While it has been a perennial forecast that efficient universal quantum computers are “a decade away,” that prospect now seems a legitimate possibility. Organizations need to get ready now.

Public announcement of the 433-qubit IBM Quantum Osprey processor at the 2022 IBM Quantum Computing Summit on Nov. 9 represents another evolutionary milestone in the development of universal quantum computers. Not content with the increase in computational power provided by the Osprey quantum processor unit (QPU), IBM intends to release the 1,121-qubit Condor processor in 2023, followed by the Kookaburra platform with over 4,158 qubits in 2025. Kookaburra will exploit quantum parallelization of large processors, and its planned release will coincide with the availability of enhanced error-correction tooling that is essential for the practical application of IBM's vision of quantum-centric supercomputing.

The near prospect of scalable multi-QPU clustering, underpinned by growth in the size of universal quantum processors, means that increased attention must now be paid to the disruptive effects associated with quantum computing. While the research investment, technical skills, and operational considerations associated with the development of universal quantum computers suggest an adoption path analogous to that of digital supercomputers, with centralized availability of computing resources concentrated in the hands of wealthy corporations, international scientific collaboratives, and nation-states, the implications of the IBM development trajectory affect us all.

Back in 1994, two significant events in the history of quantum computing occurred when the publication of an algorithm by Peter Shor was followed in August of that year by the first NIST Workshop on Quantum Computing and Communication. Side-stepping the complex mathematics involved, in the context of the cryptographic methods we currently use to protect data, Shor’s algorithm established a method for efficiently resolving the prime factors of a given number using quantum computation. Lov Grover subsequently defined a different quantum mechanical algorithm in 1996 that delivers an exponential reduction in the time required to search for a discrete value within a list of possible alternatives.

Shor’s algorithm is significant because it provides an efficient means to derive the cryptographic keys on which modern public key cryptography depends, rendering established cryptographic methods such as RSA and Diffie-Hellman key exchange obsolete. Grover’s contribution affects existing data security practices because it reduces the effective bit-length security of symmetric AES cryptographic keys by half under a fault-tolerant quantum brute-force attack.

**It's Time To Get Ready for Quantum Computing****

The implications of universal quantum computers for our data security are well documented. Indeed, IBM reiterated the issues for data encryption in its announcement of the IBM Osprey QPU, commenting on the need for the industry to prepare for the inevitable impact now. It’s worth noting, however, that to defeat RSA 2,048-bit cryptography, approximately 6,190 fault-tolerant logical qubits would be needed — predicating parallel configuration of large QPUs. Even with computation resources at the necessary scale, the effective computational cost of breaking RSA 2048-bit encryption remains in excess of _1.17 megaqubitdays_ (i.e., 1.17 million qubits performing a prime factorization attack in a 24-hour period).

While it has been a perennial forecast that efficient universal quantum computers are “a decade away,” that prospect now seems a legitimate possibility. Neven's Law of double exponential improvement in quantum computational power may soon be observed in the pace of technical development. The 1994 NIST Workshop on Quantum Computing gave rise to the NIST Post-Quantum Cryptography Standardization project, which seeks to derive new cryptographic protocols that are resistant to quantum attacks and assume increased importance in the wake of the IBM Osprey announcement. The search for effective post-quantum cryptography (PQC) was advanced in July 2022, following the third round of algorithm evaluations, with the communication by NIST that four algorithms are candidates for standardization. The search continues, with a fourth round of evaluation now underway.

So, how should organizations heed the advice of IBM and providers of data security in order to adapt to the immanence of quantum-centric supercomputing? The first practical step is to recognize the implications of the new quantum paradigm and the importance of maintaining a flexible approach to developments in PQC. Under an expectation that universal quantum computers of the scale necessary to perform effective attacks on today's encrypted data will be concentrated in the hands of sufficiently capable service providers and nation-states, companies must consider that encrypted data appropriated today could be successfully decrypted in years to come.

The lifespan of data and its sensitivity must, therefore, be considered within contemporary risk assessments. Where exposure of data in the quantum era must be prevented, organizations should consider the adoption of the early candidate algorithms for NIST standardization. This requires the implementation of key management systems and cryptographic interfaces that retain the necessary agility should new PQC algorithms supersede the methods selected at this point in time. If standards change, or candidate protocols are found to be exploitable, it is vital that data can be encrypted to new levels of security, without constraint.

