Even very short tasks may be worth automating if you do them frequently. Here's how to decide what to tackle first.

Picture it: the company boardroom, two weeks ago: Due to "an uncertain economic outlook," the expanded security budget and new hires you asked for in 2023 have been denied. As the company "tightens its belt," you may even lose existing budget and some headcount.

You had plans to use those resources to help you shore up security weaknesses and react more adroitly to changes and new environments that seem to appear like clockwork with every two-week development sprint.

So what's a CISO to do? Telling your engineers to work harder won't really cut it. You need a way to complete work more efficiently and do more with less. You need automation. Everyone's first reaction is that automation doesn't work everywhere — and that's correct — but there are plenty of cases where it works.

**Identifying What to Automate**

Reach for automation when you have tasks that are repetitive — tasks that happen often enough that the time savings of automation can justify the upfront cost of development and maintenance of the solution. Points to consider:

*   **Frequency:** How often does the task occur? Even a short, 30-second task can be a valuable target for automation if you are doing it 100 times per week.
*   **Standardization:** Is the task standardized? Repetitive tasks that have well-documented playbooks or your staff can do in their sleep are great candidates for automation, while tasks that require substantial human consideration are not.
*   **Sub-tasks:** Can a portion of a task be broken off and automated? End-to-end automation isn't always possible, but partial automation can be valuable. 
*   **Opportunity cost:** Does this task have external costs that should be considered? A five-minute task that interrupts an engineer's workflow and delays the work by 20 minutes is actually a 25-minute task. If this engineer's time is better served building vs. completing interruption-driven tasks, the task is a prime candidate for automation. Be sure to include these factors when you weigh the opportunity cost of automating a task.

If a task isn't a good candidate for automation but still takes up a bunch of time, can you identify a different, but related, process to automate and reduce the number of times a task must be performed? For example, you might not be able to update vulnerable dependencies automatically in production, but flagging them during development may mean you have far fewer that make it that far.

**Example: Automating PCI Scans & Reporting**

Let's consider automation in the context of vulnerability scanning, the bane of many security teams' existence. At one employer, I needed to run weekly PCI scans of all of our infrastructure. Each week, before I could run that scan, I needed to update the asset inventory by manually compiling lists of IPs and hostnames from our cloud infrastructure providers, and then update the target list in the scanner's Web interface. We only did this once a week, but it took about 30 minutes each time.

Both the cloud infrastructure providers and the scanner had an API, so it was relatively simple to build automation that could authenticate to both systems and compile the relevant information. This was an automation win.

Once the vuln scanner reports were produced, we needed to review and act on the findings — another weekly task that took several hours. Because the reports were provided in XML, it was simple enough to have them machine-parsed, deduplicated, and summarized via email with new issues logged as tickets. _This_ was an even bigger automation win.

**Where to Start**

As with everything in information security, getting started with security automation boils down to prioritization. You can't possibly tackle everything at once, so identify the list of possibilities; rank them based on how much they matter, both in terms of risk and potential effort savings; and start working your way down the list.

If you're totally new to automation, start with smaller, easier wins and advance from there.

Take, for example, a security operations scenario you encounter more frequently than you'd like: open S3 buckets. Open S3 buckets seem to happen all the time, despite AWS' best efforts to warn against them. This can be a good candidate for automation because it is a standard process that happens with high frequency. Here is one way to accomplish this with the AWS command-line interface.

The AWS CLI command _aws s3api list-buckets_ lists all of the available S3 buckets. From that list, take each bucket name and use the command _aws s3api get-bucket-policy --bucket YOUR\_BUCKET\_HERE_ to get the bucket's permissions.

This will output the identity and access management (IAM) policy that is applied to the bucket. Parse the IAM policy, looking for policies that allow AllUsers (everyone on the Internet), AuthenticatedUsers (everyone with an AWS account, even people not in your organization), or buckets that simply allow the \* principal. This way we generate a list of all open buckets.

You can use that same _aws s3api get-bucket-policy_ command with the _\--policy_ parameter to upload a new policy file that doesn't have those permissions so that you can close these gaps. Once you become familiar enough with performing these tasks on the command line, you can start to script the repeatable steps into a Python or shell script. Eventually you can automatically kick off and run the entire process while you sleep or do other work.

**Automating Can Present Challenges**

If you are worried that your automation won't be ready for the prime-time demands of your production environment, start by automating away tasks in development and staging environments or even sales engineering and data science environments.

Finally, if you want to automate in production but have concerns about business impacts, focus on automating in response to recent changes pulled from a CI/CD system or something like AWS' EventBridge. Finding that you need an exception for a newly deployed system in the first minute of its life cycle (when it is being closely monitored by the teams that just deployed it) is much more palatable than finding it out because it broke a week ago after working for nine months and now customers are complaining.

There are costs associated with building and maintaining this automation. These costs vary depending on the tooling available to you and your team's skill sets. Some teams prefer to custom-script everything in Python/Ruby/Perl/Bash and orchestrate it through cron jobs and modules in your CI/CD pipeline. Other teams may prefer to shift some of the maintenance costs onto a remediation vendor — limiting their direct involvement to configuring tools that interface with a security information and event management (SIEM) or security orchestration, automation and response (SOAR) platform and using that to kick off low-code/no-code remediation workflows built into another tool.

The choice to use an external vendor can be a good way to lower the ongoing maintenance costs of your solution. This is especially true for interactions with APIs and services whose changes might break your tooling.

**The Cumulative Effect of Automation**

Each individual task might not seem to amount to much. However, over a whole team's worth of tasks for an entire organization, the savings start to add up and the cost starts to scale much more favorably.

Automation will never replace a security team — some tasks require human interaction and human decision-making. However, as businesses continue to grow and security budgets grow tighter, it can help to empower those humans to do more and be more effective and more productive.

Effective and Efficient Automation for Security Teams

**ATLANTA****,** **Jan. 4, 2023** **/PRNewswire/ --** CORL Technologies, the leading provider of risk management solutions for healthcare, today introduced Third-Party Incident Response (TPIR). This managed incident response solution allows healthcare providers to address third-party security incidents proactively. CORL's TPIR service tames the chaos of incident response by enabling healthcare companies to share information and provide total clarity about how each party will respond to industry-wide vulnerabilities and episodic data breaches.

According to SC Magazine, nine out of the ten most significant healthcare data breaches were caused by third-party vendors. The Verizon annual Data Breach Investigations Report indicates ransomware saw a 13% increase in 2022, making up almost 70% of malware breaches. Ransomware incidents can cause computer systems to be down for weeks, creating a ripple effect that can impact hundreds of providers and patients.

CORL's TPIR eliminates the chaos of third-party incident response for faster resolution. TPIR clarifies every stage in an incident lifecycle, including proactive preparedness profiles and scoring, impact mapping, managing outreach and response, automating communications, and identifying key metrics using standardized data. CORL offers healthcare companies numerous benefits, including:

*   **Improved preparedness** – Create a strong data foundation with readiness profiles, managed key contact rolodexes, and scores by vendor, vendor tier, and in aggregate.
*   **Extended visibility** – Understand incident implications using impact mapping, live response tracking, reports, and other tools.
*   **Reduced internal burden** – CORL serves as an expert partner providing scalable outreach, response management, and reporting.
*   **Well-defined course of action** – TPIR provides a clear communication plan for each vendor with correct contacts and escalations.

"We developed Third-Party Incident Response to prepare healthcare providers and vendors before an incident occurs," said Cliff Baker, Chief Executive Officer of CORL Technologies. "Vendor data breaches happen every day, and very few know who to contact or how to escalate when they don't get what they need. With TPIR we eliminate the chaos, provide clarity around points of contact, escalation, incident impact, remediation, etc., and do all the outreach, so there is no impact on the internal team."

TPIR provides preparedness at scale, starting with an accurate data foundation. CORL prepares a Third-Party Incident Preparedness (TPIP) profile and score for each vendor to identify gaps and improve preparedness across all vendors. CORL's managed Third-Party Incident Impact (TPI3) workflow provides rapid insight into how an incident impacts the business. The result is a coordinated plan of action that outlines responsibilities and eliminates duplicate efforts.

"CORL is committed to going beyond risk management tools that stop short of solving the problem," continued Baker. "Our managed assessment methodology, the way we utilize data, and decision-support tools address the healthcare industry's real-world security and privacy challenges. We are committed to integrating the best of technology and human intelligence to make third-party risk management a business enabler."

**About CORL Technologies**

CORL is a leading provider of vendor risk management solutions for the healthcare industry. CORL gets results by scaling organizational and vendor risk programs through our healthcare vendor risk clearinghouse solution, dashboard reporting that business owners can understand, and proven workflows that drive measurable risk reduction. CORL accelerates the speed of vendor risk assessments and holds vendors accountable for remediating risk exposures. Together with sister company Meditology healthcare's preeminent cybersecurity consulting firm and certification body, the company has offices in Atlanta, Philadelphia, Denver, San Diego, and St. Louis. 

For more information, visit http://corltech.com.

CORL Technologies Introduces Proactive Third-Party Incident Response Solution for Healthcare

Attackers have compromised a Colombian financial institution and are using a bevy of leaked customer details in further malicious activity to spread an info-gathering remote access Trojan (RAT).

Threat actors are using data stolen from a Colombian bank as a lure in what appears to be a malicious campaign aimed at spreading the BitRAT malware, researchers have found. The activity demonstrates the evolution of how attackers are using commercial, off-the-shelf malware in advanced threat scenarios, they said.

Researchers at IT security and compliance firm Qualys were investigating "multiple lures" for BitRAT when they identified that the infrastructure of a Colombian cooperative bank had been hijacked. Attackers were using sensitive data gleaned from that compromise to try to capture victims, they reported in a blog post published Jan. 3.

"While digging deeper into the infrastructure, we identified logs that point to the usage of the tool sqlmap to find potential SQLi faults, along with actual database dumps," Akshat Pradhan, senior engineer of threat research at Qualys, wrote in the post.

Overall, threat actors leaked 4,18,777 rows of sensitive data from the bank's customers, including details such as Colombian national ID numbers — called "Cedula" numbers — as well as email addresses, phone numbers, customer names, payment records, salary, home addresses, and other data, researchers said.

So far, researchers have not seen the data dumped on any hacker forums or Dark Web sites, and are following standard breach-disclosure guidelines as they further investigate, they said.

**A Commercial RAT With a Long Tail****

Threat actors began marketing BitRAT on underground cybercriminal markets starting in February 2021. The RAT is notorious for its social media presence and its relatively low price of $20, which makes it popular among cybercriminals, researchers said.

Key capabilities of BitRAT include: data exfiltration, execution of payloads with bypasses, distributed denial of service (DDoS), keylogging, webcam and microphone recording, credential theft, Monero mining, and running tasks for process, file, and software, among others.

BitRAT is an example of how the use of commercial RATs has evolved not only with new capabilities for propagation, but also by harnessing the use of legitimate infrastructures to host malicious payloads, Pradhan said. This is something that enterprises now need to account for in their respective security defense postures, he noted.

To that end, researchers advised that all organizations employ endpoint detection and response (EDR) solutions to detect malware such as BitRAT as it inserts itself into a network endpoint, they said. Functions like asset management, vulnerability detection, policy compliance, patch management, and file-integrity monitoring capabilities across a system are key for combating malware like this, they added.

Enterprises should also implement external attack surface management solutions, which allow for continuous monitoring and reduction of the entire enterprise attack surface — including internal and Internet-facing assets and discover previously unidentified exposures — to counter evolving threats, researchers said.

****Anatomy of the BitRAT****

Researchers found and analyzed a cache of Excel sheets — all authored by "Administrator" — being used as lures for a BitRAT campaign, with data from the tables being reused in Excel maldocs as well being included in the database dump, they said.

"The Excel contains a highly obfuscated macro that will drop an .inf payload and execute it," Pradhan wrote in the post. "The .inf payload is segmented into hundreds of arrays in the macro."

A de-obfuscation routine performs arithmetic operations on the arrays to rebuild the payload once it's ready for execution, with the macro then writing the payload to "temp" and executing it via a file called advpack.dll, he said.

The macro itself also includes a hex-encoded, second-stage .dll payload that is decoded via certutil, written to "%temp%\\," and executed by the command "rundll32," researchers found. After this process is executed, the temp files are then deleted, they said.

It's this .dll file that uses various anti-debugging techniques to download and execute the final BitRAT payload. The file also uses the WinHTTP library to download BitRAT-embedded payloads from a GitHub repository created in mid-November by a "throwaway" account to the "%temp%" directory, Pradhan wrote.

In the final stage of BitRAT execution, the .dll uses WinExec to start the "%temp%" payload and exits. To maintain persistence on a user's machine, the BitRAT sample starts and then relocates the loader to the user's startup, the researchers said.

**

BitRat Malware Gnaws at Victims With Bank Heist Data

Improve overall IT administration and establish a framework to identify misconfigurations and automate the process of checking IaC before it makes it into the production environment.

Infrastructure as code (IaC) has gained rapid popularity for its ability to automate the management and provisioning of IT infrastructure by replacing manual processes with machine-readable configuration (definitions) files that contain specifications that are simple to edit, maintain, and distribute.

This approach is especially appealing and efficient when standing up and modifying infrastructure-as-a-service (IaaS) instances in cloud application environments.

But, like any technology, these gains aren't without some pain. One of the most formidable tasks is dealing with IaC management and security. While it's now incredibly fast and convenient to propagate changes across multiple production environments, errors and vulnerabilities can also spread like wildfire. This includes misconfigurations and incorrect default settings, all of which can potentially expose sensitive data, intellectual property (IP), and trade secrets.

As a result, it's wise to establish a framework — including the right strategy and technology tools — that can identify misconfigurations, fix incorrect values, and automate the sometimes-daunting process of checking IaC.

**Cracking the Code on IaC**

One of the things that makes infrastructure-as-code so appealing is the ability to automate infrastructure deployment processes as part of the development life cycle. This practice is usually referred to as creating a CI/CD pipeline — continuous development and continuous deployment. Manually provisioning, configuring, and managing systems is a time-consuming and error-prone task. IaC is an essential component for automating these processes. With the click of a button, it's possible to set up, delete, or make widespread changes to an existing environment across multiple cloud platforms using APIs

It's also possible to gain visibility into all these changes. So, if it is necessary to roll back a system to a particular date or configuration, the task is reasonably easy to manage. Because IaC typically has built-in support for things like declarative and imperative language, filters, and rules and settings, it's possible to create a standard deployable configuration file that tells a cloud provider exactly what resource to provision.

Eliminating manual processes doesn't prevent problems. IaC environments remain vulnerable to configuration errors. In many cases, IaC definition files mitigate the risk of introducing security misconfigurations due to human errors such as applying the wrong user access policy or important security settings. However, when human-made mistakes happen, they will affect all resources that are using the same definition files and may impact thousands of resources.

In fact, it's remarkably easy to miss configuration issues in IaC, especially when a large and complex cloud infrastructure is provisioned. And once the problem exists in the production environment it's usually a lot more difficult and time-consuming to fix. As a result, organizations should implement a shift-left approach to IaC security that's designed to fix issues directly when code is written or modified.

**Finding the Fix**

Addressing the problem involves scanning new IaC files for errors and fixing them before they are released to production, as well as discovering misconfigurations already deployed in cloud environments and modifying the IaC files. This requires following a clearly defined three-step process:

*   **Identify the misconfigurations.** This "hygiene" starts with state and resource aware scanning of configuration files to identify errors or policy violations that need to be fixed. These processes should scan the cloud runtime environment and take into account the plan and state outcomes. Once problems have been identified, it's critical to fix code for all files that touch the cloud environment. In some cases, thousands of configuration files might exist.
*   **Create a staging environment for testing.** One of the big advantages of IaC is that you can quickly create many instances of your entire infrastructure, it's simple to create a staging environment and a production environment. Once the review process is complete in the staging environment, transferring it to a live setting is a process that takes place at the push of a button.
*   **Inspect an IaC environment before provisioning to production so that it aligns with security policies.** The inspection process should include a review that ensures that a policy is correctly translated into a control, and the control is correctly embedded in the configuration file. For example, an organization might check to see that any sensitive data isn't stored in clear text or secrets are not exposed. It's critical to conduct a thorough review so that a new setting or configuration doesn't introduce a new issue.
*   **Add the correct values.** The next step is to fix the actual problem. This may be something as straightforward as encrypting a database that was previously unencrypted or something as complicated as changing a specific setting in all the virtual machines or storage devices in a particular region or country. Once this analysis is complete, it's possible to update configuration files or create new ones.
*   **Deploy the new or updated code.** After you have made the necessary changes, it's time to push out the new or updated configuration files. While IaC makes this task much easier, it's important to ensure that the update is going to the right place and that it will be deployed as intended, as part of a managed CI/CD process.

While IaC provides huge advances for deploying and managing today's highly complex cloud and IT environments, it does not address security issues and configuration errors that will inevitably occur. However, with the right processes, procedures, and tools it's possible to automate the detection and remediation of security risk in even the largest IaC deployments.

Understanding Infrastructure-as-Code Risks in the Cloud

**DUBLIN****,** **Jan. 4, 2023** **/PRNewswire/ --** The "Global Mobile Biometrics Market Size, Share & Industry Trends Analysis Report By Industry, By Technology, By Authentication Mode (Single Factor and Multi Factor), By Component (Hardware, Software and Service), By Regional Outlook and Forecast, 2022 - 2028" report has been added to  ResearchAndMarkets.com's offering.

The Global Mobile Biometrics Market size is expected to reach $91.9 billion by 2028, rising at a market growth of 21.8% CAGR during the forecast period.  
Mobile biometric authentication uses biometrics to recognize and confirm a person's identity when they attempt to access any mobile application. Authentication can be carried out using these mobile biometric devices in a number of different ways, including face recognition, fingerprint readers, voice recognition, and others. Mobile biometrics solutions straddle the line between identity and connectivity.  
They make use of smartphones, tablets, other forms of handheld devices, wearable technologies, and Internet of Things devices for their flexible deployment capabilities. Controlling access to information, locations, and systems have become more and more necessary over time. Many businesses currently use cards, PINs, or passwords to verify users' identities before granting access. However, there are significant problems with this conventional method.  
In recent years, biometric technology has gained popularity on mobile devices. The technology improved in terms of user-friendliness and consumer affordability. This biometric solution is a method used to authenticate a person who is in possession of a mobile device and uses it as a distinctive biometric identifier. Single-factor authentication (SFA) and multi-factor authentication (MFA) are the two different authentication mechanisms used by mobile biometric systems.  
These systems operate using a variety of techniques, including Deep Neural Networks and Keystroke Dynamics. Together, these procedures form a mobile biometrics system that provides coordinated security for mobile devices. The demand for this effective security solution typically increases significantly. In order to determine similarity, biometric authentication compares data for a person's features to that person's biometric "template".  
**COVID-19 Impact Analysis**  
The pandemic had a positive impact on the mobile biometrics market. This was due to a significant shift toward the rise of digital stores and e-commerce platforms, which has led to an increase in the use of online payments. The potential for an increase in cyberattacks in the form of fraud and identity theft also guided the market. Secure authentication services for different banking and financial applications, like client KYC and money transfer, are required in such a situation, and the usage of top-notch security tools is crucial.  
**Market Growth Factors**

**Increase In Platforms Using Biometric Authentication**  
The demand for biometric solutions has increased over the past few years as digital media and internet content delivery have grown. Traditional methods of authentication, like signatures and text-based credentials, have been shown to be more difficult for users to use because they are so vulnerable to contemporary cyberattacks. Furthermore, customers really need to develop faster methods of authentication due to the growing quantity of digital services.  
**Assurance Of Higher Security With Biometrics Usage**  
One of the key factors propelling the growth of mobile biometrics is the increasing demand for intelligence security devices in mobile devices to secure the data saved in the devices, such as bank account information, photos, recordings, contacts, and other personalized data. By confirming a physical, real-world characteristic that is (typically) specific to that person, such as fingerprints, facial features, voice articulation, and others, biometric solutions can give providers a higher level of assurance that the person is real.  
**Market Restraining Factors**

**Wrong And Inaccurate Results Through Biometrics**  
False positives and inaccuracy are two of the most significant challenges. Biometric authentication procedures rely on insufficient data to confirm a user's identity. For instance, during the enrollment step, a mobile biometric device will scan a whole fingerprint and turn it into data. Future fingerprint biometric authentication, however, will only require a portion of the print to confirm identity, making the process speedier overall.

**Scope of the Study**

**Market Segments Covered in the Report:**

**By Industry**

*   Public Sector
*   BFSI
*   Healthcare
*   IT & Telecommunication
*   Others

**By Technology**

*   Fingerprint Recognition
*   Face Recognition
*   Voice Recognition
*   Others

**By Authentication Mode**

*   Single Factor
*   Multi Factor

**By Component**

*   Hardware
*   Software
*   Service

**By Geography**

*   North America
*   US
*   Canada
*   Mexico
*   Rest of North America
*   Europe
*   Germany
*   UK
*   France
*   Russia
*   Spain
*   Italy
*   Rest of Europe
*   Asia Pacific
*   China
*   Japan
*   India
*   South Korea
*   Singapore
*   Malaysia
*   Rest of Asia Pacific
*   LAMEA
*   Brazil
*   Argentina
*   UAE
*   Saudi Arabia
*   South Africa
*   Nigeria
*   Rest of LAMEA

**Key Market Players**

**List of Companies Profiled in the Report:**

*   3M Company
*   Apple Inc.
*   NEC Corporation
*   BIO-key International, Inc.
*   Fujitsu Limited
*   HID Global Corporation
*   Precise Biometrics AB
*   M2SYS Technology, Inc.
*   Aware, Inc.

For more information about this report visit https://www.researchandmarkets.com/r/vwb2z6

Insights On the Mobile Biometrics Global Market To 2028 - Increase In Platforms Using Biometric Authentication Drives Growth

Adopting post-quantum cryptography is something that has been discussed for years; it's time for organizations to get to work.

2022 has been a big year for quantum computing. Over the summer, National Institute of Standards and Technology (NIST) unveiled four quantum computing algorithms that will be eventually turned into a final quantum computing standard, and governments around the world boosted investments in quantum computing. 2023 may be the year when quantum finally steps into the limelight with organizations preparing to begin the process of implementing quantum computing technologies into existing systems. It will also be the year to start paying attention to quantum computing-based attacks.

"In 2023, we'll see both the private and public sector's increased awareness around the challenges associated with quantum resilience, and we'll see efforts begin to take hold more significantly to prepare for quantum computing," says Jon France, CISO of (ISC)2.

McKinsey recently noted the amount of money different countries have allocated for quantum computing to date — China leads the pack with $15.3 billion in public funds in quantum computing investments. The European Union governments combined have invested $7.2 billion, which dwarfs the US with $1.9 billion.

That doesn't mean the US has been standing still. A key effort — the list of four NIST-approved algorithms (CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON and SPHINCS+) — will help organizations future-proof current data security measures against harvest-now/decrypt-later (HNDL) attacks. These attacks refer to adversaries hanging on to encrypted items until a time when quantum computing technology that can decrypt them become available. And last month, US president Joe Biden signed the Quantum Computing Cybersecurity Preparedness Act (HR 7535) into law to give the Office of Management and Budget authority to begin implementing NIST-approved quantum algorithms throughout the executive branch.

The new law highlights the importance of implementing quantum computing technologies into existing systems now, but it doesn't address the necessity of monitoring for threats, says Yudong Cao, co-founder and CTO of Zapata Computing. "We should be actively monitoring the threat by sponsoring cybersecurity research activities into various methods, exact or heuristic, for compromising the current encryption schemes," Cao says.

There is also a lot of investment activity in the private sector, with start-ups focused on quantum technologies collecting $1.4 billion in funding in 2021 alone, McKinsey said. Nearly half (49%) of those private investments are in companies in the United States, compared to just 6% in China, the analysts noted.

"Building cyber resilience in preparation for quantum technology should have been an effort started a decade ago ... but now is the second best time," France says. However, for both private and public sector organizations, the process of making infrastructure "quantum-resilient" will be a difficult and slow one.

"Much of the encryption infrastructure in communication networks that keeps information safe now is deeply embedded, i.e., certificates, and will take years to transition to quantum resilient algorithms, posing a timeline issue for changeover before the general availability of quantum computing," France says.

In a recent survey from Deloitte, enterprises said without external pressure — such as regulatory and compliance requirements — they won't be prioritizing quantum security initiatives.

2023 Will See Renewed Focus on Quantum Computing

The popular PyTorch Python project for data scientists and machine learning developers has become the latest open source project to be targeted with a dependency confusion attack.

An unknown attacker slipped a malicious binary into the PyTorch machine learning project by registering a malicious project with the Python Package Index (PyPI), infecting users' machines if they downloaded a nightly build between Dec. 25 and Dec. 30.

The PyTorch Foundation stated in an advisory on Dec. 31 that the effort was a dependency confusion attack, in which an unknown entity created a package in the Python Package Index with the same name, _torchtriton_, as a code library on which the PyTorch project depends. The malicious library included the functions normally used by PyTorch but with a malicious modification: It would upload data from the victim's system to a server at a now-defunct domain.

The malicious function would grab a variety of system-specific information, the username, environment variables, a list of hosts to which the victim's machine connects, the list of password hashes, and the first 1,000 files in the user's home directory.

"Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository," the advisory stated. "This design enables somebody to register a package by the same name as one that exists in a third party index, and \[the package manager\] will install their version by default."

The attack is the latest software supply chain attack to target open source repositories. In mid-December, for example, researchers discovered a malicious package disguised as a client from cybersecurity firm SentinelOne that had been uploaded to PyPI. In another dependency confusion attack in November, attackers created more than two dozen clones of popular software with names designed to fool unwary developers. Similar attacks have targeted the .NET-focused Nuget repository and the Node.js Package Manager (npm) ecosystem.

**Same Name, Different Packages**

In the latest attack on PyTorch, the attacker used the name of a software package that PyTorch developers would load from the project's private repository, and because the malicious package existed in the PyPI repository, it gained precedence. The PyTorch Foundation removed the dependency in its nightly builds and replaced the PyPI project with a benign package, the advisory stated.

The group also removed any nightly builds that depend on the _torchtriton_ dependency from the project's download page and says it plans to take ownership of the _torchtriton_ project on PyPI.

Fortunately, because the _torchtritan_ dependency was only imported into the nightly builds of the program, the impact of the attack did not propagate to typical users, Paul Ducklin, a principal research scientist at cybersecurity firm Sophos, said in a blog post.

"We're guessing that the majority of PyTorch users won't have been affected by this, either because they don't use nightly builds, or weren't working over the vacation period, or both," he wrote. "But if you are a PyTorch enthusiast who does tinker with nightly builds, and if you've been working over the holidays, then even if you can't find any clear evidence that you were compromised, you might nevertheless want to consider generating new SSH key pairs as a precaution, and updating the public keys that you've uploaded to the various servers that you access via SSH."

The PyTorch Foundation confirmed that users of the stable version of the PyTorch library would not be affected by the issue.

**Mistaken Intentions?**

In a widely circulated _mea culpa_, the attacker claimed that they are a legitimate researcher and that the issue resulted from their investigation into dependency confusion issues.

"I want to assure that it was not my intention to steal someone's secrets," the person wrote, claiming to have notified Facebook on Dec. 29 of the issue and made reports to companies using the HackerOne crowdsourcing platform. "Had my intents been malicious, I would never have filled \[sic\] any bug bounty reports, and would have just sold the data to the highest bidder."

Because of the statement, some experts considered the PyTorch advisory to be a "false alarm," but there have been other attackers that have donned the mantle of a misunderstood researcher.

Moreover, the impact of the attack could have exposed victims' sensitive information, even if the person behind the malware had good intentions, Sophos' Ducklin wrote in a blog post about the software supply chain attack.

"How is this a 'false alarm'? " he also said in a tweet. "This malware deliberately steals your data… and transmits it scrambled, not encrypted ... so anyone on your network path who recorded it can trivially decode it."

Cyberattackers Torch Python Machine Learning Project

**JERUSALEM, ISRAEL (PRWEB)** **JANUARY 03, 2023 --** C2A Security, a leading provider of automated cybersecurity solutions for connected, autonomous, and electric vehicles will showcase its flagship product, EVSec, during the Consumer Electronics Show (CES 2023) taking place in Las Vegas, January 5-8, 2023. EVSec’s innovative automated cybersecurity DevOps platform helps C2A Security customers and partners including Thundersoft, NTT Data, Marelli, MIH, and more, manage software at scale.

As electric and software-defined vehicles become more popular on the roads, governments are instituting regulations, and OEMs, tier-1, and tier-2 suppliers are seeking ways to keep up with this new, ever-evolving industry landscape. C2A Security’s EVSec - Cybersecurity DevOps platform - was built to automate the compliance process for current and emerging cybersecurity standards and regulations. EVSec enables developers to focus on innovation and enhancements, such as new products and features, so automotive companies can stay competitive and provide more business value to the end customer while getting built-in, efficient, and streamlined cybersecurity at scale.

With automotive regulations in Europe and the US promoting the future sales of EVs to rise, cyber threats are inevitable, making C2A’s EVSec solution critical to maintaining the safety of not only the drivers but critical infrastructures as well. Growing its sales funnel by 15 times this past year, and creating strategic partnerships with European, US, and Asian-based OEMs and Tier-One suppliers, C2A Security’s award-winning solution has proven a necessity for the future of the global EV ecosystem.

Partners include:

Thundersoft\- C2A provides the necessary tools for OEMs and suppliers in China to enable the development of intelligent connected and electric vehicles and to effectively identify and respond to cyberattacks and provide full lifecycle security protection for the automotive industry.

"We have deeply felt the growth of the intelligent connected vehicle business and cybersecurity is an indispensable part of the intelligent connected vehicle," says Wenguang Wu, Executive President of ThunderSoft. "The cooperation with C2A Security provides cybersecurity solutions for the whole lifecycle of connected vehicles in China. We look forward to expanding the cooperation globally and bringing the vehicle industry to a safer future."

NTT Data Corporation \- A Japanese multinational player in the field of IT services: C2A Security’s EVSec platform will be sold globally by NTT DATA and is the first platform selected to be incorporated in the new Global Automotive Security Test Center of NTT Data. 

“We want to apply our expertise in cybersecurity to the connected car sector, thanks to our global Automotive Security Test Center and to our collaboration with C2A Security, NTT DATA will be an international reference point to protect connected cars from cyber-attacks and ensure the drivers' safety,” said Marco Garelli, Head of Automotive at NTT DATA Italy.

Marelli - C2A Security’s joint project with Marelli, a leading global Tier-1using EVSEC Attacker, intelligent system level, and security validation tool to shift left the system validation process using the information from the target to support more targeted, faster, and result-oriented testing which leads to smart and efficient validation. 

“Fuzz testing, with C2A’s solution, enables early discovery of vulnerabilities hence reducing the time needed to deliver SW and products,” said Cosimo Senni Guidotti Magnani Senior Manager Connected Vehicle Cyber Security of Marelli

MIH Consortium - C2A Security is the ambassador of the Foxconn-initiated MIH Consortium winning the MIH startup challenges and showing a strong alignment with the MIH open and agnostic EV platform built by MIH, C2A is an official MIH member and contributes to bringing cybersecurity as a full component of MIH projects. 

“C2A Security shares the same vision as MIH, in offering a seamless and holistic approach to automotive cybersecurity over the entire lifecycle,” said Jack Cheng, CEO of MIH Consortium

At CES, C2A’s executive team is scheduling appointments and demonstrations of EVSec at the Westgate Hotel to showcase the solution and the value it provides to its customers.

About C2A Security 

C2A provides automated cybersecurity solutions to enable the connected, autonomous, and electric mobility revolution. C2A Security's flagship product EVSec is a Cybersecurity DevOps platform, helping automotive companies remain competitive and provide more business value in the software-defined vehicle era, supporting the security lifecycle from development to operations and back and automating the process of complying with cybersecurity standards and regulations. Using EVSec, C2A’s customers get efficient and streamlined cybersecurity, managing software at scale while overcoming the shortage of professional cyber experts, reducing costs and time to deployment.

C2A Security To Showcase Automotive Cybersecurity DevOps Platform at CES In Las Vegas, January 5-8

Researchers who discovered the backdoor Linux malware say it may have been around for more than three years — and it targets 30+ plug-in bugs.

A newly identified Trojan backdoor program exploits some 30 vulnerabilities in WordPress plug-ins and themes in order to breach websites based on the WordPress content management system. It only needs to abuse one of those flaws to execute an attack.

Researchers from Doctor Web who discovered two iterations of the malware — dubbed Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2 — said sites running outdated or unpatched versions of these WordPress tools are at risk of harboring malicious JavaScripts that redirect site visitors to nefarious websites, and should update those programs ASAP.

And here's a scary twist: "An analysis of an uncovered trojan application, performed by Doctor Web's specialists, revealed that it could be the malicious tool that cybercriminals have been using for more than three years to carry out such attacks and monetize the resale of traffic, or arbitrage," the researchers wrote about the malware, which targets 32-bit versions of Linux and also can run on 64-bit versions of the platform.

Among the plug-ins and themes the Trojan's version 1 variant abuses are WP Live Chat Support Plugin; Yellow Pencil Visual Theme Customizer Plugin; Easysmtp; WP GDPR Compliance Plugin; Google Code Inserter; Blog Designer WordPress Plugin; and WP Live Chat. Version 2 exploits other WordPress plugins, including Brizy WordPress Plugin; FV Flowplayer Video Player; WordPress Coming Soon Page; Poll, Survey, Form & Quiz Maker by OpinionStage; and Social Metrics Tracker.

WordPress plug-ins and themes are a popular avenue for cybercriminals looking to take over websites; they can be used for everything from phishing to ad fraud to malware distribution. Vulnerabilities are not uncommon. For instance, in December an SSRF vulnerability in the Google Web Stories plug-in was found that would allow a cyberattacker to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WordPress Sites Under Attack from Newly Found Linux Trojan

The Russian-speaking cybercrime gang said an affiliate violated its rules against attacks that could lead to bodily harm for medical patients.

After being hit by the LockBit ransomware-as-a-service (RaaS) apparatus, the Hospital for Sick Children (SickKids) received an unexpected holiday gift: A free decryptor and an apology from the cybercriminal group.

The children's hospital, located in Toronto, announced on Dec. 19 that it had just suffered a cyberattack that precipitated what it termed "Code Grey" — i.e., an internal systems failure. That forced clinicians to "transition to downtime procedures," it said, adding that it nonetheless believed the attack had only "impacted a few internal clinical and corporate systems, as well as some hospital phone lines and webpages."

By Dec. 29, the story was a bit more dire: SickKids admitted that parents and patients were experiencing diagnostic and/or treatment delays — a reality that families should expect to continue, according to an update from the hospital. However, it had managed to restore about half of its affected footprint, it said.

Researcher Dominic Alvieri then tweeted that he had a posting from the LockBit gang's leak site apologizing for the hit, and blaming the attack on a rogue affiliate who was outside of the group's control. LockBit, like many other ransomware bigwigs, rents out its malware to affiliates who carry out the actual attacks in exchange for a 20% cut of the takings.

"We formally apologize for the attack…and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program," according to the posting.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading