaders characterized their operations as based on "mostly cloud," up from 83% two years ago. 

In contrast, business decision-makers characterizing their operations as "mostly on-premises" dropped by half to 7%, from 16%, in the same time period.

    

Source: Google Cloud

By one estimate, API-related security incidents caused $12 billion to $23 billion in losses since 2020. And the attack surface is getting bigger: The average large company has three times the number of APIs — 15,600 — as a year ago.

**APIs: Key to Cloud Transformation**

While 46% of organizations surveyed reserved their use of APIs to only within their own organization, more than half (54%) allow partners, customers, and other external developer use the APIs as a way to spur third-party development, Google found.

"APIs are critical to application modernization and digital transformation because, along with microservices, they enable rapid delivery of new experiences to customers, while cutting the cost of development and maintenance," Google Cloud stated in its _"_The Digital Crunch Time: 2022 State of APIs and Applications" report.

Because APIs are critical to their digital transformation, companies have wisely prioritized API security investments, with 60% aiming to improve their ability to proactively identify security threats, and 57% adopting more security automation and orchestration, according to Google Cloud's second report, "API Security: Latest Insights & Key Trends." 

About half of companies also intend to expand their real-time monitoring of API servers and using artificial intelligence and machine learning (AI/ML) systems to better discover flaws and detect attacks.

"As organizations move from being reactionary to proactively addressing these threats, we’ll see AI/ML models become more widely adopted within security tooling," Anand says. "ML-based rules are the natural evolution of this — not just automating, but continuously learning from those experiences."

**API Maturity Brings Cloud Success**

Unsurprisingly, companies that have had more experience with APIs have also found more success with their transition to more cloud-native operations.

About a third of companies (34%) classified themselves as having a mature approach to APIs, pushing an API-first strategy across the organizations and using an API management platform. Those companies also had more success increasing efficiency, better collaboration, and improved agility, compared with organizations with lower API maturity. 

Google Cloud defined low-maturity organizations as those with siloed APIs, no centralized management of APIs, and perhaps an API gateway for security.

"Our study shows that mature API organizations are considerably ahead in their digital transformation efforts compared to low-maturity API organizations," according to the vendor. "Technology leaders already understand the value that APIs bring."

For companies moving to API-based application infrastructure, API security is considered the most significant component of an API program, with 66% of companies considering it important, according to Google's report. Other top concerns included API performance analytics and API governance.

"API security ultimately needs to be part of the overall end-to-end security strategy," Anand says. "Seamless integrations between all security products make enhancing the overall security value from your portfolio easier."

Google: With Cloud Comes APIs & Security Headaches

To stay safer, restrict access to data, monitor for breaches in the supply chain, track relevant data that is sold on the Dark Web, and implement best safety practices.

The danger of being hit by a ransomware attack is scary enough, but in many cases, criminals can still extort your business after the ransom has been paid and things have seemingly returned to normal. Double and even triple extortions are becoming increasingly common, with ransomware gangs now demanding additional payments to keep the private information captured in their attacks from being leaked. These added threats are driving up the collective cost of ransomware, which is forecast to reach $265 billion by 2031, according to some sources.

In traditional ransomware attacks, the attackers hijack and encrypt valuable data to force organizations to pay a ransom in exchange for the safe restoration of data and network functionality. CISOs have responded by adopting stronger cyber protections, such as creating secure offsite backups and segmenting their networks, and attackers have quickly evolved to subvert these methods. 

**One Extortion, Two Extortion, Three**

The cat-and-mouse game that is ransomware took an ugly turn over the past year or so as attackers realized the value that organizations put on not releasing their sensitive information publicly: The brand and reputation hit can sometimes be just as damaging as being locked out of files and systems. Capitalizing on this unfortunate reality, attackers began adding the threat of leaking sensitive data as a follow-up to successful or even unsuccessful ransomware attacks when organizations were able use backups to restore their systems.  

With double extortion being so successful, attackers figured: Why stop there? In cases of triple extortion, attackers threaten to release data about downstream partners and customers to extract additional ransom payments, potentially putting the initial organization at risk of lawsuits or fines.  

Some bad actors have even created a search function that allows victims to find leaked data about partners and clients as proof of the data's damaging value. A ransomware operation known as ALPHV/BlackCat may have started this trend in June, when cybercriminals posted a searchable database containing the data of nonpaying victims. The BlackCat gang went as far as to index the data repositories and give tips on how to best search for information, as if it was providing customer service. These kinds of leaks not only raise ransom costs for victims, but they send a clear message to those who think they are clever enough to avoid paying the ransom.

**Guarding Against Multiple Extortion Attempts**

For CISOs who want to become more proactive in safeguarding their organizations against such extortion events, the first step is monitoring for breaches within their supply chains and corporate relationships, while tracking relevant data that is sold on the Dark Web or released in breach dumps. 

Regular backup practices provide a strong initial defense against a standard ransomware attack, but backups alone are no longer enough. Because criminals have recognized that backups are a standard option to avoid payment, they will seek to corrupt the backups, in addition to threatening future leaks. This growing problem has created a need for offline backups and out-of-band incident communications: Any system connected during an incident — such as email — should no longer be trusted.  

The trouble with double or triple extortion attempts is that even if the initial pay-for-decryption ploy is unsuccessful (because an organization was able to use backups), the attackers may still gain access to sensitive data and threaten to leak it. These attacks highlight the need to prioritize the protection of the most critical data. 

**Best Practice Defenses**

The only true defense against double and triple extortion is ensuring that attackers don't get access to the most\-sensitive information.  

The top priority should be to categorize critical data so that when malicious actors do get past the first lines of defense, they can't steal the most valuable items in the vault. This oversight process involves restricting who has access to data and what tools directly interact with it. The fewer access points, the easier it is to secure the data.  

Some other best practices include:  

*   Understanding where your data lives and adopting solutions with near-real-time alerts that show when sensitive data is saved, transferred, or stored insecurely. When you focus your efforts to protect your most\-critical information, you help limit alert fatigue and keep a closer watch on exactly who and what interacts with that data.
*   Staying on top of the dynamic risks associated with new devices entering your network when employees get onboarded or when devices associated with former employees should have access or credentials removed.
*   Establishing a baseline understanding of "normal behavior" in your environment so you have a better sense when something untoward is afoot.

**Recommended Post-Breach Behavior**

If you still experience a breach, make sure you limit attackers' chances of accessing private data by:  

*   Vigilantly changing used passwords that may be associated with compromised systems. 
*   Verifying that breach information comes from a legitimate source, as compromised emails may seem official when they are, in fact, fraudulent.
*   Ensuring recovery efforts go beyond "wipe and reimage" to include thorough checks that find residual signs of compromise.

*   Identifying the initial access points that were breached to avoid reintroducing the attack vector during recovery efforts.

The crippling effects of a ransomware attack can be devastating for any business. But now the stakes are much higher due to the expanded attack surface that threatens a company's extended ecosystem of partners, customers, and investors. As a result, all organizations need to develop a game plan to defend their data and protect themselves not only from the initial ransomware attacks, but from double and triple ransomware ploys as well.

Fool Me Thrice? How to Avoid Double and Triple Ransomware Extortion

Vendors and operators attempt to balance power and security, but right now, power is the highest goal.

SUPERCOMPUTING 2022 — How do you keep the bad guys out of some of the world's fastest computers that store some of the most sensitive data?

That was a growing concern at last month's Supercomputing 2022 conference. Achieving the fastest system performance was a hot topic, like it is every year. But the pursuit of speed has come at the cost of securing some of these systems, which run critical workloads in science, weather modeling, economic forecasting, and national security.

Implementing security in the form of hardware or software typically involves a performance penalty, which slows down overall system performance and the output of computations. The push for more horsepower in supercomputing has made security an afterthought.

"For the most part, it's about high-performance computing. And sometimes some of these security mechanisms will reduce your performance because you are doing some checks and balances," says Jeff McVeigh, vice president and general manager of Super Compute Group at Intel.

"There's also a 'I want to make sure I'm getting the best possible performance, and if I can put in other mechanisms to control how this is being securely executed, I'll do that,'" McVeigh says.

**Security Needs Incentivizing**

Performance and data security is a constant tussle between the vendors selling the high-performance systems and the operators who are running the installation.

"Many vendors are reluctant to make these changes if the change negatively impacts the system performance," said Yang Guo, a computer scientist at the National Institutes for Standards and Technology (NIST), during a panel session at Supercomputing 2022.

The lack of enthusiasm for securing high-performance computing systems has prompted the US government to step in, with the NIST creating a working group to address the issue. Guo is leading the NIST HPC Working Group, which focuses on developing guidelines, blueprints, and safeguards for system and data security.

The HPC Working Group was created in January 2016 based on then-President Barack Obama's Executive Order 13702, which launched the National Strategic Computing Initiative. The group's activity picked up after a spate of attacks on supercomputers in Europe, some of which were involved in COVID-19 research.

**HPC Security Is Complicated**

Security in high-performance computing is not as simple as installing antivirus and scanning emails, Guo said.

High-performance computers are shared resources, with researchers booking time and connecting into systems to conduct calculations and simulations. Security requirements will vary based on HPC architectures, some of which may prioritize access control, or hardware like storage, faster CPUs, or more memory for calculations. The top focus is on securing the container and sanitizing computing nodes that pertain to projects on HPC, Guo said.

Government agencies dealing in top-secret data take a Fort Knox-style approach to secure systems by cutting off regular network or wireless access. The "air-gapped" approach helps ensure that malware does not invade the system, and that only authorized users with clearance have access to such systems.

Universities also host supercomputers, which are accessible to students and academics conducting scientific research. Administrators of these systems in many cases have limited control over security, which is managed by system vendors who want bragging rights for building the world's fastest computers.

When you place management of the systems in the hand of vendors, they will prioritize guaranteeing certain performance capabilities, said Rickey Gregg, cybersecurity program manager at the US Department of Defense's High Performance Computing Modernization Program, during the panel.

"One of the things that I was educated on many years ago was that the more money we spend on security, the less money we have for performance. We are trying to make sure that we have this balance," Gregg said.

During a question-and answer session following the panel, some system administrators expressed frustration at vendor contracts that prioritize performance in the system and deprioritize security. The system administrators said that implementing homegrown security technologies would amount to breach of contract with the vendor. That kept their system exposed.

Some panelists said that contracts could be tweaked with language in which vendors hand over security to on-site staff after a certain period of time.

**Different Approaches to Security**

The SC show floor hosted government agencies, universities, and vendors talking about supercomputing. The conversations about security were mostly behind closed doors, but the nature of supercomputing installations provided a birds-eye view of the various approaches to securing systems.

At the booth of the University of Texas at Austin's Texas Advanced Computing Center (TACC), which hosts multiple supercomputers in the Top500 list of the world's fastest supercomputers, the focus was on performance and software. TACC supercomputers get scanned regularly, and the center has tools in place to prevent invasions and two-factor authentication to authorize legit users, representatives said.

The Department of Defense has more of a "walled garden" approach, with users, workloads, and supercomputing resources segmented into a DMZ-stye border area with heavy protections and monitoring of all communications.

The Massachusetts Institute of Technology (MIT) is taking a zero-trust approach to system security by getting rid of root access. Instead it uses a command line entry called sudo to provide root privilege to HPC engineers. The sudo command provides a trail of activities HPC engineers undertake on the system, said Albert Reuther, senior staff member in the MIT Lincoln Laboratory Supercomputing Center, during the panel discussion.

"What we're really after is that auditing of who is at the keyboard, who was that person," Reuther said.

**Improving Security at the Vendor Level**

The general approach to high-performance computing has not changed in decades, with a heavy reliance on giant on-site installations with interconnected racks. That is in sharp contrast to the commercial computing market, which is moving offsite and to the cloud. Participants at the show expressed concerns about data security once it leaves on-premises systems.

AWS is trying to modernize HPC by bringing it to the cloud, which can scale up performance on demand while maintaining a higher level of security. In November, the company introduced HPC7g, a set of cloud instances for high-performance computing on Elastic Compute Cloud (EC2). EC2 employs a special controller called Nitro V5 that provides a confidential computing layer to protect data as it is stored, processed, or in transit.

"We use various hardware additions to typical platforms to manage things like security, access controls, network encapsulation, and encryption," said Lowell Wofford, AWS principal specialist solution architect for high performance computing, during the panel. He added that hardware techniques provide both the security and bare-metal performance in virtual machines.

Intel is building confidential computing features like Software Guard Extensions (SGX), a locked enclave for program execution, into its fastest server chips. According to Intel's McVeigh, a lackadaisical approach by operators is prompting the chip maker to jump ahead in securing high-performance systems.

"I remember when security wasn't important in Windows. And then they realized 'If we make this exposed and every time anyone does anything, they're going to worry about their credit card information being stolen,'" McVeigh said. "So there is a lot of effort there. I think the same things need to apply \[in HPC\]."

Security Is a Second-Class Citizen in High-Performance Computing

What is the worst that can happen when a developer's machine is compromised? Depending on the developer's position, attackers gain access to nearly everything: SSH keys, credentials, access to CI/CD pipelines and production infrastructure, the works.

**Question: What kind of data can an attacker steal after compromising a developer?**

**Louis Lang, security researcher, CTO of Phylum**: We have spent a long time convincing people they shouldn’t open email attachments from unknown senders. We have spent considerably less time convincing the wider developer community that installing packages from unknown sources is a terrible idea.

While phishing campaigns remain effective, they often land the attacker in some unrelated part of the organization and still require a pivot to the final target. Supply chain attacks cut to the heart of the organization, compromising the developer and their privileged accesses. In some cases, like typosquatting and dependency confusion, these attacks are carried out without direct communication between the attacker and the developer. There is no email attachment to open since the developer willingly pulls in the code (which contains the malware).

So what can an attacker steal if they compromise a developer? Depending on the developer's position, nearly everything. Assuming a compromise has occurred, in the absolute best case, the attacker may have gained access to a junior engineer's machine. We’d expect this engineer to, at the very least, have commit access to source code. If the organization has poor software engineering practices (e.g., no code reviews and no limits on who can commit to the main branch), the attacker has free reign to modify the organization's source code at will; to modify and infect the product that you ship to customers.

In the worst and equally likely case, the attacker will gain access to a senior developer with more privileges. This developer will have access to source code, SSH keys, secrets, credentials, CI/CD pipelines, and production infrastructure and likely the ability to bypass certain code checks. This scenario, where this kind of an engineer is compromised, would be devastating for an organization.

This is not hypothetical, either. Malware packages are routinely being published into open-source ecosystems. Nearly all of this malware is tailor-made to exfiltrate credentials and other files deemed sensitive or important. In more recent campaigns, attackers have even attempted to drop ransomware directly onto developer machines as a way to extort cryptocurrency from the organization.

Software developers sit in a privileged position in any technical organization. With their upstream access to the products shipped to customers and access to production systems and infrastructure, they are the lynchpin in any modern organization. A failure to defend the developer is a failure of the security organization as a whole and could lead to catastrophic consequences.

What Kind of Data Gets Stolen When a Developer is Compromised?

Tech Insight report co-produced by Black Hat, Dark Reading, and Omdia examines how cloud security is evolving in a rapid race to beat threat actors to the (cloud) breach.

Cloud services are facing their first real security litmus test since the pandemic's 2020 arrival accelerated cloud adoption. A new category of security flaws and risks in cloud services since has emerged, raising the stakes for providers and adopters alike.

Thankfully cyberattacks targeting the cloud remain rare so far, with mainly cryptojacking campaigns exploiting misconfigured cloud-account settings in order to siphon computing power for monetization. But with security researchers now regularly unearthing new security flaws and weak default security settings in some of the biggest cloud provider services, it's only a matter of time when the attacks become more disruptive and destructive.

Cloud-specific security tools such as cloud workload protection plat­forms (CWPP) for detection and response and cloud security posture management (CSPM) for proactive security are emerging and maturing, as are the security features and functions cloud providers such as Amazon and Microsoft now include in their services.

A newly published report co-authored by Black Hat, Dark Reading, and Omdia, called "The Promise and Reality of Cloud Security," examines the key challenges — and opportunities — for securing cloud services and accounts.

Read the full (free) report, which draws from Black Hat research, Dark Reading reporting, and Omdia research and analysis.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Brand of Security Threats Surface in the Cloud

"Largest attack of its kind": A potent Southeast Asian e-commerce fraud ring has declared war on US retailers, targeting billions in goods in just the past month and forcing mules into its scheme.

Fraud rings don't have to fuss with all the mundane details of running a business — the scam _is_ the business.

It's that tidy business model that has enabled a new e-commerce threat group to leave its mark in November with what one researcher calls the largest attack of its kind in the past 20 years.

And they're just getting started.

The particularly prolific Southeast Asian-based e-commerce threat group has been able to build up a sophisticated operation stacked with data science, fraud detection, online payments, and e-commerce expertise that so far has enabled them to rip off an estimated $660 million in stolen laptops, cell phones, computer chips, gaming devices, and more in November, according to a new report from Signifyd researchers.

The threat actors use stolen credentials and account takeover to place orders from unsuspecting consumers' accounts, often using stored payment methods. Then, they re-ship them to Asia for repackaging and resale at a premium. According to a tandem report earlier this month on the ring, the group uses mules to do the dirty work of reshipment, often under duress.

"Additionally, if the MSHT (Modern Slavery & Human Trafficking) connections that have appeared can be confirmed, this fraud ring also manipulates people to coerce them to become part of the attack," according to that analysis, from Chargelytics Consulting.

In all, the group targeted a massive $3.3 billion worth of e-commerce merchandise during November, the busiest shopping month of the year, according Signifyd's team, which has been following the group's illicit activities for more than a year.

**Holiday Season Scam 'War'**

"What was unique about this fraud ring was that they revved up really quickly. They're fast and strong," said Ping Li, Signifyd vice president of risk and chargeback operations at Signifyd, in its report this week. "They probably had been preparing for it for a long time, and then they launched a war just before our holiday season."

Li, who has studied how to stop e-commerce fraud for two decades, ranks this attack as the most dangerous she's ever seen, because of its ability to attempt large numbers of fraudulent transactions per minute, which in one case Signifyd analysts observed kept up for a full day.

"Normally, when we see an attack on one merchant, the attack has its own characteristics. And then you see a very different kind of attack on another merchant," Li said. "But this one is just universal. It's everywhere. This is the first time I have seen an attack of this size and scale in our network."

The scammers are also apparently not concerned about being caught. "They kind of leave their signature," Li said. "They are not really trying to hide. It's like, 'Catch me if you can.'"

**Excellence in E-Commerce Fraud**

Besides the operation being stacked with technology know-how, Michael Pezely, Signifyd's director of risk intelligence, tells Dark Reading that the e-commerce threat group has sheer speed and volume of scam transactions on its side.

"E-commerce orders — particularly at the enterprise level — arrive at dizzying speed," Pezely says. "Signifyd, for instance, processed as much as $42 million an hour in orders during Cyber Week. It would be virtually impossible for a human team to review that volume of orders for signs of fraud."

Pezely added that merchants are on the lookout for goods being shipped to a foreign country, but this group of scammers places orders that appear to originate from the US and ship to US addresses.

"Furthermore, if a merchant is relying on only its own transaction data, there likely will be a lag between the time a fraud attack begins and when it is recognized," Pezely explains. "Without having the benefit of seeing millions of transactions across thousands of merchants, a novel fraud attack might not be in plain sight for some time."

**Automation Is Part of the Answer**

His recommendation to e-commerce security teams is that they need to rely on a combination of automation and machine learning informed by patterns across the broader online retail sector.

"And so, automation is part of the answer — in particular, machine learning solutions that are able to recognize patterns and associate them with known bad actors and bad events, while constantly improving their performance to suppress new attacks," Pezely explains.

He adds, "To be effective, teams also need to rely on large networks of many merchants, which provide the transaction intelligence that allows machine learning models to identify attack patterns at one merchant and adjust protection across the network to avoid losses among other merchants on the network."

Once the models are created, it's up to human expertise to put the data together and create a plan for cyber-defense.

Merchants would do well to get ahead of the threat, given the billions of dollars in goods already in the crosshairs of this lone e-commerce fraud ring, Pezely advises.

"Given that a fraud ring's cost of inventory is zero, there is plenty of room to plot future endeavors," he says.

Inside the Next-Level Fraud Ring Scamming Billions Off Holiday Retailers

The new law holds the US Office of Budget and Management to a road map for transitioning federal systems to NIST-approved PQC.

On Dec. 21, the US government's plan for transitioning to post-quantum cryptography became law, committing the Office of Management and Budget (OMB) to scope out compliance with the recent NIST guidelines.

US President Joe Biden signed into law HR 7535, the Quantum Computing Cybersecurity Preparedness Act, which has two main components. First, the OMB is required to "prioritize" the switchover to PQC within a year of NIST issuing its new guidelines. That means that by July 5, 2023, OMB should begin moving toward implementing the NIST-approved cryptographic algorithms to protect systems in the executive branch.

The second component of the new law gives the OMB one year from the signing of the bill — so, by Dec. 21, 2023 — to send Congress a report outlining its strategy, asking for funds for the transition to quantum-safe systems, and detailing its efforts to coordinate with international standards organizations and other consortia.

The OMB issued a memorandum on Nov. 18 for agencies to run an audit of systems vulnerable to cryptanalytically relevant quantum computers (CRQCs) by May 4, 2023, which should help the agency reach its deadlines. That memo comports with Biden's national security memorandum from the year before that "directs specific actions for agencies to take as the United States begins the multi-year process of migrating vulnerable computer systems to quantum-resistant cryptography."

Quantum computers will need to become more powerful in order to break current cryptography, but it's not just power that makes CRQCs a threat. Shor's algorithm, which is specific to quantum computing, creates a shortcut that makes decrypting most existing encryption much easier.

The new law also gives the OMB six months from its signing to work with the National Cyber Director and the director of the Cybersecurity and Infrastructure Security Agency (CISA) to "issue guidance on the migration of information technology to post-quantum cryptography." 

The OMB may be working on that with acting cyber director Kemba Eneas Walden, however, since the current director, Chris Inglis, announced on Wednesday that he will be stepping down within the next two months.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading