Meta has been found in violation of Europe's GDPR rules requiring the social media giant to protect user data by "design and default."

Following the discovery of a data set of Facebook user personal data available on the Internet, the European Union's Data Protection Commission (DPC) has found Meta Platforms Ireland Ltd. (MPIL) in violation of General Data Protection Regulation rules, fining the platform $275 million (€265 million), and requiring the company to make cybersecurity changes. 

The breached personal data was first discovered in April 2021, and followed by the launch of a DPC investigation, the regulator explained in an announcement of its findings. DPC reported that Facebook was out of compliance with the GDPR regulation to provide "data protection by design and default." As a result a threat actor was able to use "data scraping" to exfiltrate massive amounts of collated personal user data, the DPC said.

"The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe," the DPC ruled. "In addition, the decision has imposed administrative fines totaling €265 million on MPIL." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

$275M Fine for Meta After Facebook Data Scrape

KnowBe4 empowers end users by introducing security awareness and compliance training on the go at no additional cost.

**TAMPA, Fla., Nov. 28, 2022 /PRNewswire/** — KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, today announced it is launching the new KnowBe4 Mobile Learner App to empower end users by introducing security awareness and compliance training on the go at no additional cost to customers, improving user engagement and strengthening security culture.

With a large majority of the world's population using smartphones today, mobile training revolutionizes the way people learn. This new app will enable end users to complete their security awareness and compliance training conveniently from their tablets or smartphones, giving them 24/7/365 access.

"The KnowBe4 Mobile Learner App is the first of its kind to launch in the security awareness and compliance training space, making it easier than ever to train users while subsequently strengthening an organization's security culture," said Stu Sjouwerman, CEO, KnowBe4. "This new app will enable IT and security teams to improve engagement and completion rates for required training thanks to a seamless user experience. This will also help users to associate security with their personal devices, keeping it top of mind all the time rather than only when they are at work on their computers. We are making this substantial new capability available at no additional cost to all subscription levels as a show of our commitment to supporting our customers' security and human risk management objectives."

Based on subscription levels, KnowBe4 offers 100+ Mobile-First training modules that were designed specifically for mobile. The KnowBe4 Learner App supports push notifications for custom announcements, and updates on assigned training as well as KnowBe4 newsletters.

The app is available for iOS and Android, and free to all KnowBe4 customers with a KnowBe4 training platform subscription. For more information, visit https://www.knowbe4.com/mobile-learner-app.

**About KnowBe4**

KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, is used by more than 54,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4's Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as their last line of defense.

SOURCE: KnowBe4

KnowBe4 Launches New Mobile Learner App for Cybersecurity Learning

The DLMS-compatible, zero-trust meter-level security is built into the Renesas smart meter solutions, enabling smart meter manufacturers to get to market faster with built-in advanced security solutions.

**HOD HASHARON, Israel, Nov. 28, 2022 /PRNewswire/** — NanoLock Security, a leading cybersecurity provider for IIoT and OT devices and machines, today announces built-in, zero-trust meter-level cyber security protection for Renesas Electronics Corp. customers' smart meter products.

As the global energy economy worsens and cyberthreats like energy fraud and theft grow more frequent, Renesas' customers in meter manufacturing will now have NanoLock Security's DLMS compatible, zero-trust cyber protection built-in to their meters with no impact on performance, functionality, or deployment speed, giving them a significant competitive advantage.

This new solution gives Renesas' customers, renowned smart meter manufacturers, the ability to quickly build a product that is secure from all attack vectors, including insider manipulation and human error, without any disruptions to meter operations or product time to market.

"Edge devices like advanced metering infrastructure (AMI) are vulnerable targets for cyber attackers and can compromise service integrity, revenue, and safety," said David Stroud, Chief Revenue Officer, NanoLock Security. "With our meter-level protection built into Renesas metering solutions, Renesas customers can now bring secure and tamper-proof smart meters to the market faster, a critical edge in a hotly competitive industry."

NanoLock will be exhibiting the new solution at the Enlit Europe show in Frankfurt Germany at Altlatica Booth #12.1.C132.

To find out how manufacturers can get the new Renesas MCUs into their smart meters, visit the Renesas RL78 Partner page. To learn more about NanoLock, visit NanoLockSecurity.com.

**About NanoLoc****k Security**

NanoLock Security protects the operational integrity of connected devices, smart meters, and machines against cyber events and human error to maintain business continuity, improve safety and safeguard revenues.

Trusted by critical infrastructure customers, such as utilities, industrial and manufacturing companies, NanoLock Security protects power generation and energy management, industrial, water and wastewater plants, as well as food & beverage manufacturing, while ensuring compliance with international security standards and guidelines. NanoLock is headquartered in Israel with offices in the US, Europe, and Japan. Visit www.nanolocksecurity.com for more information and follow NanoLock on Twitter and LinkedIn.

SOURCE: NanoLock Security

NanoLock Brings Built-In Meter-Level Cybersecurity to Renesas Customers

BYOK was envisioned to reduce the risk of using a cloud service provider processing sensitive data, yet there are several deficiencies.

Let’s start with some basics: Your data can, and should, be encrypted at rest and in motion.

Data can be encrypted on the client side or on the server side. In the security realm, we have well-known best practices, which include defense in depth (i.e., not relying on a single security protective measure), and security by obscurity, which really isn’t security.

Here's what the cloud industry is doing, along with some underlying gaps. Most cloud service providers (CSPs) offer bring your own key (BYOK) in one way or another. Amazon Web Services, for instance, supports the following key management service (KMS) options:

*   **KMS only:** Customer-managed keys (CMKs) stored in the KMS.

*   **KMS with customer key store and CMK:** Again, managed by the customer and stored in the cloud hardware security module (HSM ).

*   **KMS with third-party HSM:** Customer-provided KMS with a direct connection to the KMS.

The keys are retained in the volatile KMS memory, meaning once the data encryption keys (DEKs) are decrypted, they are accessible within the CSP environment without requiring the key encrypting key (KEK) for each decryption or encryption.

In all implementation options listed, the data encryption keys are generated by the CSP's KMS and may or may not be exportable. The DEK is used to encrypt defined scopes of data (e.g., per bucket, day, file, etc.) and these DEKs are encrypted with the KEK.

**BYOK Benefits and Risks**

BYOK is meant to provide cloud customers more control over their hosted data. In reality, when BYOK is used, it actually works more like share your own key (SYOK), since once the key is provided to the CSP, customers have no control over the key use. The only benefit of SYOK, in my view, is ensuring the key randomness if you don't trust their random number generator. Otherwise, you may as well let the CSP generate the key.

BYOK is also offered by some CSPs in another model and connects to the customer’s hardware, which stores and controls the KEK. There are several outstanding issues with this model.

The DEKs may still be accessible to the service provider, purposely or otherwise, in addition to a malicious actor capable of succeeding in breaching the CSP's protective measures technically, or via social engineering, thus gaining access to the DEKs, whether in memory, cache, log files, or a malicious codebase. Retaining the KEK in memory is a double-edged sword, since you're effectively performing SYOK for better performance. But then why not just perform SYOK, in that case?

Another issue is that the service provider may not use the customer KEK to secure the DEK. And the CSP architecture, code, and various offerings may have security lapses that allow interception points. Even if DEKs are decrypted on the fly, which isn't usually supported or recommended, a communication issue could bring your business to a grinding halt, preventing existing data from being decrypted and new DEKs from being encrypted.

Trust is also a key element when working with a CSP. Trust should stem from certifications and third-party audits. Reference customers using the CSP for their sensitive data or production may also be an important factor in strengthening this trust. You also have to decide if you trust the CSP's authentication and authorization security. Even with federated security, that doesn't mean there aren't additional authentication and privilege escalation means.

In short: BYOK does not solve the problem nor reduce the risk!

**What Else Can We Do?**

Most CSPs offer customers self-service capabilities to revoke, rotate, and otherwise control the KEK. Enhanced security may be achieved by protecting the data prior to moving or granting the CSP access to it. But this is rarely beneficial and mostly recommended for securing PII/PHI or other strongly regulated data.

The most important factor is to consider all ingress and egress routes, including APIs and file transfers, as well as various privileged access needs. This also extends to authentication and authorization that uses role- or attribute-based access control to ensure non-repudiation, data sanitation, and industry best practices like zero trust**.**

****The Bottom Line****

My goal here is to raise awareness, not to reflect negatively on CSPs. But BYOK, for the most part, is snake oil. It’s often misunderstood as a panacea to working in the cloud while not requiring trust for the CSP.

SYOK is worthless. If you assume the CSP cannot generate sufficiently random keys for the KEK, why rely on it for the DEK? It's important to ensure there’s a well-designed security architecture in place that is constantly reassessed, tested, and monitored.

Bring Your Own Key — A Placebo?

A new, harder-to-peg version of the ransomware has been rewritten in the Rust programming language.

The APT group DefrayX appears to have launched a new version of its RansomExx malware, rewritten in the Rust programming language -- possibly to avoid detection by antivirus software.

According to IBM Security X-Force Threat researchers, that evasion may be successful, at least for now. IBM reported that one sample that it analyzed "was not detected as malicious in the VirusTotal platform for at least 2 weeks after its initial submission" and that "the new sample is still only detected by 14 out of the 60+ AV providers represented in the platform."

Besides being harder to detect and reverse-engineer, Rust has the advantage of being platform-agnostic. Thus, while the new version of RansomExx runs on Linux, IBM predicts a Windows version will be on its way soon, if it's not already loose and undetected.

RansomExx is far from the only malware package written in Rust. BlackCat, Hive, and, before that, Buer are prominent examples of malware that was rewritten to avoid detection based on the C/C++ versions.

DefrayX is known for its attacks targeting cloud workloads and specific verticals, including healthcare and manufacturing.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Slippery RansomExx Malware Moves to Rust, Evading VirusTotal

New users and monetization methods are increasingly profitable for gaming industry, but many companies find they have to stem growth in cheats, hacks, and other fraud to keep customers loyal.

The video game industry has been booming of late — and cybercriminals are drawn to it as an expanding threat surface, seeing players as a potentially less cautious group of victims. As such, cybersecurity has risen in profile as a major business priority and differentiator for many in the industry.

There's been an influx of casual gamers drawn to new mobile platforms during the pandemic, and companies have found increasingly profitable ways of monetizing in-game items and social experiences. Gaming studios and affiliated games companies seek to keep those users playing while maintaining that growth and profitability in the post-pandemic era.

But with so much entertainment competition out there — not just from other games, but also streaming and digital platforms — it's easy enough for players hacked or cheated one too many times to drop one game and pick up another one instead. Gaming industry insiders like Jonathan Shroyer say that if gaming companies are lax in security, "their games will not succeed."

"Players of games depend on trust, credibility, and predictability when leveraging a brand's game," says Shroyer, chief CX innovation officer for Arise Gaming, a consulting firm that helps gaming companies improve customer satisfaction and gamer engagement in their platforms. "If they find out there was a hack, or fraud, or other security issues, you will see a dramatic drop in gameplay and spend."

He says this is especially true in mobile gaming as these are the least sticky and most casual games in the industry. But the impact of cyber trust is felt across console, PC, virtual reality (VR), and streaming customers as well.

**More Gamers, More Attacks & More Customer Expectations**

There's a lot of money at stake for gaming companies planning for the future. According to a recent study by PwC earlier this year, the video gaming industry will earn $235.7 billion in 2022. That's following a massive tear over the last few years, with the combination of PC, console, and casual gaming companies increasing their revenue by an astonishing 32% from 2019 through 2021. PwC says it expects gaming revenue to keep ticking up from now through 2026 by a healthy 8.4% compound annual growth rate.

As the money has been flowing into everything from eSports to hyper-casual gaming, so, too, have the attacks. Akamai reported recently that cyberattacks on player accounts and gaming companies has increased "dramatically" in the past year, with Web application attacks rising by 167%. The firm says gaming is the industry most hit by distributed denial-of-service (DDoS) attacks, making up 37% of all DDoS globally. That's double the volume of attacks lobbed at the financial sector, which is the second-most DDoS-attacked vertical industry.

Account takeovers, cheating hacks, and fraud are all growing problems, and gamers are taking note of which companies are addressing these cybersecurity issues and which aren't. A study of attitudes from 10,000 gamers worldwide that was released last week by Kaspersky showed that 70% of regular gamers think hacking is a big problem in the gaming world. Around 63% of respondents said their accounts aren't safe enough from attacks — with one in three reporting that their accounts have been hacked in the last two years. And 89% of gamers said they want game developers to pay more attention to cybersecurity issues.

These stats point to why cybersecurity is fast becoming a huge engagement pillar for game studios right alongside designing creative gameplay and immersive worlds. It's a tricky proposition for security executives in this world, because gamers also have big expectations when it comes to gameplay and the overall ambiance of a gaming environment, says Julie Tsai, a longtime cybersecurity executive with deep expertise in the gaming world.

"Users and the community expect things at a high level. They expect things to be intuitive, they expect things to be in the spirit of the gaming — and also sometimes in the spirit of the culture of the particular gamer community they're in," says Tsai, who was head of security for Roblox for the past three years prior to recently venturing on her own as a security consultant. "They're very, very passionate and attached to these things. And also for a security professional, it means that you're going to be dealing with some of the strongest attackers and the adversaries that you can think of because they're very creative and often gamers themselves."

**Today's Biggest Cyberthreats to Gaming**

Like any other vertical industry, games companies are tasked with protecting their organizations from all nature of cybersecurity threats to their business. Many of them are large enterprises with the same concerns for the protection of internal systems, financial platforms, and employee endpoints as any other firm.

"Gaming companies have the same responsibility as any other organization to protect customer privacy and preserve shareholder value. While not specifically regulated like hospitals or critical infrastructure, they must comply with laws like GDPR and CaCPA," explains Craig Burland, CISO for Inversion6, a managed security service provider and fractional CISO firm. "Threats to gaming companies also follow similar trends seen in other segments of the economy — intellectual property (IP) theft, credential theft, and ransomware."

IP issues are heightened for these firms, like many in the broader entertainment category, as content leaks for highly anticipated new games or updates can give a brand a black eye at best, and at worst hit them more directly in the financials. The industry saw this kind of fallout in full effect in September when a hack of Take-Two Interactive and subsequent public leak of Grand Theft Auto 6 resulted in a 2.3% stock drop for the firm.

Layered on top of all of those typical enterprise cybersecurity concerns are unique eccentricities in protecting gaming platforms and player ecosystems. The gaming platforms are their brands — financial and customer service engines all rolled into one. And they're supremely juicy targets for all nature of malfeasance.

Some of the most common concerns gaming companies must contend with are cheaters who seek to take advantage of technical or bugs or design flaws to their advantage, spammers finding ways to blast out links to gamers to everything from snake-oil products to porn, scammers seeking to take advantage of and steal from younger gamers. And then, of course, most common of all are the everyday cyber fraudsters cashing in on account theft.

"What you have to realize is that criminals attack games for one of three reasons: status, ideology, or cash," says Brett Johnson, chief criminal officer for Arkose Labs and a former cybercriminal who before he went straight ran ShadowCrew, the forerunner to today's Dark Web marketplaces. "Most attacks — 98% or more — are cash driven. So criminals are looking for the easiest access that gives the largest return on investment."

The black-hat ROI prospects have especially grown now that gaming companies have monetized in-game assets through means like direct purchase, voluntary advertising views, and recurring subscriptions. This presents endlessly more new ways to commit financial fraud and launder money through gaming platforms. From a gaming cyber defender's perspective, this means that cheating and hacks now not only threaten gameplay experience, but create more financial and legal risks.

"Any time real money value is tied to in game assets, you will see a spike in fraud and other bad actors," Shroyer explains.

Attackers are turning up the heat on game users and platform with credential stuffing attacks and social engineering scams to break into accounts and access in-game currency and unique items. They leverage third-party marketplaces to sell these in-game assets off the platform for real currency to other gamers who want to bolster their characters or speed up their progress. This creates an ideal situation to not only fence stolen in-game assets, but to launder money stolen elsewhere online.

A lot of this criminal activity is powered by bots and click farms to scale up the profitability of their criminal enterprise, Johnson says.

"The problem is, from an attacker point of view, it's not really worth it to me to attack people manually. If you consider most of these accounts, the dollar amounts are not high enough for me to do that," he says. "So I need to find a way to scale that without me having to manually sign on or try to take over to account. And the answer to that is bots."

**The Culture Wildcard**

Many of the criminal ploys targeting games will also play upon the emotional mindset of gamers, who just want to have as much fun as possible. It makes them more likely to maybe fall for a phishing lure in hopes of getting a sneak peek at a new feature, or go to great lengths to buy items from a third-party marketplace that could speed up their progress.

"The gamer almost immediately is not acting out of reason or logic — it's a knee-jerk type of emotional thing. They want to play that game," Johnson says. "It's much easier for me as an attacker to use that to my advantage because they're already going through that door of reacting emotionally."

This highlights the big balancing act that gaming companies generally have to manage when it comes to protecting their platforms and their users. They've got to design better technical controls and more cyber resilience in their systems without damaging player experience or the vibrancy of the gaming culture built up around their brands and their gaming titles.

As Tsai alluded, gamers are passionate and they're also often curious hackers by nature. That includes the creative and benign type, but also the black hats.

The game industry has always been a place where everyone from script kiddies to budding cybercriminals have come to cut their teeth. For the most part, though, the cohort is usually mostly made up of customers who want to be able to develop and share their custom mods and who are willing to spend a lot of engaged time and money on their games, building up a community that buoys up successful games and studio brands.

This means that a lot of the work of security executives is in detangling the malicious elements from that creative and loyal group of gamers. This takes user education and outreach, foresight in design, and engineering work.

**Engineering Good Choices for Gamers**

On the latter front, some of the easiest and most low-hanging fruit can come through layered protection measures that just make it more expensive for attackers to run roughshod over platform with automated bot attacks.

"If a security product can increase the cost of the attack, the chances of the criminal staying on that platform, not very good," Johnson says. "That criminal's going to find someplace else where they can profit easier and not have to have the investment to get the attack to be successful."

According to Shroyer, the industry is in a lot better place now with moderating and managing mods and curbing cheating because there's more technical measures available to developers.

"Gaming brands now have more tools in their toolkit to prevent these activities," he says. "A few examples are unique online accounts that  require the latest software update to play games, new tech and security placed in gaming data centers that make hacking more difficult, and the ability to turn off access via games online if bad behaviors are noticed. These don't eradicate the issues, but similar to how Netflix and Hulu curbed illegal movie downloading, these tools have had a similar effect in the gaming space."  

More fundamentally at the design level, though, Tsai says that security teams and gaming developers also have to work to create player journeys and experiences less hackable. This doesn't mean shutting off the faucet for mods and other beneficial hacking in the platform. Instead, it means doing better threat modeling of platforms, locking down the riskiest areas and providing guardrails for user "developers" almost in the same way that a DevSecOps team would do so for internal developers.

"There's a saying in engineering with regards to user centricity, which is 'Make me make good choices,'" she says. "And so in that respect, you want to create technology that either encourages or only allows users to make good choices."

This kind of effort takes significant effort and a security-first mentality for game development. However, it's an investment that has a definite ROI for gaming firms, she says.

"Security ties to how users in the community think of your integrity and trust you. These are long-term assets," she says. "If you gain credibility over the years, it can absolutely be a business value-add."

For Gaming Companies, Cybersecurity Has Become a Major Value Proposition

Yet another *4Shell exploit highlights the horror of strange visitors into enterprise environments. This Tech Tip focuses on what to do next.

A family moves into their dream home, only to be plagued by ominous letters, a strange tenant, and sinister threats. Sound familiar?

It should. This is the story behind _The Watcher_, a true crime series that premiered on Netflix on October 13, 2022. It's also the story of the Text4Shell vulnerability, which was announced that same day, causing many people worldwide the horror of unknown attackers getting access to their private environments and threatening their applications.

Text4Shell is a remote code execution (RCE) vulnerability that allows attackers to remotely access a server and run malicious code on it. RCE attacks have become very popular lately, with vulnerabilities like Log4Shell and WannaCry, due to the growth of cloud applications that expose APIs (REST, GraphQL, LDAP, etc.) in public environments.

These attacks are straightforward for hackers to attempt. All they have to do is scan the Internet for applications running a known vulnerable tech stack, and search for the right external endpoint that will allow them to inject their malicious code.

**How Does Text4Shell Work?**

The Apache Common Text library is a widely used Java library for text manipulation and other string algorithms. It is a common dependency in the supply chain for many OSS libraries, and is used directly by many Java applications too.

One of the library functions, to create interpolators to substitute variables from a string, has flawed logic as it executes part of a given string without using isolation. This oversight makes the string accessible to the whole environment. In practical words, if you have a REST API with a request parameter such as 'https://your.app/user/{userID}', you would manipulate this 'userID' variable, with the 'createInterpolation(userID)' function.

In the case of a public API, any attacker can replace the 'userID' parameter with malicious code and have it execute it in your environment. The worst case scenario of such an attack is taking remote shell control of your environment (this is why this class of vulnerabilities are called \*4Shell).

For future reading, this Palo Alto Networks post has a practical code example that you can run locally and see this flaw in action.

**Can We Proactively Prevent RCEs?**

While there is no way for enterprises to promise they will never be hacked, applying proactive DevSecOps methodology in progressive development organizations can save you a lot of pain in future RCEs and \*4Shell attacks.

Progressive DevSecOps approaches make a concerted effort to assess all of the potential risks in the entire software development lifecycle, from the supply chain of your application to the runtime in production. It doesn't stop there, though. The more critical part is then making it possible to easily create continuous automated pipelines to detect, estimate, and remediate such security vulnerabilities.

The following best practices list will guide you step by step in creating self-defending engineering organizations, that autonomously maintain security based on security domain expertise available to defend against known hacking vectors.

**1\. Continuously Run SCA Tools on Your Code Base**

Software Composition Analysis tools have been available for many years, with countless free and commercial tools that leverage online sources to detect vulnerable versions of libraries and tools used in software. Multiple tools out there differ in their level of inspection, and the quality and coverage of their vulnerability database. For Java, you can use open source tools such as OWASP dependency check (or commercial tools such as Snyk and Mend). Regardless of which you choose, you should find the SCA tool available for your tech stack and run it regularly. Some defense is better than no defense.

By running those tools periodically on the code base, you can detect any vulnerable versions of tools and libraries you are using in your supply chain, just in time. We recommend running it at least daily, while also continuously monitoring new code being pushed for any updates that may include vulnerable versions.

Another point is ensuring a well-defined strategy for updating versions of vulnerable third-party libraries and tools. You can get help through APIs like https://osv.dev, which collects data on vulnerabilities and the versions where they are resolved, and also create automated processes that commit the fixed version like the Dependabot or jit.io auto-remediation feature.

**2\. Use SAST Tools**

Vulnerabilities found in third-party libraries should not always receive the highest priority for remediation. In the Text4Shell example, if you do not use the 'createInterpolator()' function in the code, there really is no reason to prioritize the upgrade, as it isn't possible to practically exploit the vulnerability. (This Twitter thread by Simon Bennetts, creator of OWASP ZAP, can teach a lot about prioritizing real risk based on the Log4Shell example that still has many in a frenzy).

So — how can you know if this is being used anywhere in your code? By running SAST tools.Static analysis security test (SAST) tools, as their name suggests, statically scan your code with tools like Abstract Source Tree (AST) or other string scanning methods to find if there are any places in the code that are vulnerable to known issues. Updated versions of such tools will detect the vulnerable code and will alert you. Some of the tools will even offer a practical fix for the vulnerabilities, so you'll only need to replace the code with the patch they suggest.

You can find SAST tools that are specific to languages such as Bandit for Python and GoSec for Golang, but there are also cross-language tools such as SonarQube and SemGrep.

You can also define those tools to run as part of the automated CI/CD pipelines so that any relevant new issues will be caught in time to avoid their propagation to production.

**3\. Avoid Default Errors**

The explosion in the number of RCE attacks previously mentioned is the byproduct of the existence of public-facing APIs that provide attackers an easy way to explore the public Internet for vulnerable servers. The typical method is to create automated scripts that scan for error responses that use default error messages and pages – making it easy to identify the underlying technology. (For example, the Apache Java 404 default page, the most commonly used Web server, even today remains a gold mine for would-be attackers.) By wrapping any of the errors returned to users with a custom error, you make it hard for attackers to identify what server technology you used, for example.

Besides serving as a best practice for code reviews and code styling, many of the SAST and lint tools also provide the added benefit of monitoring every HTTP request static tree and alert about any raw error that is returned to the end user.

**4\. Configure Everything as Code**

By configuring everything as code, all configuration is protocoled, monitored, and managed in a reliable and searchable way that makes changes and rollbacks fast and quiet. Not only that, you can use automated tools such as KICS and Checkov to scan the configuration files for any vulnerable configurations before you even deploy it to a real environment. By running these tools you can verify critical configuration issues such as:

*   Overly privileged containers, to ensure the container can only run only the particular code it should and also verify the narrowest set of permissions (also called least privilege).
*   API configurations and access to endpoints, to ensure all requests are validated for any potential code injections.
*   Scanning code runners to ensure containers don't have egress call access to a white list of addresses.

Like other static analysis tools, those tools make it very easy to create automated CI/CD pipelines that ensure every configuration deployed is the safest one, that changes are monitored, and that the human error factor is minimized to as close to zero as possible.

**5\. Do Not Run Code on Native Machines and Use Least Privilege**

The biggest damage \*4Shell vulnerabilities can cause is when you run these processes as standard processes in a (virtual) machine. Running code in containers minimizes the damage to the current running environment and enables you to maintain a very narrow set of permissions and privileges for the container.

By monitoring containers to run only in needed processes, alongside limiting the users that run the applications to only the required permissions, you can ensure there will not be any impact on the sensitive areas attackers will want to infiltrate.

Running all your applications in containers and other standard cloud-native methods also helps define a centralized network and privilege configuration that wraps up all the running applications, avoiding any manual configurations that can easily go bad.

When your architecture scales, you can use tools such as Wiz, Orca, and other cloud-native security observability tools to ensure everything is properly defined in real time.

**6\. Employ Dynamic API Scanning**

Using DAST tools like ZAP, you can find out which of your applications are really vulnerable to Text4Shell. This can be useful if you have a large number of applications that are vulnerable, making it possible to prioritize fixing them, or if you need access to the source code. The ZAP Text4Shell Scan Rule is currently in the optional Alpha Active Scan Rules add-on and requires an OAST service in order to work.

**Faster Security == Dev Velocity**

We can't expect exploits to disappear, and it shouldn't surprise us when new \*4Shell or any other zero days appear. What we can do is have the right guardrails and controls in place, so that we can quickly discover and remediate these without wreaking too much havoc on our already bogged-down dev processes.

By taking action today, you essentially avoid being caught off guard tomorrow and disrupting engineering delivery. We're privileged to be in an age with excellent open source security tooling that integrates well with our CI/CD and stacks, and we should make an effort to employ them as often as possible. What's more, this doesn't even require domain expertise any longer; there are plenty of DevSecOps tools (and, as noted above, open source tools) that will do this for you, and even SaaS-based offerings for those who are willing to pay for it that will orchestrate this end to end. Don't leave your house open to strangers. Start with the easy stuff — lock the front door.

How Development Teams Should Respond to Text4Shell

Unique conditions contribute to outsized telecom fraud across the continent, but working together can bring solutions.

With the digital transformation of the post-pandemic world, Africa is seeing a massive technology revolution, especially in the telecom industry, which has shifted network infrastructure away from traditional services to more advanced commercial routers, switches, and servers. But this move hasn't been without some challenges — notably cybersecurity risks. Mordor Intelligence predicts that the entertainment and telecommunication market in Africa will register a compound annual growth rate (CAGR) of 11.2% between 2021 and 2026, but the industry must fiercely combat telecom fraud if it hopes to scale.

A persistent problem in Africa, telecom fraud was one of the central discussions at the recent Africa Tech Festival 2022, held Nov. 14-16 in Cape Town, South Africa. The event, produced by Informa Tech, focuses on technology developments and industry trends in Africa, elevating those at the forefront of digital inclusion.

In 2020, a report by the Sierra Leonean National Telecommunication Commission stated, "Africa is losing around $1.59 billion yearly to telecoms fraud." There's a huge market for attackers to exploit here, and unless organizations rethink their approach to telecom fraud, they'll fall behind the attackers. While this is a worrisome reality, it isn't all bleak for Africa.

**Telecom Fraud Thriving in Africa**

Telecom fraud is growing everywhere, but Africa has its own special conditions that leave it even more exposed to the growing threat. Termination rates to African countries are among the highest in the world, making international calls very expensive.

"The cost differential between international and national calls is frequently quite dramatic," Africa Tech attendee Gavin Stewart, vice president of sales at Oculeus, says. "Therefore, fraudsters commonly apply manipulation so that international traffic masquerades as local/national calls and therefore get cheaper rates. This is achieved by pushing the traffic down illegitimate routings, impersonating a local number ID, or both. This 'bypass' fraud activity is particularly endemic across Africa."

In roaming fraud, for example, fraudsters get hold of SIM cards and use them from overseas markets to call international revenue share numbers. It takes a minimum of three to four hours for the call records to arrive back at the home network for analysis, providing these cybercriminals ample time to fully exploit this revenue stream. The fraud can equally occur by way of a sim box where illegal international voice-over-IP (VoIP) calls are diverted onto local mobile networks. The criminals benefit from the international call charges, but because the call appears to be local, the operator is only paid for a local rate call.

Global telecom fraud usually involves CLI refiling, which Stewart describes as "a kind of bypass fraud where the identifying number of a call is deliberately manipulated to benefit from cheaper termination rates unfairly." He notes that these cheaper rates are commonly offered for national calls or calls between country pairs that have negotiated a special arrangement, or even calls between members of a large telco multi-country group. "As telco networks have largely migrated to newer SIP-based networks, the technology has inadvertently made it much easier to achieve such manipulations," he adds.

**Fighting Fire With Fire**

McKinsey reports that the African domestic e-payments market is expected to see revenues grow by approximately 20% yearly, reaching around $40 billion by 2025. Most of these payments are powered by banks and nonbank players innovating to reduce friction in domestic and cross-border payments to benefit consumers and businesses. The nonbank players in Africa are primarily telecommunications service providers and fintech organizations. The large volume of transactions in the industry is an appealing target for fraudsters.

"Africa has been a global pioneer in mobile money transactions. Equally, this new money transfer channel attracts new and complex fraud use cases. Whereas the traditional banking sector benefits from multiple security layers and controls, a fraudster or cybercriminal targeting mobile money transactions needs only to access a mobile network in order to appropriate funds," Stewart says.

The future, he opines, will be to turn the advanced techniques used by bad actors against the cybercriminals. "Since fraudsters are manipulating SIP protocols, it follows that SIP level real-time protection is vital. AI (artificial intelligence) is also widely employed by fraudsters to disguise their methods in increasingly subtle ways that can evade the logic of outmoded anti-fraud systems. It is incumbent on telcos to implement AI-based technologies if they are to have any hope of successfully detecting and mitigating AI-driven frauds today," Stewart says.

**Collaborating for a Common Cause**

Telecom fraud in Africa cuts across several strata, from multiple opt-in frauds to text messages and international call fraud, with the motherlode being mobile money transactions. However, Stewart believes anti-fraud professionals can band together to deal with the elephant in the room.

"Cybersecurity and anti-fraud professionals have a culture of mutual cooperation, even where they are working for rival companies. It's normal to share intelligence collaboratively since this is an industrywide fight. With the resumption of face-to-face networking, security professionals will exchange intelligence, in many cases concerning new fraud attack types which were themselves powered up by the pandemic conditions," he notes.

Beyond employing new technologies in the fight against fraud, companies in the telecoms industry must actively seek collaboration. "Fraudsters are extremely clever, highly organized, and will always exploit the weakest link. The telecoms community must work together to tackle the common threat and invest in innovative solutions to fight it. Telecoms networks that are not equipped with the highest quality security, insights and fraud protection will be the softest targets," says Clémentine Fournier, Africa regional vice president of sales for BICS.

Why Africa's Telecoms Must Actively Collaborate to Combat Fraud

Months after a fix was issued by a vendor, downstream Android device manufacturers still haven't patched, highlighting a troubling trend.

It's called a "patch gap" and describes the time it takes a fix for a known vulnerability to trickle down from software vendor to individual device manufacturers. And the latest casualties are the millions of Pixel, Samsung, Xiaomi, and other Android device brands.  

According to Google's Project Zero, after its team discovered five separate bugs in the ARM Mali GPU driver, ARM  "promptly" issued a patch in July and August. Yet, Project Zero reported that every test device they looked at this week remains vulnerable. 

Until there's a better solution for tightening up the lag between the time a patch is issued and reaches the wider ecosystem, it's up to security teams to remain "vigilant," the Google Project Zero team advised. 

"Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies," the patch gap report explained. "Minimizing the 'patch gap' as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'Patch Lag' Leaves Millions of Android Devices Vulnerable

The infostealer Aurora’s low detection rates and newcomer status are helping it fly under the radar, as more cybercriminal gangs target cryptocurrency wallets and communications apps.

A growing number of cybercriminal groups are turning to an information stealer named Aurora, which is based on the Go open source programming language, to target data from browsers, cryptocurrency wallets, and local systems.

A research team at cybersecurity firm Sekoia discovered at least seven malicious actors, which it refers to as "traffers," that have added Aurora into their infostealer arsenal. In some cases, it's being used in conjunction with the Redline or Raccoon infostealers as well.

More than 40 cryptocurrency wallets, and applications like Telegram, have been successfully targeted so far, according to the report, which highlighted Aurora's relative unknown status and elusive nature as tactical advantages.

Aurora was first discovered by the company in July and is thought to have been promoted on Russian-speaking forums since April, where its remote access features and advanced infomation-stealing capabilities were touted.

"In October and November 2022, several hundreds of collected samples and dozens of active C2 servers contributed to confirm SEKOIA.IO\['s\] previous assessment that Aurora stealer would become a prevalent infostealer," the company's blog post explained. "As multiple threat actors, including traffers teams, added the malware to their arsenal, Aurora Stealer is becoming a prominent threat."

The report also noted that cybercriminal threat actors have been distributing it using multiple infection chains. These run the gamut from phishing websites masquerading as legitimate ones, to YouTube videos and fake "free software catalog" websites.

"These infection chains leverage phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites," the blog post continued.

The company's analysis also highlights two infection chains currently distributing the Aurora stealer in the wild, one through a phishing site impersonating Exodus Wallet and another from a YouTube video from a stolen account on how to install cracked software for free.

The malware uses a simple file-grabber configuration to gather a list of directories to search for files of interest. It then communicates using TCP connection on ports 8081 and 9865, with 8081 being the most widespread open port. The exfiltrated files are then encoded in base64 and sent to the command-and-control server (C2).

The collected data is offered at high prices on various marketplaces to cybercriminals looking to carry out lucrative follow-up campaigns, in so-called "big-game hunting" operations that go after large companies and government-sector targets, according to the researchers.

**Open Source Malware Rising in Popularity**

A growing number of malicious actors are building malware and ransomware with open source programming languages like Go, which offers increased flexibility.

Go's cross-platform capability enables a single codebase to be compiled into all major operating systems. This makes it easy for threat actors, such as the ones behind BianLian, to make constant changes and add new capabilities to a malware to avoid detection.

The operators of the cross-platform BianLian ransomware have actually increased their C2 infrastructure in recent months, indicating an acceleration in their operational pace.

Uncommon programming languages — including Go, Rust, Nim, and DLang — are also becoming favorites among malware authors seeking to bypass security defenses or address weak spots in their development process, according to a report last year from BlackBerry.

Source

DARKReading