****Handle With Care**

A second, more cerebral, step in preparing for the impact of quantum computing at scale is to reflect on the way that quantum-centric supercomputing, as envisioned by IBM and others, will affect the way that sensitive data must be handled during processing. Whereas migration to public cloud services has yielded new operational models and economies of scale for customer organizations, it also has brought challenges in terms of the dual concerns regarding data sovereignty and retention of control over data security by the data owner. Understanding the additional implications for data security, and the competitive advantages to be gained from the adoption of quantum computing methods, should now be the focus of senior data and information security professionals and business leaders.

The NIST PQC Standardization project points to potential solutions to the quantum challenge to privacy and confidentiality that is rapidly approaching. Niels Bohr, one of the preeminent figures in the history of atomic physics, once said that if you are not shocked by the implications of quantum theory, then you have not understood it. The same could be said of the implications of universal quantum computers for global data security. Although the future remains opaque, it's certain that today's organizational leaders and technology providers must begin the path to the adoption of PQC. Their data depends on it.

Preparing for the Effects Of Quantum-Centric Supercomputing

Annual survey uncovers surprising data but warns against complacency.

**REDWOOD CITY, Calif.****,** **Jan. 10, 2023** **/PRNewswire/ --** Delinea, a leading provider of Privileged Access Management (PAM) solutions for seamless security, today published its 2022 State of Ransomware Report which finds that things may be looking up in the fight against ransomware. Cyber-attacks using the popular compromising tactic have declined significantly over the past 12 months compared to the previous year, and fewer companies are paying ransoms. Still, there are red flags in the annual report related to spending, planning, and using cybersecurity tools available to combat ransomware.

The survey of 300 US-based IT decision makers, conducted on Delinea's behalf by Censuswide, found that only 25% of organizations were victims of ransomware attacks over the past 12 months, a stunning 61% decline from the previous 12-month period when 64% of organizations reported being victims. Furthermore, the number of victimized companies who paid the ransom declined from 82% to 68%, which could be a sign that warnings and recommendations from the FBI to not pay ransoms are being heeded. Larger companies are much more likely to be victims of ransomware, as 56% of companies with 100 or more employees said they were victims of ransomware attacks.

Along with these positive results, the survey also raised concerns that a potentially reduced threat could lead to complacency. Budget allocations for ransomware are in decline, as only 68% of those surveyed said they are currently allocated budget to protect against ransomware versus 93% during the prior year. The number of companies with Incident Response Plans also declined from 94% to 71%, and only half are taking proactive, proven steps to prevent ransomware attacks such as enforcing password best practices (51%) and using Multi-Factor Authentication (50%).

"The reduction of ransomware attacks is an encouraging sign, but organizations need to make sure they keep their guard up against this constant, evolving threat," said Art Gilliland, CEO of Delinea. "Staying vigilant by maintaining a strong least privilege approach backed by stronger password protection, authentication enforcement, and access controls can help continue this downward trend."

The survey also revealed that the consequences of ransomware attacks are now more tangible, as more respondents specified that their companies lost revenue (56%) and customers (50%) compared to the previous year. Fewer organizations (43%) reported reputational damage as a result of being victims of a ransomware attack.

A complimentary copy of the 2022 State of Ransomware Report is available at delinea.com/resources.

**About Delinea**

Delinea is a leading provider of privileged access management (PAM) solutions that make security seamless for the modern, hybrid enterprise. Our solutions empower organizations to secure critical data, devices, code, and cloud infrastructure to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter, and YouTube.

Delinea 2022 State of Ransomware Report Reveals That Attacks Are Down 61% From the Previous Year, and Ransom Payments Are Also on the Decline

Moving Analytics, leading provider of virtual cardiac rehabilitation and prevention, announced that it is launching single sign on authentication for its entire software platform.

**IRVINE, Calif.****,** **Jan. 9, 2023** **/PRNewswire-PRWeb/ --** Moving Analytics, leading provider of virtual cardiac rehabilitation and prevention, announced that it is launching single sign-on authentication for its entire software platform.

This means that any clinician user will require one set of login credentials from their host enterprise institution to gain access to the Moving Analytics application suite.

"Our single sign-on functionality enhances our patient data security, which is one of our top priorities," said Shuo Qiao, Chief Technology Officer for Moving Analytics. "Implementation of SSO enhances our ability to meet the needs of our enterprise clients."

The benefits are numerous, and include:

*   Increased Clinician Productivity: Instead of having to remember and manage multiple login credentials, clinicians will enter one username and password. This streamlined process will allow them to quickly log in, then move on to more important work.

*   Improved Security: When people try to remember multiple usernames and passwords, they are more apt to reuse passwords or write them down and store them in a way that's not secure. Single sign-on reduces these risks and protects data with one complex password.

*   Better user experience: Logging into various applications or accounts can be frustrating. With single sign-on, the login process is a simple experience, and there's no need to worry about forgetting or resetting multiple passwords.

"We are committed to being the best-in-class virtual cardiac rehab and prevention solution in the market and to increasing ease of use for our customers," said Harsh Vathsangam, CEO of Moving Analytics. "This feature is just one of many exciting features planned to achieve that mission."

**About Moving Analytics**

Moving Analytics is the leading national telehealth provider of remote cardiac rehab and cardiovascular prevention programs. The company combines evidence-based guidelines, behavioral science, remote monitoring and telehealth coaching to engage patients to adopt heart-healthy lifestyles and improve their wellbeing. Moving Analytics developed its programs in partnership with Stanford University, based on more than 30 years of published research. Patients in Moving Analytics' programs exercise more, have better medication adherence, lower blood pressure, lower rates of depression/anxiety, and lower rates of hospital readmission. Moving Analytics works with leading healthcare organizations including Veterans Affairs Administration, Healthcare Services Corporation, Highmark Health Plan, Capital District Physicians' Health Plan, Mayo Clinic and others.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Moving Analytics Launches Single Sign on to Strengthen Data Security and Improve User Experience

Hacking to kill: Dark Reading's Fahmida Y. Rashid reflects on the monumental Black Hat 2011 moment when Jay Radcliffe showed how to hack his insulin pump.

It was a huge wake-up call for the cybersecurity community: Weak security could have deadly consequences.

In 2011, Jay Radcliffe took the stage at Black Hat USA to present deeply personal, and frightening, news — insulin pumps, like the exact one he wore, could be hacked and used to harm or kill.

The implications of the presentation, entitled, "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System," were broad. And despite some early protests from the medical device community early on, it broke open the field of medical device security.

A decade later in 2021, Radcliffe helped start the University of Minnesota's new Medical Device Security Center that joins together researchers, manufacturers, and government to help incubate new solutions for potentially deadly healthcare security problems.

Dark Reading's Fahmida Y. Rashid sat down for Dark Reading's new video series, Black Hat Flashback, to share what it was like to be in the room during the session, and to discuss the incredible changes that have happened since.

Take a look at what she has to say about the Black Hat moment all these years later, then watch Radcliffe returning to Black Hat in 2013 to catch the industry up on what happened in the direct wake of his 2011 blockbuster disclosure.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Black Hat Flashback: The Deadly Consequences of Weak Medical Device Security

The issue concerns the boot layer of ARM chips, which are driving a low-power mobile ecosystem that includes 5G smartphones and base stations.

A security company is leading the coordinated vulnerability disclosure of multiple high-severity vulnerabilities in the Qualcomm Snapdragon chipset.

The vulnerabilities were identified in the Unified Extensible Firmware Interface (UEFI) firmware reference code and impacts ARM-based laptops and devices using Qualcomm Snapdragon chips, according to Binarly Research.

Qualcomm disclosed the vulnerabilities on Jan. 5, along with links to available patches. Lenovo has also issued a bulletin and a BIOS update to address the flaws in affected laptops. However, two of the vulnerabilities are still not fixed, Binarly noted.

If exploited, these hardware vulnerabilities allow attackers to gain control of the system by modifying a variable in nonvolatile memory, which stores data permanently, even when a system is turned off. The modified variable will compromise the secure boot phase of a system, and an attacker can gain persistent access to compromised systems once the exploit is in place, says Alex Matrosov, founder and CEO of Binarly.

"Basically, the attacker can manipulate variables from the operating system level," Matrosov says.

**Firmware Flaws Open the Door to Attacks**

Secure boot is a system deployed in most PCs and servers to ensure that devices start properly. Adversaries can take control of the system if the boot process is either bypassed or under their control. They can execute malicious code before the operating system is loaded. Firmware vulnerabilities are like leaving a door open — an attacker can gain access to system resources as and when they please when the system is switched on, Matrosov says.

"The firmware piece is important because the attacker can gain very, very interesting persistence capabilities, so they can play for the long term on the device," Matrosov says.

The flaws are notable because they affect processors based on the ARM architecture, which are used in PCs, servers, and mobile devices. A number of security problems have been discovered on x86 chips from Intel and AMD, but Matrosov noted that this disclosure is an early indicator of security flaws existing in ARM chip designs.

Firmware developers need to develop a security-first mindset, Matrosov says. Many PCs today boot based on specifications provided by UEFI Forum, which provides the hooks for the software and hardware to interact.

"We found that OpenSSL, which is used in UEFI firmware — it's in the ARM version — is very outdated," Matrosov says. "As an example, one of the major TPM providers called Infineon, they use an 8-year-old OpenSSL version."

**Addressing Affected Systems**

In its security bulletin, Lenovo said the vulnerability affected the BIOS of the ThinkPad X13s laptop. The BIOS update patches the flaws.

Microsoft's Windows Dev Kit 2023, code-named Project Volterra, is also impacted by the vulnerability, Binarly said in a research note. Project Volterra is designed for programmers to write and test code for the Windows 11 operating system. Microsoft is using the Project Volterra device to lure conventional x86 Windows developers into the ARM software ecosystem, and the device's release was a top announcement at Microsoft's Build and ARM's DevSummit conferences last year.

The Meltdown and Spectre vulnerabilities largely affected x86 chips in server and PC infrastructures. But the discovery of vulnerabilities in ARM's boot layer is particularly concerning because the architecture is driving a low-power mobile ecosystem, which includes 5G smartphones and base stations. The base stations are increasingly at the center of communications for edge devices and cloud infrastructures. Attackers could behave like operators, and they will have persistence at base stations and nobody will know, Matrosov says.

System administrators need to prioritize patching firmware flaws by understanding the risk to their company and addressing it quickly, he says. Binarly offers open source tools to detect firmware vulnerabilities.

"Not every company has policies to deliver firmware fixes to their devices," Matrosov says. "I have worked for large companies in the past, and before I started my own company, none of them — even these hardware-related companies — had an internal policy to update the firmware on employee laptops and devices. This is not right."

Latest Firmware Flaws in Qualcomm Snapdragon Need Attention

The AI-based chatbot is allowing bad actors with absolutely no coding experience to develop malware.

Since OpenAI released ChatGPT in late November, many security experts have predicted it would only be a matter of time before cybercriminals began using the AI chatbot for writing malware and enabling other nefarious activities. Just weeks later, it looks like that time is already here.

In fact, researchers at Check Point Research (CPR) have reported spotting at least three instances where black hat hackers demonstrated, in underground forums, how they had leveraged ChatGPT's AI-smarts for malicious purposes.

By way of background, ChatGPT is an AI-powered prototype chatbot designed to help in a wide range of use cases, including code development and debugging. One of its main attractions is the ability for users to interact with the chatbot in a conversational manner and get assistance on everything from writing software to understanding complex topics, writing essays and emails, improving customer service, and testing different business or market scenarios.

But it can also be used for darker purposes.

**From Writing Malware to Creating a Dark Web Marketplace**

In one instance, a malware author disclosed in a forum used by other cybercriminals how he was experimenting with ChatGPT to see if he could recreate known malware strains and techniques.

As one example of his effort, the individual shared the code for a Python-based information stealer he developed using ChatGPT that can search for, copy, and exfiltrate 12 common file types, such as Office documents, PDFs, and images from an infected system. The same malware author also showed how he had used ChatGPT to write Java code for downloading the PuTTY SSH and telnet client, and running it covertly on a system via PowerShell.

On Dec. 21, a threat actor using the handle USDoD posted a Python script he generated with the chatbot for encrypting and decrypting data using the Blowfish and Twofish cryptographic algorithms. CPR researchers found that though the code could be used for entirely benign purposes, a threat actor could easily tweak it so it would run on a system without any user interaction — making it ransomware in the process. Unlike the author of the information stealer, USDoD appeared to have very limited technical skills and in fact claimed that the Python script he generated with ChatGPT was the very first script he had ever created, CPR said.

In the third instance, CPR researchers found a cybercriminal discussing how he had used ChatGPT to create an entirely automated Dark Web marketplace for trading stolen bank account and payment card data, malware tools, drugs, ammunition, and a variety of other illicit goods.

"To illustrate how to use ChatGPT for these purposes, the cybercriminal published a piece of code that uses third-party API to get up-to-date cryptocurrency (Monero, Bitcoin, and \[Ethereum\]) prices as part of the Dark Web market payment system," the security vendor noted.

**No Experience Needed**

Concerns over threat actors abusing ChatGPT have been rife ever since OpenAI released the AI tool in November, with many security researchers perceive the chatbot as significantly lowering the bar for writing malware.

Sergey Shykevich, threat intelligence group manager at Check Point, reiterates that with ChatGPT, a malicious actor needs to have no coding experience to write malware: "You should just know what functionality the malware — or any program — should have. ChatGTP will write the code for you that will execute the required functionality."

Thus, "the short-term concern is definitely about ChatGPT allowing low-skilled cybercriminals to develop malware," Shykevich says. "In the longer term, I assume that also more sophisticated cybercriminals will adopt ChatGPT to improve the efficiency of their activity, or to address different gaps they may have."

From an attacker’s perspective, code-generating AI systems allow malicious actors to easily bridge any skills gap they might have by serving as a sort of translator between languages, added Brad Hong, customer success manager at Horizon3ai. Such tools provide an on-demand means of creating templates of code relevant to an attacker's objectives and cuts down on the need for them to search through developer sites such as Stack Overflow and Git, Hong said in an emailed statement to Dark Reading.

Even prior to its discovery of threat actors abusing ChatGPT, Check Point — like some other security vendors — showed how adversaries could leverage the chatbot in malicious activities. In a Dec. 19 blog, the security vendor described how its researchers created a very plausible-sounding phishing email merely by asking ChatGPT to write one that appears to come from a fictional webhosting service. The researchers also demonstrated how they got ChatGPT to write VBS code they could paste into an Excel workbook for downloading an executable from a remote URL.

The goal of the exercise was to demonstrate how attackers could abuse artificial intelligence models such as ChatGPT to create a full infection chain right from the initial spear-phishing email to running a reverse shell on affected systems.

**Making It Harder for Cybercriminals**

OpenAI and other developers of similar tools have put in filters and controls — and are constantly improving them — to try to limit misuse of their technologies. And at least for the moment, the AI tools remain glitchy and prone to what many researchers have described as flat-out mistakes on occasion, which could thwart some malicious efforts. Even so, the potential for misuse of these technologies remains large over the long term, many have predicted.

To make it harder for criminals to misuse the technologies, developers will need to train and improve their AI engines to identify requests that can be used in a malicious way, Shykevich says. The other option is to implement authentication and authorization requirements in order to use the OpenAI engine, he says. Even something similar to what online financial institutions and payment systems currently use would be sufficient, he notes.

Attackers Are Already Exploiting ChatGPT to Write Malicious Code

The Serbian government reports that it staved off five attacks aimed at crippling Serbian infrastructure.

The Serbian Ministry of the Interior reported over the weekend being targeted by at least five separate distributed denial-of-service (DDoS) attacks in 48 hours, intended to hobble the country's IT infrastructure.

Working together, the Ministry of Internal Affairs and Telecom Serbia were able to fend off the DDoS attacks.

"All attacks were repelled and the Ministry's bases were protected and safe," the statement said. "Enhanced security protocols have been activated, which can lead to slower work and occasional interruptions of certain services, all in order to protect the data of the Ministry of Internal Affairs."

The cyberattacks come amid rising tensions in the Balkans as a result of the Russian invasion of Ukraine.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Serbia Slammed With DDoS Attacks

Organizations often defer patching because of business disruption fears — but that didn't work out very well for Rackspace's Hosted Exchange service.

The recent ransomware incident at Rackspace that took down the company's hosted Microsoft Exchange server environment has focused attention on the often-risky gamble that security teams take when choosing to mitigate a vulnerability — rather than apply a patch for it.

Last week, Rackspace disclosed that a Dec. 2 intrusion into the hosting company's Exchange server service environment resulted from its decision to hold off on applying a patch for a server-side request forgery (SSRF) vulnerability in Exchange Server (CVE-2022-41080) that Microsoft had patched in November. The vulnerability, when chained with another previously disclosed remote code execution (RCE) flaw in Exchange Server — tracked as CVE-2022-41082 — gives attackers a way to take complete control of affected servers.

**Deferred Patching**

According to Rackspace's chief security officer, Karen O'Reilly-Smith, the company held off on applying the patch for the SSRF flaw over concerns that it would cause disruptive authentication errors. Instead, Rackspace decided to apply a mitigation measure that Microsoft had issued for the vulnerability thinking it would be an effective measure. O'Reilly-Smith said that Microsoft's notes on CVE-2022-41080 merely described it as a privilege escalation vulnerability and made no mention of the fact that it was part of an RCE chain.

A Microsoft spokesman tells Dark Reading that the company had nothing to share at this time on Rackspace's comments related to the company's patch for the SSRF flaw, or the notes that accompanied its disclosure.

Rackspace's decision to hold off on patching the vulnerability is not unusual, says John Bambenek, principal threat hunter at Netenrich. "Often mitigations are preferable, especially in highly public resources where there is sensitivity to downtime," he says. In fact, the more public-facing an application is, the more organizations will go for mitigations, he says. 

"Most of the time it can be a good bet if the mitigations are sound and complete," Bambenek notes. "But it requires a really savvy professional who can read between the lines to make a sound judgement."

In Rackspace's case, its mitigation strategy failed because an attacker — later identified as the Play ransomware group — found a way to use CVE-2022-41080 to trigger the CVE-2022-41082 RCE flaw in its environment. Up to that point security researchers had only observed attackers triggering the RCE flaw via a different Exchange Server SSRF vulnerability tracked as CVE-2022-41040, in the combination known as ProxyNotShell. The attack caused widespread service outages for Rackspace customers, many of which are small and midsize businesses.

"Rackspace put mitigations in place in relation to the ProxyNotShell chain disclosed by Microsoft in late September, prior to patches being available, which didn’t happen until November," an external adviser of Rackspace tells Dark Reading. 

When the patches did become available, Rackspace held off on applying them because of concerns over reported authentication issues related to the patches and because the company already had the appropriate mitigations in place, the adviser says. 

"At that time, there were no known or disclosed remote code execution risks associated with CVE-2022-41080, which CrowdStrike discovered while investigating the Rackspace incident," the adviser adds.

**Skipping Security Patches: A Risky Gambit**

The incident highlights the risks organizations take when they rely too much on mitigations alone to keep them safe from vulnerability exploits, says Mike Parkin, senior technical engineer at Vulcan Cyber**.** 

**"**Deploying vendor recommended mitigations for a known vulnerability is not supposed to be the end of the issue," he says. "They’re what you do until the vendor in question can develop a patch and you can deploy it."

The only time it's OK to mitigate and not patch is when the vendor has no patch for the vulnerability yet, or there's some technical reason why an organization cannot deploy it in a target environment, Parkin says. 

"There are going to be cases where change-management procedures delay deploying the patch. But a good process from both change management and security perspectives is to have patches going in as soon as possible while meeting stability concerns," he says, adding that this is especially true when there are known exploits in the wild targeting a particular vulnerability.

Patching and vulnerability remediation in general remains a major challenge for organizations. A study that vulnerability management vendor Edgescan conducted last year showed that organizations still take an average of 60 days to fix critical vulnerabilities of the sort that tripped up Rackspace. 

The study found that 57% of observed vulnerabilities on enterprise networks were more than two years old and a startling 17% were more than five years old. All of these vulnerabilities had working exploits in the wild, and adversaries — including nation-state actors and cybercriminal groups — had exploited many of them.

**Dwindling Time to Exploitation**

Making matters worse is the fact that cybercriminals have become much faster at exploiting new vulnerabilities, so the time between initial disclosure and exploit availability has been shrinking rapidly.

The trend pushed the US Cybersecurity and Infrastructure Security Agency (CISA) to issue a directive in Nov. 2021 that requires all federal civilian branch agencies to remediate known exploited vulnerabilities within a specific — usually two-week — timeframe. CISA has also advocated that all organizations refer to its catalog of Known Exploited Vulnerabilities (KEV) regularly to see what vulnerabilities attackers are exploiting in the wild so they can remediate them immediately. CISA adds new vulnerabilities to its catalog only if a patch or clear remedial action is available from the affected vendor.

Richard Stiennon, chief research analyst at IT-Harvest, says the fact that many companies still take 60 days to patch critical vulnerabilities is not surprising given the complexity of the task, especially for large organizations. Patching often involves scheduled downtime, which for many organizations tends to be on early weekend mornings, he says. The task involves taking down all affected severs, installing the patch, and rebooting and testing them before bringing the systems back up. 

"Imagine you are a big company with 2,000 servers that need an emergency patch," Stiennon says. "Of course, you would apply a mitigation first. You cannot do it the same day."

Steinnon says cloud adoption has begun changing vulnerability management processes in many organizations. These days, a system that needs patching may be a container or a virtual machine. "Now the process is to mirror the production system, patch it, test it, and swap the updated instances into production with no down time."

Rackspace Ransomware Incident Highlights Risks of Relying on Mitigation Alone

Business users receive a message from Facebook warning their accounts will be permanently suspended for using photos illegally if they don't appeal within 24 hours, leading victims to a credential-harvesting page instead.

An extensive credential-harvesting campaign has hackers leveraging Facebook copyright infringement notices to steal enterprise credentials.

Malicious actors continue to use tried and true phishing techniques and social engineering tactics to compel targets into giving up key information, attempting to generate anxiety to prompt a hasty handover. According to a Monday report from Avanan, this latest campaign sends users an email warning that because the page has uploaded a photo violating Facebook’s copyright infringement policy, the account will be permanently suspended unless they click on link to appeal the decision.

This link leads not to a Meta site but rather a credential-harvesting site, the report notes.

"Though this email has a sender address that clearly does not come from Facebook, it’s otherwise fairly believable," the report said.

Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, explains the campaign could be aimed at any organization, but would be most effective with companies that rely heavily on Facebook advertising.

"The urgency indicated in the email could cause some to take quick action," he says. "These types of attacks keep on finding success because they work. Attackers are able to use this to evade legacy defenses and are able to persuade users to click on it and take action."

To guard against similar social media-based phishing attack relying on a harried response to perceived urgency, Fuchs says checking the URL for legitimacy is a good start — as is checking the sender address.

"If those are off, that’s a good sign that something is amiss," he says. "The key thing is to encourage staff to take a beat before responding. That allows them to look for things like grammar errors, mismatched sender address, wrong URLs, and more."

Fuchs adds attacks constantly evolve, and malicious actors are likely to continue to use new lures, new services, and new ways to capture the victim’s attention.

The report advises employing security tactics like always double-checking sender addresses, hovering over all URLs before clicking, and logging into the Facebook account directly to check the status of the account, instead of clicking on the URL in the email.

**Social Media a Popular Attack Vector**

The use of social media, though indispensable for many companies, also carries a risk, and Avanan and other security firms have spotted similar attacks spoofing the same brand as a sign hackers are getting people to bite.

Some 400 mobile apps posing as legitimate software on Google Play and the Apple App Store over the past year were designed to steal Facebook user credentials.

Facebook lead-generation forms had previously been repurposed to collect passwords and credit card information from unsuspecting Facebook advertisers, with attackers piggybacking on the power of the Facebook brand by using emails that look like they're coming from Facebook Ads Manager.

And according to a report this month from Outseer, brand impersonations, or brandjackings, like these increased by 274% last year as attackers continue to peddle their scams by looking like they come from reliable sources.

As digital applications proliferate and use of social media remains strong, educating users against social engineering attempts is a key part of a strong defense.

'Copyright Infringement' Lure Used for Facebook Credential Harvesting

The JsonWebToken package plays a big role in the authentication and authorization functionality for many applications.

A high-severity vulnerability (CVE-2022-23529) has been discovered in the popular JsonWebToken (JWT) open source encryption project, which could be used by attackers to achieve remote code execution (RCE) on a target encryption server.

The JWT open standard defines a method of transferring information securely by encoding and signing JSON data. According to researchers at Palo Alto Networks' Unit 42, an exploit for the vulnerability results in the server verifying a maliciously crafted JSON web token request.

"Running malicious code on a server can lead to a huge damage and loss of confidentiality, integrity, and also may cause a denial of service," cautions Unit 42 security researcher Artur Oleyarsh. "Systems related to and communicating with the vulnerable server may suffer as well, so the attack potential and the consequences once the system is vulnerable for a remote code execution is significant."

The issue poses a threat to all who are using JWT versions prior and including v8.5.1. The patched version of the package is v9.0.0, according to a Jan. 9 posting from Unit 42.

Oleyarsh explains that usually, vulnerabilities related to JSON Web tokens are related to different token forging techniques that allow a malicious actor to bypass authentication and authorization mechanisms.

"This gives them \[the\] opportunity to take over accounts, impersonate users, and elevate privileges," he says. However, "this latest vulnerability is unique for several reasons. First, here we are talking about executing code on a host verifying JSON web tokens."

**Underneath the Hood of CVE-2022-23529**

Rather than bypassing authentication or authorization mechanisms, the bug provides a way for a cyberattacker to gain control over a key retrieval parameter of the "jwt.verify" function (known as secretOrPublicKey).

In a proof-of-concept exploit, Unit 42 was able to override the "toString()" method of the key object.

"In JavaScript, every object that inherits from Object.prototype, inherit the toString() method," Oleyarsh says. "Thus, if there is a blindly trusted call to that method, and we control the key object, we can override its toString() with malicious content and execute arbitrary code."

**Open Source Usage Grows, Along With Cyberthreat Level**

As the use of open source software (OSS) continues to grow, so does cyberattacker interest in using software components and packages like JWT as an attack vector.

"We are seeing threat actors actively scanning for known vulnerabilities and exploiting them within minutes," Oleyarsh says. "Without attention and awareness to OSS security, I think we will see more and more attacks leveraging OSS security issues."

He says as a community, security practitioners need to contribute and cooperate to make OSS software safer.

"Some of the developers and maintainers of OSS are building solutions with security in mind, which means that they are constantly fixing security vulnerabilities, scanning for vulnerable dependencies, and maintaining security advisories and publishing them so the users can patch for the non-vulnerable versions, and some of them are not," Oleyarsh notes.

Increasingly, tools have been launched to help defense, identity and access management, and security operations center teams discover vulnerable components. Google's OSV-Scanner, which launched in December, for instance generates a list of dependencies in a software development project and checks the OSV database for known vulnerabilities.

"Some are doing a great job in creating wonderful and creative solutions for many problems and making it available for use to anyone without charge," Oleyarsh says. "If you are implementing OSS within your organization, it is a good practice to use OSS package scanners to scan for vulnerable versions of OSS packages you are using, as well for vulnerable dependencies."

Meanwhile Google is also throwing its considerable weight behind a proposed US government-led policy framework aimed at shoring up security for open source software, urging the private sector to support the initiative.

From a manual perspective, Oleyarsh adds that teams should take a regular look at the security advisories pages of the OSS projects they use to keep up to date on bugs, and look at implementing software composition analysis (SCA) tools to help to track all the open source packages and modules used by a project in order to inform that process.

Then, "when you encounter a bug which has security implications, it is a good practice to reach out to the maintainers via a private chat and report the issue and even suggest and discuss the solution," he says.

Source

DARKReading