Yet another *4Shell exploit highlights the horror of strange visitors into enterprise environments. This Tech Tip focuses on what to do next.

A family moves into their dream home, only to be plagued by ominous letters, a strange tenant, and sinister threats. Sound familiar?

It should. This is the story behind _The Watcher_, a true crime series that premiered on Netflix on October 13, 2022. It's also the story of the Text4Shell vulnerability, which was announced that same day, causing many people worldwide the horror of unknown attackers getting access to their private environments and threatening their applications.

Text4Shell is a remote code execution (RCE) vulnerability that allows attackers to remotely access a server and run malicious code on it. RCE attacks have become very popular lately, with vulnerabilities like Log4Shell and WannaCry, due to the growth of cloud applications that expose APIs (REST, GraphQL, LDAP, etc.) in public environments.

These attacks are straightforward for hackers to attempt. All they have to do is scan the Internet for applications running a known vulnerable tech stack, and search for the right external endpoint that will allow them to inject their malicious code.

**How Does Text4Shell Work?**

The Apache Common Text library is a widely used Java library for text manipulation and other string algorithms. It is a common dependency in the supply chain for many OSS libraries, and is used directly by many Java applications too.

One of the library functions, to create interpolators to substitute variables from a string, has flawed logic as it executes part of a given string without using isolation. This oversight makes the string accessible to the whole environment. In practical words, if you have a REST API with a request parameter such as 'https://your.app/user/{userID}', you would manipulate this 'userID' variable, with the 'createInterpolation(userID)' function.

In the case of a public API, any attacker can replace the 'userID' parameter with malicious code and have it execute it in your environment. The worst case scenario of such an attack is taking remote shell control of your environment (this is why this class of vulnerabilities are called \*4Shell).

For future reading, this Palo Alto Networks post has a practical code example that you can run locally and see this flaw in action.

**Can We Proactively Prevent RCEs?**

While there is no way for enterprises to promise they will never be hacked, applying proactive DevSecOps methodology in progressive development organizations can save you a lot of pain in future RCEs and \*4Shell attacks.

Progressive DevSecOps approaches make a concerted effort to assess all of the potential risks in the entire software development lifecycle, from the supply chain of your application to the runtime in production. It doesn't stop there, though. The more critical part is then making it possible to easily create continuous automated pipelines to detect, estimate, and remediate such security vulnerabilities.

The following best practices list will guide you step by step in creating self-defending engineering organizations, that autonomously maintain security based on security domain expertise available to defend against known hacking vectors.

**1\. Continuously Run SCA Tools on Your Code Base**

Software Composition Analysis tools have been available for many years, with countless free and commercial tools that leverage online sources to detect vulnerable versions of libraries and tools used in software. Multiple tools out there differ in their level of inspection, and the quality and coverage of their vulnerability database. For Java, you can use open source tools such as OWASP dependency check (or commercial tools such as Snyk and Mend). Regardless of which you choose, you should find the SCA tool available for your tech stack and run it regularly. Some defense is better than no defense.

By running those tools periodically on the code base, you can detect any vulnerable versions of tools and libraries you are using in your supply chain, just in time. We recommend running it at least daily, while also continuously monitoring new code being pushed for any updates that may include vulnerable versions.

Another point is ensuring a well-defined strategy for updating versions of vulnerable third-party libraries and tools. You can get help through APIs like https://osv.dev, which collects data on vulnerabilities and the versions where they are resolved, and also create automated processes that commit the fixed version like the Dependabot or jit.io auto-remediation feature.

**2\. Use SAST Tools**

Vulnerabilities found in third-party libraries should not always receive the highest priority for remediation. In the Text4Shell example, if you do not use the 'createInterpolator()' function in the code, there really is no reason to prioritize the upgrade, as it isn't possible to practically exploit the vulnerability. (This Twitter thread by Simon Bennetts, creator of OWASP ZAP, can teach a lot about prioritizing real risk based on the Log4Shell example that still has many in a frenzy).

So — how can you know if this is being used anywhere in your code? By running SAST tools.Static analysis security test (SAST) tools, as their name suggests, statically scan your code with tools like Abstract Source Tree (AST) or other string scanning methods to find if there are any places in the code that are vulnerable to known issues. Updated versions of such tools will detect the vulnerable code and will alert you. Some of the tools will even offer a practical fix for the vulnerabilities, so you'll only need to replace the code with the patch they suggest.

You can find SAST tools that are specific to languages such as Bandit for Python and GoSec for Golang, but there are also cross-language tools such as SonarQube and SemGrep.

You can also define those tools to run as part of the automated CI/CD pipelines so that any relevant new issues will be caught in time to avoid their propagation to production.

**3\. Avoid Default Errors**

The explosion in the number of RCE attacks previously mentioned is the byproduct of the existence of public-facing APIs that provide attackers an easy way to explore the public Internet for vulnerable servers. The typical method is to create automated scripts that scan for error responses that use default error messages and pages – making it easy to identify the underlying technology. (For example, the Apache Java 404 default page, the most commonly used Web server, even today remains a gold mine for would-be attackers.) By wrapping any of the errors returned to users with a custom error, you make it hard for attackers to identify what server technology you used, for example.

Besides serving as a best practice for code reviews and code styling, many of the SAST and lint tools also provide the added benefit of monitoring every HTTP request static tree and alert about any raw error that is returned to the end user.

**4\. Configure Everything as Code**

By configuring everything as code, all configuration is protocoled, monitored, and managed in a reliable and searchable way that makes changes and rollbacks fast and quiet. Not only that, you can use automated tools such as KICS and Checkov to scan the configuration files for any vulnerable configurations before you even deploy it to a real environment. By running these tools you can verify critical configuration issues such as:

*   Overly privileged containers, to ensure the container can only run only the particular code it should and also verify the narrowest set of permissions (also called least privilege).
*   API configurations and access to endpoints, to ensure all requests are validated for any potential code injections.
*   Scanning code runners to ensure containers don't have egress call access to a white list of addresses.

Like other static analysis tools, those tools make it very easy to create automated CI/CD pipelines that ensure every configuration deployed is the safest one, that changes are monitored, and that the human error factor is minimized to as close to zero as possible.

**5\. Do Not Run Code on Native Machines and Use Least Privilege**

The biggest damage \*4Shell vulnerabilities can cause is when you run these processes as standard processes in a (virtual) machine. Running code in containers minimizes the damage to the current running environment and enables you to maintain a very narrow set of permissions and privileges for the container.

By monitoring containers to run only in needed processes, alongside limiting the users that run the applications to only the required permissions, you can ensure there will not be any impact on the sensitive areas attackers will want to infiltrate.

Running all your applications in containers and other standard cloud-native methods also helps define a centralized network and privilege configuration that wraps up all the running applications, avoiding any manual configurations that can easily go bad.

When your architecture scales, you can use tools such as Wiz, Orca, and other cloud-native security observability tools to ensure everything is properly defined in real time.

**6\. Employ Dynamic API Scanning**

Using DAST tools like ZAP, you can find out which of your applications are really vulnerable to Text4Shell. This can be useful if you have a large number of applications that are vulnerable, making it possible to prioritize fixing them, or if you need access to the source code. The ZAP Text4Shell Scan Rule is currently in the optional Alpha Active Scan Rules add-on and requires an OAST service in order to work.

**Faster Security == Dev Velocity**

We can't expect exploits to disappear, and it shouldn't surprise us when new \*4Shell or any other zero days appear. What we can do is have the right guardrails and controls in place, so that we can quickly discover and remediate these without wreaking too much havoc on our already bogged-down dev processes.

By taking action today, you essentially avoid being caught off guard tomorrow and disrupting engineering delivery. We're privileged to be in an age with excellent open source security tooling that integrates well with our CI/CD and stacks, and we should make an effort to employ them as often as possible. What's more, this doesn't even require domain expertise any longer; there are plenty of DevSecOps tools (and, as noted above, open source tools) that will do this for you, and even SaaS-based offerings for those who are willing to pay for it that will orchestrate this end to end. Don't leave your house open to strangers. Start with the easy stuff — lock the front door.

How Development Teams Should Respond to Text4Shell

Unique conditions contribute to outsized telecom fraud across the continent, but working together can bring solutions.

With the digital transformation of the post-pandemic world, Africa is seeing a massive technology revolution, especially in the telecom industry, which has shifted network infrastructure away from traditional services to more advanced commercial routers, switches, and servers. But this move hasn't been without some challenges — notably cybersecurity risks. Mordor Intelligence predicts that the entertainment and telecommunication market in Africa will register a compound annual growth rate (CAGR) of 11.2% between 2021 and 2026, but the industry must fiercely combat telecom fraud if it hopes to scale.

A persistent problem in Africa, telecom fraud was one of the central discussions at the recent Africa Tech Festival 2022, held Nov. 14-16 in Cape Town, South Africa. The event, produced by Informa Tech, focuses on technology developments and industry trends in Africa, elevating those at the forefront of digital inclusion.

In 2020, a report by the Sierra Leonean National Telecommunication Commission stated, "Africa is losing around $1.59 billion yearly to telecoms fraud." There's a huge market for attackers to exploit here, and unless organizations rethink their approach to telecom fraud, they'll fall behind the attackers. While this is a worrisome reality, it isn't all bleak for Africa.

**Telecom Fraud Thriving in Africa**

Telecom fraud is growing everywhere, but Africa has its own special conditions that leave it even more exposed to the growing threat. Termination rates to African countries are among the highest in the world, making international calls very expensive.

"The cost differential between international and national calls is frequently quite dramatic," Africa Tech attendee Gavin Stewart, vice president of sales at Oculeus, says. "Therefore, fraudsters commonly apply manipulation so that international traffic masquerades as local/national calls and therefore get cheaper rates. This is achieved by pushing the traffic down illegitimate routings, impersonating a local number ID, or both. This 'bypass' fraud activity is particularly endemic across Africa."

In roaming fraud, for example, fraudsters get hold of SIM cards and use them from overseas markets to call international revenue share numbers. It takes a minimum of three to four hours for the call records to arrive back at the home network for analysis, providing these cybercriminals ample time to fully exploit this revenue stream. The fraud can equally occur by way of a sim box where illegal international voice-over-IP (VoIP) calls are diverted onto local mobile networks. The criminals benefit from the international call charges, but because the call appears to be local, the operator is only paid for a local rate call.

Global telecom fraud usually involves CLI refiling, which Stewart describes as "a kind of bypass fraud where the identifying number of a call is deliberately manipulated to benefit from cheaper termination rates unfairly." He notes that these cheaper rates are commonly offered for national calls or calls between country pairs that have negotiated a special arrangement, or even calls between members of a large telco multi-country group. "As telco networks have largely migrated to newer SIP-based networks, the technology has inadvertently made it much easier to achieve such manipulations," he adds.

**Fighting Fire With Fire**

McKinsey reports that the African domestic e-payments market is expected to see revenues grow by approximately 20% yearly, reaching around $40 billion by 2025. Most of these payments are powered by banks and nonbank players innovating to reduce friction in domestic and cross-border payments to benefit consumers and businesses. The nonbank players in Africa are primarily telecommunications service providers and fintech organizations. The large volume of transactions in the industry is an appealing target for fraudsters.

"Africa has been a global pioneer in mobile money transactions. Equally, this new money transfer channel attracts new and complex fraud use cases. Whereas the traditional banking sector benefits from multiple security layers and controls, a fraudster or cybercriminal targeting mobile money transactions needs only to access a mobile network in order to appropriate funds," Stewart says.

The future, he opines, will be to turn the advanced techniques used by bad actors against the cybercriminals. "Since fraudsters are manipulating SIP protocols, it follows that SIP level real-time protection is vital. AI (artificial intelligence) is also widely employed by fraudsters to disguise their methods in increasingly subtle ways that can evade the logic of outmoded anti-fraud systems. It is incumbent on telcos to implement AI-based technologies if they are to have any hope of successfully detecting and mitigating AI-driven frauds today," Stewart says.

**Collaborating for a Common Cause**

Telecom fraud in Africa cuts across several strata, from multiple opt-in frauds to text messages and international call fraud, with the motherlode being mobile money transactions. However, Stewart believes anti-fraud professionals can band together to deal with the elephant in the room.

"Cybersecurity and anti-fraud professionals have a culture of mutual cooperation, even where they are working for rival companies. It's normal to share intelligence collaboratively since this is an industrywide fight. With the resumption of face-to-face networking, security professionals will exchange intelligence, in many cases concerning new fraud attack types which were themselves powered up by the pandemic conditions," he notes.

Beyond employing new technologies in the fight against fraud, companies in the telecoms industry must actively seek collaboration. "Fraudsters are extremely clever, highly organized, and will always exploit the weakest link. The telecoms community must work together to tackle the common threat and invest in innovative solutions to fight it. Telecoms networks that are not equipped with the highest quality security, insights and fraud protection will be the softest targets," says Clémentine Fournier, Africa regional vice president of sales for BICS.

Why Africa's Telecoms Must Actively Collaborate to Combat Fraud

Months after a fix was issued by a vendor, downstream Android device manufacturers still haven't patched, highlighting a troubling trend.

It's called a "patch gap" and describes the time it takes a fix for a known vulnerability to trickle down from software vendor to individual device manufacturers. And the latest casualties are the millions of Pixel, Samsung, Xiaomi, and other Android device brands.  

According to Google's Project Zero, after its team discovered five separate bugs in the ARM Mali GPU driver, ARM  "promptly" issued a patch in July and August. Yet, Project Zero reported that every test device they looked at this week remains vulnerable. 

Until there's a better solution for tightening up the lag between the time a patch is issued and reaches the wider ecosystem, it's up to security teams to remain "vigilant," the Google Project Zero team advised. 

"Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies," the patch gap report explained. "Minimizing the 'patch gap' as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'Patch Lag' Leaves Millions of Android Devices Vulnerable

The infostealer Aurora’s low detection rates and newcomer status are helping it fly under the radar, as more cybercriminal gangs target cryptocurrency wallets and communications apps.

A growing number of cybercriminal groups are turning to an information stealer named Aurora, which is based on the Go open source programming language, to target data from browsers, cryptocurrency wallets, and local systems.

A research team at cybersecurity firm Sekoia discovered at least seven malicious actors, which it refers to as "traffers," that have added Aurora into their infostealer arsenal. In some cases, it's being used in conjunction with the Redline or Raccoon infostealers as well.

More than 40 cryptocurrency wallets, and applications like Telegram, have been successfully targeted so far, according to the report, which highlighted Aurora's relative unknown status and elusive nature as tactical advantages.

Aurora was first discovered by the company in July and is thought to have been promoted on Russian-speaking forums since April, where its remote access features and advanced infomation-stealing capabilities were touted.

"In October and November 2022, several hundreds of collected samples and dozens of active C2 servers contributed to confirm SEKOIA.IO\['s\] previous assessment that Aurora stealer would become a prevalent infostealer," the company's blog post explained. "As multiple threat actors, including traffers teams, added the malware to their arsenal, Aurora Stealer is becoming a prominent threat."

The report also noted that cybercriminal threat actors have been distributing it using multiple infection chains. These run the gamut from phishing websites masquerading as legitimate ones, to YouTube videos and fake "free software catalog" websites.

"These infection chains leverage phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites," the blog post continued.

The company's analysis also highlights two infection chains currently distributing the Aurora stealer in the wild, one through a phishing site impersonating Exodus Wallet and another from a YouTube video from a stolen account on how to install cracked software for free.

The malware uses a simple file-grabber configuration to gather a list of directories to search for files of interest. It then communicates using TCP connection on ports 8081 and 9865, with 8081 being the most widespread open port. The exfiltrated files are then encoded in base64 and sent to the command-and-control server (C2).

The collected data is offered at high prices on various marketplaces to cybercriminals looking to carry out lucrative follow-up campaigns, in so-called "big-game hunting" operations that go after large companies and government-sector targets, according to the researchers.

**Open Source Malware Rising in Popularity**

A growing number of malicious actors are building malware and ransomware with open source programming languages like Go, which offers increased flexibility.

Go's cross-platform capability enables a single codebase to be compiled into all major operating systems. This makes it easy for threat actors, such as the ones behind BianLian, to make constant changes and add new capabilities to a malware to avoid detection.

The operators of the cross-platform BianLian ransomware have actually increased their C2 infrastructure in recent months, indicating an acceleration in their operational pace.

Uncommon programming languages — including Go, Rust, Nim, and DLang — are also becoming favorites among malware authors seeking to bypass security defenses or address weak spots in their development process, according to a report last year from BlackBerry.

Hot Ticket: 'Aurora' Go-Based InfoStealer Finds Favor Among Cyber-Threat Actors

Chinese threat actors have already used the vulnerable and pervasive Boa server to infiltrate the electrical grid in India, in spate of malicious incidents.

Microsoft this week identified a gaping attack vector for disabling industrial control systems (ICS), which is unfortunately pervasive throughout critical infrastructure networks: the Boa Web server.

The computing giant has identified vulnerabilities in the server as the initial access point for successful attacks on the Indian energy sector earlier this year, carried out by Chinese hackers. But here's the kicker: It's a Web server that's been discontinued since 2005.

It may seem strange that a nearly 20-year-old end-of-life server is still hanging around, but Boa is included in a range of popular software developer kits (SDKs) that Internet of Things device developers use in their design of critical components for ICS, according to Microsoft. As such, it's still used across myriad IoT devices to access settings, management consoles, and sign-in screens for devices on industrial networks — which leaves critical infrastructure vulnerable to attack on a large scale.

These include SDKs released by RealTek that are used in SOCs provided to companies that manufacture gateway devices like routers, access points, and repeaters, researchers noted.

In April, Recorded Future reported on attacks on the Indian power sector that researchers attributed to a Chinese threat actor tracked as RedEcho. The activity targeted organizations responsible for carrying out real-time operations for grid control and electricity dispatch within several northern Indian states, and it occurred throughout the year.

It turns out that the vulnerable component in the attacks was the Boa Web server. According to a Microsoft Security Threat Intelligence blog post published Nov. 22, the Web servers and the vulnerabilities they represent in the IoT component supply chain are often unbeknownst to developers and administrators who manage the system and its various devices. In fact, admins often don't realize that updates and patches aren't addressing the Boa server, the researchers said.

"Without developers managing the Boa Web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files," researchers wrote in the post.

**Making the Discovery**

It took some digging to identify that the Boa servers were the ultimate culprit in the Indian energy-sector attacks, the researchers said. First they noticed that the servers were running on the IP addresses on the list of indicators of compromise (IoCs) published by Recorded Future at the time of the release of the initial report last April, and also that the electrical grid attack targeted exposed IoT devices running Boa, they said.

Moreover, half of the IP addresses returned suspicious HTTP response headers, which might be associated with the active deployment of the malicious tool that Recorded Future identified was used in the attack, the researchers noted.

Further investigation of the headers indicated that more than 10% of all active IP addresses returning the headers were related to critical industries — including the petroleum industry and associated fleet services — with many of the IP addresses assigned to IoT devices with unpatched critical vulnerabilities. This highlighted "an accessible attack vector for malware operators," according to Microsoft.

The final clue was that most of the suspicious HTTP response headers that researchers observed were returned over a short time frame of several days, which linked them to likely intrusion and malicious activity on networks, they said.

**Gaping Security Vulnerabilities in the Supply Chain**

It's no secret that the Boa Web server is full of holes — notably including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558) — that are unpatched and need no authentication to exploit, the researchers said.

"These vulnerabilities may allow attackers to execute code remotely after gaining device access by reading the 'passwd' file from the device or accessing sensitive URIs in the Web server to extract a user's credentials," they wrote.

"Critical vulnerabilities such as CVE-2021-35395, which affected the digital administration of devices using RealTek's SDK, and CVE-2022-27255, a zero-click overflow vulnerability, reportedly affect millions of devices globally and allow attackers to launch code, compromise devices, deploy botnets, and move laterally on networks," they said.

While patches for the RealTek SDK vulnerabilities are available, some vendors may not have included them in their device firmware updates, and the updates do not include patches for Boa vulnerabilities — factors that also make the existence of Boa Web servers in ICS ripe for exploitation, researchers added.

**Current Threat Activity and Mitigation**

Microsoft's research indicates that Chinese attackers have successfully targeted Boa servers as recently as late October, when the Hive threat group claimed a ransomware attack on Tata Power in India. And in their continued tracking of the activity, researchers continued to see attackers attempting to exploit Boa vulnerabilities, "indicating that it is still targeted as an attack vector" and will continue to be one as long as these servers are in use.

For this reason, it's crucial for ICS network administrators to identify when the vulnerable Boa servers are in use and to patch vulnerabilities wherever possible, as well as take other actions to mitigate risk from future attacks, researchers said.

Specific steps that can be taken include using device discovery and classification to identify devices with vulnerable components by enabling vulnerability assessments that identify unpatched devices in the network and set workflows for initiating appropriate patch processes with solutions.

Administrators also should extend vulnerability and risk detection beyond the firewall to identify Internet-exposed infrastructure running Boa Web server components, researchers said. They also can reduce the attack surface by eliminating unnecessary Internet connections to IoT devices in the network, as well as applying the practice of isolating with firewalls all IoT and critical-device networks.

Other actions to consider for mitigation include using proactive antivirus scanning to identify malicious payloads on devices; configuring detection rules to identify malicious activity whenever possible; and adopting a comprehensive IoT and OT solution to monitor devices, respond to threats, and increase visibility to detect and alert when IoT devices with Boa are used as an entry point to a network.

Microsoft: Popular IoT SDKs Leave Critical Infrastructure Wide Open to Cyberattack

Fueling the trend are the rising adoption of cloud computing solutions, technology advancements, stricter data safety regulations, and the move to digitalization, says Brandessence Market Research.

**LONDON, Nov. 23, 2022 /PRNewswire/** — The Global Penetration Testing Market is poised to reach a valuation of USD 5.28 Billion in 2028 from USD 1.87 Billion in 2021, registering a CAGR of 15.97% over the forecast duration.

Penetration test is referred to as a type of ethical hacking that is deliberately performed on a computer system to assess its security while identifying exploitable vulnerabilities. The testers adopt similar equipment, tool, and tactics used by cyberattacks. This is mainly done to deceive the criminals by distributing decoys and traps in the system that resemble the genuine assets. Organizations that are highly prone to cybercrime adopt this testing method to ensure the overall safety of their computer infrastructure.

The growth occurrences of cyberattacks, rising adoption of cloud computing solutions, along with technology advancements in the field are primarily augmenting the outlook of this business vertical. Further, the booming IT industry, stringent data safety regulations, and rapidly evolving technological infrastructure across various regions are creating lucrative opportunities for this marketplace to prosper.

Also, rising R&D activities in the field, surging digitalization trends across various industry verticals, coupled with increasing number of data centres worldwide, are adding traction to the development of Global Penetration Testing Market. Moreover, escalating demand for high-speed internet connection, rising popularity of remote working, and increasing incidences of cyberattack sophistication are stimulating the overall dynamics for this industry vertical. On the flip side, high costs pertaining to penetration tests and dearth of skilled professionals in the field are hindering the remuneration scope of this business sphere.

**Get Sample of \[email protected\] https://brandessenceresearch.com/downloadSample/PostId/2143**

**Competitive Hierarchy**

The prominent players characterizing the competitive Terrain of Global Penetration Testing Market are:

*   Checkmarx
*   Coalfire Systems
*   Core Security Technologies
*   FireEye
*   HackerOne Inc.
*   ImmuniWeb SA
*   Indium Software
*   International Business Machines Corporation
*   Netragard LLC
*   Netsparker Ltd
*   OffSec Services Limited
*   Micro Focus International plc
*   Acunetix
*   Others.

These companies are trying to enhance their position in the global market. They are adopting various strategies, including mergers & acquisitions, product launches, R&D investments, partnerships, and collaborations, among others to stay ahead of the curve.

**Global Penetration Testing Market Segmentation:**

**By Type:**

*   Wireless Network Penetration Testing Services
*   Network Penetration Testing
*   Web Application Penetration Testing
*   Social Engineering Penetration Testing
*   Mobile Application Penetration Testing
*   Others

**By Deployment:**

*   Cloud
*   On-premises

**By End-User:**

*   Healthcare
*   Government & Defense
*   Retail
*   BFSI
*   IT & Telecom
*   Others

**Category-Wise Outlook**

**Which is the leading deployment mode segment in this business sphere?**

The on-premises segment presently dominates the market in terms of volume share since it provides high control and flexibility to end-use enterprises which reducing the risks of data losses.

**Which end-user segment is poised to amass notable gains over the estimated timeline?**

The healthcare segment is anticipated to generate significant returns over the estimated timeline. This is credited to the rising adoption of EHR and telehealth solutions, which in turn increases the susceptibility of healthcare organizations to various forms of cybercrimes.

**Get Methodology @** **https://brandessenceresearch.com/requestMethodology/PostId/2143**

**Comparing the historical outlook and ongoing trends of this market**

This industry has been generating significant returns due to the presence of various expansion propellants across the globe.

There has been rising occurrence of cyberattacks across various industry verticals worldwide. In fact, the crime dwellers have begun adopting advanced technologies such as AI, analytics, and ML to sophisticate cyber-attacks. Such attacks tend to go unnoticed or undetected since most of the organizations lack preparedness and high-end tools. Many enterprises incur massive financial losses due to such attacks which in turn also affects their reputation in the market. This has increased the demand for effective tools and tactics to minimize the risk of sophisticated cybercrimes across numerous organizations.

The rising digitalization trend across a wide range of industries has resulted in the rising data privacy concerns. Due to widespread internet proliferation and growing adoption of smart devices, sectors such as healthcare, education, and retail, among others are trying to streamline their operations with an aim to reduce their overall expenses while leaving no room for human errors. But this has provided hackers with profitable opportunities since they can easily crack into the system of these organizations and procure confidential data. After getting their hands on these valuable assets, cybercriminals sell them on the dark web and earn massive profits. Therefore, many of these organizations have strengthened their cybersecurity entities which in turn is increasing the deployment of penetration testing solutions.

The onset of the COVID-19 pandemic is adding momentum to the progression of Global Penetration Testing market. Stringent lockdowns completely restricted the mobility of the masses and led to the temporary closure of commercial complexes. This pushed organizations to shift to a virtual mode of operations, thereby popularizing remote working trends. Unfortunately, this resulted in the surging occurrence of cyberattacks which in turn necessitated the deployment of effective tactics and tools to ensure user data safety and privacy during online communications, data transfer, and other activities.

**Region-Wise Insights**

**Which is the fastest growing region in this industry vertical?**

North America has emerged as one of the most rapidly growing regions in this marketplace owing to rapid internet proliferation, growing adoption of smart devices, and rising disposable income of the masses.

**How is Asia-Pacific faring in the marketplace?**

Asia Pacific is reckoned to capture a substantial revenue share over the forecast timeframe due to the rising occurrence of cyberattacks, the booming IT sector, and technological innovations in the field.

**Major Developments**

In June 2022, Synopsys announced the acquisition of Whitehat Security to strengthen its overall portfolio in this vertical.

**On Special Requirement,** **Penetration Testing Market Report is also available for regions listed below:**

**North America**

*   U.S, Canada

**Europe**

*   Germany, France, U.K., Italy, Spain, Sweden, Netherland, Turkey, Switzerland, Belgium, Rest of Europe

**Asia-Pacific**

*   South Korea, Japan, China, India, Australia, Philippines, Singapore, Malaysia, Thailand, Indonesia, Rest Of APAC

**Latin America**

*   Mexico, Colombia, Brazil, Argentina, Peru, Rest of Latin America

**Middle East and Africa**

*   Saudi Arabia, UAE, Egypt, South Africa, Rest Of MEA

**Purchase Copy of Report @ https://brandessenceresearch.com/Checkout?report\_id=2143**

**Related Reports:**

*   Security Information and Event Management Market is valued at USD 4.21 Billion in 2021 and is expected to reach USD 6.62 Billion by 2028 with a CAGR of 8.1% over the forecast period.
*   Security Orchestration Automation and Response (SOAR) Market is valued at USD 1.16 Billion in 2021 and is expected to reach USD 3.19 Billion by 2028 with a CAGR of 15.58% over the forecast period.
*   Application Security Market is valued at USD 7041.2 Million in 2021 and is expected to reach USD 20880.7 Million by 2028 with a CAGR of 16.8% over the forecast period.
*   Security and Vulnerability Management Market are valued at USD 11.26 Billion in 2021 and expected to reach USD 21.38 Billion by 2028 with a CAGR of 9.6% over the forecast period.
*   Chemical Sensor Market is valued at USD 25.46 Billion in 2021 and is expected to reach USD 42.23 Billion by 2028 with a CAGR of 7.5% over the forecast period.
*   Image Sensor Market is valued at USD 20.62 Billion in 2021 and is expected to reach USD 36.78 Billion by 2028 with a CAGR of 8.62% over the forecast period.
*   Ultrasonic Sensors Market is valued at USD 6.29 Billion in 2021 and expected to reach USD 13.74 Billion by 2028 with a CAGR of 11.8% over the forecast period.
*   Smart Sensors Market is valued at USD 42.74 Billion in 2021 and expected to reach USD 145.30 Billion by 2028 with the CAGR of 19.1% over the forecast period.
*   CMOS Image Sensor Market is valued at USD 16.82 Billion in 2021 and is expected to reach USD 23.04 Billion by 2028 with a CAGR of 8.65% over the forecast period.

**Brandessence Market Research & Consulting Pvt ltd.**

Brandessence Market Research publishes market research reports & business insights produced by highly qualified and experienced industry analysts. Our research reports are available in a wide range of industry verticals including aviation, food & beverage, healthcare, ICT, Construction, Chemicals, and lot more. Brand Essence Market Research report will be best fit for senior executives, business development managers, marketing managers, consultants, CEOs, CIOs, COOs, and Directors, governments, agencies, organizations, and Ph.D. Students. We have a delivery center in Pune, India, and our sales office is in London.

**Follow Us:** LinkedIn **Blog:** **Top 5 Electric Air Taxi Market**

SOURCE: Brandessence Market Research and Consulting Private Limited

Penetration Testing Market Size Is Projected to Reach $5.28B Globally by 2028

New laws have made the current US privacy landscape increasingly complex.

With 65% of the global population expected to have its personal data covered under modern privacy regulations by 2023, respecting data privacy has never been more critical. As an example, the introduction of the federal American Data Privacy and Protection Act (ADPPA), along with the recent passage of a patchwork of state-level privacy laws, has made the current US privacy landscape increasingly complex. This results in challenges for organizations, both in managing exploding volumes of data and understanding how specific data privacy regulations apply to them.

As businesses of all sizes try to remain on top of ever-changing data privacy laws and proactively monitor relevant rules, they should also be taking necessary steps to map where consumer and employment data lives, and the potential risks to that data. By bolstering cybersecurity defenses, organizations can be better prepared for data privacy regulations, now and in the future.

Let's remember why this has become so vital. First, consumers and employees are more informed than ever about personal rights and how data privacy regulations apply to them. This is an important and positive development, considering the dramatic increase in the risk of fines and litigation for noncompliance — one of the foundations necessary for protecting individual rights.

The convergence of personally identifiable information (PII) and protected health information (PHI) also represents data risks. For example, payment information from an insurance claim, along with an email address and other digital breadcrumbs found on the Internet, can be used to steal identities or result in data exfiltration. In addition, the adoption and long-term acceptance of hybrid work models can create challenges. Some organizations ask their employees very focused questions about behaviors and work-from-home arrangements for measuring productivity. Depending on the specific questions, there could be further privacy implications.

**Landscape of Confusion**

Given the vast varieties and jurisdictions of the current data privacy and protection regulations, there can be some confusion. For example, US companies located in North Dakota that conduct business domestically may be somewhat less preoccupied with rules that apply overseas. By contrast, for US organizations offering goods and services in the UK or EU, regulations such as the General Data Protection Regulation (GDPR) — along with the potential for penalties if they are breached — may well apply.

Additionally, in some organizations preconceptions related to the size of the company could cause compliance or regulatory issues, such as believing a company is too small for the data privacy regulations to apply. While it's true that most of the newer regulations focus on companies of a certain size, the actual sizing criteria may relate to a range of factors, such as the number of employees or annual revenue. Whether data privacy regulations apply or not might also depend on the volume of consumer information an organization handles.

The point is, every set of regulations has nuances, which is why it's important to understand both the relevance and boundaries of each. This should be monitored under regular review, particularly as organizations grow and regulations begin to apply where they didn't before. For instance, there have been recent developments around the new EU–UK Data Privacy Framework, also known as Privacy Shield 2.0, concerning intelligence activities.

A good rule of thumb is to follow best practices as soon as possible, so when the need for formal compliance arrives, everything is in place. The risk of getting it wrong is serious, with organizations potentially facing massive fines for non-compliance. That says nothing of the impact to brand reputation when a serious breach is revealed, including loss of consumer, employee, or investor confidence, where the effects can be prolonged and painful.

**Time for Federal Laws?**

New data privacy laws are being proposed on a regular basis. There are five US states set to have key regulations going into effect in 2023: California, Virginia, Colorado, Connecticut, and Utah. With 10% of US states to be covered by data privacy legislation by the end of next year, it's clear that a federal law would be useful.

In particular, federal legislation could play a critical role in aligning the US with other countries on the subject of data privacy. It would also provide vendors and users with much-needed clarity on how to use, store, and manage sensitive data. This alone would go a long way in clearing up the widespread confusion that abounds due to the existing patchwork of regulation. While the exact timing of federal legislation like the proposed ADPPA is unclear, it's not a matter of if, but when.

Overall, data and the laws that govern its protection exist within a rapidly evolving regulatory ecosystem. Further change — both domestically and internationally — is inevitable. Therefore, organizations must focus on the short- and long-term responsibilities of handling and safeguarding data. It's not just the right thing to do ethically and morally, it also represents sound decision making for the health of the business.

Where Are We Heading With Data Privacy Regulations?

As the open source social media network grabs the spotlight as a Twitter replacement, researchers caution about vulnerabilities.

From an anonymous server collecting user information to configuration errors that create vulnerabilities, infosec experts are pointing out security holes in Mastodon, which, seen as a replacement for Twittern is experiencing massive user growth — and an increased scrutiny of its flaws.  

Unlike other social media apps, which have a central authority, Mastodon is a federation of servers that can communicate with each other but which are maintained and run separately by independent admins. That means different rules, different configurations, and sometimes different software versions could apply to different users and postings.

One of the most popular "instances" — the Mastodon term for individual servers/communities — for the cybersecurity community is infosec.exchange, and its members certainly scrutinize its configuration. Gareth Heyes (@gaz on infosec.exchange), a researcher at PortSwigger, uncovered an HTML injection vulnerability stemming from attributes of the specific software fork used.

In another example from a recent Security Week article, Lenin Alevski (@alevsk on infosec.exchange), a security software engineer at MinIO, pointed out a system misconfiguration that would allow him to download, modify, or delete everything in the instance's S3 cloud storage bucket.

