China-based threat actor used poisoned vSphere Installation Bundles to deliver multiple backdoors on systems, security vendor says.

VMware issued urgent new mitigation measures and guidance on Sept. 29 for customers of its vSphere virtualization technology after Mandiant reported detecting a China-based threat actor using a troubling new technique to install multiple persistent backdoors on ESXi hypervisors.

The technique that Mandiant observed involves the threat actor — tracked as UNC3886 — using malicious vSphere Installation Bundles (VIBs) to sneak their malware onto target systems. To do so, the attackers required admin-level privileges to the ESXi hypervisor. But there was no evidence that they needed to exploit any vulnerability in VMware's products to deploy the malware, Mandiant said.

**Wide Range of Malicious Capabilities**

The backdoors, which Mandiant has dubbed VIRTUALPITA and VIRTUALPIE, enable the attackers to carry out a range of malicious activities. This includes maintaining persistent admin access to the ESXi hypervisor; sending malicious commands to the guest VM via the hypervisor; transferring files between the ESXi hypervisor and guest machines; tampering with logging services; and executing arbitrary commands between VM guests on the same hypervisor.

"Using the malware ecosystem, it is possible for an attacker to remotely access a hypervisor and send arbitrary commands that will be executed on a guest virtual machine," says Alex Marvi, a security consultant at Mandiant. "The backdoors Mandiant observed, VIRTUALPITA and VIRTUALPIE, allow attackers interactive access to the hypervisors themselves. They allow attackers to pass the commands from host to guest." 

Marvi says Mandiant observed a separate Python script specifying which commands to run and which guest machine to run them on.

Mandiant said it was aware of fewer than 10 organizations where the threat actors had managed to compromise ESXi hypervisors in this manner. But expect more incidents to surface, the security vendor warned in its report: "While we noted the technique used by UNC3886 requires a deeper level of understanding of the ESXi operating system and VMware's virtualization platform, we anticipate a variety of other threat actors will use the information outlined in this research to begin building out similar capabilities."

VMware describes a VIB as a "collection of files packaged into a single archive to facilitate distribution." They are designed to help administrators manage virtual systems, distribute custom binaries and updates across the environment, and create startup tasks and custom firewall rules on ESXi system restart.

**Tricky New Tactic**

VMware has designated four so-called acceptance levels for VIBs: VMwareCertified VIBs that are VMware created, tested, and signed; VMwareAccepted VIBs that are created and signed by approved VMware partners; PartnerSupported VIBs from trusted VMware partners; and CommunitySupported VIBs created by individuals or partners outside the VMware partner program. CommunitySupported VIBs are not VMware- or partner-tested or supported.

When an ESXi image is created, it is assigned one of these acceptance levels, Mandiant said. "Any VIBs added to the image must be at the same acceptance level or higher," the security vendor said. "This helps ensure that non-supported VIBs don't get mixed in with supported VIBs when creating and maintaining ESXi images." 

VMware's default minimum acceptance level for a VIB is PartnerSupported. But administrators can change the level manually and force a profile to ignore minimum acceptance level requirements when installing a VIB, Mandiant said.

In the incidents that Mandiant observed, the attackers appear to have used this fact to their advantage by first creating a CommunitySupport-level VIB and then modifying its descriptor file to make it appear that the VIB was PartnerSupported. They then used a so-called force flag parameter associated with VIB use to install the malicious VIB on the target ESXi hypervisors. Marvi pointed Dark Reading to VMware when asked whether the force parameter should be considered a weakness considering that it gives administrators a way to override minimum VIB acceptance requirements.

**Operation Security Lapse?**

A VMware spokeswoman denied the issue was a weakness. The company recommends Secure Boot because it disables this force command, she says. "The attacker had to have full access to ESXi to run the force command, and a second layer of security in Secure Boot is necessary to disable this command," she says. 

She also notes that mechanisms are available that would allow organizations to identify when a VIB might have been tampered with. In a blog post that VMWare published at the same time as Mandiant's report, VMware identified the attacks as likely the result of operational security weaknesses on the part of the victim organizations. The company outlined specific ways organizations can configure their environments to protect against VIB misuse and other threats.

VMware recommends that organizations implement Secure Boot, Trusted Platform Modules, and Host Attestation to validate software drivers and other components. "When Secure Boot is enabled the use of the 'CommunitySupported' acceptance level will be blocked, preventing attackers from installing unsigned and improperly signed VIBs (even with the --force parameter as noted in the report)," VMware said.

The company also said organizations should implement robust patching and life-cycle management practices and use technologies such as its VMware Carbon Black Endpoint and VMware NSX suite to harden workloads.

Mandiant also published a separate second blog post on Sept. 29 that detailed how organizations can detect threats like the one they observed and how to harden their ESXi environments against them. Among the defenses are network isolation, strong identity and access management, and proper services management practices.

Mike Parkin, senior technical engineer at Vulcan Cyber, says the attack demonstrates a very interesting technique for attackers to retain persistence and expand their presence in a targeted environment. "It looks more like something a well-resourced state- or state-sponsored threat would use, versus what a common criminal APT group would deploy," he says.

Parkin says VMware technologies can be very robust and resilient when deployed using the company's recommended configurations and industry best practices. "However, things become much more challenging when the threat actor is logging in with administrative credentials. As an attacker, if you can get root you have the keys to the kingdom, so to speak."

Dangerous New Attack Technique Compromising VMware ESXi Hypervisors

Identity verification could be the key to fighting back and building trust in an industry beset with high-stakes fraud.

Business email compromise (BEC) scams are some of the most potent threats to cybersecurity around the globe — and the threat is not letting up anytime soon. While ransomware attacks often grab the headlines, BEC scams are just as pervasive. Cybercriminals carry out BEC scams by "either spoofing an email account or website, sending spear-phishing emails, or using malware," according to the FBI.

Real estate is one of the industries significantly hit by BEC scams. Data from the FBI's Internet Crime Report 2021 revealed that "about 13,638 people were victims of wire fraud in the real estate and rental sector in 2020 — a 17% increase over 2019 — with losses of over $213 million." As a result, real estate and rental wire fraud were ranked No. 7 out of over 30 types of fraud monitored and reported by the IC3.

Another report, by the National Association of Realtors, showed that the real estate industry saw $6.9 billion in victim losses in 2021, with more than an estimated 2,300 average complaints daily. Undoubtedly, real estate wire fraud is one of the most common types of cybercrimes in the US today.

There are several reasons why BEC scams work. Tyler Adams, CEO and co-founder of Texas-based SaaS platform CertifID, recently discussed with Dark Reading three major ones and how to get ahead of them.

**1\. Information on Real Estate Transactions Is Public**

Whether they are targeting Fortune 500 companies or small real estate offices, BEC scam actors gather information to soften the target and make it more vulnerable to attacks. Usually, BEC scam victims receive a spoofed email on behalf of a party involved in a real estate transaction, with instructions directing them to change a payment type or location to a fraudulent account. Once the funds are deposited, they're rapidly withdrawn, making recovery difficult or impossible.

According to Adams, a major reason why attackers can successfully gather information on their targets is because all the information for real estate transactions is public.

"With a simple search online, you can see every house that's for sale, who the real estate agent is — and sometimes the seller themselves — and even the title/escrow companies that service the local market," he said.

Adams noted that information like the one above leads to targeted phishing attacks that result in BEC. "This makes it easy for fraudsters to impersonate mortgage lenders as part of a real estate closing, in hopes of having the payoff wire transfer redirected to the fraudster's bank account," he said.

In addition, the two parties involved in real estate transactions are expected to trust each other, and there's often a lot of information divulged in that process. Malicious actors exploit that trust by weaponizing the public information against unsuspecting businesses and individuals.

**2\. Many Communications Are Electronic**

Adams pointed out that lots of different people communicate electronically in the real estate industry. The average real estate transaction has six different people or parties, all communicating electronically to align on the details of the closing and transfer of funds, he noted. This often presents several loopholes that threat actors can exploit.

One of the ways attackers leverage electronic communications in real estate is through impersonation, Adams said.

"Sometimes it's realtor impersonation — such as a first-time home buyer getting an email from what appears to be their real estate agent but is instead a fraudster with details for where and when to send the money," Adams said. "Oftentimes it's lender impersonation."

He noted that a common fraud is impersonating a mortgage lender, fooling a buyer into sending their wire transfer to the scam artist instead of their lender.

**3\. Transactions Are Temptingly Big**

The payday for fraudsters is huge, Adams said. Measured by revenue, the market size of the US real estate sales and brokerage industry is $226.8 billion in 2022 alone, according to research firm IbisWorld. That's a per-year average growth of 4.9% from 2017 to 2022, the report states. The large volume of daily transactions in real estate makes the industry a juicy target for attackers.

This is why one of CertifID's major areas of practice is the small and midsize business (SMB) space, according to Adams. SMBs often lack the infrastructure to effectively monitor the daily volume of real estate transactions and the resources to recover from an incident when it occurs.

