The ongoing campaign is spreading worldwide, using the lure of a fully functional Google Translate application for desktops that has helped the threat stay undetected for months.

A cryptomining campaign has potentially infected thousands of machines worldwide by hiding in a Google Translate download for desktops.

According to researchers at Check Point, the threat actor behind it is a Turkish-speaking software developer called Nitrokod, which offers free versions of popular software applications that don't have an official desktop version — like Google Translate.

In fact, its version of the translation utility, created using the official Google Translate webpages and a Chromium-based framework, is its most popular offering, researchers said in a blog post this week. It's distributed in a watering-hole approach, available via websites like Softpedia and uptodown, and turning up at the top of search results for “Google Translate desktop download."

Unfortunately, the downloads are Trojanized, which victims might not realize for a very long time (or ever) given that the app actually works as advertised.

"This campaign highlights the diverse methods of propagation employed by cryptojacking groups," says Matt Muir, security researcher at Cado Security. "Although masquerading as legitimate applications is as old as malware itself … sadly, it remains far too easy to trick an end user into installing what they believe to be a popular application."

**Built for Stealth**

The campaign, which is ongoing and spreading globally, sports several features that are designed to help it remain undetected, Check Point researchers found.

For instance, after the software is installed, the infection process goes dormant for weeks. Tom Kellermann, senior vice president of cyber-strategy at Contrast Security, tells Dark Reading that this is a prime example of a growing trend.

"Notably, after initial injection they are waiting weeks to remain undetected," he says. "Placing malware on a sleep cycle is becoming mainstream, and 'chronos' attacks are growing where adversaries use time for the purposes of evasion."

After the sleep interval, the infection process is initiated and the victim receives an updated file that, over the course of a few days, loads a chained series of four droppers onto the machine. Finally, the last dropper fetches the Monero-focused XMRig cryptominer and executes it.

The download then connects out to a command-and-control (C2) server for configuration data and begins mining, while the attackers delete any evidence of the infection process. Meanwhile, Google Translate will continue to work properly, separately — offering no red flags for analysis.

"This allowed the campaign to successfully operate under the radar for years," according to Check Point's analysis. "This way, the first stages of the campaign are separated from the ones that follow, making it very hard to trace the source of the infection chain and block the initial infected applications."

Active since 2019, Nitrokod claims to offer free and safe software, which in reality are all threats, researchers noted. The behaviors are similar to the Google Translate campaign in all other infected programs, they said. Thus, while this campaign was spotted in July, it's likely that there will be additional activity from the cybercrime group going forward.

**How to Protect Against Cryptomining**

Assaf Morag, lead data analyst on the Aqua Nautilus research team, notes that the campaign illustrates how cryptojacking crooks are proliferating their attack methods and continuing to go after virtual coins as a quick financial win.

In addition to Trojanized applications, "some cryptominers are hidden in websites, and when an unsuspecting victim browses the site, the cryptomining script on the website is running in the browser, often without users' knowledge or consent," he says. "Another type of cryptojacking that we've seen recently is often more complex. It involves a large botnet infrastructure that scans for vulnerabilities and misconfigurations, exploits them, and disseminates the cryptojacking malware and often other malware aimed to expand the attack and make it persistent."

As a result, businesses should shore up their basic defenses such as patching and Web filtering, and implement policies against downloading anything but approved software onto endpoints, network sensors, servers, and firewalls. And even then, users should only download software from official repositories — like Google Play, in this case; if there's no official desktop app, users should make do with the Web-based version.

Michael Clark, director of threat research at Sysdig, also says the campaign puts remote workers on notice.

"The software it pretends to be something that could be used by anyone," he says. "It shows that your endpoints and even users at home could be affected by cryptomining. Endpoints may not be as powerful as servers, but for a cryptominer, every bit of processing power they can steal adds to their profits."

And what if it's too late? If infected, "users will see a performance issue with their systems and potentially need a fresh install of their operating system to rid the system of the malware effectively," says James McQuiggan, security awareness advocate at KnowBe4.

Crypto-Crooks Spread Trojanized Google Translate App in Watering-Hole Attack

New Golang cyberattacks use deep space images and a new obfuscator to target systems — undetected.

Threat hunters are warning security teams to be on the lookout for new cyberattack that uses a chance to see historic James Webb space telescope deep field images as a lure. The campaign's victims are infected with Golang malware. 

Besides the novel lure strategy, the Go programming-based malware gives threat actors added flexibility across platforms and frameworks, in addition to providing reverse-engineering protections and obfuscation benefits, the Securonix research team reported. They dubbed the new cyberattack chain GO#WEBFUSCATOR for its ability to get around extended detection and response (EDR) defenses.

"The image contains malicious Base64 code disguised as an included certificate," the researchers who found the James Webb image-themed cyberattack explained. "At the time of publication, this particular file is undetected by all antivirus vendors according to VirusTotal." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

James Webb Telescope Images Loaded With Malware Are Evading EDR

OpenText makes a $6 billion bet that bigger is better in security and that cybersecurity platform plays are the future.

Canadian software giant OpenText last week announced its intention to purchase Micro Focus in a deal valued at roughly $6 billion.

To give an idea of the scale of the combined company, the statement announcing the acquisition listed the combined company's totally addressable market to be $170 billion. Of that, Micro Focus's most recent annual revenue was $2.7 billion, while OpenText's revenue was approximately $3.5 billion.

The difference between revenue and addressable market presents an idea of why the companies see the potential for growth to come out of the combination.

**Growth by Acquisition**

Both Micro Focus and OpenText have spent recent years growing by acquisition. Micro Focus added SIEM/SOAR vendor ArcSight into its fold, along with NetIQ, Fortify, Voltage, and other products, thanks to its 2017 spinout-merger with Hewlett Packard Enterprise's software division. OpenText has added a resilience company like Carbonite to a portfolio that includes a variety of thread detection, investigation, and response (TDIR) products and services, as well as insider threat mitigation, and an array of forensics products.

So, what does the combination mean for customers and potential customers? For one thing, it dramatically increases the likelihood that any given midsize or large enterprise is already a customer of the new company. OpenText lists more than 120,000 customers in 110 countries around the world, while Micro Focus claims revenue in 180 different countries. Together, the companies have remarkable penetration in the large enterprise segment internationally.

The cybersecurity market, and the broader IT industry, has seen company strategies flow between a focus on single, "best of breed" solutions and a push toward multisolution conglomerates. OpenText and Micro Focus are obviously practitioners of the latter. For customers that look to their solution providers for broad security suites, the combination should make OpenText a more compelling potential provider by way of a considerably broader set of solutions. The combination may be even more compelling for customers trying to make decisions regarding security for hybrid- or multicloud architectures.

And while they've received little credit for it in the marketplace, both organizations have quietly been fostering notable innovations. Micro Focus earlier this year launched its Galaxy threat research platform, the latest initiative in a multiyear effort to position ArcSight at the center of a differentiated, cutting-edge security operations center (SOC) platform. Meanwhile, OpenText has built its own security management platform with Security Cloud, positioning the offering as an end-to-end cloud security solution for the large, distributed enterprise.

**Additive Strengths**

It's important to remember that for both OpenText and Micro Focus, security is just one focus area amid a broad set of overall business offerings. While the security offerings of the two companies will certainly complement one another, the most significant corporate benefits may be the additive strengths the product and service solutions deliver. Micro Focus, for example, has significant product offerings in the COBOL space, suggesting that running applications in hybrid mainframe-cloud architectures could be easier with the combined products from the two organizations.

OpenText began life as a university-based project to bring the world's most comprehensive dictionary to word-nerds around the globe. It has, since the mid-1990s, grown by acquisitions of ever-greater size and scope. While the Micro Focus purchase is OpenText's largest deal yet, there's no reason for customers or investors to believe it is the last.