Finally, researcher Anurag Sen (@hak1mlukha on infosec.exchange) discovered an anonymous server that was scraping Mastodon user data.

**Twitter Users Flock to Mastodon**

Until recently, Mastodon was considered part of the social-media underground, an alternative to Twitter created in 2016 as an escape hatch in the face of buyout rumors. When Elon Musk first agreed to buy the microblogging behemoth back in April, Mastodon gained 30,000 new users in a day, compared with a more typical growth of below 2,000 a day. But that's a drop in the bucket compared with the 135,000 new users who joined on Nov. 7.

"Treat the Fediverse and any Mastodon instance as a place to share information, connect, and collaborate in the same way you'd do those things in person in a town square or public coffee shop. In short, don't use Mastodon to send sensitive, personal, or private information you wouldn't be comfortable posting publicly anyway," said Melissa Bischoping, director and endpoint security research specialist at Tanium, via email.

"Aside from the code, the way Mastodon is segmented means one or two people who administer a particular instance are the weak link in the security model," added David Maynor, senior director of threat intelligence at Cybrary. "My moving advice is firmly 'buyer beware.'"

Of course, Twitter is no stranger to security issues, so _caveat emptor_ is timeless and universal.

Cybersecurity Pros Put Mastodon Flaws Under the Microscope

An AI's "world" only includes the data on which it was trained, so it otherwise lacks context — opening the door for creative attacks from cyber adversaries.

Artificial intelligence and machine learning (AI/ML) systems trained using real-world data are increasingly being seen as open to certain attacks that fool the systems by using unexpected inputs.

At the recent Machine Learning Security Evasion Competition (MLSEC 2022), contestants successfully modified celebrity photos with the goal of having them recognized as a different person, while minimizing obvious changes to the original images. The most common approaches included merging two images — similar to a deepfake — and inserting a smaller image inside the frame of the original.

In another example, researchers from the Massachusetts Institute of Technology (MIT), University of California at Berkeley, and FAR AI found that a professional-level Go AI — that is, for the ancient board game — could be trivially beaten with moves that convinced the machine that the game had completed. While the Go AI could defeat a professional or amateur Go player because they used a logical set of movies, an adversarial attack could easily beat the machine by making decisions that no rational player would normally make.

These attacks highlight that while AI technology may work at superhuman levels and even be extensively tested in real-life scenarios, it continues to be vulnerable to unexpected inputs, says Adam Gleave, a doctoral candidate in artificial intelligence at the University of California at Berkeley, and one of the primary authors of the Go AI paper.

"I would default to assuming that any given machine learning system is insecure," he says. "\[W\]e should always avoid relying on machine learning systems, or any other individual piece of code, more than is strictly necessary \[and\] have the AI system recommend decisions but have a human approve them prior to execution."

All of this underscores a fundamental problem: Systems that are trained to be effective against "real-world" situations — by being trained on real-world data and scenarios — may behave erratically and insecurely when presented with anomalous, or malicious, inputs.

The problem crosses applications and systems. A self-driving car, for example, could handle nearly every situation that a normal driver might encounter while on the road, but act catastrophically during an anomalous event or one caused by an attacker, says Gary McGraw, a cybersecurity expert and co-founder of the Berryville Institute of Machine Learning (BIML).

"The real challenge of machine learning is figuring out how to be very flexible and do things as they are supposed to be done usually, but then to react correctly when an anomalous event occurs," he says, adding: "You typically generalize to what experts do, because you want to build an expert ... so it's what clueless people do, using surprise moves ... that can cause something interesting to happen."

**Fooling AI (And Users) Isn't Hard**

Because few developers of machine learning models and AI systems focus on adversarial attacks and using red teams to test their designs, finding ways to cause AI/ML systems to fail is fairly easy. MITRE, Microsoft, and other organizations have urged companies to take the threat of adversarial AI attacks more seriously, describing current attacks through the Adversarial Threat Landscape for Artificial-Intelligence Systems (ATLAS) knowledge base and noting that research into AI — often without any sort of robustness or security designed in — has skyrocketed.

Part of the problem is that non-experts who do not understand the mathematics behind machine learning often believe that the systems understand context and the world in which it operates. 

Large models for machine learning, such as the graphics-generating DALL-e and the prose-generating GPT-3, have massive data sets and emergent models that appear to result in a machine that reasons, says David Hoelzer, a SANS Fellow at the SANS Technical Institute. 

Yet, for such models, their "world" includes only the data on which they were trained, and so they otherwise lack context. Creating AI systems that act correctly in the face of anomalies or malicious attacks requires threat modeling that takes into account a variety of issues.

"In my experience, most who are building AI/ML solutions are not thinking about how to secure the ... solutions in any real ways," Hoelzer says. "Certainly, chatbot developers have learned that you need to be very careful with the data you provide during training and what kinds of inputs can be permitted from humans that might influence the training so that you can avoid a bot that turns offensive."

At a high level, there are three approaches to an attack on AI-powered systems, such as those for image recognition, says Eugene Neelou, technical director for AI safety at Adversa.ai, a firm focused on adversarial attacks on machine learning and AI systems.

Those are: embedding a smaller image inside the main image; mixing two sets of inputs — such as images — to create a morphed version; or adding specific noise that causes the AI system to fail in a specific way. This last method is typically the least obvious to a human, while still being effective against AI systems.

In a black-box competition to fool AI systems run by Adversa.ai, all but one contestant used the first two types of attacks, the firm stated in a summary of the contest results. The lesson is that AI algorithms do not make systems harder to attack, but easier because they increase the attack surface of regular applications, Neelou says.

"Traditional cybersecurity cannot protect from AI vulnerabilities — the security of AI models is a distinct domain that should be implemented in organizations where AI/ML is responsible for mission-critical or business-critical decisions," he says. "And it's not only facial recognition — anti-fraud, spam filters, content moderation, autonomous driving, and even healthcare AI applications can be bypassed in a similar way."

**Test AI Models for Robustness**

Like other types of brute-force attacks, rate limiting the number of attempted inputs can also help the creators of AI systems prevent ML attacks. In attacking the Go system, UC Berkeley's Gleave and the other researchers built their own adversarial system, which repeatedly played games against the targeted system, raising the victim AI's difficulty level as the adversary became increasingly successful.

The attack technique underscores a potential countermeasure, he says.

"We assume the attacker can train against a fixed 'victim' agent for millions of time steps," Gleave says. "This is a reasonable assumption if the 'victim' is software you can run on your local machine, but not if it's behind an API, in which case you might get detected as being abusive and kicked off the platform, or the victim might learn to stop being vulnerable over time — which introduces a new set of security risks around data poisoning but would help defend against our attack."

Companies should continue following security best practices, including the principle of least privilege — don't give workers more access to sensitive systems than they need or rely on the output of those systems more than necessary. Finally, design the entire ML pipeline and AI system for robustness, he says.

"I'd trust a machine learning system more if it had been extensively adversarially tested, ideally by an independent red team, and if the designers had used training techniques known to be more robust," Gleave says.

Adversarial AI Attacks Highlight Fundamental Security Issues

The Vietnam-based financial cybercrime operation's primary goal is to push out fraudulent ads via compromised business accounts.

A financially motivated threat actor targeting individuals and organizations on Facebook's Ads and Business platform has resumed operations after a brief hiatus, with a new bag of tricks for hijacking accounts and profiting from them.

The Vietnam-based threat campaign, dubbed Ducktail, has been active since at least May 2021 and has affected users with Facebook business accounts in the United States and more than three dozen other countries. Security researchers from WithSecure (formerly F-Secure) who are tracking Ducktail have assessed that the threat actor's primary goal is to push out ads fraudulently via Facebook business accounts to which they manage to gain control.

**Evolving Tactics**

WithSecure spotted Ducktail's activity earlier this year and disclosed details of its tactics and techniques in a July blog post. The disclosure forced Ducktail's operators to suspend operations briefly while they devised new methods for continuing with their campaign.

In September, Ducktail resurfaced with changes to the way it operates and to its mechanisms for evading detection. Far from slowing down, the group appears to have expanded its operations, onboarding multiple affiliate groups to its campaign, WithSecure said in a report on Nov. 22.

In addition to using LinkedIn as an avenue for spear-phishing targets, as it did in previous campaigns, the Ducktail group has now begun using WhatsApp for targeting users as well. The group has also tweaked the capabilities of its primary information stealer and has adopted a new file format for it, to evade detection. Over the course of the last two or three months, Ducktail also has registered multiple fraudulent companies in Vietnam, apparently as a cover for obtaining digital certificates for signing its malware.

"We believe the Ducktail operation uses hijacked business account access purely to make money by pushing out fraudulent ads," says Mohammad Kazem Hassan Nejad, a researcher at WithSecure Intelligence. 

In situations where the threat actor gains access to the finance editor role on a compromised Facebook business account, they also have the ability to modify business credit card information and financial details, such as transactions, invoices, account spending, and payment methods, Nejad says. This would allow the threat actor to add other businesses to the credit card and monthly invoices, and use the linked payment methods to run ads.

"The hijacked business could therefore be used for purposes such as advertising, fraud, or even to spread disinformation," Nejad says. "The threat actor could also use their newfound access to blackmail a company by locking them out of their own page."

**Targeted Attacks**

The tactic of Ducktail's operators is to first identify organizations that have a Facebook Business or Ads account and then target individuals within those companies whom they perceive as having high-level access to the account. Individuals the group has typically targeted include people with managerial roles or roles in digital marketing, digital media, and human resources. 

The attack chain starts with the threat actor sending the targeted individual a spear-phishing lure via LinkedIn or WhatsApp. Users who fall for the lure end up having Ducktail's information stealer installed on their system. The malware can carry out multiple functions, including extracting all stored browser cookies and Facebook session cookies from the victim machine, specific registry data, Facebook security tokens, and Facebook account information. 

The malware steals a wide range of information on all businesses associated with the Facebook account, including name, verification stats, ad spending limits, roles, invite link, client ID, ad account permissions, permitted tasks, and access status. The malware collects similar information on any ad accounts associated with the compromised Facebook account.

The information stealer can "steal information from the victim's Facebook account and hijack any Facebook Business account to which the victim has sufficient access by adding attacker-controlled email addresses into the business account with administrator privileges and finance editor roles," Nejad says.  Adding an email address to a Facebook Business account prompts Facebook to send a link via email to that address — which, in this case, is controlled by the attacker. The threat actor uses that link to gain access to the account, according to WithSecure.

Threat actors with admin access to a victim's Facebook account can do a lot of damage, including taking full control of the business account; viewing and modifying settings, people, and account details; and even deleting the business profile outright, Nejad says. When a targeted victim might not have sufficient access to allow the malware to add the threat actor’s email addresses, the threat has actor relied on the information exfiltrated from the victims’ machines and Facebook accounts to impersonate them.

**Building Smarter Malware**

Nejad says that prior versions of Ducktail's information stealer contained a hard-coded list of email addresses to use for hijacking business accounts. 

"However, with the recent campaign, we observed the threat actor removing this functionality and relying entirely on fetching email addresses directly from its command-and-control channel (C2)," hosted on Telegram, the researcher says. Upon launch, the malware establishes a connection to the C2 and waits for a duration of time to receive a list of attacker-controlled email addresses in order to proceed, he adds.

The report lists several steps that organization can take to mitigate exposure to Ducktail-like attack campaigns, beginning with raising awareness of spear-phishing scams targeting users with access to Facebook business accounts. 

Organizations should also enforce application whitelisting to prevent unknown executables from running, ensure that all managed or personal devices used with company Facebook accounts have basic hygiene and protection in place, and use private browsing to authenticate each work session when accessing Facebook Business accounts.

Source

DARKReading