A dangerous VMware authentication-bypass bug could give threat actors administrative access over virtual machines.

Several VMware products need to be patched against a critical flaw that would allow authentication bypass for on-premises implementations.

The latest VMware bug is being tracked under CVE-2022-31656 and has a CVSSv3 base score of 9.8, according to the company. 

The VMWare advisory reported the products affected include: 

*   VMware Workspace ONE Access (Access)
*   VMware Workspace ONE Access Connector (Access Connector)
*   VMware Identity Manager (vIDM)
*   VMware Identity Manager Connector (vIDM Connector)
*   VMware vRealize Automation (vRA)
*   VMware Cloud Foundation
*   vRealize Suite Lifecycle Manager

"It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments," the company warned in a security advisory. "If your organization uses ITIL methodologies for change management, this would be considered an 'emergency' change."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Time to Patch VMware Products Against a Critical New Vulnerability

The CVE-2022-27535 local privilege-escalation security vulnerability in the security software threatens remote and work-from-home users.

A high-severity local privilege-escalation (LPE) vulnerability in Kaspersky's VPN Secure Connection for Microsoft Windows has been discovered, which would allow an attacker to gain administrative privileges and take full control over a victim's computer.

Tracked as CVE-2022-27535, the bug carries a high-severity CVSS score of 7.8 out of 10, according to an advisory out today from Synopsys, which discovered the issue. It exists in the Support Tools part of the application, and would allow an authenticated attacker to trigger arbitrary file deletion in the system.

"it could lead to device malfunction or the removal of important system files required for correct system operation," according to a Kaspersky spokesperson. "To execute this attack, an intruder had to create a specific file and convince users to run 'Delete all service data and reports' or 'Save report on your computer" product features.'"

While remote code execution (RCE) bugs tend to hog the patching spotlight, LPE flaws deserve recognition as they're often linchpins within a wider attack flow. After cybercriminals gain initial access to a target via RCE or social engineering, LPEs are generally used by attackers to boost their privileges from a normal user profile to SYSTEM – i.e., the highest privilege level in the Windows environment.

With these kinds of local admin privileges, an attacker can then gain further access to the network, and ultimately a company's crown jewels.

"A fully compromised computer would allow an attacker access to websites, credentials, files, and other sensitive information that could be useful by itself, or useful in moving laterally inside a corporate network," Jonathan Knudsen, head of global research at Synopsys Cybersecurity Research Center, tells Dark Reading.

Kaspersky's VPN Secure Connection offers remote workers a supposedly secure way to tie back to a corporate network and resources, and Knudsen notes that the bug discovery points out an important truism: "All software has vulnerabilities, even security software. The key to releasing better, more secure software is using a development process where security is part of every phase."

He adds that Synopsys hasn't seen any exploitation of the bug, but "most likely attackers will take note of it as a possible technique." Users should upgrade to version 21.7.7.393 or later to patch their systems.

High-Severity Bug in Kaspersky VPN Client Opens Door to PC Takeover

Securing email communication has never been more critical for organizations, and it has never been more challenging to do so. Attack volumes have increased and become more sophisticated.

**The Importance of Email Security**

Email remains the primary vehicle used by cybercriminals, with 90% of cyberattacks delivered via this attack vector. Email is also the most essential and widely used business communication tool.

Securing email communication has never been more critical for organizations, and it has never been more challenging to do so. Attack volumes have not only gone up, but the attacks delivered via email have also become more sophisticated.

The work-from-home shift experienced by most of the world has made employees and organizations more vulnerable to cyberattacks delivered by email than ever before. This makes business email an irresistible target for cybercriminals.

**Email Security Is at a Crossroads**

Protecting email, while reducing cost and complexity, is a business-critical objective for organizations of all sizes, working in virtually every industry, and in all areas of the world. Workers are more frequently than ever logging on remotely from home, from hotels, from coffee shops, and sometimes even using their own personal devices. Often distracted by their environment, even the most cautious user can inadvertently open a malicious email or click on a malicious link.

Some organizations are choosing to rely on platforms such as Microsoft 365 and Google Workspace to provide the base of their email security strategy, while others are choosing to rely on more specialized products such as a secure email gateway created by cybersecurity vendors. And while most cybersecurity vendors force customers to choose only their specialized solution in order to reap its benefits, it is completely possible for these vendors to modify their existing specialized solutions to work with well-known software vendor platforms to augment and enhance those platforms’ security to the extreme benefit of their customers.

**Meeting Today's Email Security Needs**

Today's agile organizations desire — and should require — simplicity and effective results from their security tools. And with continual pressure for security leaders to justify their investments in new security technology, email security solutions should be diverse, cost effective, and deliver a quick return. This is all coming at a time when complexity for virtually every security team is increasing. System noise is increasing, the business and compliance needs of organizations are growing more diverse and complicated, and the risk cyberattacks pose is continually on the rise.

Gateway-less email security solutions stand poised to meet these customer needs. These solutions augment the security of software platforms like Microsoft 365 and Google Workspace by reinspecting emails that have already passed through the platform's email gateway and been scanned by its email security tool. These gateway-less email security solutions use routing rules to inspect emails after they have been scanned by the platform's detection engine but before they are delivered to users' inboxes. This helps stop the threats that may have been missed by Microsoft 365, Google Workspace, or other software platform security tools.

Gateway-less email security solutions deliver world-class protection, keeping email communication secure while augmenting the protection of incumbent email providers.

**The Benefits of Gateway-less Email Security**

Gateway-less solutions are growing in popularity due to their ease of deployment, ability to augment rather than replace software platform security, and appeal to organizations of all sizes. Cybersecurity analysts are now recommending gateway-less solutions as a viable email security option.

Gateway-less email security solutions stand behind security solutions organization are already using, helping to reduce the cost and complexity of email security deployments, which can be especially beneficial for smaller organizations with less complex email environments. Gateway-less solutions run entirely in the cloud with little to no infrastructure cost and require little to no security policy customization. This benefits both smaller organizations with lean IT departments and less resources, as well as larger organizations that are looking to cut costs, reduce resource use, and allow critical IT staff to focus on other areas of the enterprise.

When evaluating gateway-less email security solutions, organizations should seek out products that:

*   Deploy in a matter of minutes
*   Block even the most sophisticated email attacks with AI-powered detection
*   Enhance and extend the security of software platforms like Microsoft 365 and Google Workspace
*   Optimize protections with a quality best-practice, out-of-the-box security policy
*   Simplify email security with effortless administration
*   Allow users to easily see what threats have been blocked and why
*   Can be adjusted with the click of a button to meet user and admin needs
*   Defend against social engineering attacks
*   Remediate malicious emails with a single click

**The Bottom Line**

As the work-from-home shift transitions into a much more acceptable, prevalent, and permanent hybrid working environment, some organizations are choosing to stay with a traditional email security gateway, while others are moving toward gateway-less email solutions that augment the security of software platforms like Microsoft 365 and Google Workspace. Organizations that do so should seek out a gateway-less email security partner with advanced detection capabilities, access to long-standing threat intelligence based on long-running market and industry experience, and the ablity to deliver best-in-class efficacy that is difficult to match via a tried-and true solution platform that can reduce complexity, reduce organization risk, and bring email and collaboration security under one roof through a single pane of glass.

**About the Author**

    

Thom Bailey leads the Strategy & Evangelism team at Mimecast, the authority in email security, targeted threat protection, and data governance. With over 20 years in product marketing and product management experience, Thom's passion has been one of understanding the intersection of IT operations and security.

How Email Security Is Evolving

A global network of inauthentic news sites present themselves as independent news outlets, offering content favoring China's government and articles critical of the US.

A fake-news influence campaign based in China is leveraging at least 72 inauthentic news sites to push content strategically aligned with the political interests of the People's Republic of China (PRC) across the globe and in multiple languages.  

The sites are linked to a Chinese public-relations firm called Shanghai Haixun Technology, according to a report from Mandiant, which dubbed the campaign "HaiEnergy." To disseminate the content, the effort makes use of various social-media accounts with hundreds of thousands of followers. 

The purpose of the campaign is to target global audiences with messaging intended to improve the international image of China — and to discredit critics of its policies. According to the new Mandiant report, the campaign narratives include promoting the reform of Hong Kong's electoral system — giving the mainland government more control over choosing candidates — and criticizing the United States and its allies.

At the start of the month, several of the sites published articles critical of US House Speaker Nancy Pelosi's recently concluded trip to Taiwan, warning her to "stay away from Taiwan."

The content also attempts to discredit outspoken government opponents, including German anthropologist Adrian Zenz, who is known for his research on China's autonomous Xinjiang territory in the northwest, where there has been a reported genocide against the Uyghur population.

This was done via website articles and social-media posts, featuring what Mandiant suspects to be "at least three fabricated letters, based on obvious grammatical errors and typos."

One letter was observed being used by a Twitter account belonging to a suspected inauthentic persona "Jonas Drosten" (@Jonas\_drosten), who posted a tweet containing images of three letters. The tweet, and one of the letters, alleges that Adrian received "financial support from US Senator Marco Rubio and former White House Chief Strategist Steve Bannon."  

The Uyghur ethnic minority community has in the past been a target of multiple other disinformation efforts.

**Outsourcing Fake News Efforts**

Mandiant researchers were not able to determine whether Shanghai Haixun Technology is aware of the fakeness of the HaiEnergy effort, but the researchers found evidence that the campaign has leveraged services and infrastructure belonging to the PR firm to host and distribute content.  

The campaign's use of third-party infrastructure allows the operators behind the campaign to obfuscate their identities while distributing content. And the use of a PR firm in this campaign may also be suggestive of recent trends noted by Meta (PDF) regarding the increased outsourcing of influence operations to third parties.

The Mandiant report also notes that actors that use PR firms may also do so to lower the barrier to entry for such activity to actors with limited experience in such areas.

"The campaign does not appear to be particularly sophisticated, as evidenced at least in part by the seeming lack of substantial engagement outside of inauthentic amplification of its content," says Ryan Serabian, senior analyst at Mandiant.  

For instance, some of the social-media accounts outright note that they've been commissioned to promote content, and their bios suggest that they were willing to do "paid promos."

Serabian explains that social-media platforms, governments, and other organizations increasingly look to root out inauthentic information activity, so he expects that actors will adapt new tactics and strategies, like contracting PR firms, to continue to achieve their aims.

"As we've highlighted, such actors might seek to leverage PR firms to distribute content, and they may also become more inventive in the types of content they distribute, such as by way of using technology like artificial intelligence-generated 'deepfake' images and videos," he says.  

This particular operation follows the efforts of Russian operatives, and those allied with Russian interests, which unleashed a deluge of disinformation and fake news to try and sow fear and confusion in Ukraine following the invasion of that nation.

Massive China-Linked Disinformation Campaign Taps PR Firm for Help

Users can identify risks across five domains, work on multiple projects, and take advantage of exclusive community benefits.

EVERGREEN, Colo., Aug. 4, 2022 /PRNewswire/ — Phylum, The Software Supply Chain Security Company, announces the release of its free Phylum Community Edition to expand the standard in supply chain security risk analysis to everyone.

Users can quickly understand valuable risk insights based on our unique approach to defending the software supply chain.

The free Phylum Community Edition allows any user to identify open-source risks across five domains with deductive analysis that is integrated into every stage of a build. Available immediately, users can:

— Sign up for a free, individual account here  
— Work on up to five projects at a time  
— Join the Phylum slack community to collaborate with other developers and security professionals  
— Get exclusive access to future beta features  
— Contribute feedback to the product  
— Access community support  

"We're excited to get Phylum in the hands of security engineers and developers around the world. Supply chain attacks are just getting started, and users need the ability to identify risk across the entire OSS supply chain attack surface. With the Phylum Community Edition, users can quickly understand valuable risk insights based on our unique approach to defending the software supply chain," said Peter Morgan, co-founder and president of Phylum.

**The Phylum Risk Framework  
**  
Phylum's proactive approach to analyzing the risk inherent within the software supply chain is built from years of research and observation.

Instead of taking a retrospective approach by analyzing incidents after they occur, Phylum starts by consuming all available information about open-source packages and structuring the data in a consistent format for analysis. Layers of analytics, heuristics, and ML models then comb through the data to find risk indicators. Deductive analysis is then applied to account for the entire context around each indicator, and identified risks are prioritized based on the risk tolerance criteria set by the organization.

This allows Phylum to effectively surface and prioritize meaningful issues before an incident occurs, in a manner that does not overwhelm security teams. These risks can then be addressed before leading to compromise, outages, service degradation at runtime or legal liability.

"Given the large volume of components involved in the development of modern software, surfacing meaningful findings becomes critically important — as does accurately prioritizing issues. Phylum defines the attack surface and conducts the deductive analysis, and users define risk tolerance based on project needs. This combination results in a significantly reduced attack surface, and categorized risk prioritized by business objective," said Brad Crawford, vice president of product at Phylum and co-author of the MITRE ATT&CK Framework.

The Phylum Risk Framework is the standard in software supply chain security, defined by the following categories: Malicious Code, Software Vulnerabilities, Authorship Risk, Reputation, License Misuse and Engineering Risk.

Get the Phylum Community Edition here.

Phylum will be at Black Hat 2022 in Innovation City booth# IC53. To meet up at the event, request a meeting here.

About Phylum  
Phylum is the Software Supply Chain Company, on a mission to secure the universe of code. Developers and security professionals use Phylum to identify open-source risks across five domains using deductive analysis that is integrated into every stage of a build. The company is built by a team of career security researchers and developers with decades of experience in the US Intelligence Community and commercial sectors. Learn more at https://phylum.io, read The Phylum Research Blog, and follow us on LinkedIn and Twitter.

SOURCE: Phylum

Phylum Releases a Free Community Edition to Make Software Supply Chain Security More Accessible

It's a myth that consuming and processing alerts qualifies as security. Today's technology allows better detection and prevention, rather than accepting the low bar for protection set by ingrained incident response reactions.

You've probably seen ads for identity protection. They're everywhere, probably because almost half of all US citizens were victims of identity theft between 2020 and 2022. Although these ads claim to protect your identity, if you listen closely, what the service provides is an alert once your identity has been — or is in the process of being — stolen.

While these alerts can be immeasurably valuable, that's a very generous interpretation of "protection." If you entrusted me with protecting your valuables, and all I could do was let you know they had been stolen, you wouldn't be happy with my performance.

This same myth of protection has become accepted in the cybersecurity industry: the myth that an alert produced every time something is believed to be malicious or suspicious qualifies as security. This low bar for protection is what enterprises and consumers have been taught to accept. It's what security professionals have been taught to work with. The entire ecosystem is designed around the idea that consuming and responding to alerts is synonymous with protection.

Rather than protecting the enterprise, these voluminous alerts are putting enterprise security at risk. Security teams are drowning in alerts and saddled with excessive false positives. They are stretched beyond capacity due to working in a highly reactive, "always on" mode. According to Deep Instinct's Voice of SecOps survey, the industry is reaching a tipping point: Nearly 90% of cybersecurity professionals polled say they are stressed in their role, while 40% believe their existing security solution stack is inadequate and nearly half (46%) of the respondents have thought about quitting the industry.  

Now more than ever, we must redefine protection and lean into prevention. However, before we look ahead to how, let's quickly look at how we got here: a two-prong issue stemming from both the mindset of early cybersecurity groups and the technology available at the time.

**We Must Stop Living in the Past**

The ILoveYou virus hit within my first week in the National Security Incident Response Center, causing billions of dollars in damage. Back in the early 2000s, we dealt with ILoveYou like we did with any disaster. We built a response team, gathered data, worked to stop the damage, and made recommendations for the next time. This mindset was built into every Computer Emergency (or Incident) Response Team that popped up in the 2000s, from inside the Pentagon to Carnegie Mellon. A respond-to-an-event ecosystem was created.

The technologies and intelligence available then lacked the context, precision, and speed needed to get in front of these threats. Practitioners focused on what they could do: process data after an event as quickly as possible. This is where new technologies can be impactful. There was a lot of excitement when endpoint detection and response (EDR) was able to respond within minutes of an intruder entering a network. While that's a commendable response time, you wouldn't want someone inside your house poking around for minutes before you responded. On top of that, the people responsible for responding are now being buried by an avalanche of false alarms.

Many accept that false-positive detection rates of 30% to 50% are inevitable, so we train artificial intelligence to consume and attempt to make sense of those alerts for us. Cybersecurity must evolve beyond making ineffective processes faster. It's time to redefine protection and lean from response toward prevention. What if detection were accurate and fast enough to make a difference _before_ an alert was generated?

We can give defenders the ability to see deeply into network sessions to expose the techniques that hackers employ. We can expose those techniques quickly enough to make a difference so that entire categories of attacks are stopped before they begin, and minor evasions such as changing IP addresses are no longer effective. The detection accuracy is so good that false positives are a thing of the past. It's time to develop and introduce automated preventive controls into an industry that is overly optimized for response.

True protection is no longer a myth. The technology exists today to make this a reality. With ransomware on the rise, defenders are rightly being asked to focus on resilience and recovery. The reality is that defenders will add this focus on resilience and recovery as another task or project on top of their already overwhelming days spent chasing incidents and being buried in false alarms, all while considering quitting the business. We can retrain and reskill our cyber workforce to be stewards of true protection, giving them time and space to do their jobs and make a difference. This is the future of cybersecurity — and that future begins now.

The Myth of Protection Online — and What Comes Next

Agentless approach meets the attacker earlier to protect financial services and other large enterprises from an underserved attack vector.

**NEW YORK, NY – Aug. 3, 2022** – Deep Instinct, the first company to apply end-to-end deep learning to cybersecurity, today delivered Deep Instinct Prevention for Applications, an agentless, on-demand, antimalware solution for the enterprise that is device and operating system agnostic. This new offering revolutionizes threat protection beyond the endpoint with flexible, deploy anywhere, in-transit file scanning via API to quickly return a malicious versus benign verdict at enterprise speed. It protects any web application or cloud storage from malicious content while fully ensuring data privacy.

Until now, financial services and other industries with petabytes of data in motion each day have been at high risk from uploaded malicious content that can be detonated upon download from storage. These organizations have been relying on antiquated solutions that are slow, consume vast CPU and memory resources, and miss unknown malware, leaving this threat segment underserved.

In the wake of the pandemic, fintech transactions alone rose by 13% and their volume by 11%, indicating significant industry growth. With tens of millions of files in transit each day connected to high-value trading data, mortgage applications, insurance claims, and other sensitive information, financial institutions are at risk from unchecked malicious uploads or downloads and lack viable options to ensure infected content is not a threat to their operations or their customers. As threat actors seek alternative points of entry into enterprise environments, this risk factor will only increase. In fact, one study found that 35% of "never-before-seen" malware files were hidden in Microsoft Office and PDF files.

"As threat actors compromise points of entry beyond the endpoint, financial services institutions that exchange tens of millions of files each day are at increased risk. This was primarily created by the failure of established antivirus, network and other solutions to evolve. They are slow, can't scale or process high volumes of daily traffic or handle large file sizes, and often resort to sandboxing. As a result, they continue to miss unknown threats, and incur high infrastructure costs. "That's the worst of both worlds for an enterprise," said Guy Caspi, CEO and Co-Founder of Deep Instinct. "Deep Instinct is disrupting the cybersecurity status quo by setting a new standard for preventing malicious files, both known and unknown, before they reach storage."

Deep Instinct Prevention for Applications provides organizations an on-demand, high-speed scanning solution that prevents \>99% unknown malware hidden in files and easily scales to scan tens of millions of files per day. With very low CPU requirements, a low false-positive rate of <0.1%, near zero latency, and low processing requirements, Deep Instinct provides the most innovative solution for this underserved threat gap. A typical traditional AV solution is ineffective at preventing unknown malware, will require sandbox and cloud intelligence checks, and takes an average of 90 seconds to 3 minutes to make decisions. Traditional AV/sandbox solutions are ineffective at solving this issue as they are easily evaded and slow to respond. This increases risk and negatively affects the user experience but impacts the business by slowing down critical processes.

"Deep Instinct is addressing a major pain point of today's enterprise — their exposure to an ever-expanding number of attack vectors," said David OLeary, Field CISO – Sr. Director, Global Cybersecurity, SHI. "We look forward to bringing this truly unique solution to our enterprise customer base and helping them better protect themselves and their customers from malicious content as they exchange important files every day."

Other benefits of Deep Instinct Prevention for Applications include the following:

*   Does not rely on the cloud to provide a verdict.
*   Only the file hash ever leaves the environment, retaining full customer data privacy.
*   No customer data is used for training or updating AI models.
*   Minimal infrastructure resources, including CPU and memory usage, combined with a small footprint, ensure a low total cost of ownership.

For more product information and case studies, please visit: https://deepinstinct.com/prevention-for-applications.

**About Deep Instinct**

Deep Instinct takes a prevention-first approach to stopping ransomware and other malware using the world's first and only purpose-built, deep-learning cybersecurity framework. We predict and prevent known, unknown, and zero-day threats in <20 milliseconds, 750X faster than the fastest ransomware can encrypt. Deep Instinct has >99% zero-day accuracy and promises a <0.1% false positive rate. The Deep Instinct Prevention Platform is an essential addition to every security stack — providing complete, multilayered protection against threats across hybrid environments. For more, visit www.deepinstinct.com.

Deep Instinct Pioneers Deep-Learning Malware Prevention to Protect Mission-Critical Business Applications at Scale

In the last month, "Pl0xP" cloned several GitHub repositories, adding malicious code to the forks that would attempt to infect developer systems and steal sensitive files that included software keys.

A hacker going by the handle "Pl0xP" cloned a large number of GitHub repositories and slightly changed the cloned repository names, in a typosquatting effort to impersonate legitimate projects — thus potentially infecting any software that imported the code, software experts said today.

The widespread cloning resulted in more than 35,000 insertions of a malicious URL into different code repositories, although the exact number of affected software projects is likely much smaller, software engineer Stephen Lacy stated in an early morning Twitter post. The attack, a variant of dependency confusion, could have caused problems for developers using the fake GitHub repositories without adequate verification of the software source, he said.

If imported, the malicious code executes code on the system, according to Lacy. "This attack will send the ENTIRE ENV of the script, application, laptop (electron apps), to the attacker's server! ENVs include: Security keys; AWS access keys; Crypto keys … much more." 

"ENVs" are environment variables, used to store information that developers want to reference in their workflows.

The software engineer found the malicious functionality when he audited a software library that he considered incorporating into his own project, Lacy said.

"I discovered the exploit as I was reviewing a project I found off a Google search," he tweeted. "This is why we don't install random packages off the internet!"

Cloning — or "forking" — is not a new malicious technique, but it's a tricky one.

"Bad actors have already been known in the past for creating cloned/forked popular repositories with malicious code," says Mor Weinberg, Aqua Security software engineer. "This can become quite difficult to spot, as cloned repositories may retain code commits with usernames and email addresses of the original authors, giving off a misleading impression that newer commits were made by the original project authors as well. Open source code commits signed with GPG keys of authentic project authors are one way of verifying the authenticity of code."

"This … was akin to someone standing up a 'fake' website or sending a phishing email," adds Mark Lambert, vice president of products at ArmorCode. "This is going to catch people that are not paying attention."

**An Attack or Legitimate Research?**

This mass forking in GitHub may not have been a real attack. A person claiming to have knowledge of the issue positioned the widespread typosquatting as a legitimate research effort.

"This is a mere bug-bounty effort. no harm done. Report will be released," a Twitter user named "pl0x\_plox\_chiken\_p0x" tweeted on Aug. 3.

While an ill-conceived research project could explain the attack, creating thousands of code changes for research seems irrationally risky. Moreover, the Twitter user had only registered the account in the prior three days — short account lifetimes are often a characteristic of fraudulent online personas.

The claim of the attack being part of a bug bounty "is waiting to be proven, as the activity is having the characteristics of one with a malicious intent," Jossef Harush, head of supply chain security engineering at software security firm Checkmarx, tells Dark Reading.

In any event, Michael Skelton, senior director of security operations at bug-bounty platform Bugcrowd, notes that at least the original code repositories remained unaffected.

"While it's unclear what the nature of Pl0xP's bug-bounty finding would be (as social engineering is out of scope for nearly all bug-bounty programs), it does look like they cloned a number of repositories, and made their changes in those clones only — in no cases did this change make its way into the original repositories that had been cloned," he says. "Cloning a repository is a standard action that doesn't impact the original repository unless the owner merges a change back (requested through a pull request), which wasn't done here."

**Malicious Software Dependencies Abound**

GitHub seemingly cleaned up the malicious code commits, and as of the afternoon on Aug. 3, a search for the embedded bad URL turned up zero results. Yet the attack is hardly the first time that open source projects have had to deal with attackers. The number of attacks against the software supply chain jumped 650% in 2021, mainly driven by dependency-confusion attacks, where the attacker uses an almost identically named version of an open source code block in hopes of developers mistyping the name of a desired library or component, or not noticing the slight difference in nomenclature.   

Seeding repositories with malicious, misnamed projects requires the attacker to do some groundwork. In July, software security firm Checkmarx revealed a way of creating fake developer accounts on GitHub, complete with an active history of code commits to increase their credibility. The technique, along with the latest attack, underscores that maintainers need to take steps to only accept signed code commits, Harush says. Developers need to "beware of pull requests and contributions having suspicious unverified commits, \[and need to\] review ... the content of the contributions compared to the disclaimer in the commit message and contributions adding or modifying existing dependencies to similar named dependencies as part of the contribution," he adds.

**Don't Trust, Verify**

To avoid their projects being poisoned, maintainers and developers should only trust those contributors that are known to them and have an extensive and verifiable commit history. They should also use the available tools — such as digital signatures and multifactor authentication — to secure their accounts, Harush says.

"As you should not trust candy from strangers — don't trust code from strangers," he says. "Users may be tricked when evaluating the candidate project and think they are legitimate, \[so\] they use it in their local development computers, build environments, production environments, and even build software, \[until finally executing something malicious\] on customers' \[systems\]."

In Checkmarx's July advisory on spoofing identity information and commit information in the _git_ command-line utility, the company underscored the risks to software projects when malicious committers disguise themselves as known contributors. This "makes the project look trustworthy," the firm stated. "What makes this commit-spoofing even more alarming is the fact that the user being spoofed isn’t notified and won’t know that their name is being used."

GitHub has already added digital signatures for code commits to verify the identity of the contributor, but project maintainers should enable "vigilant mode," a feature of GitHub that displays details of the verification status of every commit and their contributor, Checkmarx stated.

At the very least, developers and project maintainers should occasionally review their commit log and ask their other maintainers to enable GPG-signed commits, Harush says. "Getting used to having a signed commit log will benefit you to pay attention to unverified contributions."

GitHub could not immediately be reached for comment.

35K Malicious Code Insertions in GitHub: Attack or Bug-Bounty Effort?

The identity-services company is being acquired by Thoma Bravo software investment for cash, before being delisted.

Investment firm Thoma Bravo has entered into a agreement to acquire Ping Identity in a deal valued at about $2.8 billion. Upon completion of the all-cash transaction, the firm said it will take the identity management services provider private. 

Ping offers cloud-based security software that enables password-less sign-on, fraud protection, and more. The 10-figure cash offer puts the investment group in a position to take advantage of what they forecast will be a $50 billion enterprise identity-security solutions market, according to Thoma Bravo partner Chip Virnig.

"This compelling transaction is a testament to Ping Identity's leading enterprise identity solutions, our talented team, and our outstanding customers and partners," Andre Durand, Ping Identity's chief executive officer said in an announcement of the deal. "Identity security and frictionless user experiences have become essential in the digital-first economy and Ping Identity is better positioned than ever to capitalize on the growing demand from modern enterprises for robust security solutions."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ping Identity to Go Private After $2.8B Acquisition

Early-stage startup Footprint's goal is to provide tools that change how enterprises verify, authentication, authorize, and secure identity.

Whenever a person walks into a financial services institution to open a bank account, apply for a loan, or obtain a credit card, that institution needs to first verify that person’s identity. Personal information is typically supplied by the person filling out the form, and then the institution matches the information against a series of databases. This process is repeated for every transaction, even if it's within the same institution.  

The current system can tell that a real person is trying to open an account, but it doesn’t actually verify whether the person who is submitting the information is really the person whose information was provided.

Footprint, which announced a $6 million seed investment on Wednesday, wants to solve this problem. The startup intends to change how identity verification is performed by giving enterprises the tools to verify, authenticate, authorize, and secure identity. 

The company relies on cryptography to tokenize identity and uses cutting-edge biometric scans, liveness checks, and peer-to-peer verification to validate people are who they say they are. The approach is similar to Apple Pay in that personally identifiable information (PII) – such as a Social Security number, date of birth, email address, and phone number – is encrypted and stored in a secure enclave on the user’s mobile device. The enclave is backed by hardware-level cryptographic attestation, the company says. Each user has a private key pair for access, and Footprint uses FaceID, TouchID, and other technologies to verify the authenticity of the person.

The tools would address challenges related to know-your-customer verification processes, identity verification, and securely storing PII while keeping people in control of their identities, the company says. The organization won't actually have to collect or store PII. Footprint can pave the way for "a better OAUth for Fintech," the company stated in a press release.

The product is currently in early access release. The tool is expected to be generally available in the fall.  

"Footprint up-levels the consumer experience by becoming their passport to the internet," the company said in the release.

Source

DARKReading