OpenText Goes All-in on Cybersecurity Size and Scale With Micro Focus Purchase

(ISC)² pledges to expand and diversify the cybersecurity workforce by providing free "(ISC)² Certified in Cybersecurity" education and exams to 1 million people worldwide.

**ALEXANDRIA, Va., Aug. 31, 2022 /PRNewswire/** — (ISC)² — the world's largest nonprofit association of certified cybersecurity professionals — today announced that the (ISC)² One Million Certified in Cybersecurity initiative is now accepting participants. To qualify, individuals must enroll as an (ISC)² Candidate, for free, which entitles them to a wide array of exclusive programs and services to assist individuals starting a cybersecurity career, including free education and exams for the association's new entry-level cybersecurity certification (ISC)² Certified in CybersecuritySM.

First announced by (ISC)² CEO Clar Rosso during last month's Cyber Workforce and Education Summit at the White House, (ISC)² is acting on its pledge to implement meaningful solutions to our global cybersecurity workforce challenges. Research suggests organizations that focus on recruiting and developing entry-level cybersecurity staff — including those with little or no technical experience — accelerate the invaluable hands-on training the next generation of professionals needs to start a successful cybersecurity career.

Those who earn the (ISC)² Certified in Cybersecurity demonstrate to employers that they have the foundational knowledge, skills and abilities necessary for an entry-level cybersecurity role.

"The global cybersecurity workforce shortage is an issue we can no longer just talk about. It's time for decisive action," said Rosso. "I am proud that our association — with its rich history of advocating for the advancement, expansion and enablement of the cybersecurity workforce — is undertaking this unprecedented initiative to make rewarding cybersecurity careers accessible to so many people. We look forward to welcoming our One Million Certified in Cybersecurity participants to our community as (ISC)² Candidates and soon as new certified members of our association."

**How the Program Works  
**  
To participate in the One Million Certified in Cybersecurity initiative, individuals must visit www.isc2.org/candidate and enroll as an (ISC)² Candidate. Upon completion of that process, which includes an online form and affirmation to abide by the (ISC)² Code of Ethics, individuals will be able to access their free education and exam via their (ISC)² Candidates benefits page.

Participants will receive a free exam, as well as access to the (ISC)² Certified in Cybersecurity online self-paced education course. The course provides a review of the subject matter published in the (ISC)² Certified in Cybersecurity exam outline, which shares the security concepts on which certification candidates will be evaluated, including:

— Security Principles  
— Business Continuity (BC), Disaster Recovery (DR), and Incident Response Concepts  
— Access Controls Concepts  
— Network Security  
— Security Operations

University students, recent graduates, career changers and other professionals wishing to expand their skills and opportunities are encouraged to participate, especially individuals employed or seeking employment within small and midsized businesses.

After successfully completing the exam, participants will become (ISC)² members with access to a wide array of professional development resources to help them throughout their careers. The (ISC)² entry-level cybersecurity certification is the first step on a career-long journey that will help cybersecurity professionals gain experience and work toward advanced qualifications such as the CISSP®.

**Encouraging Diversity and Inclusion  
**  
In addition to open enrollment, (ISC)² will work closely with new and existing partner organizations to reach historically under-represented populations and encourage greater diversity within the cybersecurity community. (ISC)² has pledged that 500,000 course enrollments and exams will be directed toward students of historically black colleges and universities (HBCUs), minority-serving institutions (MSIs), tribal organizations and women's organizations across the US and the globe.

For more information on One Million Certified in Cybersecurity, including how to partner with (ISC)² to help support under-represented populations globally, visit www.isc2.org/IMCC.

**About (ISC)²**  
(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our membership, more than 168,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation — The Center for Cyber Safety and Education(TM). For more information on (ISC)², visit www.isc2.org, follow us on Twitter or connect with us on Facebook and LinkedIn.

© 2022 (ISC)² Inc., (ISC)², CISSP, SSCP, CCSP, CAP, CSSLP, HCISPP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP and CBK are registered marks, and CC is a service mark of (ISC)², Inc.

SOURCE: (ISC)2

(ISC)² Opens Global Enrollment for '1 Million Certified in Cybersecurity' Initiative

A security vulnerability (CVE-2022-28799) in one of TikTok for Android's deeplinks could affect billions of users, Microsoft warns.

A high-severity flaw in the Android version of the TikTok app — which has been installed more than 1.5 billion times so far via the Google Play Store — could allow threat actors to hijack a user's account with a single click.

Microsoft discovered the high-severity vulnerability in the handling of one of TikTok for Android's deeplinks, a particular type of hyperlink in Android that links to a specific component within an app. To exploit it, cybercriminals could craft a malicious link that, if clicked, would allow full account access.

Tracked as CVE-2022-28799, the flaw could allow attackers to modify users' TikTok profiles and access sensitive information, "such as by publicizing private videos, sending messages, and uploading videos on behalf of users," according to a Microsoft Security blog post published Wednesday.

In all, an exploit exposes 70 methods for an attacker to modify users' TikTok profiles and access sensitive information without users' awareness, he said.

**Under the Hood: Exploiting JavaScript**

While CVE-2022-28799 itself is found in a deeplink in the Android version of TikTok, exploiting the flaw depends on the app's implementation of JavaScript interfaces, which are provided by the app's WebView component, Microsoft said.

WebView allows applications to load and display web pages and, using the "addJavascriptInterface" API call, also can provide bridge functionality that allows JavaScript code in the web page to invoke specific Java methods of a particular class in the app.

The issue with WebView is that if someone such as a threat actor loads untrusted web content to WebView with application-level objects accessible via JavaScript code, the app is vulnerable to JavaScript interface injection. This may lead to data leakage, data corruption, or, in some cases, arbitrary code execution, Microsoft said.

"TikTok for Android uses JavaScript interfaces extensively, enhancing the WebView capabilities that are used within the app," according to the post.

Microsoft researchers discovered what they call "a class of interest" that makes use of WebView in TikTok's Android version that "registers a JavaScript bridge that has access to every type of functionality implemented by the classes of a bridge," which can be exploited due to the deeplink vulnerability, they said.

"Attackers can use the vulnerability to redirect URLs to various components of the application via a query parameter to trigger the deeplink and call nonexported activities, expanding the attack surface of the application," according to the post.

**Proof-of-Concept TikTok Attack**

In a proof-of-concept (PoC) exploit, Microsoft researchers were able to force the application to load an arbitrary URL (https://www.tiktok\[.\]com, in this case) to the application's WebView, they said.

"By crafting this URL with additional query parameters, it was possible to inject an instance of the JavaScript bridge that provides full access to the functionality implemented by the affected bridge package," according to the post.

It added, "In short, by controlling any of the methods able to perform authenticated HTTP requests, a malicious actor could have compromised a TikTok user account."

**Patch the TikTok App Now**

Microsoft notified TikTok about the flaw, according to its responsible disclosure practices. TikTok responded by rapidly issuing a fix to both versions of the Android app it offers — one for East Asia and Southeast Asia and the other for all remaining countries — which both were affected. Users should update their apps to the latest version to protect themselves.

The quick response is notable, given the myriad privacy and security issues that have plagued TikTok in the past. However, it has been cleaning up its act in recent years, starting with its introduction of a bug-bounty program through HackerOne in 2020.

In February, the company's global chief security officer Roland Cloutier told Dark Reading that TikTok has committed to building a culture of security and transparency going forward, given its access to sensitive data and content for billions of organizations and individuals.

TikTok for Android Bug Allows Single-Click Account Hijack

While cloud breaches are going to happen, that doesn't mean we can't do anything about them. By better understanding cloud attacks, organizations can better prepare for them. (First of two parts.)

Cloud breaches are inevitable.

It's the reality we live in. The last few years have demonstrated that breaches occur, no matter how much security organizations put in place. The increased complexity of organizations — where a single mistake or vulnerability can lead to a compromise — coupled with the increased motivation, sophistication, and dedication of attackers, means breaches are here to stay. At the same time, organizations are transitioning to the cloud, making attackers shift focus to rapidly increase their attacks on cloud environments.

While this means that cloud breaches are inevitable, that doesn't mean we can't do anything about them. By better understanding cloud attacks, organizations can better prepare for them. Then, hopefully, they can contain and respond to attacks faster, reducing their impact and averting a crisis.

This two-part series will explore real-world attacks that unravel, investigate, and share insights on practical ways organizations can respond to cloud attacks in today's threat landscape.

**SaaS Marketplace Hack Leads to Major Breach**

In the last few years, software-as-a-service (SaaS) platforms have been replacing traditional enterprise applications, making it easier for organizations to adopt and manage them. Part of the value such platforms provide is the ability to integrate and expand rapidly, supporting the ever-growing demands of users for more functionality. Further enhancing their platforms, SaaS vendors are creating a marketplace to allow third-party providers to add functionality and integration for its users. These marketplaces, however, can introduce substantial third-party risk, as can be seen in the following scenario.

After a company was notified by GitHub of a potential risk, GitHub didn't provide any specific indicators of unauthorized access. Instead, GitHub provided only a generic notice that DeepSource, one of the apps the company had previously been using on the marketplace, was breached, making it hard to understand whether the organization was affected or not. An initial review done by the company of its GitHub logs did not help, as it could not see any access to its code by DeepSource.

The reason for this was rather simple — and it is at the heart of how many SaaS marketplaces operate. A few months before the breach, one of the company's developers tried out the DeepSource app, wherein the developer granted DeepSource access to the code under his username. When the attackers used DeepSource's access to download the entire code repository, what appeared in the logs was a pull request under the name of a legitimate user. The only indicator that it was malicious was the identification of an irregular IP address, which eventually was tied to other known attacks.

At this point, it became clear that the entire code repository had been stolen, and a full-blown response was needed to contain and recover from the breach. As with most code leakage cases, the immediate concern was access to secrets (passwords/keys) in the code. While it is generally bad practice to have hardcoded secrets in code, it is still a common practice by many — and this case was no different. By identifying the relevant secrets in the code, the next steps of the attackers — which, as expected, started accessing some of the Amazon Web Services (AWS) infrastructure — was predicted. By quickly identifying them, the company was able to block access to all relevant resources, contain the breach, and recover before more damage could be done.

**Cryptominer Injected into a Virtual Machine Template**

What if one could mine cryptocurrency at somebody else's expense? This idea is at the heart of many cryptomining attacks we see today, where attackers take over cloud resources, then run cryptominers on them collecting cryptocurrency while the hacked organization pays the cloud compute bills for it.

In a recent incident, a company had identified unknown files on 18 AWS EC2 machines they were running in the cloud. Looking at the files, it became clear they had fallen victim to the ongoing TeamTNT Watchdog cryptomining campaign. It was initially unclear how the attackers managed to infect so many EC2 instances, but as the investigation unfolded, it became apparent that instead of targeting individual machines, the attackers targeted the Amazon Machine Image (AMI) template used to create each machine. During the creation of the original image, there was a short time where a service was misconfigured, allowing remote access. TeamTNT used automatic tools to scan the network, identify it, and immediately place the miners there, which then got duplicated to every new machine created.

This highlights another common attack pattern: implanting cryptominers in publicly available AMIs through the Amazon marketplace.

As demonstrated by these cases, cloud attacks are here to stay. They're different from what we're used to observing, so it's time to better prepare for their arrival. Stay tuned for part two, where we will dive into cloud ransomware and how to avoid it.

_The second part of this article is here._

The Inevitability of Cloud Breaches: Tales of Real-World Cloud Attacks

Next-gen platform delivers adaptive and robust, continuous authentication with identity orchestration and a frictionless user experience.

**IRVINE, Calif., Aug. 31, 2022 —** SecureAuth, a leader in access management and authentication, announces the general availability of Arculix, a next-generation access management and continuous authentication platform. Driven by SecureAuth’s patented risk-based behavioral modeling engine, Arculix provides end users with a frictionless and passwordless digital journey.

The platform takes into account an identity’s level of assurance based on user, device and browser trust that employs artificial intelligence and machine learning (AI/ML) to determine anomalous behavior. Arculix enables organizations to accelerate their Zero Trust initiatives by ensuring the right digital identities have the right amount of access to the right resources while improving user experience by eliminating the need to repeatedly ask users to re-authenticate. It can be deployed as a standalone identity provider or can extend other IdPs, like Microsoft (E3/E5 subscriptions), if the customer chooses to leverage their existing primary identity provider but needs to implement more advanced risk-based continuous authentication.

“Arculix’s groundbreaking AI-driven behavioral modeling and device trust capabilities take identity and access management (IAM) to a new level of security and user experience with passwordless authentication,” said Mark Mahovlich, Vice President of Strategy and Execution, ICM Cyber, a SecureAuth certified partner. “With Arculix we are helping our customers implement true passwordless and continuous authentication to mature their IAM programs and better secure their organizations.”

“With Arculix, organizations can improve digital experience and productivity at a time when identity has become the primary attack surface,” said Matt Ulery, Chief Product Officer, SecureAuth. “Organizations can have simplicity without sacrificing flexibility, enable a Zero Trust approach and leverage actionable threat intelligence and situational context to deliver the right user experience for workforce and customers. Early adopters of Arculix within the financial and insurance industries have been able to improve user experience and reduce help desk costs while reducing identity attacks including fraud, account take over (ATO) and credential stuffing.”

Arculix generates a risk score at the start of the user journey when logging into a device that is used to grant access to everything the user needs like web apps, servers, and services without interacting with another factor check. Risk is continuously re-assessed to provide invisible multi-factor authentication (MFA) that utilizes analytics to deliver a frictionless user experience with adaptive workflows that step-up or step-down authentication based on overall risk.

"Identity security remains a top concern and investment area for most enterprise and government organizations especially given that universal adoption of passwordless log-in technology is encouraged by leaders such as Apple, Google, Meta, Microsoft, Twitter, and more," said Jay Bretzmann, Research Vice President for Security Products, IDC. “Arculix has the potential to be a Phoenix taking advanced authentication technology to the next adoption level so that security teams actually start to use it.”

**Arculix Platform**

Key features of the Arculix platform include:

1. **Arculix Risk Analysis —** Based on its innovative behavioral modeling patent technology and AI, this system allows for a frictionless authentication process as well as the ability to predict a user’s digital behavior and patterns to preemptively prevent fraud.

2\. **Arculix Device Trust** — This capability utilizes analytics to evaluate device context and telemetry to provide a seamless experience to create the user’s digital DNA for resource and app access/usage. Arculix Device Trust is FIDO2 certified.

3\. **Arculix Mobile App** — The mobile app informs end-users of risk after login based on device and browser fingerprint analysis after login and automatically performs step-up login when a threat is detected.

To learn more, visit, Arculix Overview.

**About SecureAuth Corporation**

SecureAuth is a next-gen access management and authentication company that enables secure and passwordless, continuous authentication experience for employees, partners and customers. With the only solution that can be deployed in cloud, hybrid and on-premises environments, SecureAuth manages and protects access to applications, systems and data at scale, anywhere in the world. To find out more, please visit www.secureauth.com.

SecureAuth Announces General Availability of Arculix, Its Next-Gen Passwordless, Continuous-Authentication Platform

New graph-based tool offers a better alternative to current approaches for finding vulnerabilities in JavaScript code, they note.

Researchers at Johns Hopkins University recently uncovered a startling 180 zero-day vulnerabilities across thousands of Node.js libraries using a new code analysis tool they developed specifically for the purpose, called ODGen.

Seventy of those flaws have since received common vulnerabilities and exposures (CVE) identifiers. They include command injection flaws, path traversal vulnerabilities, arbitrary code execution issues, and cross-site scripting vulnerabilities — some of them in widely used applications.

In a paper released at the Usenix Security Symposium earlier this month, the Johns Hopkins researchers — Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao — described ODGen as a better alternative to current code-analysis and so-called graph query-based approaches for finding Node.js vulnerabilities.

Program analysis-based approaches have proved useful in helping detect individual vulnerability types such as code-injection flaws in JavaScript. But they cannot be easily extended to detect all kind of vulnerabilities that might be present in the Node.js platform, the researchers said. Similarly, graph-based code-analysis methods — where code is first represented as a graph and then queried for specific coding errors — works well in environments such as C++ and PHP. However, graph-based approaches are not as efficient in mining for JavaScript vulnerabilities because of the programming language's extensive use of dynamic features, they noted.

**A 'Novel' Approach for Finding JavaScript Vulnerabilities**

So, the researchers instead developed what they described as a "novel" and better method called Object Dependence Graph (ODG) that can be used for detecting Node.js vulnerabilities. They implemented ODGen to generate "ODG" for Node.js programs to detect vulnerabilities, they said.

Cao, assistant professor of computer science at Johns Hopkins University and a co-author of the research report, uses a couple of analogies to describe graph-based code analysis in general and their proposed Objective Dependence Graph. "If we consider a vulnerability as a special pattern — say, a green node connected with a red node and then a black node — a graph-based code-analysis tool first converts programs to a graph with many nodes and edges," Cao says. "Then the tool looks for such patterns in the graph to locate a vulnerability."

The Object Dependence Graph that the researchers have proposed refines this approach by representing JavaScript objects as nodes and adding features — including dependencies between objects — that are specific to the programming language, and then querying for errors. Cao describes how the method works using grains in a handful of rice: If all the grains look the same before boiling but assume two different shades after boiling — one representing good grains and the other bad grains — then it becomes easier to spot and weed out the bad grains. "Abstract interpretation is kind of like the boiling process that converts rice — that is, programs — into different colored objects" so errors are easier to spot, Cao says.

**A Variety of Bugs**

To see if their approach works, the researchers first tested ODGen against a sample of 330 previously reported vulnerabilities in Node.js packages on the node package manager (npm) repository. The test showed the scanner correctly identifying 302 of the 330 vulnerabilities. Buoyed by the relatively high accuracy rate, the researchers ran ODGen against some 300,000 Java packages in npm. The scanner reported a total of 2,964 potential vulnerabilities across the packages. The researchers checked 264 of them — all with more than 1,000 downloads per week on average — and were able to confirm 180 as being legitimate vulnerabilities. Forty-three of them were at the application level, 122 were in packages that are imported by other applications or code, and the remaining 15 were present in indirect packages.

A plurality (80) of the confirmed vulnerabilities that ODGen detected were command injection flows that allow attackers to execute arbitrary code at the operating system level via a vulnerable application. Thirty were path traversal flaws; 24 enabled code tampering, and 19 involved a specific type of command injection attack called prototype pollution.

New ODGen Tool Unearths 180 Zero-Days in Node.js Libraries

These five suggestions provide a great place to start building a scalable and affordable program for creating secure apps.

Some security programs need to have the absolute highest possible level of security assurance for the systems and the data they protect. They need to be as close to perfect as they can be. Examples of this would be managing evidence for top secret counterterrorism activities, invaluable intellectual property such as the first COVID-19 vaccine, or systems that require uptimes of five 9s (99.999%) or higher, for which downtime of a single minute can cost millions of dollars.

That said, for most companies, a "good" application security (AppSec) program will suffice. A good program is one where your applications are safe against the most common types of attacks but could still fall to a determined, well-funded, and advanced attacker. Let's discuss the differences, and how to create something that meets your company's needs.

**Elections Require Perfection**

For a "perfect" AppSec program, every single potential vulnerability reported by any test must be investigated by a security expert. This means running static application security testing (SAST), dynamic application security testing (DAST), and other automated tools with the confidence level for findings set to report "any and all" possibilities. That requires hiring one or more security experts who are trained to run down each item and given weeks to check each application. It also means hiring several security professionals to do manual security testing and code review, for multiple viewpoints, and to re-test that the bugs are truly fixed and have not created new bugs in the process. It is both time-consuming and quite expensive.

A few years ago, I worked on an application that had to run on a 32-kilobit modem in the Arctic. It makes our elections in Canada happen, which meant it had to be absolutely perfect. We hired several different security professionals, who used a multitude of tools and manual techniques to find both security and non-security issues within our application. We did stress testing, performance testing, integration testing, and so much more. We set up a functional returning office (the place that you vote), with every system fully functional, and ran an entire 36-day mock election, with fake security incidents thrown into the mix, 6 months before the big day. We spent the following 6 months finalizing every detail. It's unlikely you would have noticed, as when the 52nd General Election happened on Oct. 19, 2015, it went off without a hitch.

They don't write news articles when everything goes right. We also put in quite a bit more work than what I shared above, which I am not at liberty to share. The point is that being perfect is not cheap, and it is not quick.

**5 Ways to Make Good 'Good Enough'**

With that story in mind, does your organization need to be truly _perfect_? Or is "good" _good enough_? Let's look at some ways your organization could create a scalable and affordable application security program that is _good_.

**1\. Automate.** First off, leverage automation whenever possible. There are many free and paid security tools that can provide good results. When I say good, I mean most of the results they report are true positives, and the false negatives (missed bugs) are at a level your organization can be comfortable with. Some automated tools will allow you to set a confidence level for your results; starting with a confidence level of "high" in the first year of your program, and then shifting to "medium" in the second year, is a good way to get software developers to have faith in what you are reporting while not overwhelming them.

**2\. Use anti-pattern matching SAST.** For SAST tools, when you're aiming for "good" results, select a next-generation SAST that performs anti-pattern matching (regex looking for known-bad patterns) rather than an original SAST type that performs symbolic execution (running down every possible code outcome, searching for potential flaws and bugs). While the original types of SAST are ideal for creating a perfect application, next-generation SASTs are faster, provide more true positives, and are sometimes quite a bit cheaper as well.

**3\. Spell out technical requirements.** When starting new projects, give your project team a list of expectations, both for technical security requirements and for activities you expect them to participate in as part of the project life cycle. You could create a list once for each type of technology (Web apps, APIs, serverless, infrastructure as code, containers, etc.), then reuse that list for every new project it applies to. This also allows a project manager to schedule time for the security activities to happen so that project teams don't face unexpected overtime.

**4\. Run a threat model.** During the design phase, reserve one hour with the product owner, the technical leader of the project, and a member of the AppSec team. Perform a simple threat model on your application and implement some of the recommendations from that session.

**5\. Train people on secure coding.** Give your software developers secure coding training. There's several free or almost-free courses on the Internet for this now, and every bug they help your people avoid creating saves you more time and money than you may realize.

Although this is just a short list of ways to build a scalable and affordable program for creating secure apps, these five suggestions provide a great place to start from or to add to an already existing program to make "good" software.

Don't Let 'Perfect' Be the Enemy of a Good AppSec Program

Analysts find five cookie-stuffing extensions, including one that's Netflix-themed, that track victim browsing and insert rogue IDs into e-commerce sites to rack up fake affiliate payments.

Researchers have flagged five separate malicious Chrome extensions masquerading as Netflix viewers and more. They track user activity and insert code into any e-commerce sites they visit, letting cyberattackers steal payments through the retailer affiliate programs. 

McAfee Labs analysts found the Chrome extensions being marketed to let users watch Netflix in groups, automatically clip coupons, and take screenshots. All together, the apps have been downloaded 1.4 million times, they found. 

The McAfee team has been working on tracking down malicious Chrome extensions, and its latest report is part of that project, researchers wrote in a recent blog about their findings. The researchers warn end users to take extra precautions to verify an extension's safety if it asks for additional permissions. 

"This blog highlights the risk of installing extensions, even those that have a large install base as they can still contain malicious code," they said. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading