The global secure coding competition will be held In October, during Cybersecurity Awareness Month.

**SYDNEY, Australia — Aug. 23, 2022 —** Secure Code Warrior, the global, developer-driven security leader, today announced that it will host its second annual Devlympics secure coding competition Oct. 19-20. The competition will give developers around the world the opportunity to test their skills against vulnerabilities in code and put their secure coding skills to work. The winner will be crowned, "The Ultimate Warrior" and receive a cash prize.

Building a strong organizational culture focused on cybersecurity has never been more important in today's society, where vulnerable code in software remains quite pervasive. Secure Code Warrior is leading the way to help cultivate that culture by exciting and upskilling developers through friendly competition. In the last year alone, the company has hosted over 800 tournaments attended by more than 18,000 participants.

"Last year's inaugural Devlympics saw nearly 2,000 developers participate around the globe, and the impressive turnout further demonstrated why the developer community desires more inclusive, friendly forums like ours to engage and compete with one another to sharpen their skills," said Pieter Danhieux, CEO and co-founder, Secure Code Warrior. "We're proud to serve as that go-to tournament destination and look forward to continuing to make this the most sought after, security skills competition for years to come."

Devlympics 2022 builds on the great successes experienced during last year's inaugural event by doubling its duration (24 straight hours) and offering a wider variety of challenges. The competition is free-to-enter, and will feature two interactive arenas and 11 individual tournaments covering 45 languages. Participants will compete in hands-on challenges at varying degrees of difficulty to earn points against the clock as they climb the leaderboard.

The marquee tournament will run on Secure Code Warrior's flagship Learning Platform, allowing organizations and professionals to build their understanding of preventative secure coding techniques through an interactive, competitive tournament. In addition, developers can now access Secure Code Warrior's recently launched Secure Code Coach, the new go-to community microsite to build security skills and awareness. With a range of handy secure coding guidelines, hands-on missions, and videos, Secure Code Coach offers the latest best practices to ensure developers are equipped with all they need to ship secure code at speed.

Visit https://www.securecodewarrior.com/devlympics to learn more about Devlympics 2022.

**About Secure Code Warrior**

Secure Code Warrior builds a culture of security-driven developers by giving them the skills to code securely. Our flagship Learning Platform delivers relevant skills-based pathways, hands-on missions, and contextual tools for developers to rapidly learn, build, and apply their skills to write secure code at speed. Established in 2015, Secure Code Warrior has become a critical component for over 450 enterprises, including leading financial services, retail, and global technology companies across the world. Visit: www.securecodewarrior.com.

Secure Code Warrior Spotlights the Importance of Developer Security Skills with 2nd Annual Devlympics Competition

The scans used by the Python Package Index (PyPI) to find malware fail to catch 41% of bad packages, while creating plentiful false positives.

The scanners tasked with weeding out malicious contributions to packages distributed via the popular open source code repository Python Package Index (PyPI) create a significant number of false alerts, researchers have found. 

According to a Chainguard analysis of PyPI — the main repository for software components used in applications written in Python — the approach catches 59% of malicious packages but also flags a third of popular legitimate Python packages and 15% of a random selection of packages. 

The research aims to create a data set that Python maintainers and the PyPI repository can use to determine the efficacy of their system for scanning projects for malicious changes and supply chain attacks, the Chainguard researchers stated in a Tuesday analysis.

While the existing approach detects the majority of malware, it clearly needs significant improvements to prevent wasting project managers' time with false alarms, says Zack Newman, a senior software engineer at Chainguard, who collaborated on the research.

"These are volunteers with countless other responsibilities, not security researchers who are willing to spend all day trawling through suspicious code," he says. "They care a great deal about the security of PyPI and work very hard to improve the situation, but the return on effort just isn't there at the moment for these scanners."

False positives are the bane of many software analysis tools, and therefore security teams. Even with a system that is 100% accurate at finding malicious packages, if it has a 1% false positive rate, developers and application-security professionals would still have to dig through 200 alerts each week to determine if any of the 20,000 weekly PyPI releases are actually malicious.

"Hundreds of packages triggered alerts," Newman says. "While we did some spot checks, just a quick look isn't enough to tell for sure whether a package is malicious — that's why malware-detection tools are so important. This gave us a lot of empathy for the repository administrators, who would face this volume of alerts tenfold each week."

He adds, "To be useful, a scanner would need to reduce that false positive rate to around 0.01%, even at the expense of missing some malicious packages."

**PyPI's Malware-Scanning Approach**

PyPI aims to foil software supply chain attacks by checking packages and projects in two ways. The PyPI scans the package's _setup.py_ file using signatures to detect known suspicious patterns — expressed by YARA rules, an industry standard for creating malware signatures — that could indicate the inclusion of malicious functionality. (YARA stands for Yet Another Recursive Acronym, more of an inside industry joke than a descriptive name.) In addition, the repository's scanning tools analyze a projects commits and contributors for suspicious changes that could suggest malicious contributions.

The researchers built their data set using 168 known examples of malicious attacks on the PyPI repository. They then created a second data set with the 1,000 most-downloaded packages and the 1,000 most-imported packages, and when they eliminated duplicates, they ended up with 1,430 popular packages. Finally, they also created a data set of a random selection of 1,000 packages, which resulted in 986 random Python packages, since 14 did not have any Python code.

The popular and randomly selected packages were all assumed to be legitimate, the researchers said. In addition, the popular projects likely had better security hygiene and abided by programming best practices.

"While there is a chance that some of these packages are malicious, the chance that more than a handful of these packages is malicious is vanishingly small," they wrote in the analysis provided exclusively to Dark Reading. "Importantly, these packages are more likely to represent a package selected from PyPI at random."

**Open Source Software Repositories Remain a Cybercrime Target**

The research comes as application-security professionals and software developers look for ways to ensure the security of the open source software components that make up 78% of the code in an average program. 

The Open Source Security Foundation (OpenSSF) has launched a number of initiatives to improve the security of the open source software supply chain, including identifying the most critical packages that need more security scrutiny, and support for the adoption of SigStore, a way of cryptographically linking source code to compiled packages.

Attacks on the software supply chain have increased over the past few years. In the past month alone, security firm Kaspersky found malware in the Node Package Manager (npm) repository, while security firms Check Point and Snyk found nearly a score of malicious packages hosted on the PyPI repository service.

And it came to light that a school-aged kid in Italy uploaded multiple malicious Python packages containing ransomware scripts to PyPI, supposedly as an experiment.

It's unlikely that PyPI is alone in having problematic scanning results. Going forward, the Chainguard researchers plan to extend their analysis to evaluate at least four open source software malware analyzers, such as OSSGadget Detect Backdoor, bandit4ma, and OSSF Package Analysis, as well as translating the PyPI Malware Checks rules to SemGrep, a multilanguage open source static code analyzer.

One-Third of Popular PyPI Packages Mistakenly Flagged as Malicious

Company fortifies its ability to help organizations prepare and obtain CMMC certification.

**WASHINGTON, DC – Aug. 23, 2022 –** Coalfire Federal today announced it has been authorized by the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (The Cyber AB) as a CMMC Third-Party Assessment Organization (C3PAO). Coalfire was one of the first to be named a C3PAO candidate and is now among the first authorized by The Cyber AB to conduct CMMC assessments. The authorization fortifies the company's comprehensive compliance capabilities that enable clients to prepare for and obtain CMMC certification.

"Foreign adversaries are escalating attacks on Defense Industrial Base (DIB) organizations, compromising sensitive information, and threatening the integrity of weapons systems, platforms, tools, and materiel," said Coalfire Federal President Bill Malone. "CMMC is consistent with our mission and extends our commitment to provide cybersecurity services that enable and protect the mission of the DoD and its supply chain."

The Cybersecurity Maturity Model Certification program was created by the DoD to ensure organizations across the DIB achieve and maintain a minimum threshold level of cybersecurity to protect controlled unclassified information (CUI) and federal contract information (FCI). CMMC requirements will apply to all DIB organizations across the DoD's multitier supply chain that handle, store, or transmit CUI.

As the largest pure-play cybersecurity firm, Coalfire conducts thousands of compliance assessments every year. In addition to its early involvement as a C3PAO and CMMC RPO (Registered Provider Organization), the company is the largest FedRAMP provider, supporting more than 70% of the entire assessment, advisory, and engineering marketplace.

"With CMMC, the Department of Defense is addressing a critical problem by enhancing the cyber posture and resilience of companies across the DIB," said Malone. "Coalfire Federal is proud to have been an early participant and contributor to the formation of the accreditation body and an active participant in industry working groups and educational programs. We remain committed to working with the DoD, The Cyber AB, and the DIB to protect sensitive information and strengthen national defense."

**About Coalfire Federal**

Coalfire Federal has 20 years' experience providing cybersecurity services to a wide range of government and commercial organizations, enabling and protecting their mission-specific cyber objectives. Coalfire Federal is the leading FedRAMP 3PAO and offers a full spectrum of cybersecurity risk management and compliance services.

For more information about Coalfire Federal and CMMC, contact us at \[email protected\] or visit: www.coalfirefederal.com

Coalfire Federal Among First Authorized to Conduct CMMC Assessments

Make security training more engaging to build a strong cybersecurity culture. Here are four steps security and IT leaders can take to avoid the security disconnect.

Human error continues to be the leading cause of a cybersecurity breach. Nearly 60% of organizations experienced data loss due to an employee's mistake on email in the last year, while one in four employees fell for a phishing attack.

Employee apathy, while it may not seem like a major cybersecurity issue, can leave an organization vulnerable to both malicious attacks and accidental data loss. Equipping employees with the tools and knowledge they need to prevent these risks has never been more important to keep organizations safe.

A new report from Tessian sheds light on the full extent of employee apathy and its impact on cybersecurity posture. The report found that a significant number of employees aren't engaged in their organization's cybersecurity efforts and don't understand the role they play. One in three employees say they don't understand the importance of cybersecurity at work. What's more, only 39% say they're very likely to report a cybersecurity incident. Why? A quarter of employees say they don't care enough about cybersecurity to mention it.

This is a serious problem. IT and security teams can't investigate or remediate a threat they don't know about.

Employees play an important role in flagging incidents or suspicious activity early on to prevent them from escalating to a costly breach. Building a strong cybersecurity culture can mitigate apathy by engaging employees as part of the solution and providing the tools and training they need to work productively and securely.

**Ways to Improve Cybersecurity Culture**

Here are four ways to improve your cybersecurity culture:

*   **Deliver tailored security awareness training programs.** Global spending on security training continues to rise, but the reality is that most employees aren't engaged in this training. Nearly half (48%) of the security leaders surveyed by Tessian say that training is one of the most important influences on a positive cybersecurity posture. Despite that, only 28% of employees say security awareness training is engaging, and only half say that it is helpful. This is a major disconnect.
    
    Security training should be tailored to individual employees based on factors such as department, tenure, and geography. For example, teach remote employees about the specific types of scams that could target them, whereas the finance department should see real-world examples of wire-transfer fraud and related financial swindles. Rather than yearly or quarterly trainings, employees should receive the information they need in the moment to give context around their own cybersecurity behaviors and help them avoid mistakes.
    

*   **Implement a strong but simple incident-reporting process.** A similar disconnect between security teams and employees exists when it comes to the incident-reporting process. Tessian found that 80% of security leaders believe robust feedback loops are in place to report incidents, but nearly half (45%) of employees don't know who to report security incidents to. A well-defined, accessible reporting process can make it easy for employees to flag potential incidents and give security teams greater visibility into the organization's risk.
    
    For example, security teams can institute a single, defined process such as an email address or a phone number that employees can use to flag a suspicious email or potential cybersecurity incident. Often this process can be automated, as opposed to pulling in security team members at all hours and risking burnout. A strong reporting process will be predictable, automated where possible, and easy for employees to access without fearing they will be punished for making a cybersecurity mistake.
    

*   **Drop the fear, uncertainty, and doubt.** Punishing or shaming employees for making mistakes can lead them to disengage or feel apathy toward the cybersecurity culture. Employees won't trust nor want to engage with a security team that relies on fear or negative reinforcement.  
      
    Tessian's report found that half of employees have had a negative experience with a phishing simulation. Recent headlines show the type of backlash that can occur when companies use "gotcha" style phishing techniques designed to trick employees. Techniques like this can create an adversarial relationship between the security team and the rest of the company.
    
    A strong cybersecurity culture instills collaboration and uses positive incentives to engage employees. For example, reward employees who flag a cybersecurity incident, spot a suspicious email, or complete a training. It doesn't have to be a major investment. Peer recognition can go a long way.
    

*   **Align with the HR team.** Lastly, security training and best practices can be woven into the entire employee life cycle to foster and maintain a risk-aware organization. Security teams should partner with HR to play an active role in onboarding, offboarding, and day-to-day processes. For example, give new employees information on incident reporting and real-world examples of the scams that often target new employees.
    
    Similarly, during the offboarding process, employees should be reminded of data security processes, including why they cannot take documents and other information with them to a new job. In a separate Tessian report, 45% of employees admitted they've taken data before leaving or after being dismissed from a job. This isn't always done maliciously — many employees aren't aware of when documents belong to them and when they don't — so it's important to provide guidance.
    

**Importance of Building Strong Cybersecurity Culture**

Employees have become stewards of their organization's most sensitive data, while channels such as email have become the de facto method of communication across hybrid and remote teams. Security teams must safeguard the employees who manage data day-to-day and combat the apathy and disengagement that can lead to a costly breach.

A strong cybersecurity culture can make the difference between employees who put the organization at risk or who are actively part of the solution.

Virtually all IT and security leaders surveyed by Tessian (99%) agreed that a strong security culture is important in maintaining a strong security posture. However, if the right steps aren't taken, employees won't understand the vital role they play in protecting an organization from today's advanced threats.

Apathy Is Your Company's Biggest Cybersecurity Vulnerability — Here's How to Combat It

Engineering manager Scott Tenaglia describes how Meta extended the security red team model to aggressively protect data privacy.

As several countries and US states prepare to enact new data privacy regulations next year, some companies have begun borrowing from an approach familiar to cybersecurity teams: that the best defense is a strong offense. While security red teams made up of friendly hackers who engage in persistent penetration testing are common, some organizations are now applying that same concept to data privacy.

Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, is among those that formed a privacy red team. Scott Tenaglia, the engineering manager for Meta's privacy red team, described how and why Meta created it during a session at the Black Hat USA 2022 conference in Las Vegas.

In the session "Better Privacy Through Offense: How to Build a Privacy Red Team," Tenaglia emphasized that his presentation was just about the lessons learned from forming a privacy red team. But Meta, for years under scrutiny about how it handles user data, now emphasizes data protection. Earlier this year the company revamped its privacy policy, which it recently just referred to as a Data Policy.

"As privacy and data protection regulations have improved around the world in recent years, we've explored ideas in people-centered privacy design and have worked to make our data practices more transparent," said Meta's chief privacy officer Michel Protti in a recent blog post.

Companies are beginning to create privacy red teams modeled after security red teams, says Orson Lucas, a principal adviser for KPMG's cybersecurity services.

"We're having some early conversations about that," Lucas tells Dark Reading. "It's starting to come up as a point of conversation as a supplemental service, and it's still fairly early and exploratory, but it's something we very much see as an opportunity."

**How Privacy Red Teams Diverge**

Privacy red teams apply the same mindset as their security counterparts, but instead of trying to breach their own networks, they attempt to steal confidential data. Tenaglia acknowledged some overlap between security and privacy red teams but says there are more differences. For instance, he described the impact of attacking an Internet-connected crock pot.

"The security vulnerability might have been pretty vanilla, but the privacy impact of that vulnerability was super high," Tenaglia said. With a privacy compromise, the attacker can access a victim's location, photos, and other sensitive personal information.

"That's really a privacy impact," he said.

Similarly, the focus of a security red team includes mitigating an attack surface. The security red team engages in reconnaissance by scanning their own firewalls, and if they can't break into the network, that suggests there are no vulnerabilities, Tenaglia noted. If a member of the security red team successfully gets through the firewall, however, that would signal the need to get to the source of the vulnerabilities.

Meanwhile, a privacy red team is more focused on large-scale access to personal user information and data, Tenaglia said. A common way of mitigating that risk is by applying rate limits, allowing access to a specific amount of data during a particular time.

"Anytime you find access to sensitive data or important data, things you didn't think you shouldn't get access to, the first thing you're going to do is see how much more of it you can get. You're going to scale up that access. You're going to scrape," Tenaglia said. "If those rate limits are working well, then you probably aren't able to do much there. Otherwise, you probably need to make some tweaks to the rate limits."

**The Separate Goals of Security and Privacy Adversaries**

Tenaglia also described the differences in motives among security threat actors and privacy adversaries. Security adversaries who issue APTs tend to have infinite timescales and resources and usually target specific companies seeking to steal corporate assets. In contrast, privacy red teams go after users' individual or personal information, he said.

