CI Fuzz CLI, the open source fuzzing tool with just three commands, integrates fuzz testing directly into the software development workflow.

The open source security tool CI Fuzz CLI now supports Java, according to Code Intelligence, the company behind the project.

Back in September, Code Intelligence announced CI Fuzz CLI, which lets developers run coverage-guided fuzz tests directly from the command line to find and fix functional bugs and security vulnerabilities at scale. CI Fuzz CLI can be integrated into common build systems such as Maven and Bazel; integrated development environments (IDEs), and continuous integration/continuous delivery (CI/CD) tools such as Jenkins. Initially, the tool supported C, C++, and CMake. The latest update, which includes the Junit integration, allows Java developers to run fuzz tests directly from the IDE.

Fuzz testing – or fuzzing – refers to when the tester throws a lot of data ("fuzz") against an application to see how the application reacts. Because the input data includes random and invalid inputs, developers can uncover issues which could result in memory corruptions, application crashes, and security issues such as denial-of-service and uncaught exceptions.

The latest guidelines for software verification from the National Institute of Standards and Technology includes fuzzing among the minimum standard requirements. Google recently reported more than 40,500 bugs in 650 open source projects have been uncovered through fuzz testing. The company launched OSS-Fuzz in 2016 in response to the Heartbleed vulnerability, a memory buffer overflow flaw that could have been detected by fuzz testing.

While fuzz testing is slowly gaining traction within the open source community, it is not yet widely used by developers outside open source and information security, Code Intelligence says. Part of that is because fuzzing is a specialized skill and many security teams don't have the knowledge and experience to use fuzz testing tools effectively. Code Intelligence says CI Fuzz CLI lowers the barrier to entry for fuzzing because the tool has only three commands. By allowing developers to run the tool from the command line or within the IDE makes fuzzing more accessible, the company says.

The fact that the tool integrates into the developer workflow means it can automatically fuzz the code whenever there is a new pull or merge request, the company says.

“Code Intelligence helps developers ship secure software by providing the necessary integrations to test their code at each pull request, without ever having to leave their favorite environment. It’s like having an automated security expert always by your side,” Thomas Dohmke, CEO of GitHub, said in a statement.

CI Fuzz CLI Brings Fuzz Testing to Java Applications

If unpatched, a host of GPU Display Driver flaws could expose gamers, graphic designers, and others to code execution, denial of service, data tampering, and more.

A new update from Nvidia for its GPU Display Driver includes fixes for a full 29 security vulnerabilities, seven with a base score of more than 7. 

The company's graphics cards are built to accelerate computing processing to support real-time or data-intensive applications. As such, they're known for their use by gamers, graphic designers, and other creative producers, and for artificial intelligence and machine learning. Impacted software products for the update specifically include GeForce, Studio, Nvidia RTX, Quadro, NVS, and Tesla.

The most serious of the bugs are two flaws that exist in the user mode layer for Windows versions, both of which could allow an unauthorized user to execute code, escalate privileges, launch denial-of-service attacks, and achieve data compromise and disclosure, according to the chipmaker:

*   **CVE‑2022‑34669** (CVSS score of 8.8): An unprivileged regular user can access or modify system files or other files that are critical to the application.
*   **CVE‑2022‑34671** (CVSS score of 8.7): An unprivileged regular user can cause an out-of-bounds write.

The display driver for Linux also received a number of updates in this latest security update. 

"Earlier software branch releases that support these products may also be affected," the Nvidia security update said. "If you are using an earlier branch release for which an update version is not listed above, upgrade to the latest branch release." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nvidia GPU Driver Bugs Threaten Device Takeover & More

The framework has ties back to a Spanish exploit broker called Variston IT, and offers a one-stop shop for compromising Chrome, Defender and Firefox.

Google's Threat Analysis Group (TAG) has discovered a cyberattack framework dubbed Heliconia, built to exploit zero-day and n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender. It likely has connections to a gray-market spyware broker called Variston IT, which highlights how this shadowy segment is flourishing.

The Heliconia threat consists of three modules:

*   Heliconia Noise for compromising the Chrome browser, escaping the sandbox, and installing malware;
*   Heliconia Soft, a Web framework that deploys a PDF containing a Windows Defender exploit for CVE-2021-42298 that allows privilege escalation to SYSTEM and remote code execution (RCE);
*   And the Heliconia Files package which contains a fully documented Firefox exploit chain for Windows and Linux, including CVE-2022-26485 for RCE.

TAG became aware of the threat after receiving an anonymous submission to the Chrome bug reporting program. Upon further investigation, the Heliconia framework's source code was found to contain a script that points back to Variston IT, a Barcelona-headquartered entity that claims to provide "custom security solutions."

Commercial spyware is often sold by organizations claiming to be legitimate companies, for "use by law enforcement." However, mounting evidence shows that too often, these brokers don't vet their clients, "putting advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents," according to a TAG posting on Wednesday.

Researchers noted that Variston IT is firmly in the middle of this proliferating market — a space that has seen sanctioning by the United States and others against organizations like the infamous NSO Group, creator of the Pegasus spyware.

"The commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe," TAG researchers added. "While surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups."

So far, none of the modules has been seen in current attacks in the wild, but TAG researchers noted that they've likely been deployed in the past, including using the exploits they contain as zero-days before they were fixed.

Google TAG Warns on Emerging Heliconia Exploit Framework for RCE

New protective measures work behind the scenes, with little impact on the customer experience.

Every bank and financial institution is having a serious conversation about security. In 2021, data breaches grew 79%, impacting 300 million people in the US. Simultaneously, more people are banking online than ever before. Today, 67% of banking customers access and manage their accounts digitally, either through a mobile app or a computer. Banks have the salient task of renewing customer confidence and creating secure digital platforms — but it can't come at the cost of customer experience. Through a robust technology platform, best practices, and financial technology (fintech) partnerships, banks can amplify the safety of online banking without derailing the industry's explosive growth.

**Debunking Myths About Digital Banking**

There is an ugly rumor going around that digital banking is less secure than traditional brick-and-mortar banking — but nothing could be further from the truth. Reputable online banking platforms are backed by the same Federal Deposit Insurance Corporation (FDIC) coverage as any other banking institution, meaning individual accounts are protected against fraud for up to $250,000.

Moreover, digital banks are built with sophisticated technology, and they already have the infrastructure in place to implement layered security and data protection. This makes them inherently less vulnerable to cybercrime than traditional banks. In digital banking, two-step authentication and data encryption are already a standard, and online banks are adopting advanced technologies like smart fraud monitoring systems that use machine learning and advanced data gathering to identify fraudulent activity. Financial institutions across the board are making the biggest investment in AI technology as a key to fraud prevention.

Many of these protective measures are happening behind the scenes, and operate with little impact on the customer experience. They work in real time to verify customer identity, protect information, minimize human error, and block fraudulent transactions.

**Creating a Frictionless Experience**

Security must be integrated into the customer journey, from the moment a customer opens a bank account through routine banking activity. Banks collect and store personal information as well as handle transactions with direct parties and counterparties, making it critical to have fraud prevention measures at each touchpoint through the customer experience. Standard best practices start with vendor management, risk assessment, and ongoing compliance monitoring.

Proper vendor management creates a protected platform and mitigates the risk of a cyber breach by securing front-end systems and conducting thorough due diligence of each partner. This process is a natural foray into strong risk assessment practices, which involve a deep review of partners, existing compliance disclosures, and financial risk. Compliance monitoring is the final piece of the puzzle. A survey from Ncontracts found that nearly 90% of financial institutions are concerned about regulatory compliance, but banks should think of regulators as partners in establishing a solid security program. Quality compliance ensures banks better understand and anticipate emerging risks before they have an opportunity to impact security or the customer experience.

**The Importance of Fintech Partnerships**

Fintech partnerships are an optimal way to access the technology infrastructure required to build a secure network. Last year, 65% of banks partnered with a fintech company; 35% of banks invested in a fintech; and 89% of banks said that fintech relationships were important to the institution.

This symbiotic relationship is becoming a mainstay in the industry because banks can leverage existing technology to develop strong data modeling and data governance practices rather than building the technology from scratch — and they work. Among banks that partnered with a fintech to improve fraud losses, 83% said the partnership helped the bank meet that objective. Fintechs also benefit by tapping into the bank's data to create a robust tech stack between the two enterprises.

While fintech partnerships have a lot of benefits, they are not a solution for every organization, and alignment of objectives, culture, and business strategy is critical to making the relationship successful. Vetting prospective fintech partners should explore the mechanics of core and digital systems integration, confirm relevant technology experience in tools like application programming interface (API), and identify key points of contact to ensure there is a dedicated staff to oversee the partnership.

By leveraging technology, pursing fintech partnerships, and establishing best practices, banks can protect their digital platform from cybercrime and data breaches without diminishing quality service and convenience. Security will become a seamless part of the customer experience. The only hint it's happening will be missing fraud alerts in your inbox.

How Banks Can Upgrade Security Without Affecting Client Service

Signal messaging app zero-day vulnerabilities have sparked a $1.5M bidding match, as gray-market exploit brokers flourish in today's geopolitical climate.

Gray-market exploit brokers are alive and kicking, with the latest sign of this flourishing market coming in the form of a bidding war for Signal messaging app zero-days from a relatively new entrant. 

Russia-based OpZero went on the record recently with a $1.5 million offer for Signal remote code execution (RCE) exploits, more than tripling the relatively stable high-water mark for that app offered by American firm Zerodium.

Cybersecurity experts say that this particular bidding war indicates the Russian government's desperation to gain surveillance capabilities over Ukrainians utilizing Signal to communicate. But the price movement on this front also offers a microcosmic look into the broader reliance of gray-market customers (most typically governments) on intermediary brokers.

**The Shadowy "Gray Hat" World of Cybersecurity Exploit Brokers

These brokers are sometimes independent dealers, other times thinly cloaked fronts for nation-state intelligence agencies, who buy from security researchers interested in cashing in on their exploit work. 

The market works on an "ask me no questions, and I'll tell you no lies" basis, researchers say. Brokers have no scruples in working with both white- and black-hat security experts — and exploit developers don't ask how or by whom their exploits will be used. The arrangements put this market in a swampy middle ground between the vendor-oriented, highly structured vulnerability bug-bounty market and the chaotic and overtly criminal dealings of the Dark Web, dominated by black hats.

"Exploit brokers function as market makers by contracting with suppliers (security researchers) managing an inventory of exploits, and selling to buyers (actors who deploy offensive cyber-operations)," according to a recent paper on the gray-market exploit world presented at the 21st Workshop on the Economics of Information Security (WEIS’22) in Tulsa, Okla., earlier this year. 

"In doing so, brokers can more efficiently manage transaction costs relative to suppliers and buyers directly contracting with each other. Additionally brokers provide a layer of insulation against reputation and legal fallout," the paper explained, adding that the price of exploits has grown by 1,240% over the last six years in the gray market.

****War in Ukraine Sparks Signal Exploit Bidding War**

Perhaps one of the most public and prolific players in the market is Zerodium, an American firm with an obscured customer list of "government institutions mainly from Europe and North America," according to the company's FAQ. 

The firm offers as much as $2 million for iOS flaws and presents many public offers for exploits in a range of operating systems and applications. The company has had a standing offer since 2017 of "up to" $500,000 for exploits of Signal and other social messaging apps, including Facebook Messenger, WhatsApp, and Telegram.

The entrance of OpZero into this mix with an offer of three times that amount, which has experts such as security researcher The Grugq postulating that the company is a stand-in for Russian intelligence services that are "desperate" for Android and Signal exploits.

"Android has an almost 80% market share in Ukraine, and Signal has over 2 million daily active users," The Grugq recently wrote. "Android phones with Signal are robust security platforms. They’re not military equipment, but they’re perfectly capable of providing protection against a wide range of security threats. Including nation state level threat actors. Russia appears to be lacking an Android or Signal capability."

New Exploit Broker on the Scene Pays Premium for Signal App Zero-Days

New investment will accelerate growth and expansion of SaaS identity-hygiene platform.

**NEWARK, N.J., Nov. 30, 2022 /PRNewswire****/** — SPHERE Technology Solutions (SPHERE), a leader in identity hygiene, announced today a $31 million Series B investment led by Edison Partners, a Princeton-based leading growth equity firm, with participation from existing investor Forgepoint Capital. As part of the transaction, Edison General Partner Lenard Marcus will join SPHERE's board of directors.

As cyberattacks escalate in number and severity, Identity Hygiene has become foundational to enterprise security, digital transformation, and mandatory compliance. The increasing needs around ensuring identities have access to only the required resources has been in direct response to the rise in ransomware attacks and bad actors who take advantage of wide open and mismanaged access.

SPHERE immediately shrinks the attack surface of these threats through an automated platform that provides visibility and remediation of identity hygiene risks along with tech-enabled managed services, delivering expertise to accelerate these crucial programs. SPHERE's current customers are some of the largest and most highly regulated organizations globally, ranging from financial institutions to healthcare providers and more. With this investment, SPHERE will expand its SaaS offering, channel ecosystem and alliances, and sales and marketing to accelerate growth.

"As a company founded and operated by a team of security practitioners, we developed a mission-critical solution well before the market even deemed it mission-critical," said Rita Gurevich, founder and CEO of SPHERE. "We've experienced the problems that our customers encounter firsthand, and understand the time, dedication, and resources it takes to solve the complex issues they face every day. We're thrilled to have the support of Edison Partners and Forgepoint Capital for our next chapter of growth."

For over 13 years, SPHERE has enabled IT and Security teams to adopt a Zero Trust model by finding and fixing any type of identity access issue across any resource — in a fraction of the time these complex capabilities would take manually. The platform SPHEREboard provides an end-to-end workflow for end-user and privileged account controls, across cloud and on-premises systems and infrastructure, remediates open, excessive and inappropriate access, and provides an evergreen path for sustainability.

"Identity management, and more broadly information security, starts with the ability to ensure that the only parties with access to sensitive or operational data are those identified by management," said Marcus. "SPHERE's platform enables enterprises to improve their identity hygiene and maintain compliance. Its managed services offerings enable it to service the mid-market and large enterprises, where the problem is pervasive. Edison Partners is also proud to support female trailblazers like Rita Gurevich, who are closing the gender diversity gap in a historically male-dominated industry."

SPHERE continues to build significant traction and earn industry accolades that recognize the company's growth, leadership and commitment to diversity, a source of passion for Gurevich ever since she began building the company from the ground up. SPHERE was honored as a Gold Winner in the 2022 Globee Cyber Security Excellence Awards, named a finalist in the annual SINET 16 Awards, and selected by the Timmy Awards for Best Tech Workplace for Diversity in New York. A proven leader and innovator in cybersecurity, Gurevich was named by _SC Magazine_ as a top "Women to Watch" in 2022. She was also selected as the only female finalist for the _SC Awards_ "Security Executive of the Year."

"Our focus is to invest in the most innovative cybersecurity companies and SPHERE's combination of automation and expertise is unmatched in the industry," said Forgepoint Capital Managing Director Don Dixon. "Major corporations including many of the world's leading financial institutions rely on Sphere for its ability to effectively address two critical use cases – Zero trust initiatives and regulatory requirements for identity entitlements. We're excited to continue our partnership and to welcome Lenard and Edison to the board of directors."

**About SPHERE**

SPHERE is an award-winning, woman-owned cybersecurity business focusing on improving security and enhancing compliance. SPHERE's identity hygiene solution puts the controls in place to secure an enterprise's most sensitive data, create the right governance processes for systems and assets, and ensure organizations are compliant with the regulations surrounding their respective industries. For more information, please visit www.SPHEREco.com.

**About Edison Partners**

Edison Partners is a leading growth equity firm providing the financial and intellectual capital that CEOs and their executive teams need to grow and scale their companies. The firm's team brings more than 275 years of combined investing, operating and sector experience to each investment, accessible via the Edison Edge value creation platform, which is tailored to each business' strategy, stage and operating needs. Edison targets high-growth financial technology, healthcare IT and vertical SaaS and marketplace companies located outside Silicon Valley with $10 million to $30 million in revenue. Investments also include buyouts, recapitalizations, spinouts, and secondary stock purchases. Edison's active portfolio has created aggregated market value exceeding $10 billion. Edison Partners manages $1.6 billion in assets. For more information on Edison Partners, please visit edisonpartners.com and follow on LinkedIn.

**About Forgepoint Capital**

Forgepoint Capital is a leading cybersecurity venture capital firm that invests in transformative companies protecting the digital future. As the most active sector-focused firm in cybersecurity and infrastructure software, Forgepoint has the largest dedicated investment team and portfolio of over 40 companies. The firm brings over 100 years of proven company-building experience and its Advisory Council of more than 80 industry leaders to support entrepreneurs advancing innovation globally. Founded in 2015, Forgepoint is proud to partner with category-defining companies such as 1Kosmos, Area 1 Security (Cloudflare), Attivo Networks (SentinelOne), BehavioSec (RELX), Bishop Fox, Cysiv (Forescout), Huntress, IDX (ZFOX), Noname Security, NowSecure, ReversingLabs, SPHERE, Uptycs and more as they achieve their market potential. Learn more at forgepointcap.com or follow Forgepoint on LinkedIn.

SOURCE: SPHERE

SPHERE Receives $31M for Series B Funding From Edison Partners, Forgepoint Capital

The simplicity and profitability of these attacks continue to appeal to threat actors a decade later.

In 2012, the US Federal Bureau of Investigation (FBI) began investigating an influx of reported fraud incidents involving threat actors rerouting payments to attacker-controlled accounts. In these incidents, victims received seemingly legitimate emails containing requests to alter scheduled payments. The threat actors typically impersonated executives or finance and payroll personnel and convinced victims to reroute payments to a different bank account. These first instances of business email compromise (BEC) kicked off a decade of attacks that use this simple yet highly effective scheme. While the threat has evolved, threat actors continue to use phishing attacks to steal credentials and then send fraudulent invoices soliciting payment. Thousands of organizations have lost billions of dollars.

**What Have We Learned in the Past Decade?**

When BEC was first discovered, law enforcement referred to it as "man in the email" fraud. Because much of the money at the time was sent to China, Japan, and South Korea, law enforcement believed that the threat actors could be Asia-based organized crime groups. Multiple investigations confirmed that these schemes were connected and that the money eventually ended up with threat actors located in Nigeria.

BEC fraud emerged from Nigerian organized crime groups that conducted operations such as romance scams, advance-fee schemes (also known as "Nigerian prince" or "419" scams), and elder fraud. The low barrier to entry and potential for high payouts attracted more threat groups. Because the technical aspects of these schemes are relatively simple, threat actors with little to no technical capabilities could launch successful attacks.

By 2014, cooperation between law enforcement and financial institutions revealed a clearer understanding of BEC schemes. As BEC tactics, techniques, and procedures (TTPs) matured, the financial losses and number of impacted organizations increased. In 2014, the US Internet Crime Complaint Center (IC3) received 2,417 BEC complaints, with losses totaling $226 million. The numbers grew steadily until a decrease in reported incidents in 2020. However, that decline was likely due to the COVID-19 pandemic disrupting normal business processes. Momentum resumed in 2021, with 19,954 complaints and adjusted losses of almost $2.4 billion.

    

Number of organizations reporting BEC incidents and reported losses between 2014 and 2021. Source: Secureworks, based on data from the Internet Crime Complaint Center (IC3).

**Who Is Connducting BEC Attacks?**

To this day, the vast majority of BEC operations still originate in Nigeria. Many Nigerian fraud groups incorporated BEC into their existing criminal activities and taught other threat actors how to operate the schemes. Each group determined its own targeting, focusing on specific geographic regions, organizational roles (e.g., CFO, finance manager, accountant), and industries. In 2016, Secureworks researchers estimated that the GOLD SKYLINE threat group (also known as Wire-Wire Group 1) stole approximately $3 million per year. By 2018, Secureworks research indicated that the GOLD GALLEON threat group attempted to steal an average of $6.7 million per year.

Due to the profitability of these schemes, cybercriminals in other regions began adopting BEC. Eastern European groups have shown particular sophistication. For example, Russian cybercrime group Cosmic Lynx has successfully targeted senior-level executives at multinational corporations using a dual impersonation scheme. The threat actors impersonate a company's CEO and then assume the identity of a legitimate attorney who is responsible for facilitating an acquisition. They prompt victims to send money to attacker-controlled accounts.

Despite the expansion of BEC attacks to other regions, none match the volume from Nigeria. The Nigerian fraud ecosystem has grown and flourished over the past decade. Hundreds of social media profiles flaunt wealth obtained from these attacks to recruit participants in Nigeria, where the average monthly salary is less than $800.

**Why Is BEC Still Prevalent?**

Despite thousands of BEC arrests, the schemes are still popular among cybercriminals. Business-to-business payments are the most frequent targets, but BEC actors also attack other payment methods. Payroll systems have been manipulated to add fictitious employees and send money to the associated accounts. BEC actors have also attacked real estate transactions and rerouted house payments.

While security controls can detect the compromise of an email account, technology can only go so far. As the threat actor continues to use the victim's account or pivots to attacker-controlled infrastructure, detection becomes more challenging. Organizations should implement technical proactive security defenses such as multifactor authentication and conditional access, along with human processes such as verifying requests via trusted contact details before performing high-risk actions and training employees to adopt a "trust but verify" approach to email.

Coordination among financial institutions, government agencies, private industry, and law enforcement across the globe has started to mitigate the impact of BEC attacks. In 2021, the IC3 Recovery Asset Team helped financial institutions recover approximately 74% of the stolen funds it pursued. Reducing the profitability of these attacks could lessen the appeal for threat actors and result in a decrease of BEC fraud.

The Evolution of Business Email Compromise

Current authentication methods are based on the bearer model, but lack of visibility into the entities leveraging API secrets has made this untenable.

Today most API communication between machines is secured through API secrets — static keys, tokens, or PKI certificates that act like system passwords in order to authenticate machines and broker communication between them. These machines could be cloud workloads, pods, containers, servers, virtual machines, microservices, or physical machines like servers or Internet of Things devices.

The challenge with current mechanisms of securing authentication between machines is that they all prescribe a bearer model of authentication. As long as an API key, token, or certificate is valid, it can be held and used from anywhere, even a nefarious machine. The model does not guarantee trusted access or trust in the API client. Further adding to the risk is that these API secrets are often long-lived and cumbersome to maintain hygiene around.

Perfect security hygiene would mean each API secret is uniquely assigned to only one machine, never shared, routinely rotated. and securely distributed through development and deployment systems to the machine that needs it without the risk of being leaked along the way. The reality is API secrets are often shared across dozens or hundreds of machines and workloads. They are rarely, if ever, rotated, and provisioning and managing secrets across different applications and environments is an arduous task.

**The Cost of Secrets**

According to a 2021 report by 1Password, IT and DevOps spend an average of over 25 minutes each day managing secrets, at an estimated payroll expense of $8.5 billion annually across companies in the US. In a world where development and deployment systems are fully automated, provisioning and rotating secrets continues to be a very manual, laborious process.

Leaked infrastructure secrets come at a measurable cost. Exposed code, credentials, and keys — whether they are exposed accidentally or intentionally — cost companies an average of $1.2 million in revenue per year, according to the 1Password report.

More recently, the static nature of API secrets has made them ripe targets for adversaries. Much like passwords, secrets tend to become more vulnerable as they age — a problem that is only compounded when those secrets are being shared across dozens, sometimes hundreds of different workloads. Today, secrets are getting leaked at an alarming rate in code repositories, continuous integration (CI) systems like Jenkins or Travis, orchestration tools like Kubernetes, and cloud hosting environments like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. Ditto for logging tools like Splunk and Elastic and even collaboration environments like Slack. Organizations leaked more than 6 million passwords, API keys, and other sensitive data in 2021, doubling the number from the previous year, according to a recent GitGuardian review.

**Tools to Improve Things**

Enterprises can take extra steps to keep their secrets more secure. Secrets management solutions like vaults or secrets managers help organize and better secure these system passwords. But if your organization happens to be operating workloads with all three cloud providers, your team will have to leverage three proprietary secrets management systems in order to safeguard those secrets — Azure Key Vault, AWS Secrets Manager, and Secret Manager for GCP.

Tools do exist that can scan your environments to find hard-coded secrets in source code, code repositories, CI environments, and logging systems. Some tools can also scan public personal and organization repositories for secrets that may have already been exposed.

**An Unbearable Burden**

One significant blind spot for many engineering and security teams is visibility into the identities of the machines, applications, services, or workloads that are leveraging API secrets. If it isn't already broken by this point, that becomes the point where the bearer model starts to break down.

Between the manual nature of secrets management, the vulnerability of these static values, and the way the explosion of API usage has significantly increased the amount of compromised keys, tokens, and certificates, not having visibility into the entities that are leveraging API secrets has made the bearer model untenable. CISA's zero-trust framework and NIST 800-207 provide guidelines around how organizations think about machines and workloads as nonperson entities — where the user isn't a human, but rather another application or service account.

While CISA and NIST guidelines assist organizations in handling identity and access, the solution to this problem has already been established for human-to-machine interactions: multifactor authentication (MFA). If we think about the genesis of MFA as it relates to applications and services human users are accessing, the purpose is to validate the user identity with a set of credentials. Many companies require employees to enable MFA to ensure that it is indeed Jane who is trying to access the CRM application with her username and password, just in case her user credentials were compromised. The static nature of passwords, coupled with how long they tend to age well past most security guidelines, makes them ripe targets for adversaries, which is why many organizations mandate MFA to access applications that contain sensitive data.

The bearer model is no different — keys, tokens, and certificates are static values that act as system passwords. The challenge many organizations face is having visibility into the identities of the machines, applications, workloads, or services that are ultimately leveraging those credentials.

API Secrets: Where the Bearer Model Breaks Down

Red Hat has issued patches for a bug in an open source Java virtual machine software that opens the door to drive-by localhost attacks. Patch now, as it's easy for cyberattackers to exploit.

A critical remote code execution (RCE) bug in an open source Java virtual machine (JVM) framework threatens enterprise environments by giving attackers an easy way to compromise development teams — thus gaining access to production systems.

That's according to Joseph Beeton, senior application security researcher at Contrast Security, who discovered the vulnerability in Quarkus, a Red Hat-managed, Kubernetes-native Java framework that's optimized for JVMs.

The bug is tracked as CVE-2022-4116 and has been given a rating of 9.8 on the CVSS.

The relatively new Quarkus framework is used as a platform for serverless, cloud, and Kubernetes environments — the last of which is the de facto container management platform for cloud-native environments, and has had numerous security issues of its own.

The Quarkus flaw is present in the framework's Dev UI Config Editor, making it vulnerable to drive-by localhost attacks that could lead to RCE, Beeton wrote in a blog post published Nov. 29. Moreover, "exploiting the vulnerability isn’t difficult, and can be done by a malicious actor without any privileges," he noted in the post.

Beeton discovered the vulnerability some weeks ago while preparing a talk for the recently held DeepSec conference, but says that he waited to disclose his findings until after Red Hat published details of the flaw on its customer support portal Nov. 21. Beeton also published a proof of concept exploit for CVE-2022-4116 in his post.

Patched versions of Quarkus, available now, are 2.14.2.Final and 2.13.5.Final (LTS); anyone using the framework is encouraged to update immediately.

**'Dangerous' Security Flaw**

The vulnerability affects the "quarkus\_dev\_ui" package, according to Red Hat, which means it impacts developers building services using Quarkus, not actual services running in production.

However, it's still dangerous for several reasons — for one because it's fairly easy to exploit, and for another because developers often have direct access to an enterprise's production environment, Beeton tells Dark Reading.

"Developers generally have access to production systems, and even if they don't, they do have the ability to make code changes," he says. "A compromised developer's machine could be leveraged to push malicious code changes to production.”

For example, if a developer running Quarkus locally visits a website with malicious JavaScript, that JavaScript can silently execute code on the developer’s machine, which can lead to all kinds of trouble on any network or assets attached to it.

In enterprise cloud-based environments, developers also often have to code bases, Amazon Web Services keys, server credentials, and other assets, Beeton said in his posting.

"Access to the developer's machine gives an attacker a great deal of scope to pivot to other resources on the network, as well as to modify or to flat-out steal the codebase," he wrote.

**The Bug in a Cloud-Security Context**

The flaw must be understood in the context of cloud-based footprints that have numerous hosted services running in a larger environment, Beeton explained. One misconception about this type of architecture is that "services that are only bound to localhost are not accessible from the outside world," he noted in his post.

"Because of this misplaced belief, developers, for the sake of convenience, will run services they are developing that are configured in a less secure way compared with how they would \[typically\] do it," he wrote.

There's no problem with this scenario in the case of accessing normal JavaScript in a browser and loaded from a nonmalicious domain, he said. In that case, the JavaScript would not be able to make requests to other domains, including localhost, without a preflight request that is used to check the server's Cross-Origin Resource Sharing (CORS) settings. This is a standard check to see if the server allows requests from the domain being accessed.

However, in the case of a certain type of request that does not require a preflight request — called Simple Requests — the flaw comes into play, Beeton said.

"For a Simple Request, the browser makes the request, receives the response, but that data — including the HTTP Status Code — is not returned to JavaScript," he wrote. "It is possible, however, to infer whether the request was successful based on how long it took to return. Within those constraints, it is possible to access localhost and, in certain circumstances, to trigger arbitrary code execution."

**Multiple Ways Developers Can Be Targeted**

If this is the case, threat actors can compromise websites that developers use by injecting malicious JavaScript into ads served on the sites. For an attack on the Quarkus flaw to be successful in this scenario, someone who is running Quarkus in developer mode would have to visit a website containing the malicious JavaScript, Beeton said.

In this way, attackers can access developer code via non preflighted HTTP requests to those services bound to localhost, he explained.

"It just requires that Quarkus is running in developer mode at the same point the browser tab is open," he noted. "No other interaction is required for this vulnerability to be exploited."

Attackers also can exploit the flaw by launching a phishing attack that convinces a developer to open a web browser on a compromised page. "If they happen to be running Quarkus in developer mode, compromising them would merely entail getting them to click the link; the page containing malicious JavaScript will then be loaded, and they would be compromised," Beeton explained.

Other ways the flaw can be exploited are through common misconfigurations in the Spring framework, which provides a comprehensive programming and configuration model for modern Java-based enterprise applications, he said. Alternatively, an attacker can exploit known vulnerabilities to generate an RCE on the developer's machine or on other services on their private network.  

**Potential Impact and Fix**

There are two bits of good news surrounding the status of the flaw, Beeton acknowledged. One is that Red Hat's Quarkus team, as mentioned before, already has issued a fix that requires the Dev UI to check origin headers for "origin : localhost" — which is set by the browser itself and not modifiable by JavaScript — and only accept these requests, he said.

The other reassuring aspect is that Quarkus is a young framework, having been launched in 2019, so it's not likely to be used as extensively as, say, the open-source Spring Boot framework, he said.

And while Quarkus is gaining in popularity, particularly for Kubernetes enthusiasts, "given its ease of use and significantly lighter demand on hardware resources to run and to run applications," it still is not as widely used as Kubernetes itself, Beeton said.

"Therefore, the number of developers affected by this drive-by localhost attack is probably small," he said.

**Squashing the Attack Vector**

Even with the Quarkus flaw fixed, developers using open-source frameworks still should be wary as they develop services via the localhost, as there are likely more vulnerabilities equivalent to CVE-2022-4116 that have yet to be found, Beeton warned.

A solution for the entire attack vector is on the horizon with W3C’s new Private Network Access (PNA) specification, which eventually will be integrated into browsers to squash this mode of exploit altogether, he said.

Currently, however, only the team supporting the Chromium framework — the basis for the Chrome and Edge browsers — is actively working to implement the new spec, Beeton said. In fact, the targeted mid-December release of Chrome 109 should include support for PNA.

Firefox, meanwhile, has PNA support on its backlog, but has not yet scheduled a release date, while plans to add the spec to Safari or Edge remain unclear, though the Chromium update may bode well for its upcoming addition in Edge, he added.

Critical Quarkus Flaw Threatens Cloud Developers With Easy RCE

The quarterly report, made possible by its Dynamic Defense™ service, demonstrates significant progress in mitigating domain abuse among its top-level domains (TLDs).

**BELLEVUE, Wash., Nov. 30, 2022 /PRNewswire/** — To promote awareness among registrars, trusted notifiers, and end users, Identity Digital™, a leader in connecting the online world with domain names and related technologies, very recently published its first (Q2) Anti-Abuse Report. The report shares data and statistics on DNS abuse within the registry operator's TLD portfolio. The second (Q3) Anti-Abuse Report is slated to come out shortly as well.

The Anti-Abuse Report found that nearly 93% of the abuse cases identified in Q2 2022 involved phishing attacks, including homograph attacks, where bad actors register domains using visually similar characters to legitimate websites for nefarious purposes. Identity Digital automatically blocks homographic domain names, ensuring none of their variations can be registered.

"We're proud to publish our first Anti-Abuse Report that raises  
awareness on a wide range of DNS attacks and demonstrates significant  
progress in mitigating domain abuse within our TLD ecosystem," says Akram Atallah,  
CEO of Identity Digital. "While overall quite rare, in cases of clear  
domain abuse, we aim to intervene as quickly as possible. Most of the  
harm is done in the first eight hours, so taking swift action is  
important. As a result of the Dynamic Defense initiative, we observe  
55% mitigation of identified reports, within 24 hours of a report, which  
is five times faster than the 96 hours1 industry standard."  

The Identity Digital Dynamic Defense™ (DND) team has decades of experience dealing with DNS abuse, drafted industry-standard security frameworks, and are on the front lines of the fight against DNS abuse. Identity Digital acts upon specific, credible notices on serious abuse cases, including child sexual abuse materials, illegal online distribution of opioids, human trafficking, and specific and credible incitements to violence.

**About Identity Digital**

Identity Digital Inc. simplifies and connects the online world with domain names and related technologies to empower people to build, market, and own their authentic digital identities. The company is a member of the Anti-Phishing Working Group (APWG) and the Internet Watch Foundation (IWF). It's also represented in US InfraGard, a partnership between the FBI and the private sector dedicated to sharing information and intelligence to prevent hostile acts against the US. In addition, Identity Digital participates in ICANN at all levels and holds leadership positions at the Registries Stakeholder Group, the Registries Stakeholder Group DNS Abuse Working group, the Contracted Party House DNS Abuse Working Group, and the Security & Stability Advisory Committee (SSAC).

With the world's largest portfolio of nearly 300 TLDs, such as .live, .technology, and .restaurant, Identity Digital operates around 25 million domains on its innovative registry services platform. In addition, it enables customers to discover, register, support and use high-quality domain names with its registrar, Name.com. Headquartered in Bellevue, WA, Identity Digital is a global company with approximately 250 employees. For more information, please visit identity.digital.

1 Source: icann.org,

SAC115 SSAC Report on Interoperable Approach to Addressing Abuse Handling in the DNS

  
SOURCE: Identity Digital, Inc.

Source

DARKReading