The malware is being used to deliver Clop ransomware, in a vicious spate of October attacks that show an evolution in its methods.

The Raspberry Robin cyber-worm operation has infected nearly 3,000 devices in almost 1,000 organizations in the last 30 days, according to Microsoft telemetry — and the threat seems to be molting into something new.

Raspberry Robin was initially spotted back in May, infecting targets via infected USB drives and worming to other endpoints — but then remaining dormant. That changed in July, when Microsoft security researchers saw Raspberry Robin importing the FakeUpdates malware to devices where it was nesting. Further exploration of the activity revealed some infrastructure overlaps with the infamous Dridex Trojan and the Evil Corp (aka DEV-0243) ransomware gang.

Since then, Raspberry Robin has also started deploying IcedID, Bumblebee, and Truebot, according to a Microsoft update on Oct. 27, with researchers uncovering a notable spate of attacks in October that have resulted in Clop ransomware infections. The threat has also taken flight beyond its initial USB access vector, researchers noted, and is now capable of using at least four different methods for gaining purchase on devices.

The computing giant attributes the post-compromise Clop activity to a group it tracks as DEV-0950 -- aka FIN11 or TA505 -- indicating that Raspberry Robin is establishing itself iin the wider cybercrime economy.

"DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages," Microsoft researchers noted.

They added, "Given the interconnected nature of the cybercriminal economy, it's possible that the actors behind these Raspberry Robin-related malware campaigns — usually distributed through other means like malicious ads or email — are paying the Raspberry Robin operators for malware installs."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Raspberry Robin's Cyber Worm Infects Thousands of Endpoints

A malicious employee was behind hateful, violent messages on the Post's website and Twitter account, the paper has confirmed.

New York Post readers are accustomed to cheeky headlines, but Thursday morning the news outlet's website and Twitter account were plastered with racist, violent, and explicit messages targeting politicians.

"The New York Post has been hacked," an early morning tweet from the Post's account explained. "We are currently investigating the cause."

The messages have been removed, but they targeted Rep. Alexandria Ocasio-Cortez; President Joe Biden and his son Hunter Biden; New York City Mayor Eric Adams; Texas Governor Greg Abbott; and Ill. Rep. Adam Kinzinger, along with others.

One of the tweets sent by the malicious insider read, "We must destroy and imprison Union teachers."

The site and the New York Post's Twitter feed are currently functioning normally. But the incident highlights the danger that insider threats, armed with credentials, can pose to a business.

"The New York Post's investigation indicates that the unauthorized conduct was committed by an employee, and we are taking appropriate action," a spokesperson for the publication said in a statement following the incident. "This morning, we immediately removed the vile and reprehensible content from our website and social media accounts."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NY Post Falls Victim to Insider Threat

Even if the security bug is not another Heartbleed, prepare like it might be, they note — it has potentially sprawling ramifications.

Organizations have five days to prepare for what the OpenSSL Project on Oct. 26 described as a "critical" vulnerability in versions 3.0 and above of the nearly ubiquitously used cryptographic library for encrypting communications on the Internet.

On Tuesday, Nov. 1, the project will release a new version of OpenSSL (version 3.0.7) that will patch an as-yet-undisclosed flaw in current versions of the technology. The characteristics of the vulnerability and ease with which it can be exploited will determine the speed with which organizations will need to address the issue.

**Potentially Huge Implications**

Major operating system vendors, software publishers, email providers, and technology companies that have integrated OpenSSL into their products and services will likely have updated versions of their technologies timed for release with the OpenSSL Project's disclosure of the flaw next Tuesday. But that will still leave potentially millions of others — including federal agencies, private companies, service providers, network device manufacturers, and countless website operators — with a looming deadline to find and fix the vulnerability before threat actors begin to exploit it.

If the new vulnerability turns out to be another Heartbleed bug — the last critical vulnerability to impact OpenSSL — organizations and indeed the entire industry are going to be under the gun to address the issue as quickly as possible.

The Heartbleed vulnerability (CVE-2014-0160), disclosed in 2014, basically gave attackers a way to eavesdrop on Internet communications, steal data from services and users, to impersonate services, and do all this with little trace of their ever having done any of it. The bug existed in OpenSSL versions from March 2012 onward and affected a dizzying range of technologies, including widely used Web servers such as Nginx, Apache, and IIS; organizations such as Google, Akamai, CloudFlare, and Facebook; email and chat servers; network appliances from companies such as Cisco; and VPNs.

The disclosure of the bug triggered a frenzy of remedial activity across the industry and sparked concerns of major compromises. As Synopsys' Heartbleed.com site noted, Apache and Nginx alone accounted for a market share of over 66% of active sites on the Internet at the time Heartbleed was disclosed.

There's no telling, until Tuesday at least, if the new flaw will be anything like Heartbleed. But given the almost critical-infrastructure-like use of OpenSSL for encryption across the Internet, organizations would do well not to underestimate the threat, security experts said this week.

**Security Orgs Should Brace for Impact**

"It is a bit difficult to speculate about the impact, but past experience has shown that OpenSSL doesn't use the label 'critical' lightly," says Johannes Ullrich, dean of research at the SANS Institute.

OpenSSL itself defines a critical flaw as one that enables significant disclosure of the contents of server memory and potential user details, vulnerabilities that can be exploited easily and remotely to compromise server private keys.

Version 3.0, the current release of OpenSSL, is used in many current operating systems, such as Ubuntu 22.04 LTS and MacOS Mavericks and Ventura, Ullrich notes. Organizations can expect to receive Linux patches quickly and likely at the same time as the OpenSSL bulletin on Tuesday. But organizations should get ready now, finding out which systems use OpenSSL 3.0, Ullrich says. "After Heartbleed, OpenSSL introduced these preannouncements of security patches," he says. "They are supposed to help organizations prepare. So, use this time to find out what will need patching."

Brian Fox, co-founder and CTO at Sonatype, says that by the time the OpenSSL Project discloses the bug Tuesday, organizations need to identify if they are using a vulnerable version anywhere in their technology portfolio, which applications are using it, and how long it would take for them to remediate the issue. 

"Potential reach is always the most consequential piece of any major flaw," Fox notes. "In this instance, the largest challenge with updating OpenSSL is that often this usage is embedded inside of other devices." In these instances, it can be hard to assess exposure without asking the upstream provider of the technology, he adds.

Anything that communicates with the Internet securely could potentially have OpenSSL built in to it. And it's not just software that can be affected but hardware as well. The advance notice that the OpenSSL Project provided should give organizations time to prepare. "Finding what pieces of software or devices is the first step. Organizations should do that now, and then patching or sourcing updates from the upstream vendors will follow," Fox says. "All you can do at the moment is inventory."

**An Entire Ecosystem Might Need to Update**

A lot will also depend on how vendors of products with vulnerable versions of OpenSSL embedded in them respond to the disclosure. The OpenSSL Project's release of the new version on Tuesday is only the first step. "An entire ecosystem of applications built with OpenSSL will also have to update their code, release their own updates, and organizations will need to apply them," says John Bambenek, principal threat hunter at Netenrich.

Ideally, organizations that have dealt with Heartbleed will have an idea of where their OpenSSL installs are and which of their vendor products will require an update as well. "This is why software bills of materials can be important," Bambenek says. "They can take this time to reach out and understand their suppliers and vendors plans for updates to make sure those updates are applied as well." One likely issue that organizations need to be prepared for is how to deal with end-of-life products for which updates are not available, he adds.

Mike Parkin, senior technical engineer at Vulcan Cyber, says that without evidence of exploit activity and associated indicators of compromise, it is best that organizations follow their normal change management process for when a known update is on the way. "On the security side, it's worth putting some additional focus on systems that might be affected if an exploit emerges before the new release drops," he advises.

There's not enough information in OpenSSL Project's announcement to say how much work will be involved in the upgrade, "but unless it requires updating certificates, the upgrade will probably be straightforward," Parkin predicts.

Also on Nov. 1, the OpenSSL project will release OpenSSL version 1.1.1s, which it described as a "bug-fix release." Version 1.1.1, which it replaces, is not susceptible to the CVE that is being fixed in 3.0, the project noted.

Prepare Now for Critical Flaw in OpenSSL, Security Experts Warn

A bipartisan bill aims to create a usable framework for the use of open source components when building applications, which Google is urging the private sector to support.

Google is throwing its considerable weight behind a proposed U.S. government-led policy framework aimed at shoring up security for open source software, urging the private sector to support the initiative.  

The Securing Open Source Software Act introduced in the Senate last month \[PDF\] is a bipartisan bill that would create a security and risk-mitigation blueprint for the federal government's use of open source software.

"We are glad to see a continued emphasis on the importance of open-source software security from the U.S. government, and we hope that both public and private organizations will follow their lead to promote improved cybersecurity for the ecosystem at large," noted Royal Hansen, engineering vice president for Google’s trust and safety team, in an Oct. 27 blog post.

Open source software code, i.e., the freely available building blocks for applications of all stripes, is fundamentally the engine that drives modern digital enterprise. But malicious cyber activity against the software supply chain has infamously spiraled in the past few quarters, from SolarWinds to Log4Shell to a cornucopia of malicious and poisoned projects and packages popping up in trusted code repositories like npm.

Hansen noted that "seemingly simple questions about the open-source supply chain are still difficult to answer," including:

*   Does a project contain known vulnerabilities?
*   Are the project’s maintainers and community following security best practices during software development?
*   What open source dependencies are part of a particular piece of software?
*   How secure was the distribution supply chain?

Google has been actively working on the problem, through initiatives like extending its bug-bounty efforts to open source. The industry has championed approaches like software bills of material (SBOMs) and automated code reviews to help catch vulnerable pieces before they propagate too far across the landscape. Google and other tech giants have also invested millions into nonprofit organizations and software foundations like the Open Source Security Foundation to support open source creators. On the policy side, the US government has embraced SBOMs for agencies, among other moves.

The new federal legislation, if it passes, will encourage more public-private partnership, and bring the public sector to the table in even more meaningful ways, according to the tech behemoth.

"Securing open-source software is a shared responsibility, and we look forward to continued collaboration on this urgent, critical problem," Hansen said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Trumpets US Federal Open Source Security Initiative

Industry-first unified identity platform provides the building blocks to help businesses build and operate their unique identity process end-to-end.

**SAN FRANCISCO, Oct. 27, 2022 /PRNewswire/ —** Persona today launched the next evolution of its unified identity platform to help businesses mitigate online fraud and meet ever-evolving compliance standards. The new Persona platform connects, centralizes and orchestrates all fragmented identity data, disparate systems and identity operations under a single infrastructure. Leading companies—including Square, Gusto, Revel, Toast, Coursera, and Dapper Labs—leverage Persona to quickly adapt to evolving fraud techniques and regulatory compliance requirements—all while creating a frictionless experience for customers.

"With rising fraud rates and tightening regulation, organizations need to ensure the people and businesses they work with are who they say they are," said Rick Song, CEO, Persona. "But the way businesses manage and verify their customers' identities today is purely transactional. This is because identity is ever-evolving and incredibly resource-intensive to manage. No use case is created equal. The rigor necessary for a company to verify one user might drastically differ from another due to a number of factors, including transaction risk, location and associated regulations. And applying a one-size-fits all approach leads to high failure rates and frustrated customers."

**The New Persona Platform: Building Blocks for Identity Operations**

In order for businesses to effectively mitigate fraud and stay compliant, they need to be able to customize the way they interact and build a relationship with each user. Persona's configurable building blocks allow organizations to tailor and streamline each stage of their unique identity processes. Solutions include:

*   **Verifications:** the industry's most robust and fully-automated suite of international verification tools—e.g., database, documentary, biometric, digital ID, and behavioral signals.
*   **Dynamic Flow:** the first dynamic risk assessment engine that customizes the way businesses collect and verify information based on real-time signals.
*   **Cases:** a fully-customizable investigation center that can be tailored and optimized for every team's unique internal review processes.
*   **Workflows:** a flexible no-code identity process automation builder that can ingest data, automate complex decisions, and trigger actions.
*   **Graph:** a link analysis and fraud investigation solution that proactively surfaces hidden fraud rings and detects new fraud patterns.
*   **Marketplace:** a robust library of integrations with identity data providers and business productivity applications that enables organizations to unsilo and connect identity data to their business systems for better decision-making and automation.

Each of Persona's products work independently and in tandem with each other, allowing businesses to build their ideal solution for any use case. Two of Persona's newest solutions, Graph and Marketplace, illustrate how Persona's building blocks work together seamlessly to power all identity operations from end to end in one place.

For example, if a business is having trouble preventing duplicate account fraud, they can use the Marketplace to consolidate active and passive signals from Persona with third-party signals, such as data from partners including Chainalysis and SentiLink. Graph then takes that information and surfaces suspicious patterns to prevent fraud before it escalates. Finally, the business can use the business platform integrations from the Persona Marketplace to automate any follow-up actions, such as updating accounts in Salesforce or closing out tickets in Zendesk.

Song continued, "In today's constantly changing digital landscape, organizations struggle to balance fraud mitigation and conversion optimization without putting a huge strain on their operations team. With Persona's re-architected platform, companies can tackle every identity need—from identity verification to fraud review—individually, or orchestrate and safeguard their identity operations from end to end by combining building blocks on one cohesive platform."

**ABOUT PERSONA**

Persona offers a unified identity platform that gives businesses the building blocks they need to securely collect, verify, manage, and make decisions about individuals' and businesses' identities—along with automation and orchestration tools to streamline the entire process from end to end.

Founded in 2018, Persona is headquartered in San Francisco and is available in 200+ countries and territories and 20 different languages. Persona serves any business that needs to verify its customers online, including retail, fintech, marketplace, delivery services, real estate and hospitality, HR, edtech, legal services, home and childcare services, and more. For additional information, please visit https://withpersona.com/.

Persona Launches Unified Identity Platform to Fight Fraud and Reduce Compliance Risk

70% of investors on the cap table are women.

**TORONTO – October 27, 2022** **—** Cybersecurity startup Protexxa today announced it has raised CAD$4 million in seed funding. The company, which launched at an intimate event earlier this month, aims to address the risk to businesses resulting from gaps in personal cybersecurity for both companies and individuals. Its seed funding round was led by BKR Capital, which makes transformational investments in disruptive companies and promising Black technology founders. The Firehood Angels and several angel investors, including Jeff Fettes, Annette Verschuren, and Leen Li also participated in the round. The funds will be used to build out the cybersecurity platform with assisted remediation technology, facilitate pilots with global customers, and prepare to scale its operations. The company is currently in the process of filing several patents.

Protexxa is the brainchild of global information technology leader and cybersecurity executive Claudette McGowan. Prior to Protexxa, McGowan held the role of Global Executive Officer for Cybersecurity at TD Bank. As she is passionate about advancing women in technology, 70% of Protexxa investors are women.

**Protexxa Personalized Cybersecurity Protection Platform**

Of the 4.95 billion global internet users, half are victims of cybercrime and most don’t even realize they have been compromised. Protexxa is addressing the human element of cybersecurity by connecting the dots between personal cyber hygiene and business risk. Using artificial intelligence (AI), the Protexxa platform rapidly identifies, evaluates, predicts, and resolves common cyber issues. With 43% of cyberattacks aimed at small businesses, cyber solutions for businesses of all sizes are needed now more than ever.

Protexxa’s personalized cybersecurity protection platform is currently being piloted across several industries including government, academia, and healthcare.

“Since the pandemic, cybercrime has quadrupled and continues to accelerate. Our goal is to be part of the solution. Through Protexxa, we will democratize cybersecurity by making it more accessible for both businesses and individuals,” says McGowan, who is at the helm of Protexxa in the role of Chief Executive Officer. “The key is to connect the dots on how personal cyber hygiene can affect an organization. This means identifying blind spots and building out personalized training, assessment, and awareness plans to move cyber health in a positive direction.”

**Protexxa Advisory Circle**

As Protexxa Advisory Chair, Jodi Kovitz leads the company’s Advisory Circle, which includes notable executives such as Wes Hall, Chairman of Kingsdale; Sherry Shannon-Vanstone, former CEO of Trustpoint and now CEO of Profound Impact; Yung Wu, CEO of MaRS; Jean Augustine, CEO of Jean Augustine Centre for Young Women's Empowerment; and Larissa Holmes, former Chief Talent Officer at Borrowell.

**Cyber Security Fast Facts**

*   90% of digital breaches and attacks are caused by human error.
*   Remote work and lockdowns has resulted in a 50% increase in worldwide internet traffic, leading to new cybercrime opportunities.
*   Global spending on cybersecurity exceeded $1 trillion in 2021.
*   More than 90% of successful attacks against businesses originate from phishing.
*   $21 billion is anticipated to be spent annually on training and cyber awareness by 2027.

**About Protexxa**

Protexxa is a B2B SaaS cybersecurity startup that connects the dots between personal cyber hygiene and business risk. Using artificial intelligence (AI), the Protexxa platform rapidly identifies, evaluates, predicts, and resolves common cyber issues. With a key focus on prevention and increasing global cyber literacy, Protexxa also offers personalized training and consulting for companies worldwide. For additional information, visit protexxa.com.

Cybersecurity Startup Protexxa Raises $4 Million in Seed Funding to Protect Businesses and Individuals Online as Cybercrime Accelerates

A novel campaign is using an emerging URL redirection tactic to try to trick business users and others into clicking on an embedded link and giving up credentials.

Threat actors are targeting Instagram users in a new phishing campaign that uses URL redirection to take over accounts, or steal sensitive information that can be used in future attacks or be sold on the Dark Web.  

As a lure, the campaign uses a suggestion that users may be committing copyright infringement — a great concern among social media influencers, businesses, and even the average account holder on Instagram, researchers from Trustwave SpiderLabs revealed in an analysis shared with Dark Reading on Oct. 27.

This type of "infringement phishing" was also seen earlier this year, in a separate campaign targeting users of Facebook — a brand also under Instagram parent company Meta — with emails suggesting users had violated community standards, the researchers said.

"This theme is not new, and we have seen it from time to time over the last year," Homer Pacag, Trustwave SpiderLabs security researcher, wrote in the post. "It’s the same copyright infringement trickery again, but this time, the attackers gain more personal information from their victims and use evasion techniques to hide phishing URLs."

That evasion comes in the form of URL redirection, an emerging tactic among threat actors who are evolving their phishing techniques to be sneakier and more evasive as internet users get more savvy.

Instead of attaching a malicious file that a user must click on to reach a phishing page — something that many people already know seems suspicious — URL redirection includes in a message an embedded URL that appears legitimate but which ultimately leads to a malicious page that steals credentials instead.

**Bogus Copyright Report**

The Instagram campaign that researchers discovered begins with an email to a user notifying him or her that complaints were received about the account infringing upon copyright, and that an appeal to Instagram is necessary if the user doesn't want to lose the account.

Anyone can file a copyright report with Instagram if the account owner discovers that their photos and videos are being used by other Instagram users — something that happens often on the social media platform. Attackers in the campaign are taking advantage of this to try to trick victims into giving away their user credentials and personal information, Pacag wrote.

The phishing emails include a button with a link to an "appeals form," informing users they can click the link to fill out the form and later will be contacted by an Instagram representative.

Researchers analyzed the email in a text editor and found that, rather than directing users to the Instagram site to fill out a legitimate report, it employs URL redirection. Specifically, the link uses a URL rewrite or redirector to a site owned by WhatsApp — hxxps://l\[.\]wl\[.\]co/l?u= — followed by the true phishing URL — hxxps://helperlivesback\[.\]ml/5372823 — found in the query part of the URL, Pacag explained.

"This is an increasingly common phishing trick, using legitimate domains to redirect to other URLs in this fashion," he wrote.

If a user clicks on the button, it opens his or her default browser and redirects the user to the intended phishing page, going through a few steps ultimately to steal user and password data if the victim follows through, the researchers said.

**Step-by-Step Data Harvesting**

First, if the victim enters his or her username, the data is sent to the server via the form "POST" parameters, the researchers said. A user is prompted to click a "Continue" button, and if this is done, the page displays the typed username, now prefixed with the typical "@" symbol used to signify an Instagram username. Then the page asks for a password, which, if entered, also is sent to the attacker-controlled server, the researchers said.

It's at this point in the attack where things deviate slightly from a typical phishing page, which is usually satisfied once a person enters their username and password into the appropriate fields, Pacag said.

The attackers in the Instagram campaign don't stop at this step; instead, they ask the user to type in his or her password once more and then fill in a question field asking in which city the person lives. This data, like the rest, also is sent back to the server via "POST," Pacag explained.

The last step prompts the user to fill in his or her telephone number, which presumably attackers can use to get past two-factor authentication (2FA) if it's enabled on an Instagram account, the researchers said. Attackers also can sell this info on the Dark Web, in which case it can be used for future scams that initiate via telephone calls, they noted.

Once all of this personal info is harvested by attackers, the victim is finally redirected to Instagram's actual help page and the beginning of the authentic copyright reporting process used to initiate the scam.

**Detecting Novel Phishing Tactics**

With URL redirection and other more evasive tactics being taken by threat actors in phishing campaigns, it's getting harder to detect — for both email security solutions and users alike — which emails are legitimate and which are the product of malicious intent, the researchers said.

"It can be difficult for most URL detection systems to identify this deceptive practice, as the intended phishing URLs are embedded mostly in the URL query parameters," Pacag said.

Until technology catches up with the constantly changing tactics of phishers, email users themselves — especially in a corporate setting — need to maintain a higher degree of alert when it comes to messages that appear suspicious in any way to avoid being fooled, the researchers said.

Ways users can do this are by checking that URLs included in messages match the legitimate ones of the company or service that claims to be sending them; only clicking on links in emails that come from trusted users with whom people have communicated with previously; and checking with IT support before clicking on any embedded or attached link in an email.

Cyberattackers Target Instagram Users With Threats of Copyright Infringement

Successful bug bounty programs strike a balance between vendor benefits and researcher incentives.

As vulnerabilities continue to take center stage and organizations look to launch bug bounty and security assurance programs, the competition for good researchers is fierce. But it can be hard for prospective researchers to evaluate these programs. Some common questions include what are the current rates for common vulnerabilities? How experienced is the team performing the report triage work? Does a security team or expert make the decisions about what classifies as a vulnerability?

Researchers generally doubt that a product and development team can fairly classify a bug report as a security vulnerability because of a perceived lack of security expertise. Instead, they tend to trust a program more if a dedicated security team (like ProdSec, AppSec, PSIRT, etc.) makes the decision about whether a report is a security vulnerability.

Security researchers also like to review program statistics, which often includes total payouts for the previous year. Higher total payouts often indicate there are more bugs to be found, where lower payouts may mean fewer bugs and/or rewards. They also care about average time to triage, or the time between submission and acknowledgement of a valid or invalid vulnerability. This can tell researchers if the program is experienced and sufficiently supported.

Time between submission and payment, or average time to bounty, is also important. Again, shorter is better and often means the program doesn't have funding issues and values the researcher's time. Longer bounty turnarounds can seed uncertainty.

It's no secret that vendors prefer lower severity bounties and lower payouts, while researchers like higher ones. A lower payout average may lead to the belief that vulnerabilities will be downplayed, and higher severity issues may not get the attention they deserve. High payouts may signal to researchers that no low-hanging fruit exists, which could dissuade new researchers from joining the program. It could also signal that the time investment to find a vulnerability is very high. Often a moderate payout average is best.

Another area that can dissuade researchers involves the legality of vulnerability reporting. Coordinated vulnerability disclosure policies can be tricky to follow when one party doesn't feel valued. Safe Harbor is a promise but can also appear as a threat.

Safe Harbor is a clause added to a vulnerability disclosure program policy that outlines that the security researcher shall not need to fear legal consequences (and may even be provided extra protections) by the target of their security research if that research is performed in good faith and in cooperation with the target. This leads to researchers wanting to know how vendors handle violations or how to get support when a vendor is not following their own stated policies. These are important processes to have defined.

What do researchers value in a program? In my experience, there are six primary areas.

**Speed**

As mentioned previously, faster is better. Researchers want decision-making, responses, vulnerability disclosure, and rewards distributed quickly.

**Humanity**

Researchers want to hear from people, not a corporation or its lawyers. They want to be treated and spoken to like a human being, not as researching robots.

**Transparency and Accessibility**

There should be as few barriers as possible when submitting a bug report. Do the researchers need a tax ID, email address, or encryption software? How can a researcher best engage with a vendor and program? What tools, software, hardware, training do the researchers need to invest in? And how does or will the vendor invest in its researcher population? Answer these questions and be transparent.

**Expertise**

Researchers spend time learning about a product and how it works before they can find ways to break it or make it do things it was not designed for. As a result, they expect that the people reading their reports have at least that same level of expertise.

**Advocacy**

Researchers don't work for the vendor; that's one reason why they submit through a bug bounty program. They can't be involved in all the conversations, so they need an advocate inside the company.

**Recognition/Rewards**

Bug bounty programs are a mutation of a vulnerability disclosure program (VDP), which is entirely based on the concept of "See something, say something," but offers a reward incentive instead of just simply doing it because it is the right thing to do. Ensuring that the incentives offered match the goals of the researcher is crucial. Do they want to be recognized or stay hidden? Do they want payment? Are they even allowed to receive rewards?

For vendors, there's a lot to consider when attracting talented researchers. Present program statistics at least annually (if not in real-time). Publish the decision matrix for rewards and recognition so researchers know what it takes to get a top bounty. Make documentation available that explains the process a bug report undergoes once it leaves the hands of the researcher. Set service-level agreements for key steps in the process and publish stats about how well the team meets them. Use human language, and understand that everyone makes mistakes in this process, but they're rarely malicious. Seek first to understand before casting judgement.

Finally, if you want to learn more about bug bounties, consider these organizations: Bug Bounty Community of Interest, FIRST, and OWSP. As bug bounty programs mature and become more humanized, vendors and researchers can work together to create policies and processes that are rewarding for all involved.

How to Attract Top Research Talent for Your Bug Bounty Program

Cybercriminal groups are targeting misconfigured Docker and Kubernetes clusters — or just automating the sign-up process for free trial accounts — to build infrastructure for cryptomining.

Cryptojacking is creeping back, with attackers using a variety of schemes to leech free processing power from cloud infrastructure to focus on mining cryptocurrencies such as Bitcoin and Monero.

Cryptominers are using the availability of free trials on some of the largest continuous integration and deployment (CI/CD) services to deploy code and create distributed mining platforms, according to Sysdig, a provider of security for cloud-native services. Attackers are also targeted misconfigured Kubernetes and Docker instances to gain access to the host systems and run cryptomining software, cybersecurity services firm CrowdStrike warned this week.

Both tactics are really just trying to cash in on the rise of digital currencies at someone else’s expense, says Manoj Ahuje, a senior threat researcher for cloud security at CrowdStrike.

"As long as the compromised workload is available, in essence, it is free compute — for a cryptominer, that’s a win in itself as his input cost becomes zero," he says. "And ... if an attacker can compromise a large number of such workloads effectively by crowdsourcing the compute for mining, it helps to reach the goal faster and mine more in the same amount of time."

Cryptomining efforts are increased over time, even as the value of cryptocurrencies have plunged in the past 11 months. Bitcoin, for example, is down 70% from its peak in November 2021, affecting many cryptocurrency-based services. However, the latest attacks show that cybercriminals are looking to pick off the lowest hanging fruit.

Compromising providers' cloud infrastructure may not appear to harm businesses, but the cost of such hacks will trickle down. Sysdig found that attacker typically only make $1 for every $53 of cost borne by the owners of the cloud infrastructure. Mining a single Monero coin using free trials on GitHub, for example, would cost that company more than $100,000 in lost revenue, Sysdig estimated.

Yet companies may not initially see the harm in cryptomining, says Crystal Morin, a threat researcher at Sysdig.

"They are not harming anyone directly, such as taking somebody's infrastructure or stealing data from businesses, but if they were to scale this up, or other groups took advantage of this type of operation — 'freejacking' — it could start financially hurt these providers and impact — on the back end — the users, with free trials going away or forcing legitimate users to pay more," she says.

**Cryptominers Everywhere**

The latest attack, which Sysdig dubbed PURPLEURCHIN, appears to be an effort to cobble together a cryptomining network from as many services as possible that offer free trials. Sysdig's researchers discovered that the latest cryptomining network utilized 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts. The cybercriminal group downloads a Docker container, runs a JavaScript program, and loads in a specific container.

The success of the attack is really driven by the cybercriminal group's efforts to automate as much as possible, says Michael Clark, director of threat research for Sysdig.

"They have really automated the activity of getting into new accounts," he says. "They use CAPTCHA bypasses, the visual ones and the audio versions. They create new domains, and host email servers on the infrastructure that they have built. It is all modular, so they spin up a bunch of containers on a virtual host."

GitHub, for example, offers 2,000 free GitHub Action minutes per month on its free tier, which could account for up to 33 hours of run time for every account, Sysdig stated in its analysis.

**Kiss-a-Dog**

The cryptojacking campaign CrowdStrike discovered targets vulnerable Docker and Kubernetes infrastructure. Called the Kiss-a-Dog campaign, the cryptominers use multiple command-and-control (C2) servers for resiliency, using rootkits to avoid detection. It includes a variety of other capabilities, such as placing backdoors in any compromised containers and using other techniques to gain persistence.

The attack techniques resemble those of other groups investigated by CrowdStrike, including LemonDuck and Watchdog. But most of the tactics are similar to TeamTNT, which also targeted vulnerable and misconfigured Docker and Kubernetes infrastructure, CrowdStrike stated in its advisory.

While such attacks may not feel like a breach, companies should take seriously any signs that attackers have access to their cloud infrastructure, says CrowdStrike's Ahuje.

"When attackers run a cryptominer in your environment, this is a symptom that your first line of defense has failed," he says. "Cryptominers are leaving no stones unturned to exploit this attack surface to their advantage."

Cryptojacking, Freejacking Compromise Cloud Infrastructure

**DUBLIN, Oct. 27, 2022 /PRNewswire/ —** The "Banking Encryption Software Market Size, Share & Trends Analysis Report by Component, by Deployment, by Enterprise Size, by Function (Cloud Encryption, Folder Encryption), by Region, and Segment Forecasts, 2022-2030" report has been added to **ResearchAndMarkets.com's** offering.

The global banking encryption software market size is expected to reach USD 5.03 billion by 2030, expanding at a CAGR of 13.0% from 2022 to 2030, according to this study conducted. The growing need for modern security solutions worldwide is anticipated to drive the growth of the industry. In addition, the rising incidences of cyber-attacks also bode well for growth.

Banking encryption software facilitates the confidential exchange of vital data by encrypting the data at the sender's end in a form not readable without a proper authentication key, which is usually in the form of a password. The receiver can use the authentication key to decrypt the data and read it. The strong emphasis banks and other financial institutions are putting on securing data transactions is driving the adoption of banking encryption software.

The growing partnerships among the encryption software providers are expected to drive market growth. For instance, In April 2021, Google Cloud and Broadcom collaborated. This collaboration increased the integration of cloud services into Broadcom's primary software franchises. In this partnership, Broadcom was able to make enterprise operations software and its security suite available on Google Cloud, enabling organizations to encrypt and decrypt data at the column level.

**Banking Encryption Software Market Report Highlights**

*   The software segment is expected to dominate the segment over the forecast period. This is due to its offered benefits such as security and privacy protection to the financial institutes
*   The cloud segment is anticipated to witness the fastest growth over the projection period. The growth of the segment can be attributed to the inexpensive deployment and customization options
*   The large enterprise segment dominated the market in 2021. Large organizations are adopting encryption solutions to meet the changing security needs owing to the rising incidences of cybercrimes
*   The cloud encryption segment is anticipated to witness the fastest growth because of its capability to facilitate a cost-effective and scalable encryption model
*   The Asia Pacific regional market is expected to witness the fastest growth over the projection period due to an increase in demand for encryption software among banks in developing countries in the Asia-Pacific, including China and India, to safeguard and ensure the privacy of data

**Key Topics Covered**

Chapter 1: Methodology and Scope  
Chapter 2: Executive Summary  
Chapter 3: Banking Encryption Software Industry Outlook  
Chapter 4: Investment Landscape Analysis  
Chapter 5: FinTech Industry Highlights  
Chapter 6: Banking Encryption Software Component Outlook  
Chapter 7: Banking Encryption Software Deployment Outlook  
Chapter 8: Banking Encryption Software Enterprise Size Outlook  
Chapter 9: Banking Encryption Software Function Outlook  
Chapter 10: Banking Encryption Software Regional Outlook  
Chapter 11: Competitive Analysis  
Chapter 12: Competitive Landscape

**Companies Mentioned**

*   Broadcom
*   ESET North America
*   IBM Corporation
*   Intel Corporation
*   McAfee, LLC
*   Microsoft
*   Sophos Ltd.
*   Thales Group
*   Trend Micro Incorporated
*   WinMagic

For more information about this report visit https://www.researchandmarkets.com/r/fp92vx.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

More Insights

Webinars

*   Penetration Testing, Red Teaming, and More: Improving Your Defenses By Thinking Like an Attacker
*   Building & Maintaining an Effective Incident Readiness and Response Plan

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Breaches Prompt Changes to Enterprise IR Plans and Processes

Editors' Choice

Tara Seals, Managing Editor, News, Dark Reading

Jai Vijayan, Contributing Writer, Dark Reading

Shauli Rozen, CEO and Co-Founder, ARMO

Dark Reading Staff, Dark Reading

Webinars

*   Penetration Testing, Red Teaming, and More: Improving Your Defenses By Thinking Like an Attacker
*   Building & Maintaining an Effective Incident Readiness and Response Plan
*   State of Bot Attacks: What to Expect in 2023
*   Analyzing and Correlating Security Operations Data
*   Understanding Cyber Attackers & Their Methods

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Breaches Prompt Changes to Enterprise IR Plans and Processes
*   Implementing Zero Trust In Your Enterprise: How to Get Started
*   6 Elements of a Solid IoT Security Strategy
*   Incorporating a Prevention Mindset into Threat Detection and Response

White Papers

*   Understanding the Zero Trust Approach
*   Top Cloud Threats to Cloud Computing: Pandemic Eleven
*   BotGuard for Applications Higher Education Case Study
*   Top Four Steps to Reduce Ransomware Risk
*   2022 Cyber Threat Landscape Report

Events

*   Understanding Cyber Attackers - A Dark Reading Nov 17 Event
*   Black Hat Europe - December 5-8 - Learn More
*   Black Hat Middle East & Africa - November 15-17 - Learn More

More Insights

Webinars

*   Penetration Testing, Red Teaming, and More: Improving Your Defenses By Thinking Like an Attacker
*   Building & Maintaining an Effective Incident Readiness and Response Plan

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Breaches Prompt Changes to Enterprise IR Plans and Processes

Source

DARKReading