The phishing campaign deploying a ScanBox reconnaissance framework has targeted the Australian government and companies maintaining wind turbines in the South China Sea.

The Chinese state-aligned threat actor TA423 (aka Leviathan/APT40) is behind a sustained cyber-espionage campaign against countries and entities operating in the South China Sea, including organizations involved in an offshore wind farm in the Taiwan Strait.

The threat actor's most recent campaigns used malicious emails impersonating Australian media organizations, including the fake Australian Morning News, to deliver ScanBox malware for reconnaissance, according to a report drafted by cybersecurity firm Proofpoint, working in collaboration with PwC.

Researchers also observed phishing activity targeting governmental agencies, media companies, and South China Sea wind turbine operators, as well as a European manufacturer supplying equipment for the Yunlin Offshore Windfarm in the Taiwan Strait.

The espionage campaign was active from April through June, with URLs delivered in phishing emails that redirected victims to a malicious website, where the landing page delivered a JavaScript ScanBox malware payload to selected targets.

"The ScanBox-related phishing campaigns identified in April through June 2022 originated from Gmail and Outlook email addresses which Proofpoint assess with moderate confidence were created by the threat actor, and utilized a variety of subject \[lines\] including 'Sick Leave,' 'User Research,' and 'Request Cooperation,'" a blog post on the campaign noted, adding that the phishing campaign is currently ongoing.

ScanBox is a reconnaissance and exploitation framework designed to harvest several types of information, such as the target's public-facing IP address, the type of Web browser they use, and their browser configuration (language or plugin information, for example). It allows threat actors to profile victims, and to deliver further carefully crafted malware to selected targets of interest.

This serves as a setup for the following stages of information gathering and potential follow-on exploitation or compromise, where malware could be deployed to gain persistence on the victim's systems and allow the attacker to perform espionage activities.

"It creates an impression of the victim's network that the actors then study and decide the best route to take to achieve further compromise," explains Sherrod DeGrippo, Proofpoint's vice president of threat research and detection.

Proofpoint began to observe a consistent pattern of targeting against entities based in Malaysia and Australia as far back as March 2021 — the first phase of the campaign.

"The second phase began in March 2022 and consisted of phishing campaigns which used RTF template injection attachments leveraging template URLs that were customized for each target," the report noted.

**Active for Almost a Decade**

DeGrippo notes that TA423 has been active for almost 10 years, with its activity dovetailing with military and political events in the Asia-Pacific region. TA423's typical targets include defense contractors, manufacturers, universities, government agencies, legal firms involved in diplomatic disputes, and foreign companies involved with Australasian policy or South China Sea operations.

She calls TA423 "one of the most consistent" advanced persistent threat (APT) actors in the threat landscape, supporting the Chinese government in matters related to the South China Sea, including during the recent tensions in Taiwan.

"This group specifically wants to know who is active in the region and, while we can’t say for certain, their focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan, and Australia," she explains.

The group is so capable that in 2021, the US Department of Justice charged four of its alleged members with "global computer intrusion campaign targeting intellectual property and confidential business information."

"We expect TA423 to continue pursuing its intelligence-gathering and espionage mission primarily targeting countries with interests in the South China Sea, as well as further intrusions in Australia, Europe and the United States," DeGrippo says.

**Spike in Phishing Campaigns**

Malicious actors are using increasingly sophisticated and unusual methods to conduct phishing campaigns.

Earlier this month, threat actors use a compromised Dynamics 365 Customer Voice business account and a link posing as a survey to steal Microsoft 365 credentials in a widespread campaign.

Google researchers also discovered the latest threat from Iranian APT group Charming Kitten, which has a new data-scraping tool that claws emails from victim Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials.

DeGrippo says protecting email users and the email vector should be a top priority for organizations, particularly those heavily targeted industries with significant email traffic.

"Organizations should focus on a cybersecurity strategy based on people, processes, and technology," she adds. "This means training individuals to identify malicious emails, using email security tools to block threats before they reach users' inboxes, and putting the right processes in place to ensure that threats can be mitigated immediately."

Chinese Hackers Target Energy Sector in Australia, South China Sea

The relationship between information technology and operational technology will need top-down support if a holistic security culture is to truly thrive.

Most members of the security community acknowledge the need for an improved security culture — meaning systemic corporate awareness, measurement, and monitoring for improvement of cybersecurity to lower the overall risk. Just look at Kim Zetter's Black Hat USA 2022 keynote, which called for crucial security improvements throughout critical infrastructure.

Many times, the impediment to effective security is not necessarily technical but, rather, a cultural issue. Many often mistakenly equate user education and training with the creation of a security culture. User education is about information sharing on issues and obligations — whereas security culture is about behavioral changes in support of security.

**Building Security Culture Through User Awareness**

Though user awareness and building a security culture are different exercises with distinct challenges, they share one commonality_:_ They require serious attention and support. With that in mind, these two exercises actually complement each other.

Consider this: While there are many debates on CISO reporting structures, the support necessary for driving a security culture is not dependent upon this hierarchy; it's dependent on the modification of user behavior through generally accepted business operations. This holistic business process modification is why the security culture needs to be driven from the top down.

User awareness should be baked into an organization's security tools and take place as consistently as searching the systems for indications of compromise. User awareness does not take the place of, and is not the same as, the creation of a security culture — rather, it's a necessary component of any effective security culture.

**Getting on Board**

Ownership and support for creating security culture must be driven at the board level. This is because while many exploitations and attacks are no more than another security alert to manage, when a skilled adversary gets involved, serious risks arise. As I always say: Amateurs hack systems; professionals hack people. Hacking the human as a security risk category has a high yield of success and transcends technological safeguards.

The trick is to protect the human operator from the pitfalls of human nature by controlling and sculpting behavior. This often requires critical thought about ingrained business practices. Support for the realization of necessary changes will rely heavily upon top-down influence.

**Security Culture in OT Environments**

OT environments are saddled with even more significant challenges in examining and cultivating their security culture. Not only do business users play an integral role, but OT engineers are just as vital to preventing and responding to security events.

The relationship between IT and OT is where the creation of a holistic security culture will need top-down support to look critically at the overall business and operational processes. Things that can torpedo the most earnest attempts at shoring up a security effort could be as unsuspecting as the accounting process for applying budgets across the individual locations or the perception of ownership for security.

While these examples are the tip of the iceberg, it's important to create a holistic and continuous process improving program within the organization to continue to ask, "How could our security culture be improved?"

**Security Culture in IT Environments**

Unlike OT, the recognition of the need for technologies is well defined in IT. For example, asset inventory and visibility is a commodity product set for IT. There are many asset management vendors from which to choose, and a skilled IT team can quickly adopt these tools. The process of selecting technology may be influenced by an IT-centric process. Cultural changes may be found that would better fit the selection of complementary products on the OT side.

Asset inventory, vulnerability, and risk management are more challenging in OT due to the nature of the technology and topology. The personnel are typically engineers that specialize in the process and not necessarily the tool (systems) with how they interact with the operations of moving molecules. The owners of OT assets have a different mission focus from IT owners, and their training does not necessarily include security. The creation of a security culture must take these different mindsets into account and use relatable tactics to change behavior.

**Blending Cultures: IT and OT**

A risk-based approach will help IT and OT professionals by standardizing key metrics like life, health, safety, not to mention the impact on production capacity and efficiency. This approach should also include maximum tolerable downtime (MTD) and mean time to recovery (MTR).

This will drive answers to why personnel should care about security. Organizations will want to give the collective team a chance for success. While looking at business processes for assigning tasks across groups, subtle changes may become apparent when viewed through a security lens. While system ownership must remain bifurcated due to inherent, operationally driven needs, the IT/security/OT teams must all work in lockstep to address critical vulnerabilities, potential security events, and incident response/recovery. Speed and efficiency are paramount.

These are only two aspects of creating a security culture but serve as an excellent example of why there is more to changing behavior than simple information sharing. Creating a security culture is vital to any organization to augment the security technology investments but is indispensable to an OT operator's survival in the fast-paced breach response process.

Security Culture: An OT Survival Story

Nearly half of respondents say their company relies on outdated backup and recovery infrastructure — in some cases dating back to the 1990s, before today's sophisticated cyberattacks.

**SAN JOSE, Calif. Aug. 29, 2022** (BUSINESS WIRE) — New global research commissioned by Cohesity, a leader in next-gen data management, reveals that nearly half of respondents say their company depends on outdated, legacy backup and recovery infrastructure to manage and protect their data. In some cases, this technology is more than 20 years old, and was designed long before today’s multicloud era and onslaught of sophisticated cyberattacks plaguing enterprises globally.

“In this survey, we found nearly 100 respondents who said their organizations are relying on outdated data infrastructure, and this raises the question, how many other businesses are in the same situation around the world?”

Challenges pertaining to outdated infrastructure could easily be compounded by the fact that many IT and security teams don’t seem to have a plan in place to mobilize if and when a cyberattack occurs. Nearly 60% of respondents\* expressed some level of concern that their IT and security teams would be able to mobilize efficiently to respond to an attack.

These are just some of the findings from an April 2022 survey, conducted by Censuswide, of more than 2,000 IT and SecOps professionals (split nearly 50/50 between the two groups) in the United States, the United Kingdom, Australia, and New Zealand. All respondents play a role in the decision-making process for IT or security within their organizations.

“IT and security teams should raise the alarm bell if their organization continues to use antiquated technology to manage and secure their most critical digital asset – their data,” said Brian Spanswick, chief information security officer, Cohesity. “Cyber criminals are actively preying on this outdated infrastructure, as they know it was not built for today’s dispersed, multicloud environments, nor was it built to help companies protect and rapidly recover from sophisticated cyberattacks.”

**Backup and Recovery Infrastructure That Could Be Considered Archaic**

Forty-six percent of respondents said that their organization relies on primary backup and recovery infrastructure that was designed in, or before, 2010. Nearly 100 respondents (94 out of 2011) revealed that their organization relies on backup and recovery infrastructure that was built before the new millennium — in the 1990s.

Enterprises are utilizing this legacy technology despite the fact that managing and securing data environments has become much more complex, not just because of the exponential growth in structured and unstructured data, but because of the vast array of locations where that data is stored. Forty-one percent of respondents stated that they store data on-premises, 43% rely on public cloud storage, 53% utilize a private cloud, and 44% have adopted a hybrid model (some respondents are using more than one option).

“In 2022, the fact that any organization is using technology to manage their data that was designed in the 1990s is frightening, given that data can be compromised, exfiltrated, held hostage, and it can create massive compliance issues for organizations,” said Spanswick. “In this survey, we found nearly 100 respondents who said their organizations are relying on outdated data infrastructure, and this raises the question, how many other businesses are in the same situation around the world?”

**What Keeps IT and SecOps Teams Up at Night**

Respondents highlighted what they believe would be their biggest barriers to getting their organization back up and running after a successful ransomware attack. The findings are as follows _(respondents were asked to check all that apply)_:

*   integration between IT and security systems (41%)
*   lack of coordination between IT and Security (38%)
*   lack of an automated disaster recovery system (34%)
*   antiquated backup and recovery systems (32%)
*   lack of a recent, clean, immutable copy of data (32%)
*   lack of and timely detailed alerts (31%)

With respect to the lack of coordination between IT and security, this coincides with other findings from this survey, denoting that a gap often exists between IT and SecOps that puts businesses and security postures at risk. For more on that, click here.

**What Do Survey Respondents Want Management to Prioritize?**

Respondents revealed that modernizing data management, protection, and recovery capabilities, in addition to increasing collaboration between IT and SecOps, offers a path to strengthening their organizations’ security postures and multicloud operations. The top five “must have'' measures that respondents would ask management for in 2022 are:  

1\. Integration between modern data management and security platforms and AI-powered anomalous data access alerts to provide early warning of attacks in progress (34%)  
2\. Extensible platform for third-party applications for security operations and incident response (33%)  
3\. Automated disaster recovery of systems and data (33%)  
4\. Upgrading from legacy backup and recovery systems (32%)  
5\. Rapid, organizationwide backup with in-transit data encryption (30%)

“Both IT decision-makers and SecOps should co-own the cyber-resilience outcomes, and this includes an evaluation of all infrastructure used in accordance with the NIST framework for data identification, protection, detection, response, and recovery. Also, both teams need to have a comprehensive understanding of the potential attack surface,” said Spanswick. “Next-gen data management platforms can close the technology gap, improve data visibility, help IT and SecOps teams sleep better at night, and stay one step ahead of bad actors who take great delight in exfiltrating data from legacy systems that can’t be recovered.”

**For more information:**

*   To learn more about Cohesity Data Security, click here.
*   To learn more about Cohesity Ransomware Recovery, click here.
*   To learn more about Cohesity Threat Defense, click here.
*   To learn more about next-gen data management, click here.

_\[\*\] When asked “If a ransomware attack occurred today, how confident, if at all, are you/would you be that your IT and Security teams would be able to mobilize efficiently to respond to the attack,” 60% applies to respondents who said ‘Somewhat confident’, ‘Not very confident’, and ‘Not at all confident’._

**About Cohesity**

Cohesity radically simplifies data management. We make it easy to protect, manage, and derive value from data — across the data center, edge, and cloud. We offer a full suite of services consolidated on one multicloud data platform: backup and recovery, disaster recovery, file and object services, dev/test, and data compliance, security, and analytics — reducing complexity and eliminating mass data fragmentation. Cohesity can be delivered as a service, self-managed, or provided by a Cohesity-powered partner.

_© 2022 Cohesity, Inc. All rights reserved. Cohesity, the Cohesity logo, Helios, and other Cohesity marks are trademarks or registered trademarks of Cohesity, Inc. in the U.S. and/or internationally. Other company and product names may be trademarks of the respective companies with which they are associated._

Cohesity Research Reveals that Reliance on Legacy Technology Is Undermining How Organizations Respond to Ransomware

The first-of-its-kind campaign threatens to remove code packages if developers don’t submit their code to a "validation" process.

A phishing campaign is targeting users of the Python Package Index (PyPI) by threatening to remove their code packages if they don't put it through a bogus validation process, PyPI administrators have warned.

PyPI administrators are alerting users about the repository — which enables Python developers to publish and find code packages to use for building software — of emails that claim they are implementing a "mandatory 'validation' process," they said in a series of tweets outlining how the scam works.

The messages invite PyPI users to follow a link to perform the validation "or otherwise risk the package being removed from PyPI." The administrators assured users in a post that they would never remove a valid project from the index, and they only take down projects that are found to be malicious or violate the company's terms of service.

The campaign, which the administrators said is the first of its kind, steals users credentials to load compromised packages to the repository. The administrators noted that the phishing campaign does not target code repositories as a way to spread malware through the software supply chain.

The attackers behind the scam already have successfully stolen credentials from several PyPI users and uploaded malware into the projects they maintain to serve as the latest release for those projects, according to PyPI.

"These releases have been removed from PyPI and the maintainer accounts have been temporarily frozen," according to PyPI's Twitter post.

**How the Scam Works**

According to PyPI, the initial phishing message dangles the lure that Google is behind the validation process of new and existing PyPI packages. Ironically, the message claims the new process is due to "a surge in malicious packages being uploaded to the PyPI.org domain."

The link takes the user to a phishing site that mimics PyPI's login page, which steals any credentials entered through a phishing site, "sites\[dot\]google\[dot\]com/view/pypivalidate." The data is sent to a URL on the domain "linkedopports\[dot\]com," according to PyPI.

PyPI administrators have been unable to determine whether the phishing site was designed to relay TOTP-based two-factor codes but noted that accounts protected by hardware security keys are not vulnerable to the attack.

Repository administrators are in the process of actively reviewing reports of new malicious releases and ensuring that they are removed so the accounts that have been compromised are restored and their maintainers can continue to use PyPI.

**Supply Chain in the Crosshairs**

The campaign bucks the trend where threat actors are targeting public code repositories to distribute malware to the software supply chain. Flawed code can be a goldmine for threat actors, expansively widening the impact of malicious campaigns when compromised code is built into numerous applications or websites without developers or users knowing.

The Log4J case — in which a flaw in a widely used Java logging tool affected millions of applications, many of which are still vulnerable — brought this to light in a big way, and threat actors recently have ramped up attacks on code repositories as a way to spread malicious code quickly through the supply chain.

Earlier this month, PyPI removed 10 malicious code packages from the registry after a security vendor informed it about the issue. Threat actors targeted the registry by embedding malicious code into the package installation script.

PyPI has been aware of the target on its back and in the past few years has enacted several security initiatives to better protect its users.

These measures include the addition of two-factor authentication (2FA) as a login option and API tokens for uploading software to the registry, a dependency resolver to ensure the pip package installer installs the right versions of package dependencies, and the creation of databases of known Python vulnerabilities in PyPI projects.

**Thwarting the Attack**

PyPI is currently working to make 2FA more prevalent across projects on the repository, administrators said, adding that PyPI users with 2FA already implemented should reset recovery codes if they think that their account has been compromised.

To avoid being phished altogether, PyPI users should confirm that the URL in the address bar of any email purporting to come from PyPI is http://pypi.org and that the site's TLS certificate is issued to http://pypi.org. Users also should consider using a browser-integrated password manager, administrators tweeted.

Enabling 2FA by using hardware security keys or WebAuthn 2FA also can help PyPI users avoid being compromised by phishing attempts, they said. In fact, to help facilitate better protection, the repository currently offers free hardware keys for maintainers of the top 1% of projects.

PyPI advised any users who think they've been compromised to contact \[email protected\] with details about the sender email address and URL of the malicious site to help administrators to respond to this issue.

Phishing Campaign Targets PyPI Users to Distribute Malicious Code

A people-first approach reduces fatigue and burnout, and it empowers employees to seek out development opportunities, which helps retention.

I manage a security operations center (SOC) in the midst of the Great Resignation and a massive cybersecurity skills gap. During this time, I've learned a few surprising things about how to recruit and maintain a cohesive SOC team.

A 2021 Devo study of more than 1,000 cybersecurity professionals found that working in a SOC has some unique pain points, including the amount of information that needs to be processed and the on-call nature of the job. Alert fatigue also contributes to this pain.

I've found that keeping the SOC staffed and engaged starts with a SOC's most important asset: its people. A people-first approach not only helps with reducing fatigue and burnout, but it also empowers employees to seek out opportunities for their own development, greatly aiding in retention. Here are three ways that I rely on to support my SOC colleagues.

**Give and Receive Regular Feedback**

Actionable feedback, both given and received, is something that people naturally desire. When done proactively, the team gains a clear understanding of their performance while building trust with their leaders. Even if everything is going well, letting your colleagues know what they are excelling at is imperative. This positive reinforcement often has more impact than letting them know when something needs to be improved.

I have an open-door policy with my team, which allows for a consistent feedback loop. If I need to be doing more for my team, I expect them to tell me where I can improve; on the flip side, hearing if something is going well helps me better calibrate my leadership style to my team.

I also encourage others to find departments within your company that will provide 180-degree feedback. This is vital for me as both a leader and an employee as it empowers me to check my own blind spots. As a leader, you should want to discover the areas where you can grow and better support your team.

**Rotate Tasks and Responsibilities**

Within my team, I have everyone rotate between managing alerts, self-paced training, and project work. This not only gives each team member a window into different aspects of the SOC, and work to develop themselves, it also removes some of the monotony and stress of the job.

For instance, if you have to come to work every day and consistently worry about urgent tickets and client requests, you will feel anxious and as though you constantly have to fix other people's problems. These feelings contribute mightily to burnout. Additionally, finding ways to automate regular tasks will reduce the stress and burden placed on the team so they can focus on more strategic work.

**Promote Interactions Throughout the Company**

It can be easy to get lost looking at each tree in the SOC, when you should instead be focusing on the forest of the company. That is why I encourage my team to take a step back and realize how their work is helping the company and community.

I do this by coordinating opportunities for my team to work with individuals outside their realm, for instance in sales or marketing, so everyone understands the product and overall goals. Also, assisting others outside of your team and even your company helps you to fully understand the value you provide and where others can benefit from your team's support and expertise.

I encourage my team to complete a quarterly "Do Good" project, which focuses on the needs of the company and the larger security community. For instance, how can we work together to educate others about bad actors and mitigate the threats they pose? In April, the SOC team identified and validated IP addresses that were being used for attacks across several of our clients. After they were identified, we ensured they were available to the public so others could leverage our knowledge to block attackers.

Doing projects like these reminds the team how critical their work is and unites us around a common goal.

**The Key Differentiator: How People Are Treated**

How the leaders treat their people is a key differentiator in today's job market, especially as many organizations look to creative ways to solve cybersecurity's ongoing talent shortage. It goes without saying that employers should also look to train employees rather than expect them to come to an entry-level job with 30 years of experience and a CISSP cert.

When I am hiring, I look for strong base foundations and proven self-starters, along with potential — and desire — to grow, rather than previous experience. It is always rewarding to give deserving people an opportunity and watch them flourish.

Additionally, having your team complete self-paced training and educational opportunities enables each person to work on skills and techniques that will only aid the company down the line. Fostering that growth is just good business.

While there certainly isn't a one-size-fits-all approach to managing people, as each person, SOC, and company are different, keeping your people at the heart of all things will never go out of style. The stronger your employees, the better off your SOC, and your organization as a whole, will be.

Building a Strong SOC Starts With People

The search engine giant's Vulnerability Rewards Program now covers any Google open source software projects — with a focus on critical software such as Go and Angular.

Google plans to pay out cash rewards for information on vulnerabilities discovered in any of its open source projects as part of an ongoing effort to improve the security of open source code.

The new Open Source Software Vulnerability Rewards Program (OSS VRP), which extends Google's existing Vulnerability Rewards Program, was announced in a blog post published today.

Google will pay researchers up to $31,337 for information on vulnerabilities in open source software projects — particularly those managed by Google — that impact the firm's software and services. Google's goal is to secure its own software supply chain, but because many non-Google developers use the company's open source software — such as the Go programming language and Angular Web framework — the initiative promises to help secure the wider open source ecosystem as well.

At first, Google will focus on the most widely used and critical projects, says Francis Perron, open source security technical program manager at Google.

"We want to offer a high-quality bug-hunting experience, so we picked projects which had enough maturity in their response and their processes to test this program," he says. "Broadening the scope will happen after we compile enough data internally, and make sure we can scale up without harming the projects, and the researchers."

**Supply Chain Security Challenges**

Securing the software supply chain has become a major effort of technology firms and the policymakers. In January, the Biden administration met with technology companies and open source organizations to find ways to promote secure coding, find more vulnerabilities, and speed patching of open source projects.

Last year, Google pledged to spend $10 billion over five years, supporting efforts by the OpenSSF, adding a cybersecurity advisory group, and bolstering its Invisible Security zero trust initiative.

"Governments and businesses are at a watershed moment in addressing cybersecurity," Kent Walker, president of global affairs for Google and its parent company Alphabet, said in the 2021 announcement of the company's $10 billion pledge. "Cyberattacks are increasingly endangering valuable data and critical infrastructure. While we welcome increased measures to reinforce cybersecurity, governments and companies are both facing key challenges."

Over the past decade, Google has paid out more than $38 million in rewards to researchers who have submitted 13,000 vulnerabilities to the company, as part of its Vulnerability Rewards Program. 

Google has already offered bounties for bugs in its Chrome browser and the Android mobile operating system, both of whose base code are managed as open source projects. The company paid out $2.9 million to 119 researchers for their reports of vulnerabilities in Android, with the highest reward hitting $157,000. Similarly, the company paid $3.3 million to 115 researchers for finding bugs in Chrome in 2021.

**Paying for "Eleet" Bug Finds**

With its Open Source Software Vulnerability Rewards Program (OSS VRP), Google is creating a standard framework to reward researchers who find issues in the open source software projects maintained by the company.

Google will allow submissions for "\[a\]ll up-to-date versions of open source software (including repository settings) stored in the public repositories of Google-owned GitHub organizations," the company stated in its blog post. In addition, the company has focused on rewards for several critical projects, including the Go programming language, the Angular Web framework, and its nascent operating system for connected devices, Fuchsia.

The company currently asks for submissions of vulnerabilities that affect the supply chain, design issues that could result in vulnerabilities in Google's products, and security weaknesses such as compromised credentials, weak passwords, or insecure installation configurations. As part of its focus on the supply chain, the company will reward researchers who submit vulnerabilities to third-party open source projects on which Google's software depends.

"This program focuses on Google-produced open source projects, and the proposed short list of flagship projects listed includes projects also driven by Google," says Google's Perron. "The rules also include the 'Standard' tier, which does incorporate a vast amount of projects."

The company plans to pay researchers anywhere from $100 to $31,337 — a special number because it spells out "eleet," or elite, in hackerspeak — with the higher payouts going to more severe, or more creative, vulnerabilities.

With the additional bounty programs, some vulnerabilities rewards may overlap with other programs. Google pledged to work with researchers to submit their vulnerability reports to the right programs to maximize their payout, the company said.

Google Expands Bug Bounties to Its Open Source Projects

US cybersecurity services firm expands services in Latin America.

**SCOTTSDALE, Ariz., Aug. 29, 2022** (GLOBE NEWSWIRE) — Cerberus Cyber Sentinel Corporation (NASDAQ: CISO), an industry leader as a managed cybersecurity and compliance provider, based in Scottsdale, Ariz., announced that it has completed the acquisition of CUATROi, a cloud managed services provider and cybersecurity company with headquarters in Santiago, Chile, and offices in Bogotá, Colombia, and Lima, Peru. Under the terms of the agreement, CUATROi became a wholly owned subsidiary of Cerberus Sentinel.

CUATROi is a secured managed services provider to organizations throughout South America. Alejandro Torchio, CEO of CUATROi, will continue to manage the company's team of professionals and will work closely with the leadership team in Latin America.

“CUATROi is an excellent cultural fit with the Cerberus Sentinel family of companies,” said David Jemmett, CEO and founder of Cerberus Sentinel. “Cybersecurity is a worldwide problem that requires global capabilities to address the security demands of businesses and organizations. CUATROi has been partners with our Arkavia Networks team, also based in Santiago, Chile, for several years. They are a great addition to our growth strategy throughout Latin America.”

“We are very pleased to be part of the Cerberus Sentinel family of companies, a worldwide company and a global leader in cybersecurity, whose culture is similar to CUATROi. I want to thank the entire CUATROi team at the regional level who, through teamwork, managed to position ourselves regionally as a technological partner for our clients. I am sure that this will be a great opportunity for all of us to be part of a world-class company like Cerberus Sentinel,” said Alejandro Torchio, CEO, CUATROi.

CUATROi will continue to be based in Chile.

**About Cerberus Sentinel**

Cerberus Sentinel is an industry leader as a managed cybersecurity and compliance provider. The company is rapidly expanding by acquiring world-class cybersecurity, secured managed services, and compliance companies with top-tier talent that utilize the latest technology to create innovative solutions to protect the most demanding businesses and government organizations against continuing and emerging security threats and compliance obligations.

**Safe Harbor Statement**

This news release contains certain statements that may be deemed to be forward-looking statements under federal securities laws, and we intend that such forward-looking statements be subject to the safe-harbor created thereby. Such forward-looking statements include, among others, our belief that CUATROi is an excellent cultural fit with the Cerberus Sentinel family of companies; and our belief that CUATROi is a great addition to our growth strategy throughout Latin America. These statements are often, but not always, made through the use of words or phrases such as "believes," "expects," "anticipates," "intends," "estimates," “predict,” "plan," “project,” “continuing,” “ongoing,” “potential,” “opportunity,” "will," "may," "look forward," "intend," "guidance," "future" or similar words or phrases. These statements reflect our current views, expectations, and beliefs concerning future events and are subject to substantial risks, uncertainties, and other factors that could cause actual results to differ materially from those reflected by such forward-looking statements. Such factors include, among others, risks related to our ability to raise capital; our ability to increase revenue and cash flow and become profitable; our ability to recruit and retain key talent; our ability to identify and consummate acquisitions; our ability to acquire, attract, and retain clients; and other risks detailed from time to time in the reports filed with the Securities and Exchange Commission, including the Annual Report on Form 10-K for the fiscal year ended December 31, 2021. You should not place undue reliance on any forward-looking statements, which speak only as of the date they are made. Except as required by law, we assume no obligation and do not intend to update any forward-looking statements, whether as a result of new information, future developments, or otherwise.

SOURCE: Cerberus Cyber Sentinel Corporation

Cerberus Sentinel Announces Acquisition of CUATROi

To help organizations with their plans, NIST and the Department of Homeland Security developed the Post-Quantum Cryptography Roadmap.

Practically speaking, quantum computers are still years away, but the US Cybersecurity and Infrastructure Agency is still recommending that organizations begin preparations for the migration to the post-quantum cryptographic standard.

Quantum computers use quantum bits (qubits) to deliver higher computing power and speed, and are expected to be capable of breaking existing cryptographic algorithms, such as RSA and elliptic curve cryptography. This would impact the security of all online communications as well as data confidentiality and integrity. Security experts have warned that practical quantum computers could be possible in less than ten years.

The National Institute of Standards and Technology announced the first four quantum-resistant algorithms that will become part of the post-quantum-cryptographic standard in July, but the final standard is not expected until 2024. Even so, CISA is encouraging critical infrastructure operators to begin their preparations in advance.

“While quantum computing technology capable of breaking public key encryption algorithms in the current standards does not yet exist, government and critical infrastructure entities—including both public and private organizations—must work together to prepare for a new post-quantum cryptographic standard to defend against future threats,” CISA says.

To help organizations with their plans, NIST and the Department of Homeland Security developed the Post-Quantum Cryptography Roadmap. The first step should be creating an inventory of vulnerable critical infrastructure systems, CISA said.

Organizations should identify where, and for what purpose, public key cryptography is being used, and mark those systems as quantum-vulnerable. This includes creating an inventory of the most sensitive and critical datasets that must be secured for an extended amount of time, and all systems using cryptographic technologies. Having a list of all the systems would ease the transition when it comes times to make the switch.

Organizations will also need to assess the priority level for each system. Using the inventory and prioritization information, organizations can then develop a systems transition plan for when the new standard is published.

Security professionals are also encouraged to identify acquisition, cybersecurity, and data security standards that will need to be updated to reflect post-quantum requirements. CISA encourages increasing engagement with organizations developing post-quantum standards.

The agency’s focus on the inventory echoes the recommendations made by Wells Fargo at RSA Conference earlier this year. In a session discussing the financial giant’s quantum journey, Richard Toohey, technology analyst at Wells Fargo, suggested that organizations begin their crypto inventory.

"Discover where you have instances of certain algorithms or certain types of cryptography, because how many people were using Log4j and had no idea because it was buried so deep?" Toohey said. "That's a big ask, to know every type of cryptography used throughout your business with all your third parties — that's not trivial. That's a lot of work, and that's going to need to be started now."

Wells Fargo has a “very aggressive goal” to be ready to run post-quantum cryptography in five years, according to Dale Miller, the chief artchitect of information security architecture at Wells Fargo.

Migrating industrial control systems (ICSs) to post-quantum cryptography will be a major challenge for critical infrastructure operators, mainly because the equipment is often geographically dispersed, CISA said in the alert. Even so CISA urged critical infrastructure organizations to include in their strategies the actions needed to address risks from quantum computing capabilities.

CISA is not the only one sounding the alarm about getting started. In March, the Quantum-Safe Working Group of the Cloud Security Alliance (CSA) set a deadline of April 14, 2030, by which companies should have their post-quantum infrastructure in place.

“Do not wait until the quantum computers are in use by our adversaries to act. Early preparations will ensure a smooth migration to the post-quantum cryptography standard once it is available,” CISA said.

A Peek Into CISA's Post-Quantum Cryptography Roadmap

Documents appear to show that Israeli spyware company Intellexa sold a full suite of services around a zero-day affecting both Android and iOS ecosystems.

Last month, an unknown customer appears to have shelled out around €8 million for a full-service zero-day remote control execution (RCE) exploit. 

Screenshots shared of the zero-day exploit bill of sale are dated July 14 and show that Intellexa, a spyware company, sold a product it called Nova Suite to an unknown buyer. It promised turnkey infections for Android, as well as iOS devices. The paperwork references iOS version 15.4.1 from March, but it's unclear how many devices remain vulnerable. 

Intellexa also promised the malware is delivered with just one click and uses the browser to inject the Android and iOS payload to mobile devices. The purchase price also includes data analysis, a "magazine" of 100 other infections, and even a full year's warranty. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Receipt for €8M iOS Zero-Day Sale Pops Up on Dark Web

Low/no-code tools allow citizen developers to design creative solutions to address immediate problems, but without sufficient training and oversight, the technology can make it easy to make security mistakes.

There used to be a time where risk-averse organizations could severely limit their business users' ability to make costly mistakes. With limited technical know-how, strict permissions, and lack of tailwind, the worst thing a business user could do was download malware or fall for a phishing campaign. Those days are now gone.

Nowadays, every major software-as-a-service (SaaS) platform comes bundled with automation and application-building capabilities that are designed for and marketed directly to business users. SaaS platforms like Microsoft 365, Salesforce, and ServiceNow are embedding no-code/low-code platforms into their existing offerings, placing them directly in the hands of business users without asking for corporate approval. Capabilities that were once available only to the IT and development teams are now available throughout the organization.

Power Platform, Microsoft's low-code platform, is built into Office 365 and is a great example due to Microsoft's strong foothold in the enterprise and the rate in which it is adopted by business users. Perhaps without realizing it, enterprises are placing developer-level power in the hands of more people than ever before, with far less security or technical savvy. What could possibly go wrong?

Quite a lot, actually. Let's examine a few real-world examples from my experience. The information has been anonymized, and business-specific processes were omitted.

**Situation 1: New Vendor? Just Do It**

The customer care team at a multinational retail company wanted to enrich their customer data with consumer insights. In particular, they were hoping to find more information about new customers so that they could better serve them, even during their initial purchase. The customer care team decided on a vendor they would like to work with. The vendor required data to be sent to them for enrichment, which would then be pulled back by their services.

Normally, this is where IT comes into the picture. IT would need to build some sort of integration to get data to and from the vendor. The IT security team would obviously need to be involved, too, to ensure this vendor can be trusted with customer data and approve the purchase. Procurement and legal would have taken a key part, as well. In this case, however, things went in a different direction.

This particular customer care team were Microsoft Power Platform experts. Instead of waiting around for resources or approval, they just went ahead and built the integration themselves: collecting customer data from SQL servers in production, forwarding it all to an FTP server provided by the vendor, and fetching enriched data back from the FTP server to the production database. The entire process was automatically executed every time a new customer was added to the database. This was all done through drag-and-drop interfaces, hosted on Office 365, and using their personal accounts. The license was paid out-of-pocket, which kept procurement out of the loop.

Imagine the CISO's surprise when they found a bunch of business automations moving customer data to a hard-coded IP address on AWS. Being an Azure-only customer, this raised a giant red flag. Furthermore, the data was being sent and received with an insecure FTP connection, creating a security and compliance risk. When the security team found this through a dedicated security tool, data had been moving in and out of the organization for almost a year.

**Situation 2: Ohh, Is It Wrong to Collect Credit Cards?**

The HR team at a large IT vendor was preparing for a once-a-year "Give Away" campaign, where employees are encouraged to donate to their favorite charity, with the company pitching in by matching every dollar donated by employees. The previous year's campaign was a massive success, so expectations were through the roof. To power the campaign and alleviate manual processes, a creative HR employee used Microsoft's Power Platform to create an app that facilitated the entire process. To register, an employee would log in to the application with their corporate account, submit their donation amount, select a charity, and provide their credit card details for payment.

The campaign was a huge success, with record-breaking participation by employees and little manual work required from HR employees. For some reason, though, the security team was not happy with the way things turned out. While registering to the campaign, an employee from the security team realized that credit cards were being collected in an app that did not look like it should be doing so. Upon investigation, they found that those credit card details were indeed improperly handled. Credit card details were stored in the default Power Platform environment, which means they were available to the entire Azure AD tenant, including all employees, vendors, and contractors. Furthermore, they were stored as simple plaintext string fields.

Fortunately, the data-processing violation was discovered by the security team before malicious actors — or compliance auditors — spotted it. The database was cleaned up, and the application was patched to properly handle financial information according to regulation.

**Situation 3: Why Can't I Just Use Gmail?**

As a user, nobody likes enterprise data loss prevention controls. Even when necessary, they introduce annoying friction to the day-to-day operations. As a result, users have always tried to circumvent them. One perennial tug-of-war between creative business users and the security team is corporate email. Syncing corporate email to a personal email account or corporate calendar to a personal calendar: Security teams have a solution for that. Namely, they put email security and DLP solutions in place to block email forwarding and ensure data governance. This solves the problem, right?

Well, no. A repeated finding across large enterprises and small businesses finds that users are creating automations that bypass email controls to forward their corporate email and calendar to their personal accounts. Instead of forwarding emails, they copy and paste data from one service to another. By logging into each service with a separate identity and automating the copy-paste process with no-code, business users bypass security controls with ease — and with no easy way for security teams to find out.

The Power Platform community has even developed templates that any Office 365 user can pick up and use.

**With Great Power Comes Great Responsibility**

Business user empowerment is great. Business lines should not be waiting for IT or fighting for development resources. However, we can't just give business users developer-level power with no guidance or guardrails and expect that everything will be alright.

Security teams need to educate business users and make them aware of their new responsibilities as application developers, even if those applications were built using "no code." Security teams should also put guardrails and monitoring in place to ensure that when business users make a mistake, like we all do, it will not snowball into full-blown data leaks or compliance audit incidents.

Source

DARKReading