Despite the differences, Tenaglia said he believes in recruiting security professionals to join privacy red teams. For example, someone with in-depth knowledge of Linux or Windows makes a good candidate because of their experience breaking apart the operating system.

"We don't really want your knowledge of Windows and Linux — because of course we're not attacking those things — \[but\] we do want your skill set and your know-how to manipulate those things to apply that skill set to our platforms, Facebook, Instagram, Messenger, etc.," Tenaglia said. "And we can teach and give you the knowledge to make you successful manipulating those things."

He added that a critical requirement for someone on a privacy red team is to have privacy instincts. Aside from the distinct focus of privacy red teams, Tenaglia noted that at Meta, they partner with the legal, risk, and security teams.

Tenaglia said that the Meta privacy red team's version of a penetration test is what they call a product compromise test. Besides finding vulnerabilities that give access to user data, the attackers also look to squeeze data out of APIs, which contain various forms of data or connection to data sources. Another exploration is adversarial emulation operations, where an intruder tries to gain access to user data by creating accounts.

**The Subjectivity Issue With Privacy Findings**

Tenaglia explained that findings of privacy vulnerabilities can be much more subjective than security flaws because three different factors influence the very notion of a finding.

First, where an organization operates in the world brings different laws and regulations into effect that can influence the finding. Second, perception of privacy violation is colored by the statements an organization has issued on how it protects users' data.

And third, "even if the prior two are true — meaning your finding is in line with the company statements and it's not violating the law or regulation — you, as a user of that same platform, may say to yourself, 'For me as a user, I still don't think this means the expectation of privacy,'" Tenaglia said. "And you might want to call that a finding."

In the future, Tenaglia said he is hoping for the privacy red team to move from the subjective to the objective. For that to happen, the team needs to "understand these privacy weaknesses better, and to understand how to do privacy by design," he said. "I think we'll get there."

Meta Takes Offensive Posture With Privacy Red Team

Patients face possible disclosure of protected health information (PHI) to Meta, Facebook's parent company, resulting from an incorrect configuration of an online tracking tool.

WINSTON-SALEM, N.C., Aug. 19, 2022 /PRNewswire/ — Novant Health shared that, in an effort to be as transparent as possible, it is mailing letters to some of its patients following possible disclosure of protected health information (PHI) resulting from an incorrect configuration of a pixel, an online tracking tool.

In May 2020, as our nation confronted the beginning of the COVID-19 pandemic, Novant Health launched a promotional campaign to connect more patients to the Novant Health MyChart patient portal, with the goal of improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care. This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those efforts on Facebook. A pixel is a piece of code that organizations commonly use to measure activity and experiences on their website. In this case, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.

Immediately upon becoming aware that the pixel had the capability to transmit unintended information to Meta, Novant Health disabled and removed the pixel as a precaution and began an investigation to learn whether, and to what extent, information was transmitted. Based on that investigation, Novant Health determined on June 17, 2022, that it was possible sensitive information or PHI might have been disclosed to Meta, depending upon a user's activity within the Novant Health website and MyChart portal. This information potentially included an impacted patient's: demographic information such as email address, phone number, computer IP address, and contact information entered into Emergency Contacts or Advanced Care Planning; and information such as appointment type and date, physician selected, button/menu selections, and/or content typed into free text boxes. The information did not include Social Security numbers or other financial information unless it was typed into a free text box by the user. The letter sent to each patient will specifically state whether such financial information may have been involved.

Based on its investigation, Novant Health is unaware of any improper use or attempted use of any patient information by Meta or any other third party. According to Facebook's Terms and Conditions, they have policies and filters that block sensitive personal data and do not incorporate that information into their Ad Manager. However, to be safe and transparent, Novant Health is sending letters to all potentially impacted patients, including some who are patients of independent physicians and facilities who use the Novant Health MyChart medical record. Novant Health has also implemented more structure, governance and policies around the use of pixels and is taking actions to ensure this does not happen again.

New Hanover Regional Medical Center patients are not impacted by this incident.

In addition to the resources shared, patients may call Novant Health at 704-561-6950 or visit www.novanthealth.org/pixel. Additionally, patients may also visit https://consumer.ftc.gov/online-security to learn more about best practices to protect their information online.

Novant Health takes privacy and the care of personal information very seriously and values patient trust to keep patients' medical information private. Novant Health will continue to be as transparent as possible and provide information to patients.

About Novant Health

Novant Health is an integrated network of hospitals, physician clinics and outpatient facilities that delivers a seamless and convenient healthcare experience to communities in North Carolina, South Carolina, and Georgia. The Novant Health network consists of more than 1,800 physicians and over 35,000 team members who provide care at more than 800 locations, including 15 hospitals and hundreds of outpatient facilities and physician clinics. In 2021, Novant Health provided more than $1.1 billion in community benefit, including financial assistance and services.

For more information, please visit our website at NovantHealth.org. You can also follow us on Facebook, Instagram, Twitter and LinkedIn.

Novant Health Notifies Patients of Potential Data Privacy Incident

Google researchers say the nation-state hacking team is now employing a data-theft tool that targets Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials.

Iranian advanced persistent threat (APT) group Charming Kitten has a new data-scraping tool in its arsenal that claws emails from victim Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials, Google researchers have found.

A team from Google Threat Analysis Group (TAG) discovered the tool, dubbed Hyperscrape, last December and has been tracking it since then, it said in a new blog post.

The attacker poses as a legitimate user by either by initiating an authenticated user session that's been hijacked or via stolen credentials, and then runs the scraper to download victims' inboxes, TAG's Ajax Bash said in Google's post.

"It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail" by resulting in an error message, he explained.

If the attacker can't access the account this way, the tool displays a login page for manually entering credentials to proceed, with Hyperscrape waiting until it finds the victim's inbox page, according to Bash.

Hyperscrape appears to have been around since 2020, when its first samples were spotted. Charming Kitten — aka Phosphorus and myriad other names — continues to actively develop the tool. Attacks so far have been limited to less than two dozen accounts located in Iran, the researchers found.

**Modus Operandi**

Once logged in, Hyperscrape changes the account's language settings to English and goes through the contents of the mailbox, individually downloading messages as .eml files and marking them unread, Bash explained.

After downloading messages from the inbox, the tool reverts the language back to its original settings and deletes any security emails from Google. The tool is written in .Net for targeting Windows PCs and is designed to run on the attacker’s machine, he said.

Early versions of Hyperscrape included an option for actors to request data from Google Takeout, a feature that allows users to export their data to a downloadable archive file.

This feature would spawn a new copy of the tool and initialize a pipe communication channel to relay the cookies and account name, both of which are required to accomplish the export. Once received, the browser would navigate to the official Takeout link to request and eventually download the exfiltrated data.

The Takeout feature was never automated in the tool, however, and researchers said they’re not clear on why it was removed.

Google's researchers tested Hyperscrape specifically with a Gmail account, noting that functionality may differ for Yahoo or Microsoft email apps when under attack. Moreover, Hyperscrape won't run unless in a directory with other file dependencies, they explained.

**Furthering Objectives**

Charming Kitten is a prolific APT believed to be backed by government of Iran and known by a number of other names — including TA453, APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus.

The group — which first rose to prominence in 2018 — has been extremely active in the last several years and is best known for targeted cyber-espionage attacks against politicians, journalists, human-rights activists, researchers, scholars, and think tanks.

Some of the APT's more high-profile attacks occurred in 2020, when the group targeted the Trump and Biden presidential campaigns as well as attendees of two global geopolitical summits, the Munich Security Conference and the Think 20 (T20) Summit, in separate and various incidents.

While Hyperscrape doesn’t showcase anything groundbreaking as far as novel malware goes, it does show Charming Kitten's commitment to developing custom capabilities dedicated to a particular purpose, according to Bash.

"Like much of their tooling, HYPERSCRAPE is not notable for its technical sophistication, but rather its effectiveness in accomplishing Charming Kitten’s objectives," he explained.

And while groups like Charming Kitten often have very targeted goals for their cybercriminal activity, Google TAG's disclosure and work with law enforcement against APTs is aimed at raising awareness within both the security community and targeted companies and communities, according to the blog post.

The company encourages high-risk users to enroll in its Advanced Protection Program (APP) and use Google Account Level Enhanced Safe Browsing to ensure a high level of protection against ongoing threats.

Charming Kitten APT Wields New Scraper to Steal Email Inboxes

Security vendor Sucuri says adversaries are injecting malicious JavaScript into numerous WordPress websites that triggers phony bot-related checks.

Threat actors are spoofing Cloudflare DDoS bot-checks in an attempt to drop a remote-access Trojan (RAT) on systems belonging to visitors to some previously compromised WordPress websites.

Researchers from Sucuri recently spotted the new attack vector while investigating a surge in JavaScript injection attacks targeting WordPress sites. They observed the attackers injecting a script into the WordPress websites that triggered a fake prompt claiming to be the website verifying if a site visitor is human or a DDoS bot.

Many Web application firewalls (WAFs) and content distribution network services routinely serve up such alerts as part of their DDoS protection service. Sucuri observed this new JavaScript on WordPress sites triggering a fake Cloudflare DDoS protection pop-up.

Users who clicked on the fake prompt to access the website ended up with a malicious .iso file downloaded onto their systems. They then received a new message asking them to open the file so they can receive a verification code for accessing the website. "Since these types of browser checks are so common on the web many users wouldn't think twice before clicking this prompt to access the website they're trying to visit," Sucuri wrote. "What most users do not realize is that this file is in fact a remote access trojan, currently flagged by 13 security vendors at the time of this post."

**Dangerous RAT**

Sucuri identified the remote-access Trojan as NetSupport RAT, a malware tool that ransomware actors have previously used to footprint systems before delivering ransomware on them. The RAT has also been used to drop Racoon Stealer, a well-known information stealer that briefly dropped out of sight earlier this year before surging back on the threat landscape in June. Racoon Stealer surfaced in 2019 and was one of the most prolific information stealers of 2021. Threat actors have distributed it in a variety of ways, including malware-as-a-service models and by planting it on websites selling pirated software. With the fake Cloudflare DDoS protection prompts, threat actors now have a new way of distributing the malware.

"Threat actors, particularly when phishing, will use anything that looks legitimate to fool users," says John Bambenek, principal threat hunter at Netenrich. As people get used to mechanisms like Captcha's for detecting and blocking bots, it makes sense for threat actors to use those same mechanisms to try to fool users, he says. "This not only can be used to get people to install malware, but could be used for 'credential checks' to steal credentials of major cloud services (such as) Google, Microsoft, and Facebook," Bambenek says.

Ultimately, website operators need a way to tell the difference between a real user and a synthetic one, or a bot, he notes. But often the more effective the tools for detecting bots get, the harder they get for users to decode, Bambenek adds.

Charles Conley, senior cyber security researcher at nVisium, says that using content spoofing of the kind that Sucuri observed to deliver a RAT is not especially new. Cybercriminals have routinely spoofed business-related apps and services from companies such as Microsoft, Zoom, and DocuSign to deliver malware and trick users into executing all kinds of unsafe software and actions.

However, with browser-based spoofing attacks, default settings on browsers such as Chrome that hide the full URL or operating systems like Windows that hide file extensions can make it harder for even discerning individuals to tell what they're downloading and where it's from, Conley says.

Fake DDoS Protection Alerts Distribute Dangerous RAT

HD Moore's company has rebranded its IT, IoT, and OT asset discovery tool as the platform rapidly evolves.

HD Moore's company has rebranded its IT, IoT, and OT asset discovery tool as the platform rapidly evolves.

Source: HD Moore

Renowned security industry pioneer HD Moore — creator of the wildly popular Metasploit hacking toolkit — has renamed his startup Rumble to runZero in a nod to how its platform has evolved since its inception in 2019.

Moore initially built the IT asset discovery tool Rumble Network Discovery after years of witnessing firsthand as a penetration tester that organizations can't properly find, track, and manage IT devices on their networks, nor the security posture of those devices. He pioneered major research scanning for and discovering all types of exposed devices on the public Internet, ultimately developing the Rumble IT asset discovery tool that finds and fingerprints devices and their status on the network.

According to a blog post on the rebranding, the new name better reflects how the platform has evolved. Moore, the chairman and founding CTO of the startup, originally named the platform (and company) "Rumble" to mean "discover," but now that the platform can do more than find assets, he decided to rename it.

"Rumble was the perfect name for us at the time, but we've outgrown it. Each new integration we've added has extended Rumble's capabilities beyond discovery, by enriching asset data and uncovering coverage gaps in other IT and security tools," the company said in a blog post.

Moore's company received $5 million in venture capital in 2021.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Editors' Choice

Robert Lemos, Contributing Writer, Dark Reading

Jai Vijayan, Contributing Writer, Dark Reading

Ericka Chickowski, Contributing Writer, Dark Reading

Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

Metasploit Creator Renames His Startup and IT Discovery Tool Rumble to 'runZero'

Alternative cloud providers offer streamlined capabilities for penetration testing, including more accessible tools, easy deployment, and affordable pricing.

Cloud data breaches are on the rise. In 2022, 45% of organizations reported a breach or compliance audit failure, representing a 5% increase from the year before. And just 11% reported that more than 80% of their sensitive data in the cloud is encrypted. With the help of red-team penetration testing, infosec developers have the ability to patch vulnerabilities before they reach end users. And as attacks continue to expand, red-team activities in the cloud are an absolute must for most organizations, and take up a growing chunk of infosec developers' time.

As a crucial layer of protection for businesses, infosec teams need technologies that make their work easier. Yet today, many cloud providers make security complex by overcomplicating either the deployment of required infrastructure or the pricing structure. This has to change. It's time for cloud providers to empower infosec developers with the right tools, platforms, and pricing to support essential testing and security work. Or risk breaches that cost money, reputation, and time.

**Companies Deserve Full Capabilities and Affordable Costs**

Security starts with the right strategy and tool set. When it comes to red-team activities, Kali is a top choice. A lightweight Linux distribution, Kali is open source and Debian-based, with a full suite of security testing tools. But Kali can be hard to use on some of the most popular cloud providers, like Amazon Web Services (AWS).

For one thing, deploying Kali Linux onto a cloud instance can be tedious and time consuming, especially if installing directly from an ISO using workarounds or exporting from a local VM. For example, though a penetration tester can set up a Kali Linux instance on Amazon's cloud, it's only available as an Amazon Machine Image (AMI) that runs Kali Linux on the Amazon Marketplace. This image doesn't include the full range of Kali's capabilities.

In addition to a challenging manual setup process, companies also need to grapple with pricing complexity — a problem that doesn't just affect finance teams but trickles down to developers too. Depending on the scope, size, and thoroughness of the engagement, penetration testing may require many instances and significant amounts of egress. On major cloud providers, these needs can run up a large bill. On top of that, pricing complexity may make these costs difficult to accurately estimate, placing an unfair responsibility on infosec professionals, developers, and business owners that may be expected to foresee (and prevent) high price tags.

While enterprise companies may not be concerned about these factors — they may have massive infosec teams to handle setup and deep pockets to deal with costs — small businesses will likely be more wary. As they grapple with a talent shortage and relatively tight budgets, they need partners that can support them in a different, more holistic way. Enter alternative cloud providers.

Though Kali is widely available, deploying it with a partner that offers deeper functionality and more thorough support at a fair cost is simply more practical, especially for SMBs. For security professionals in the cloud space to get the most of Kali, it must be offered as an officially supported distribution that can easily be deployed on any cloud instance. This ensures that the full range of testing opportunities and configurations supported by Kali Linux can easily run in the cloud. Akamai Linode offers Kali this way, giving end users access not only via the distribution but also as an app in Linode's marketplace. Another key differentiator is that alternative providers typically offer a higher level of support than other providers, helping SMBs tackle that tough initial setup, often with no added costs.

Pricing in general, not just for support, is more accessible through alternative providers as well. These players not only have more predictable, transparent costs thanks to flat rates, but some — like Linode — have generous transfer allowances and comparatively low overage costs. That's game-changing for penetration testers that deal with plenty of egress. Without worry about incurring significant extra costs, they can freely run the testing they need to protect their organizations.

**Consider Alternative Cloud Providers for Security Testing**

Every organization using cloud, no matter how small, should be doing security testing: cloud misconfiguration is the initial attack vector for 15% of all data breaches. And with breaches costing companies as much as $4 million dollars, they simply can't afford the risk.

As threats continue to grow, thorough and well-honed penetration testing is more important now than ever. And infosec teams need support. Let's arm these vital teams with key tools, easier deployment, and clearer, more affordable pricing schemes.

**About the Author**

    

Billy Thompson is a Solutions Engineering Manager on Akamai, Linode Compute, helping customers design portable architectures, and deploy them at scale for technical and business teams. Billy holds a degree in information security and has a special interest in IaC, Kubernetes, big data engineering, and Python and Rust programming languages. He is a longtime Arch Linux user and vegan, and never knows which to tell people first. Outside of work, he studies jujitsu, muay thai, and boxing. He also volunteers at his home for fostering and acclimating rescue dogs.

Source

DARKReading