"There are millions of small and medium-sized businesses all across the United States that don't know how to leverage advanced API-based platforms to stay protected against cyberthreats. And one payoff from any of these cybercrimes can put such companies out of business," he said.

**Restoring Trust by Verifying Identity**

CertifID says it has developed the technology and expertise needed to track how money moves across the real estate industry, with the aim to restore trust in the industry. In an intricate system that involves knowing all the parties involved in every transaction, it's essential to prioritize identity verification, Adams said.

"If we're going to do a transfer transaction, we've got to know that you are who you say you are, because if you're at all being impersonated, then we can't trust any of the information," he says.

CertifID says its PayoffProtect product validates mortgage payoff wiring instructions, authenticating parties and bank wire information in real estate transactions. Its broader platform addresses the specific needs of real estate agents, title agents, and law firms.

Trust is one of the cardinal points in the real estate industry. Every single home that's for sale is online, and attached to it is a real estate agent who has a phone number and email address. They want to be contacted by as many people as possible because they want to sell that home, and they don't know whether a buyer is legit or a fraudster.

"Given real estate transactions are a fertile ground for BEC, and the impact these frauds have on the livelihoods of individuals and businesses, we'll continue to support this industry until we've made a significant impact in the fight against fraud," Adams said.

3 Reasons Why BEC Scams Work in Real Estate

2,700 cybersecurity career pursuers have already passed the (ISC)2 Certified in Cybersecurity℠ exam, with more than 53,000 more people registered for a free course and exam.

ALEXANDRIA, Va., Sept. 29, 2022 /PRNewswire/ — (ISC)² – the world's largest nonprofit association of certified cybersecurity professionals – today announced the rapid adoption of three initiatives aimed at addressing the cybersecurity workforce gap. (ISC)2 Candidates, (ISC)2 Certified in CybersecuritySM and (ISC)² One Million Certified in Cybersecurity are significant milestones in making cybersecurity careers more accessible to more people around the world.

One month after announcing (ISC)2 Candidates, launching Certified in Cybersecurity and opening enrollment for One Million Certified in Cybersecurity:

*   **55,000 individuals have signed up for (ISC)2 Candidates,** which is for individuals pursuing or considering a career in cybersecurity, or already seeking an (ISC)² certification. Upon enrolling as an (ISC)² Candidate, participants receive access to exclusive resources and benefits to propel them along their journeys to becoming cybersecurity professionals.
*   **2,700 people have passed their Certified in Cybersecurity exams**. Anyone earning the (ISC)² Certified in Cybersecurity certification demonstrates that they have the foundational knowledge, skills and abilities to take on entry- and junior-level cybersecurity roles, enabling employers to more confidently build resilient teams across all experience levels.
*   Through the **One Million Certified in Cybersecurity initiative,** **53,000 more people have enrolled** for a free Certified in Cybersecurity course and exam. This initiative pledges to provide free, entry-level cybersecurity certification exams and self-paced educational program courses to **one million new professionals starting a career in cybersecurity**.

**New Roads to Cybersecurity Career Success  
**Through these initiatives, tens of thousands of people have established or strengthened their connection with the cybersecurity community in just the past month, highlighting the importance of creating new and diverse pathways into the industry.

"These initial successes demonstrate that our efforts have already made a positive impact in opening new and unique pathways into the cybersecurity industry," said Clar Rosso, CEO, (ISC)². "They have also enabled us to expand our association which now reaches over a quarter of a million members, associates and candidates worldwide. It is exciting to see how targeted programs aimed at getting more people exposed to the cybersecurity profession can quickly lay the foundation for the next generation and not only help secure our nations and economies, but also enable them to benefit from rewarding and challenging careers."

"I'm switching career paths to move into cybersecurity," said Eric Turner, Systems Integration Developer, MSD of Warren Township. "The (ISC)2 Certified in CybersecuritySM entry-level certification is another great way to demonstrate my knowledge."

Learn more about these programs at www.isc2.org/candidate

(ISC)² will highlight the importance of diversity and accessibility in cybersecurity at its 12th annual (ISC)² Security Congress conference, a hybrid event taking place on October 10-12, 2022, in Las Vegas and online.

**About (ISC)²**

(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates and members, more than 235,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter or connect with us on Facebook and LinkedIn.

(ISC)² Recruits More Than 55,000 Cybersecurity Candidates in First 30 Days of New Programs to Address Workforce Gap

Capital One lures leveraged the bank's new partnership with Authentify, showing that phishers watch the headlines, and take advantage.

A recent phishing campaign exploits Capital One's new partnership with verification service Authentify, sending thousands of scam emails to the bank's customers to try and trick them into uploading images of their identification cards. 

The emails appear to be sent from a Capital One corporate account, and explain what the Authentify authentication app does, according to researchers at Vade who have been tracking the campaign since July 1. To provide an idea of the volume of scam emails being launched at customers, Vade reported that, at one point, the attackers sent out at least 6,000 in one day. 

"You are required to provide any copy of your ID for verification and to ensure that you are fully enrolled to avoid account restrictions now," the phishing email read. 

Vade noted that, unlike most other campaigns targeting credentials, this Capital One phishing scam was after identities. 

**Phishers Watch the News**

The timing of the campaign shows cybercriminals are acutely aware of news items they can use to help sell their latest scams to victims, the Vade report said, adding that on the same day Capital One announced it would be working with Authentify, six other financial organizations, including Bank of America, PNC Bank, Wells Fargo, and other household brands, announced similar deals. 

These phishing attacks represent a larger trend of threat actors co-opting financial services brands to use as phishing lures for the cybercrimes, Vade added. Currently, financial services brands are the most spoofed, making up a full 34% of all phishing URLs during the first quarter of 2022, according to Vade's analysis. 

"We anticipate this trend to continue and urge users to be suspicious of both emails from financial institutions and also third-party applications associated with those institutions," read the report. "Always operate under the assumption that both can be spoofed and always login to accounts directly from a browser or application and not from email."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Capital One Phish Showcases Growing Bank-Brand Targeting Trend

APT group Witchetty (aka LookingFrog) has exploited the ProxyShell and ProxyLogon vulnerabilities to gain initial access and deploy new custom cyber tools against government agencies and a stock exchange.

An emerging cyber-espionage threat group has been hitting targets in the Middle East and Africa with a novel backdoor dubbed "Stegmap," which uses the rarely seen steganography technique to hide malicious code in a hosted image.  

Recent attacks show the group — called Witchetty, aka LookingFrog — fortifying its tool set, adding sophisticated evasion tactics, and exploiting known Microsoft Exchange vulnerabilities ProxyShell and ProxyLogon. Researchers from Symantec Threat Hunter observed the group installing webshells on public-facing servers, stealing credentials, and then spreading laterally across networks to propagate malware, they revealed in a blog post published Sept. 29.

In attacks between February and September, Witchetty targeted the governments of two Middle Eastern countries and the stock exchange of an African nation in attacks that used the aforementioned vector, they said.

ProxyShell is comprised of three known and patched flaws — CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 — while ProxyLogon is comprised of two, CVE-2021-26855 and CVE-2021-27065. Both have been exploited widely by threat actors since they were first revealed in August 2021 and December 2020, respectively — attacks that persist as many Exchange Servers remain unpatched.  

Witchetty's recent activity also shows that the group has added a new backdoor to its arsenal, called Stegmap, which employs steganography — a stealthy technique that stashes the payload in an image to avoid detection.

**How the Stegmap Backdoor Works**

In its recent attacks, Witchetty continued to use its existing tools, but also added Stegmap to flesh out its arsenal, the researchers said. The backdoor uses steganography to extract its payload from a bitmap image, leveraging the technique "to disguise malicious code in seemingly innocuous-looking image files," they said.

The tool uses a DLL loader to download a bitmap file that appears to be an old Microsoft Windows logo from a GitHub repository. "However, the payload is hidden within the file and is decrypted with an XOR key," the researchers said in their post.

By disguising the payload in this way, attackers can host it on a free, trusted service that is far less likely to raise a red flag than an attacker-controlled command-and-control (C2) server, they noted.

The backdoor, once downloaded, goes on to do typical backdoor things, such as removing directories; copying, moving, and deleting files; starting new processes or killing existing ones; reading, creating, or deleting registry keys, or setting key values; and stealing local files.

In addition to Stegmap**,** Witchetty also added three other custom tools — a proxy utility for connecting to command-and-control (C2), a port scanner, and a persistence utility — to its quiver, the researchers said.

**Evolving Threat Group**

Witchetty first caught the attention of researchers at ESET in April. They identified the group as one of three subgroups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10) that typically targets US-based utilities as well as diplomatic organizations in the Middle East and Africa, the researchers said. The other subgroups of TA410, as tracked by ESET, are FlowingFrog and JollyFrog.

In initial activity, Witchetty used two pieces of malware — a first-stage backdoor known as X4 and a second-stage payload known as LookBack — to target governments, diplomatic missions, charities, and industrial/manufacturing organizations.

Overall, the recent attacks show the group emerging as a formidable and savvy threat that combines a knowledge of enterprise weak spots with its own custom tool development to take out "targets of interest," the Symantec researchers noted.

"Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organization," they wrote in the post.  

**Specific Attack Details Against Government Agency**

Specific details of an attack on a government agency in the Middle East reveal Witchetty maintaining persistence over the course of seven months and dipping in and out of the victim's environment to perform malicious activity at will.

The attack started on Feb. 27, when the group exploited the ProxyShell vulnerability to dump the memory of the Local Security Authority Subsystem Service (LSASS) process — which in Windows is responsible for enforcing the security policy on the system — and then continued from there.

Over the course of the next six months the group continued to dump processes; moved laterally across the network; exploited both ProxyShell and ProxyLogon to install webshells; installed the LookBack backdoor; executed a PowerShell script that could output the last login accounts on a particular server; and attempted to execute malicious code from C2 servers.

The last activity of the attack that researchers observed occurred on Sept. 1, when Witchetty downloaded remote files; decompressed a zip file with a deployment tool; and executed remote PowerShell scripts as well as its custom proxy tool to contact its C2 servers, they said.

Espionage Group Wields Steganographic Backdoor Against Govs, Stock Exchange

Bugs in Canon Medical's Virea View could allow cyberattackers to access several sources of sensitive patient data.

Canon Medical's Vitrea View is a widely used tool for securely sharing medical images between radiologists, physicians, and other healthcare providers on a patient care team. Two newly discovered vulnerabilities (collectively tracked as CVE-2022-37461) could allow threat actors to access much more than X-rays.   

One flaw is an unauthenticated reflected cross-site scripting (XSS) in an error message, according to a new report from Trustwave's SpiderLabs. Jordan Hedges, the threat researcher behind the finds, said the second is a separate Reflected XSS in the Vitrea View admin panel. 

"If exploited, these vulnerabilities could be used to retrieve patient information, stored images, or scans, and modify information, depending on privileges used during the session," Hedges wrote in a Thursday analysis. "Sensitive information and credentials for various services integrated with Vitrea View could be accessed, as well."

The Vitrea View meets international Digital Imaging and Communications in Medicine (DICOM) standards, the report notes, and thus integrates with many other things.

“Vitrea View is used to centralize potentially multiple sources and solutions for medical imaging, including X-Rays, MRIs, CRT scans, 3D imaging, etc.," Karl Sigler, senior security research manager at Trustwave SpiderLabs, tells Dark Reading. 

He added, "The images are also associated with a patient’s records, so these vulnerabilities means that there could potentially be a wealth of information that might be exfiltrated (damaging a patient’s confidentiality) or modified (swapping a patient’s medical images with another, deleting records, or potentially modifying patient information directly).”

The XSS medical imaging vulnerabilities were submitted to Canon Medial and a patch has been released. Hedges recommends organizations running the tool apply it immediately.

XSS Flaw in Prevalent Media Imaging Tool Exposes Trove of Patient Data

Organizations looking to get ahead in cloud security have gone down the path of deploying CSPM tooling with good results. Still, there’s a clear picture that data security and security operations are next key areas of interest.

As an industry, we're now at a point where we don't have to convince anyone that we have a massive digital dependence on cloud technologies and that securing cloud deployments is a key initiative for most organizations. There is widespread availability of cloud security posture management (CSPM) tooling — commercial- and community-driven alike — and CSPM itself is being incorporated into new tooling coming under the heading of cloud-native application protection platforms (CNAPP).

Many cloud security conversations focus primarily on making sure clouds are configured properly, but there is much more to cloud security than that. Much like traditional security is much more than patching, there is more to cloud security than configuration.

As we analyze cloud security trends, we recently collected survey data under our Omdia Decision Makers survey and found interesting results that highlight these conclusions.

The figure below plots responses to the question "What are your top concerns in relation to cloud security?" The bars on the left show the aggregate view (n=186). We can clearly see a major concern with cost of security tooling, then other concerns aggregated together, including security tooling functionality, responding to events, data security, and others.

    

That said, we also segmented the population into two groups based on their response to a previous question about how advanced their deployments of CSPM tools were. Our ongoing industry interactions with multiple stakeholders point to CSPM tools as the type of tool most often associated with "cloud security" conversations, so we chose CSPM deployment experience as a proxy for cloud experience. Statistician George Box is famous for saying "all models are wrong, but some are useful," which we think is relevant here; there's no implication of causation, but some interesting variations show up in the response data.

For those that have what we consider "low" experience with cloud security (n=61) by virtue of having CSPM deployments in the pilot or proof-of-concept stage, concerns around cost are even more pronounced, as are concerns about cloud permissions and a slight bump for concerns about compliance.

For those that have more cloud security experience (n=54) — those that responded that they have deployed CSPM in widespread production use —responses shifted significantly. Now, concerns about data security are much more pronounced, as are concerns about how to respond quickly to incidents, with additional notable concerns regarding the ever-present skills gap in terms of cloud technologies.

**Heightened Concerns**

Our interpretation of this data is that customers are indeed seeing value from the CSPM tooling for configurations and compliance, but they now have heightened concerns on data security, security operations, and making sure their teams are skilled in cloud technologies. These concerns are already lurking in the shadows, and once CSPM clears the way of handling the more visible security configuration/compliance concerns, these issues come to the forefront.

The responses uncovered here point to interesting directions for future inquiry. It is increasingly clear that data security presents a key area of concern. What are the ways one gets to data? One way is via direct access to the data stores themselves. This is the provenance of cloud configuration (CSPM) and the increasingly popular DSPM (data security posture management) category. Another is getting access via the very APIs provided by the company; this then leads down a path of paying close attention to API security.

For security operations, the path forward appears to include more considerations about how to incorporate cloud security use cases in SOC response flows. Dubbed cloud detection and response (CDR), this is also a promising area of research that we're watching.

For end users, this means being ready to address these categories soon. For vendors, understand that there is much more to customer demand for cloud security than CSPM — or even CNAPP — alone.

What Lurks in the Shadows of Cloud Security?

Inflated user bases and fake engagement cause more harm than good, especially when the artificial accounts are based on stolen human identities.

Growth in the number of new accounts looks great, but if fake accounts get in that mix, they are not providing the value you (and your investors) need. If you are a social media platform striving for growth, fake accounts may seem like the answer to your prayers — something you can show investors to demonstrate your reach. And to the end user, all those accounts that listen to music online or follow us on social media seem great. But the reality is that fake accounts are harmful, even before the truth comes to light.

It's especially damaging when bots use real human data, stolen and sold on the Dark Web, to create these fake accounts. And when they are exposed to sunlight, as the situation with Elon Musk's stalled acquisition of Twitter has shown, the effects can be unexpected and rampant, quickly taking on a life of their own.

We're going to look at what fake accounts mean, why they exist, and what you can do to combat this pernicious adversary.

**Enter the Billionaire**

Love him or hate him, you cannot deny the impact Musk has made on the tech industry. But second-guessing his motives and actions is very much like my dog trying to work out the significance of my sitting at my desk drumming my fingers on the keyboard all day.

When I spoke with Tamer Hassan, co-founder and CEO of Human Security, I asked him what he believes is the core challenge facing any investor looking at Twitter. 

"It's really all about the question, 'What would you do if you could look like a million humans?' The answer is a lot," he said. "Cybercriminals have proliferated sophisticated bots and spam accounts across social media platforms with limited accountability, and the combined result is diminished trust in the brand, a negative user experience, and a negative impact on the company's valuation and bottom line."

**Twitter & the Tragedy of the Digital Commons**

Twitter is an increasingly rare Internet resource. It is a common platform connecting humans all over the world and, with some rare exceptions, does not inhibit or censor free expression. As with most common goods, it is subject to overuse; the phrase "tragedy of the commons" originated to describe people overusing grassy common land to graze their livestock. As anyone who has dipped a toe into the Twitter stream knows, the slew of tweets is overwhelming and impossible to keep up with. This is made worse because, along with all of the humans desperate to air their opinions, points of view, and excitable investment plans, there are The Bots.

Bots are part of much of our life nowadays. Those of us using Office365 are familiar with the coy daily email saying, _"__Hey, we aren't analyzing what you do or the content of your inbox_, _but here's some stuff to be aware of_,_"_ and of course, on Twitter there are beneficial bots and harmful bots. Many bots watch for tweets that seem to relate to a particular subject (for example, #cybersecurity), and then amplify those tweets to their audiences. And of course, many will try and game these amplifiers, sometimes using bots of their own. And so the overgrazing continues.

**No One Should Pay for False Volume, Even Billionaires**

The primary incoming revenue stream for social platforms is advertising, which is driven by how many interested eyes can be shown targeted ads that are likely to lead to conversion. It therefore follows that the value of any social platform lies in the number of active users, whether it be a general-purpose networking platform such as Twitter, a narrow-purpose use case such as music, or even accommodation rentals (inactive users are just sludge at the bottom of the well). Bots, while they may generate activity, defraud advertisers by artificially inflating the user count.

Musk is understandably squeamish about paying for accounts that have zero (or even negative) lifetime value. When I asked about what a company can do about bots, Hassan commented, "Having the right protections in place, including transparency and regulation around the use of automation, to ensure they have a genuine view of human users on their platform can help brands establish greater credibility while also stopping cybercriminals from impacting their business."

Musk very publicly tried to withdraw from the Twitter acquisition, which has generated continuing legal ramifications. If we take his statements at face value, then the clear message is that bots and other fake accounts are bad business. Considering the ways that future Twitter (or any social media platform) could make money, being a trustworthy source of curated identity that doctors, banks, governments, and any other interested party (including peer-to-peer) can rely on would be a significant advantage.

**Here's Mudge in Your Eye**

One of Musk's stated concerns about the Twitter acquisition is that he has no certainty about how many of the platform's 396.5 million accounts are human. To add fuel to Twitter's bonfire of the vanities, its former CISO, Peiter "Mudge" Zatko, has blown the whistle on poor operational security controls, nonexistent software governance, and (you guessed it) inadequate user enrollment verification. In other words, no one knows how many users are bots, and what vulnerabilities exist in the platform that can be exploited by unfriendly groups — some of which are backed by nation-states.

As a former Facebook security engineer pointed out to me, "Mudge has a decades-long reputation of being highly ethical and one of the most respected practitioners in the cybersecurity community." When I asked whether they believed Mudge's claims about foreign intelligence infiltration, the response was, "I believe enough of it not to care about the rest."

Robert Graham takes a different view in his Cybersect blog, which contrasts the focus of a cybersecurity activist with that of a corporate executive. An executive's primary objective is to further the interest of the company and its shareholders, he wrote, which does not correlate with the ideals of many cybersecurity activists. In his view, Mudge has allowed his passion for cybersecurity excellence to overwhelm his responsibilities as an executive.

**Identity as a Commodity**

Identity is the cornerstone of cybersecurity. When an identity is successfully compromised, all of the other security controls will fold up and get out of the attacker's way. The opportunity for Twitter to provide an identity service based on its user base is a significant one.

It is clear, however, that if we cannot trust that the identities being asserted and corroborated by Twitter are genuine, then Twitter's usefulness in this area will always be limited. Twitter asserts that the cost of validating every account (and giving us all a little blue tick) is prohibitive, however, as the lifetime value of each Twitter account is very low.

I'm sure that Twitter is well aware of its security gaps. Indeed, a good use for some of Musk's proposed investment, if the company can still get it, would be to clean up the town square and correct the tragedy of the digital commons that we discussed earlier.

This is why identity is important, in particular being able to prove that a specific account is being operated by a human. If we manage to turn Twitter into a place where free speech is valued precisely _because_ the speakers are identified as human, then its value — to investors, the Twitter team, and most importantly, its users — will skyrocket.

Fake Accounts Are Not Your Friends!

The average cost of a data-exposing cybersecurity incident is $4.35 million. If your business can’t avoid to pay, make sure you’ve got a strong data loss prevention practice in place.

$4.35 million. That's the average total cost of a data-exposing cybersecurity incident, according to the Ponemon Institute's "Cost of a Data Breach Report 2022." That's an all-time high, up 12.7% from 2020.

Between the potential loss of trade secrets, reputational harm, and regulatory fines related to data privacy, data breaches can threaten an organization's very existence. And if you don't take proactive measures to prevent them, the circumstances that led to one breach can easily result in another. Eighty-three percent of breached organizations report having suffered more than one such event.

Data loss prevention, or DLP, refers to a category of cybersecurity solutions that are specifically **designed to detect and prevent data breaches, leaks, and destruction**. These solutions do so by applying a combination of data flow controls and content analysis. And in today's cyber-threat landscape, DLP has become a basic business need.

**The Three States of Data and How DLP Protects Them**

There are **three main states** in which data can reside within an organization:

*   **Data in use**:**** Data is considered to be _in use_ when it's being accessed or transferred, either via local channels (e.g., peripherals and removable storage) or applications on the endpoint. An example could be files that are being transferred from a computer to an USB drive.
*   **Data in motion**:**** Data is considered to be _in motion_ when it's moving between computer systems. For example, data that is being transferred from local file storage to cloud storage, or from one endpoint computer to another via instant messenger or email.
*   **Data at rest**:**** Data is considered to be _at_ rest when it's stored, either locally or elsewhere on the network, and is not currently being accessed or transferred.

Of course, most sensitive data will change between these states frequently — in some cases, almost continuously — though there are use cases where data may remain in a single state for its entire life cycle at an endpoint.

Similarly, there are three primary "functional" DLP types, each dedicated to protecting one of these states of data. Here are just some examples of how this can work:

*   **Data-in-use DLP** systems may monitor and flag unauthorized interactions with sensitive data, such as attempts to print it, copy/paste to other locations, or capture screenshots.
*   **Data-in-motion DLP** detects whether an attempt is being made to transfer (confidential) data outside of the organization. Depending on your organization's needs, this can include _potentially_ unsafe destinations, such as USB drives or cloud-based applications.
*   **Data-at-rest DLP** enables a holistic view of the location of sensitive data on a local endpoint or network. This data can then be deleted (if it's out of place), or certain users' access to it blocked depending on your security policies.

Not all potential sources of a data breach are nefarious — they're often the result of good old-fashioned human error. Still, the impact is just as real whether sensitive information is intentionally stolen or simply misplaced.

**DLP Architecture Types**

DLP solutions can be categorized based on their architectural design:

*   **Endpoint DLP** solutions use endpoint-based DLP agents to prevent data in use, data in motion, and data at rest from leaking — regardless of whether they're used solely within a corporate network or exposed to the Internet.
*   **Network/cloud DLP** solutions use only network-resident components — such as hardware/virtual gateways — to protect data in motion or at rest.
*   **Hybrid DLP** solutions utilize both network- and endpoint-based DLP components to perform the functionality of both endpoint and network DLP architectures.

It's important to note that due to the nature of their architecture, network DLP solutions cannot effectively safeguard data in use: It remains vulnerable to purely local activities, like unauthorized printing and screen capturing.

**Adopting DLP Is More Important Than Ever**

The benefits of a strong DLP program are clear. By taking proactive steps to slash the risk of data loss and leakage, organizations can achieve some powerful benefits:

*   More easily achieving and maintaining compliance with relevant data privacy regulations, such as the GDPR and HIPAA
*   Protecting intellectual property and trade secrets
*   Strengthening security in an era of widespread remote work and BYOD policies
*   Minimizing the potential impact of human error and negligence

Larger enterprises may choose to adopt on-premises DLP solutions — and for some, this may be the right choice. But setting up a successful DLP program is complex and resource-intensive, and it requires fine-tuning over an extended period of time. Businesses will also need to bring aboard specialized experts with relevant experience. Those without such a team already in place will likely find it more efficient to work with a managed service provider (MSP) for their DLP needs.

In turn, MSPs are turning to partners to help them build out these Advanced DLP offerings to help prevent data leakage from clients' workloads.

Whether you manage your DLP in-house or turn to a vendor to help, it is a critical part of a modern, and future, security stack.

**About the Author**

    

Iliyan Gerov is a Senior Product Marketing Specialist at Acronis.

Plug Your Data Leaks: Integrating Data Loss Prevention into Your Security Stack

External researchers contributed 16 of the 20 security updates included in the new Chrome 106 Stable Channel rollout, including five high-severity bugs.

Chrome is touting beefed-up security with the release of Chrome 106, which fixes 20 existing bugs, five of them high-severity. 

Of the 20 total security fixes included, 16 were found by external researchers through Google's bug bounty program. A blog post from Google Chrome's Srinivas Sista listed the specific CVEs spotted by the bug bounty hunters, including five designated high-severity, which are as follows:

*   CVE-2022-3304: Use after free in CSS. _Reported by Anonymous on 2022-09-01_
*   CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. _Reported by NDevTK on 2022-07-09_
*   CVE-2022-3305: Use after free in Survey. _Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24_
*   CVE-2022-3306: Use after free in Survey. _Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27_
*   CVE-2022-3307: Use after free in Media. _Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08_

The biggest external researcher payout for far a bug that contributed to the latest Chrome 106 security update, according to Sista, was $9,000, the lowest was $1,000. Many payout amounts for other Chrome bug hunters are listed as "$TBD." 

As usual, Google did not list any technical details of the bugs. 

"We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," Sista wrote. "As usual, our ongoing internal security work was responsible for a wide range of fixes." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading