Cyberattackers focused on ad fraud and clickjacking stole millions during Black Friday by hijacking shopper accounts and tying up transactions.

Online fraudsters posing as consumers likely siphoned off more than $360 million from the marketing budgets of online businesses by generating fake clicks during Black Friday, while 20% of visits to retail sites on Cyber Monday were bots posing as shoppers and not humans, Web security firms said this week.

The surge in fraud included techniques such ad injection, search engine redirects, and affiliate fraud — and shows the trouble that cybercriminal automation such as bots can cause for online commerce providers. The increase in fraud matched the annual upswing of US holiday sales that start the week of Thanksgiving though the following Monday, also known as Cyber Monday. Overall, online retailers saw a nearly 12% increase in sales during November and a 2.3% increase in purchases on Black Friday.

The lockstep growth of sales and fraud underscores the opportunistic nature of attackers, says Guy Tytunovich, CEO of Cheq.

"Fraud is always there, but it is very seasonal in terms of peak times," he says. "\[The trigger\] could be anything — it could be political, like an election, or it could be like Black Friday or Cyber Monday."

Fraudsters have had a significant impact on online businesses, according to data provided to Dark Reading by Cheq and online network-services provider Akamai. By donning the disguise of legitimate consumers, bots can cost advertisers and retailers real money on marketing — typically a loss of 10% to 15% — that is not being seen by human eyes. In addition, bots can be used to buy out popular items, enable credit card fraud, and tie up inventory.

The largest cost to businesses comes during peak times. During the peak on Cyber Monday, consumers spend $12 million every minute, according to Adobe, which collects information on consumer activity. Yet 46 million of those shoppers were bots, leading to $368 million in fake clicks on retail ads, Cheq estimates.

About 20% of sessions overall are "being distorted" because of something happening on the client side, says Patrick Sullivan, chief technology officer for security strategy at Akamai. While businesses tend to focus on attacks against their own infrastructure — the server side — they pay less attention to what is going on with visitors' systems and browsers, he says.

"In general, we've seen over the last five years that no longer can security be focused on the crown jewels just being on the server side," Sullivan says. "Across a number of industries, we see attackers more focused on the client side. We've seen supply chain attacks where the fraudsters gain control of the javascript running on the client side, for example."

**Scalper Bots & Denial-of-Inventory Attacks**

One major fraud scheme enabled by client-side bots are scalper bots/sneaker bots — automated programs running on clients that scrape retailers' sites looking to buy particularly popular items, sometimes purchasing the items with stolen credit cards, says Cheq's Tytunovich.

While credit card fraud continues to be a significant concern for retailers, the increase in attacks that deplete inventory or make inventory unavailable to legitimate buyers is more worrisome, he says.

"While they are not as malicious as other \[cyberattacks\], retailers are extremely scared about scalper bots," he says. "The bots that are wholly aimed at getting those Jordan Ones or PlayStation 5s or whatever, and get the entire stock."

Another major inventory-impacting attack are bots that abandon shopping carts, which typically puts a hold of 10 to 15 minutes on an items — a small amount, but one that can add up quickly with the intensity that only automation can provide. These denial-of-inventory attacks can cause chaos with retailers' visibility into the state of their stocks, Akamai's Sullivan says.

"There are certain industries that almost engineer scarcity — they want people to queue up for sneakers or handbags — but now we have seen it across multiple industries — groups that have traditionally never seen that," he says. "Because of the supply chain issues now, a lot more industries are impacted by these inventory-grabbing bots out there."

**Unwanted, But Legitimate**

However, most of the invalid traffic, or IVT, that companies such as Akamai and Cheq track are not necessarily fraud, but just unwanted by retailers.

In many cases, the influx of non-human traffic included user-installed price-comparison tools, such as Honey and Rakuten, which retailers might prefer that their visitors did not use, but which are not fraudulent nor malicious. In the US during Cyber Week, for example, retailers saw 25% to 30% more sessions that used browser extensions for price comparison, Akamai stated.

Yet such traffic also skews retailers' understand of consumer demand, which can lead to inefficiencies, according to Cheq. Unique site visits are increased by 22% by automated traffic, while sessions duration can dive 41% and the number of new users overestimated by 21%, the company found.

Fraudsters Siphon $360M From Retailers Using 50M Fake Shoppers

Out of more than 80 flaws fixed this month, the most critical was a system component bug that could allow RCE over Bluetooth.

Android's Framework, Kernel, and Google Play were among components that received security updates this month, but the most severe was a critical bug in the System component that, if exploited, could allow remote code execution (RCE) over Bluetooth, without any escalation privileges required. 

In addition to the System vulnerability, tracked under CVE-2022-20411, there are three additional critical flaws addressed by Android this month, including an ID bug in the System component (CVE-2022-20498) and two critical RCE bugs in the Framework component (CVE-2022, 20472 and CVE-2022-20473). 

In total, the Android security update addressed more than 80 vulnerabilities. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Android Serves Up a Slew of Security Updates, 4 Critical

At AWS re:Invent last week, the cloud giant previewed security services including Amazon Security Lake for security telemetry, Verified Permissions for developers, and a VPN bypass service.

Cloud threats will continue to grow and proliferate in 2023, but organizations can meet the challenges head-on with the right security fundamentals in place, Amazon Web Services CISO CJ Moses said during AWS re:Invent 2022 conference last week.

Malicious activity is on the rise: The volume of DDoS events in AWS between January and September of this year rose 35% compared with the same period in 2021. AWS saw a 256% increase in compromised instances compared with the fourth quarter of 2021.

AWS unveiled new security tools to help enterprise security teams with analyzing security telemetry, permissions management, and key management.

**Gathering Threat Telemetry**

First up was Amazon Security Lake to manage threat intelligence data. AWS CEO Adam Selipsky said Amazon Security Lake would allow organizations to gather security telemetry and data from many sources, clean it up, and make it accessible for analysis. The challenge lies in the fact that security data exists in multiple formats. The new Open Cybersecurity Schema Framework standard, announced last August during Black Hat USA, can be used to normalize security logs and events data across a wide range of products and services, Selipsky said.

Asked whether supporting OCSF members have conducted comprehensive interoperability tests or certification efforts, Splunk distinguished engineer Paul Agbabian explained to Dark Reading how the data is normalized. 

"For an event class to be considered in OCSF, there must be a real implementation of the class via one of the member's example logs," he said. "In addition, OCSF uses a server that can test each implementation of the schema for validation, which includes showing notable errors and violations."

"Increasing threats and risks continue driving the shift to the cloud, where security will be built into everything organizations do up and down their technology stack and across their teams," Moses said. "More and more security can be thought of as a data science problem."

AWS said FINRA, Salesforce, and Tinder are the first customers using Amazon Security Lake. Fernando Montenegro, a senior principal analyst at Omdia, said Amazon Security Lake was the most significant new security offering announced at last week's conference.

"Security Lake is obviously notable as it addresses some of the security 'undifferentiated heavy lifting' that AWS likes to address," Montenegro told Dark Reading. "It's still early, but the expectation is that it can help simplify security analytics at scale. The use of the OCSF standard is also notable, as it can herald easier data integration even outside of AWS environments."

**Verified Permissions for Developers**

A preview of Amazon Verified Permissions is now available, which Moses described as a scalable, fine-grained permissions management and authorization service for custom applications. 

"It gives developers a consistent way to define and manage fine-grained permissions across applications, simplifies changing permission roles without a need to change code, while also improving visibility to permissions," he explained.

Amazon Verified Permissions gives application administrators "a comprehensive audit capability that scales millions of policies using automated reasoning," Moses added. "Authorization requests running through Amazon Verified Permissions are evaluated in milliseconds to provide dynamic real-time decisions."

**Remote Access Without a VPN**

Amazon also released the preview of AWS Verified Access, a new connectivity service that provides secure remote access to corporate applications without requiring a VPN. According to AWS, the new service only grants access to applications if users and their devices meet defined security requirements.

AWS noted that Verified Access validates each application request, regardless of user or network, before granting access. 

"AWS Verified Access should help with the burden of accessing AWS resources in a 'zero trust' manner,'" Omdia's Montenegro said.

**External Key Store (XKS) for AWS KMS**

Amazon also announced its AWS Digital Sovereignty Pledge, which the company describes "as its commitment to offering all AWS customers the most advanced set of sovereignty controls and features available in the cloud."

Previously, customers have had to choose between "the full power of AWS and a feature-limited sovereign cloud solution that could hamper their ability to innovate, transform, and grow. We firmly believe that customers shouldn't have to make this choice," explained AWS senior VP Matt Garman in a blog post.

Effectively, AWS is promising to enable its complete offerings to maintain the growing set of digital sovereignty industry and regional regulations. Moses said the new External Key Store (XKS) for the AWS Key Management Service (KMS) supports the pledge because it lets organizations store and utilize their encryption keys outside of AWS.

"Customers can now store AWS KMS customer-managed keys outside of AWS on hardware security modules, whether they operate on-premises or anywhere else they would like to do so," he said. "XKS supports all the critical features of KMS and works with the over 100 AWS services that already integrate with KMS customer keys."

A user can encrypt data with external keys for most AWS services that support AWS KMS customer-managed keys, including Amazon EBS, AWS Lambda, Amazon S3, Amazon DynamoDB, and over 100 more services. The external key store forwards API calls to securely connect with a customer's hardware security module (HSM). According to an AWS blog post, the data describing the key never leaves the HSM.

Key Security Announcements From AWS re:Invent 2022

Cybercrooks allegedly stole personal data, used it to file IRS tax documents, and routed refunds to bank accounts under their control.

Three Nigerian nationals and one UK citizen are facing extradition to the US following their recent arrest for cybercrimes related to a tax refund scam. 

The Department of Justice unsealed indictments of Akinola Taylor, Olayemi Adafin, Olakunle Oyebanjo, and Kazeem Olanrewaju Runsewe, who are accused of breaching US company servers, stealing personal information, and using that data to file fraudulent Internal Revenue Service (IRS) tax documents and collect refunds. 

The group, on at least once occasion, used cybercrime forum xDedic Marketplace to purchase access to compromised servers and users all over the world, which were then leveraged to steal enough information on US citizens to file false tax returns, the DoJ said. The four men would allegedly direct the returns to accounts under their control and convert the proceeds to purchase prepaid debit cards for their use. 

"Adafin and Oyebanjo assisted in the collection fraud proceeds directed to prepaid debit cards in their possession or to addresses or bank accounts they controlled or to which they had access and transferred a share of the fraud proceeds to other conspirators," according to the DoJ announcement. 

If convicted, each will face a maximum penalty of up to 20 years in prison, the DoJ said. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

4 Arrested for Filing Fake Tax Returns With Stolen Data

Learn how BOD 23-01 asset inventory mandates can help all organizations tighten cybersecurity.

Do you know what IT devices are in your business or on your network right now? If not, you may have cybercriminals _and_ the White House knocking on your door very soon.

Binding Operational Directive 23-01, or BOD 23-01, is a new directive from the US Cybersecurity and Infrastructure Security Agency (CISA) that orders federal agencies to keep track of their IT assets and any vulnerabilities on their networks. The guidance is designed to improve the way systems are tracked, managed, and protected against unauthorized access and attacks such as ransomware.

**What Is BOD 23-01?**

The wide-ranging BOD 23-01 cybersecurity directive orders all US Federal Civilian Executive Branch (FCEB) agencies to create a complete and accurate inventory of all software assets. The intention of the new directive is to prevent situations such as the 2020 SolarWinds attack, in which several government agencies and organizations were compromised by malicious code injected into software systems.

BOD 23-01 also is designed to make federal civilian agencies more accountable for their own systems and what resides on their networks, as well as for any cyber breaches or attacks on their systems. The directive covers only federal civilian agencies in the US, but CISA also has urged the private sector and state governments to review and implement similar asset and vulnerability practices.

**What Issues Does BOD 23-01 Address?**

Threat actors continue to target critical infrastructure, networks, and devices to exploit weaknesses within unknown, unprotected, or under-protected assets. Previous and even current methods of preventing infiltration and attacks have had varying levels of success — hence, the need for another layer of protection.

At a basic level, businesses still aren’t tracking the devices and software beneath their own roof, with about one in three IT teams saying they don't actively track the software used by employees within the business.

The hope with the new directive is that, at minimum, agencies and government departments have access to an up-to-date inventory of assets. You can't protect what you can’t see, so by providing this visibility organizations will be one step ahead of the game.

Of course, there's no point in knowing what's under threat if you can't prevent or stop an attack.

The vast majority of companies are vulnerable to external attackers breaching their network perimeters and gaining access to sensitive data.

**What Does the Order Mean for IT Teams?**

The attack surface — the points of entry and vulnerabilities that serve as attack vectors — is expanding rapidly. New technologies, recent changes to implement remote and hybrid workplaces, and the BYOD model again gaining momentum are threatening to overpower IT teams, which is why new methods of cyber asset attack surface management (CAASM) are becoming vital in managing and protecting organizations.

For agencies looking to become compliant with the new directive, creating an IT asset inventory will be seen as a significant administrative challenge. We're talking about having to locate, identify, record, and report on potentially hundreds or thousands of pieces of hardware and software.

**Asset Visibility and Vulnerability Detection**

There are two key areas IT teams need to focus on: asset inventory and vulnerability scans. Together, these are seen as vital in gaining the visibility needed to protect federal organizations against outside threats.

By April 3, 2023, asset discovery scans will need to be run every seven days, while vulnerability assessments across those assets every 14 days. Agencies will also have to prove that they have the ability to run such tests on demand, with CISA requesting proof within 72 hours of receiving a written request.

If IT teams don’t have one already, they will need to create and maintain an up-to-date inventory of IT assets on their network, as well as identify vulnerabilities and share relevant information with CISA at regular intervals.

IT teams are already under pressure, and the only realistic and cost-effective way organizations can become compliant is to automate IT inventory. With new devices added on an almost daily basis and current tech needing to be constantly updated, it's virtually impossible to handle this manually.

Knowing what's on your network is necessary for any organization to reduce risk. In today's digital-first world, with more attack surfaces than ever before, taking stock of what you have is the first step in protecting and preventing the worst from taking place.

Will New CISA Guidelines Help Bolster Cyber Defenses?

Data protection company Piiano officially launches a vault for sensitive customer data, the first among a suite of privacy tools for developers.

**TEL AVIV, Israel, Dec. 07, 2022 (GLOBE NEWSWIRE)** — Piiano, a data protection company co-founded by celebrated security experts Gil Dabah, CEO and Ariel Shiftan, CTO, today announced the release of the Piiano Vault, a secure database for enterprises to safely store and use sensitive personal data and comply with evolving privacy regulations. Basic functionality is now available for free. Deployed directly in an enterprise’s own cloud environment, the Vault provides complete control over critical customer data and was designed to be the most secure database on the market.

Enterprises that collect sensitive data face mounting pressure to protect it and maintain customer privacy in the wake of high-profile data leaks and broadening regulations. Gartner findings demonstrate intensifying budgetary spending across data privacy and security by 14.2% and 16.9%, respectively. According to a survey conducted by Piiano on privacy best practices, 80% of companies now attempt to treat sensitive data differently, with 45% highly prioritizing Personal Identifiable Information (PII) protection.

However, operationalizing such practices at scale requires the involvement of developers tasked with embedding security into the very frameworks of their enterprise environments. This is an enormous undertaking, and many developers find themselves scrambling to retrofit privacy and security into existing environments and workflows. In most cases, such a feat requires companies to embark on a years-long, expensive development project even as the underlying risk grows and becomes a moving target. By contrast, Piiano intends to significantly accelerate such transformations and deliver unprecedented ROI on related initiatives.

As enterprise R&D outpaces security efforts, the safety and protection of customer data remains disorganized and consequently highly vulnerable to potential breaches. Piiano’s solution is based on embedding security and de-identifying data as part of product development. The company’s approach starts by isolating customer secrets and similar types of sensitive data in a separate, zero-trust vault. It is a best practice already exercised by large companies like Google, Netflix, USAA and JPMC. Both Dabah and Shiftan assert that keeping sensitive data separate and untouchable can all but nullify the true privacy risk.

“By centralizing sensitive data into one place with Piiano, developers can easily integrate with existing building blocks like field-level encryption, tokenization, masking, data retention and granular access control. Even more exciting are the major breakthroughs we’ve made in providing capabilities to search through encrypted data,” says Shiftan. “In this way, the Piiano Vault simplifies regulatory compliance by providing developers with out-of-the-box support for staples of GDPR and CCPA requirements, such as data subject access rights, consent, retention, minimization, traceability and more.”

In praise of Piiano’s approach, author of "Data Privacy: A Runbook for Engineers" and Piiano board advisor Nishant Bhajaria said, “Gil and Ariel’s groundbreaking technology has the potential to be an incredible service to enterprises in an age where the sale of stolen sensitive customer data has become so widespread and lucrative. I commend them for helping companies seamlessly incorporate privacy into day-to-day operations.”

For more information visit: https://piiano.com/pii-data-privacy-vault/

**About Piiano**

Piiano provides developer infrastructure to protect customer secrets and ensure their privacy — even in the event of a breach. Safely use and store sensitive data in our Vault and leverage our Scanner to quickly identify PII usages across source code for full visibility into your privacy issues. With Piiano’s building blocks, engineers and security leaders can save time, effort and resources while achieving secure and compliant applications.

Piiano Equips Developers to Stop Sensitive Data Breaches

A world of increasingly connected devices has created a vast attack surface for sophisticated adversaries.

The explosion in connected devices, ranging from the Internet of Things to networking devices and operational technology (collectively known as the Extended Internet of Things, or xIoT), has created a vast, diverse, and largely unmapped attack surface that sophisticated adversaries are actively exploiting.

This growing risk is reflected in many recent reports from companies like Microsoft, Intel 471, and Zscaler that have found a significant uptick in both targeted and untargeted attacks on these devices, with a high rate of malware infections.

However, these threats — particularly when they target IoT devices — are often misunderstood or dismissed, as companies tend to view them as less significant than a traditional network attack. Part of the reason for this is the mistaken belief that IoT threats are mostly limited to botnet malware used for cryptomining and distributed denial-of-service (DDoS) attacks. In reality, IoT attacks are becoming much more sophisticated and now pose serious threats to corporate network integrity, data security, and even physical security systems.

Here are three xIoT attacks every company should be aware of:

**Pivoting From the xIoT Device**

Since many xIoT devices lack even basic native cybersecurity protections, disallow the installation of traditional endpoint security software, and are often unmonitored, they are an effective initial access point for attackers looking to gain a beachhead on a company and then move laterally across its network.

Once the xIoT device has been compromised, the adversary can use this foothold to upload tools, sniff network traffic, search for other exploitable devices, and exfiltrate sensitive data. For example, an attacker can transition from an IoT device into the main IT network, as well as the operational technology (OT) network.

This type of "pivot attack" has already been observed in the wild by multiple companies. My company has seen a growing number of corporate cyberattacks, in which the company was first compromised through a security camera, door controller, or other device, then targeted with ransomware, espionage, or data theft through its IT network.

In 2019, Microsoft Threat Intelligence Center detected an adversary that exploited three different IoT devices (a VoIP phone, a printer, and a video decoder), from which the actor established a presence on the network while looking for further access. Researchers also unveiled a proof-of-concept ransomware that can spread from an xIoT device to an IT network.

**Atypical Data Theft**

xIoT devices can also be direct targets of espionage and data theft.

Certain office devices like connected printers and document scanners are storehouses of sensitive corporate information that is largely unprotected. In the healthcare industry, CT scanners and MRI machines also contain valuable personal and medical information. Industrial devices can pose data breach risks too. Certain OT devices, like programmable logic controllers (PLCs), can contain privileged manufacturing and processing details, such as temperature and pressure ranges, chemical mixing.

This type of sensitive data storage in xIoT devices is often overlooked by traditional information security audits, and the devices themselves offer little, if any, data protection. For remote attackers, gaining access to these devices is usually a trivial matter.

My company has found that 50% of xIoT devices use default passwords, 68% of devices have high-risk or critical CVEs in their firmware, and 26% of these devices are end-of-life and no longer supported. This means in literally half of these cases, all an attacker needs to do is enter in a default password to gain access to privileged data.

**xIoT as a Persistence Strategy**

Threat actors who have already breached a corporate IT network through traditional means like phishing may also carry out a second-stage attack on xIoT devices to achieve long-term persistence inside the organization.

One example is the threat actor UNC3524, which Mandiant recently discovered had been installing a backdoor called QuietExit in opaque network appliances and IoT devices like security cameras, remaining undetected on victims' networks for at least 18 months.

xIoT devices are an ideal hiding place for sophisticated adversaries. These devices are poorly monitored, lack anti-malware and intrusion detection coverage, and are not easy to analyze during incident response. My company has found that over 80% of security teams can't even identify the majority of xIoT devices they have in their networks. They also fall into an administrative gray area in terms of who is responsible for managing them (is it the IT team, the security team, the operations team, or the vendor?), which leads to confusion and inaction.

An adversary can easily install a backdoor in any one of these overlooked xIoT devices that will be exceedingly difficult for the security team to detect. The average enterprise has anywhere from tens of thousands to millions of xIoT devices, and typically relies on manual processes for monitoring and maintaining them. Detecting such a backdoor will be like trying to find a needle in an enormous haystack (or haystacks).

**Preventing the Full Range of xIoT Attacks**

In spite of their many risks, xIoT devices can be sufficiently protected without imposing high costs on a company.

Basic measures such as strong password management and keeping firmware up to date will drastically reduce the risk. Accurate inventorying and regular monitoring are also key.

Where companies will be challenged is in terms of the volume of devices they must protect. This is why automation is important, as manually changing passwords and updating firmware on such a vast array of devices isn't feasible for most companies.

3 xIoT Attacks Companies Aren't Prepared For

After an uproar, the city board voted to rescind last week's bill to allow police to use robots to deliver deadly force. The fight isn't over, but there's a good reason it should be.

On Nov. 29, the San Francisco Board of Supervisors voted to allow the San Francisco Police Department (SFPD) to use armed robots for lethal force, a month after public outcry caused the police in nearby Oakland to rescind a similar request. A week later, the board voted again — this time to explicitly deny permission for deadly force and send the original bill back to committee. Many questions about that original bill remain unanswered, but one obvious one is: If we allow civilian agencies to arm robots, how do we guard against misuse — by police themselves, yes, but also by unauthorized users?

Security researchers Cesar Cerrudo and Lucas Apa tackled those questions as IOActive consultants back in 2017. The issues are still prevalent today, according to Cerrudo, now an independent cybersecurity researcher.

"As any piece of technology, robots could be hacked; it could be easy or extremely difficult, but possibilities are there," he tells Dark Reading. "In order to reduce hacking possibilities, robot technology has to be built with security in mind from the very beginning and then all the robot technology properly audited to identify all potential vulnerabilities and to eliminate them."  

The categories of vulnerabilities Cerrudo and Apa discovered included insecure communications, authentication issues, missing authorization, weak cryptography, privacy concerns, insecure default configurations, and easily probed open source frameworks.

While the researchers didn't test military or police robots, such machines are likely to be similarly vulnerable. "These robots are some of the most dangerous when hacked, since they are often used to manipulate dangerous devices and materials, such as guns and explosives," they wrote in the paper.

One example of the scale of the danger is a 2007 failure in an automatic anti-aircraft cannon in South Africa that killed nine soldiers and wounded a dozen more in a span of 0.8 seconds. Now imagine what would happen if someone successfully turned an armed police robot back toward the officers or toward the public.

The possibility that robots can be hacked is not so far-fetched. Last year hacktivists gained access to a network of 150,000 surveillance cameras, including those inside of prisons, by obtaining the super admin account information. Hackers have successfully seized control of a Jeep Cherokee driving down a highway and grabbing control of other cars via a key fob hack that has gone mainstream. Even entire buildings have been hacked.

**Taking Back Permission to Kill**

"I simply do not feel arming robots and giving them license to kill will make us safer," said Supervisor Eric Mar on Dec. 6 before voting to send the original bill back to committee.

On Nov. 29, the board had voted 8-3 to approve the bill allowing deadly force; on Dec. 6, the vote was 8-3 to rescind it. "It was a rare step," the San Francisco Chronicle reported. "The board's second votes on local laws are typically formalities that don't change anything."

What does change things in San Francisco is public protest. "We've all heard from a lot of constituents ... on the idea that we as a city will have robots deliver deadly force," said Supervisor Dean Preston at the Dec. 6 meeting.

Three of the supervisors — Shamann Walton (also board president), Hillary Ronen, and Preston — attended one such protest at city hall on Monday, organized by the Quakers, where a crowd held placards reading "no killer robots." 

"We will fight this legislatively at the board, we will fight this in the streets and on public opinion, and if necessary, we will fight this at the ballot," Preston said. That last threat might have been the most persuasive; city voters are not afraid to govern directly through ballot initiatives.

The SFPD has about a dozen robots purchased between 2010 and 2017, the department said in a statement. 

"The robots are remotely controlled and operated by SFPD officers who have undergone specialized training," according to the statement. "Our robots are primarily used in EOD/bomb situations, hazardous materials incidents, and other incidents where officers may need to keep a safe distance before rendering a scene secure."

The SFPD statement continued: "In extreme circumstances, robots could be used to deliver an explosive charge to breach a structure containing a violent or armed subject. The charge would be used to incapacitate or disorient a violent, armed, or dangerous subject who presents a risk of loss of life," although such use "could potentially cause injury or be lethal."

While the Dec. 6 vote was a setback for the SFPD, the San Francisco Standard pointed out that the issue isn't necessarily finalized. The rules committee might be able to sit on it long enough that public attention fades, or they could come up with language that lets a majority of supervisors return their support. But for now, murderbots are explicitly forbidden, and it seems decided.

**Not the First Robo-Cops**

Unmanned aerial vehicles (UAV) have been part of military tactics for half a century, and there are several examples of police departments using remotely operated drones. In 2015, North Dakota legalized arming drones with less-than-lethal weapons like tasers. Of course, tasers can be lethal, and drones are notoriously vulnerable to hacking.

Another prominent police use of unmanned robotics was the NYPD's failed Digidog experiment in 2020-2021, which sent remote-controlled Boston Dynamics robots into dangerous situations, such as standoffs and hostage situations, to minimize risk to personnel. Public reaction to the spidery, fast-moving, stair-climbing robots was so negative, however, that the department ended the contract early.

Proponents of unmanned mobile equipment usually base the technology's mission on saving lives, whether of hostages or police. Indeed, the SFPD's statement asserted, "Robots equipped in this manner would only be used to save or prevent further loss of innocent lives." We have already seen how that plays out in real life.

**Police Robots Have Already Killed**

American police have already used a robot to deliver lethal force. Dallas PD sent a robot rigged with explosives to kill Micah Johnson back in 2016, ending a standoff after Johnson shot 12 Dallas officers, killing five. A grand jury cleared the police of any wrongdoing in that incident, where the police used the ruse of sending the shooter a phone to get the robot close enough. Some of the SFPD's dozen existing robots are "wheeled bomb-disposal robots with extending arms similar to the one used by Dallas officers in 2016," according to the Washington Post.

After that 2016 Dallas use of force, UC Davis law professor Elizabeth E. Joh wrote in the New York Times: "And a robot is unlike a gun in that a gun may misfire, but it can't be hacked. The market for police robots is emerging, but we as a society — and that includes the police — should be wary of any armed police robot that is vulnerable to takeover by third parties. Experience with the security of electronic devices doesn't inspire confidence: If third parties can hack cars or toy drones, they can certainly hack police robots."

Cerrudo's assessment aligns with that warning. 

"If I were to deploy these robots, I would make sure that they were built with security in mind and that they have been properly security-audited by experts," he says. "Failing to do this is exposing the robots to possible cyberattacks that could turn a robot into a dangerous weapon."

San Francisco Rolls Back Its Plan for Killer Robots

Cisco's annual Security Outcomes Report shows executive support for a security culture is growing. It identifies the top seven success factors that boost enterprise security resilience, with a focus on cultural, environmental, and solution-based factors that businesses leverage to achieve security.

**MELBOURNE, Australia, Dec. 6, 2022 /PRNewswire/** — Cybersecurity resilience is a top priority for companies as they look to defend against a rapidly evolving threat landscape, according to the latest edition of Cisco's annual Security Outcomes Report launched today.

Resilience has emerged as a top priority as a staggering 62 percent of organizations surveyed said they had experienced a security event that impacted business in the past two years. The leading types of incidents were network or data breaches (51.5 percent), network or system outages (51.1 percent), ransomware events (46.7 percent) and distributed denial of service attacks (46.4 percent).  

These incidents resulted in severe repercussions for the companies that experienced them, along with the ecosystem of organizations they do business with. The leading impacts cited include IT and communications interruption (62.6 percent), supply chain disruption (43 percent), impaired internal operations (41.4 percent) and lasting brand damage (39.7 percent).

With stakes this high, it is no surprise that 96 percent of executives surveyed for the report said that security resilience is high priority for them. The findings further highlight that the main objectives of security resilience for security leaders and their teams are to prevent incidents, and mitigate losses when they occur.

"Technology is transforming businesses at a scale and speed never seen before. While this is creating new opportunities, it also brings with it challenges, especially on the security front. To be able to tackle these effectively, companies need the ability to anticipate, identify, and withstand cyber threats, and if breached be able to rapidly recover from one. That is what building resilience is all about," said Helen Patton, CISO, Cisco Security Business Group.

"Security, after all, is a risk business. As companies don't secure everything, everywhere, security resilience allows them to focus their security resources on the pieces of the business that add the most value to an organization, and ensure that value is protected," she added.

**Seven Success Factors of Security Resilience**

This year's report has developed a methodology to generate a security resilience score for the organizations surveyed, and identified seven data-backed success factors. Organizations that had these factors present were among the top 90th percentile of resilient businesses. Conversely, those lacking them placed in the bottom 10th percentile of performers.

The findings of the study underline the fact that security is a human endeavor as leadership, company culture, and resourcing have an oversized impact on resilience:

*   Organizations that report poor security support from the C-suite scored 39 percent lower than those with strong executive support.
*   Businesses that report an excellent security culture scored 46 percent higher on average than those without.
*   Companies that maintain extra internal staffing and resources to respond to incidents resulted in a 15 percent boost in resilient outcomes.

In addition, businesses need to take care to reduce complexity when transitioning from on-premise to fully cloud-based environments:

*   Companies whose technology infrastructures are either mostly on-premise or mostly cloud-based had the highest, and nearly identical, security resilience scores. However, businesses that are in the initial stages of transitioning from an on-premise to a hybrid cloud environment saw scores drop between 8.5 and 14 percent depending on how difficult the hybrid environments were to manage.

Finally, adopting and maturing advanced security solutions has significant impacts to resilient outcomes:

*   Companies that reported implementing a mature Zero Trust model saw a 30 percent increase in resilience score compared to those that had none.
*   Advanced extended detection and response capabilities correlated to an incredible 45 percent increase for organizations over those that report having no detection and response solutions.
*   Converging networking and security into a mature, cloud-delivered secure access services edge boosted security resilience scores by 27 percent.

"The Security Outcomes Reports are a study into what works and what doesn't in cybersecurity. The ultimate goal is to cut through the noise in the market by identifying practices that lead to more secure outcomes for defenders," said Jeetu Patel, executive vice president and general manager of security and collaboration at Cisco. "This year we focused on identifying the key factors that elevate the security resilience of a business to among the very best in the industry."

**Additional Resources:**

*   Report: Security Outcomes Report, Volume 3: Achieving Security Resilience
*   Blog: Cracking the Code to Security Resilience: Lessons from the Latest Cisco Security Outcomes Report

**About Cisco**

Cisco (NASDAQ: CSCO) is the worldwide leader in technology that powers the Internet. Cisco inspires new possibilities by reimagining your applications, securing your data, transforming your infrastructure, and empowering your teams for a global and inclusive future. Discover more on The Newsroom and follow us on Twitter at @Cisco.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.

SOURCE: Cisco Systems, Inc.

Cybersecurity Resilience Emerges as Top Priority as 62% of Companies Say Security Incidents Impacted Business Operations

The botnet exploits flaws in various routers, firewalls, network-attached storage, webcams, and other products and allows attackers to take over affected systems.

A new botnet is attacking organizations through various vulnerabilities in Internet of Things (IoT) devices from D-Link, Huawei, RealTek, TOTOLink, Zyxel, and more, posing a critical threat that allows attackers to take over vulnerable systems, researchers have found.

The botnet, dubbed Zerobot and written in the Go programming language, includes modules capable of self-replication and self-propagation, as well as attacks for different protocols, a researcher from Fortinet shared in a blog post published Dec. 6.

"Zerobot targets several vulnerabilities to gain access to a device and then downloads a script for further propagation," Fortinet Labs senior antivirus analyst Cara Lin wrote in the post.

So far, researchers have seen two versions of the botnet, one that they began tracking on Nov. 18 and a more sophisticated version that appeared soon after, on Nov. 24, that added a string of new capabilities.

The first version of Zerobot was quite basic, but attackers quickly updated it to include a "selfRepo" module that allows it to reproduce itself and infect more endpoints with different protocols or vulnerabilities, researchers said. The latest version — on which their analysis is based — also includes string obfuscation and a copy file module.

**Attack Mode**

Zerobot initiates an attack by first checking its connection to 1.1.1.1, the DNS resolver server from Cloudflare. It then copies itself onto the targeted device based on the victim's OS type, with different tactics depending on the platform, researchers said.

For Windows, Zerobot copies itself to the "Startup" folder with the filename "FireWall.exe." If the targeted platform is Linux, it has three file paths — "HOME%," "/etc/init/," and "/lib/systemd/system/."

Once it is copied onto the targeted device, Zerobot then sets up an "AntiKill" module to prevent users from disrupting its program once it's started. "This module monitors a particular hex value and uses 'signal.Notify' to intercept any signal sent to terminate or kill the process," Lin wrote.

After initialization, Zerobot starts a connection to its command-and-control (C2) server, ws\[:\]//176\[.\]65\[.\]137\[.\]5/handle, using the WebSocket protocol.

Once it sets up a communication channel, the client waits for a command from the server to unleash any of 21 exploits for various vulnerabilities found in IoT products, as well as some others — including the Java framework vulnerability Spring4Shell, phpAdmin, and F5 Big — "to increase its success rate," Lin wrote.

**Enterprises: Take Immediate Action**

Fortinet included a list of the numerous vulnerabilities that Zerobot exploits, which are found in assorted devices including routers, webcams, network attached storage, firewalls, and other products from a host of well-known manufacturers. 

Lin advised any organization using these devices to update to the latest versions or apply any available patches immediately. Indeed, with businesses losing up to $250 million a year on unwanted botnet attacks, according to a report published last year from Netacea, organizations would be wise to evaluate their environments to discover any device that might be vulnerable to Zerobot, she noted.

"Users should be aware of this new threat, patch any affected systems … running on their network, and actively apply patches as they become available," Lin wrote.

Source

DARKReading