Joshua Schulte has been convicted for his role in the Vault 7 Wikileaks data dump that exposed invasive US cyber intelligence tactics.

Joshua Schulte, a former CIA programmer, has been found guilty by a jury in a Manhattan, NY court for stealing the trove of classified data on US cyber espionage that was exposed in the Vault 7 Wikileaks data dump.

Schulte, 33, was convicted of stealing and revealing secrets, including details about how the CIA used malware to compromise mobile phones and smart devices to spy on targets. The verdict was reported by Courthouse News Service, which said that in addition to the conviction on nine counts of stealing classified documents, Schulte has unrelated charges pending for child pornography. Altogether, he faces up to 80 years in prison.

A 2020 trial for Schulte ended with a deadlocked jury and a mistrial. Schulte opted to represent himself in the most recent proceedings, according to Courthouse News.

Schulte was first named as a suspect in the Vault 7 Wikileaks release in 2018. The cache of cyber spy secrets including zero-day vulnerabilities in Android, iOS, and Windows, along with known bugs in routers, smart TVs, and smart vehicles that were allegedly being exploited for spycraft by the CIA.

In a 2017 statement released along with the Vault 7 files, Wikileaks had bragged, "This extraordinary collection ... gives the entire hacking capacity of the CIA."

Federal prosecutors who charged Schulte agreed.

US Attorney Damian Williams said in reaction to the verdict that it was "one of the most brazen and damaging acts of espionage in American history."

Prosecutors described Schulte as a disgruntled employee motivated by petty revenge against the CIA. "Schulte was aware that the collateral damage of his retribution could pose an extraordinary threat to this nation if made public, rendering them essentially useless, having a devastating effect on our intelligence community by providing critical intelligence to those who wish to do us harm," Williams said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ex-CIA Programmer Found Guilty of Stealing Vault 7 Data, Giving It to Wikileaks

Researchers who helped thwart the Russian nation-state group's recent attack on Ukraine's power supply will disclose at Black Hat USA what they found while reverse-engineering the powerful Industroyer2 malware used by the powerful hacking team.

The infamous Sandworm threat group operating out of Russia's military GRU unit has no qualms about taunting researchers when it finds it is being watched. Just ask Robert Lipovsky and his fellow researchers at ESET, who got the message loud and clear when they dissected one of Sandworm's newer malware variants earlier this year: The Sandworm attackers disguised the loader for one of its data-wiping variants as the IDAPro reverse-engineering tool — the very same tool the researchers had used to analyze the attackers' malware.

Lipovsky, principal threat intelligence researcher at ESET, knew it was no coincidence. Sandworm most likely was brazenly — and sarcastically — making a point that the group knew ESET was on its trail. "There's no reason to use IDAPro" in an attack on an engineering substation because that's not a tool that would be used on that system, he explains. "It's fairly clear the attackers are fully aware we are onto them and blocking their threats. They are maybe trolling us, I would say."

That wasn't the only message Sandworm seemed to be sending. The group also dropped a Trojan-ridden version of ESET's security software in its targeting of Ukrainian networks. "They were sending a message that they were aware we are doing our job protecting the users in Ukraine," Lipovsky says.

Lipovsky was part of the ESET team that — along with Ukraine's computer emergency response team (CERT-UA) and Microsoft — in April blocked a cyberattack by Sandworm on an energy company in Ukraine using a new version of its game-changing Industroyer malware weapon, Industroyer2. Had it not been thwarted in time, the attack would have knocked several high-voltage substations from part of the nation's electric grid.

Industroyer2 is a more custom version of the first iteration (Industroyer) that Sandworm unleashed in December 2016, temporarily knocking out power in parts of Kyiv, the capital of Ukraine. The Industroyer2 attack attempt in April also came with destructive disk-wiping tools designed to destroy engineering workstations running Windows, Linux, and Solaris, in an attempt to thwart recovery operations when the attackers' planned power blackout hit. Industroyer was the first known malware able to shut out the lights, and it can communicate with ICS hardware in electrical substations — circuit breakers and protective relays, for instance — via popular industrial network protocols.

Even after the high-profile foiling of the Industroyer2 attack attempt on Ukraine in April, Sandworm continues to relentlessly hammer at Ukraine's cyber defenses. "It didn't end with Industroyer2. It continues today," says Lipovsky, who with ESET senior malware researcher Anton Cherepanov will share their insiders' view of Sandworm and dissect the group's Industroyer2 malware at Black Hat USA in Las Vegas next month. 

"There are more wipers today … and new execution chains being used," he says.

Most of the current attack attempts by Sandworm against Ukraine's infrastructure now carry disk-wiping weapons. "We've seen disruption activity \[attempts\] at an increased rates since February," he says, when Russia first invaded Ukraine. Intel-gathering via cyber-espionage attacks also has been active, he adds, noting that while Sandworm is the most prominent Russian threat actor targeting Ukraine, it's not the only one.

**Industroyer2 up Close**

In their Black Hat talk, Lipovsky and Cherepanov plan to reveal more technical details about Sandworm that haven't yet been made public, as well as share recommendations for utilities to defend against the nation-state group's attacks.

Lipovsky and his team describe Industroyer2 as a simpler, more streamlined version of the first version. Unlike the first Industroyer, Industroyer2 speaks just one OT protocol, IEC 104. The original version used four different industrial protocols. It's likely more efficient and focused that way: "\[IEC 104 is\] one of most common \[OT\] protocols and a regional thing" in Europe, he notes.

The disk-wiping capabilities with Industroyer2 eclipse that of the first version. "The first one was a framework with multiple components, and it was also calling additional modules that were there for wiping," he says. Industroyer2 is more "self-contained" and offers wipers as separate executables, he says, malware weapons that have been discovered in other recent cyber incidents. 

CaddyWiper is the main disk wiper used with Industroyer2. Sandworm pointed CaddyWiper at a Ukrainian bank 24 hours before Russia invaded Ukraine in February, at a government agency in early April, and on some Windows workstations at the targeted Ukrainian energy firm. Sandworm also set destructive malware programs ORCSHRED, SOLOSHRED, and AWFULSHRED on Linux and Solaris workstations there. And, as a final touch, Sandworm had scheduled CaddyWiper to execute on April 8 as a way to erase all evidence of Industroyer2, but it was blocked.

Interestingly, Sandworm does not typically wipe domain controllers, so as not to disrupt its own foothold in the victim's network. "They wipe regular workstations to disrupt a target's operations, but they want to keep their presence once they've infiltrated an environment," Lipovsky says.

Even with all that ESET and other researchers now know about Industroyer2, there is still no full picture of the initial attack vector in the Industroyer2 attack on the Ukrainian energy firm. CERT-UA said the attack appeared to be in two stages, the first one likely in February of this year and the other in April, when the goal was to disconnect the electrical substations and sabotage the power operations on April 8.

**Defense Against Industroyer, Sandworm**

While Industroyer2 has been trained on Ukraine, its emergence has shaken the OT industry.  "Industroyer was a wake-up call for the whole ICS community. This is a serious threat," Lipovsky says.

The playbook for protecting an OT network from Industroyer and related attacks isn't much different than others. "It's what we've always been saying: Have visibility into the environment; have EDR, XDR tools; multiple layers of security in the stack; and access controls," Lipovsky says.

In their talk at Black Hat Lipovsky and Cherepanov also will share EDR rules, configuration suggestions to stop lateral movement, and rules for Snort and YARA tools

They also plan to reiterate that engineering workstations in OT networks have become major targets, so they have to be part of the security equation. "A lot of SCADA software and monitoring is happening on regular workstations that run Windows or Linux. These machines should have the appropriate security measures and solutions that are multilayered," including running EDR or XDR tools, he says.

Sandworm APT Trolls Researchers on Its Trail as It Targets Ukraine

And some ways to up your game for identifying fabricated online profiles of people who don't exist.

On April 18, 2022, a handful of US citizens scrambled to get their taxes filed. While tax season is usually a stressor, consider that these filers got some unsolicited help. Imagine that somehow, strangers that might resemble angels just appeared in their lives, offering guidance and help to work with them through this process … all through the computer screen.

For our story, let's consider we receive a benign LinkedIn message from "Alice Dupree," stating that she is a liaison with H&R Block and is reaching out to offer any assistance in filing taxes. If we examine Alice's profile, everything mentioned lines up with her public presence. In fact, she looks like a very reputable person! She attended a prestigious university, has had a prolific career, and has an enticing professional summary.  

While we could review her education and past work experience with her LinkedIn profile, there is certainly other demographic, geographic, or personal information that we wouldn’t see online. So let's talk about Alice on a more personal level.

She is 49 years old, she lives in San Diego, California, and her favorite color is black (to match the business suits she wears). On top of that, she was born on July 1, 1972, and her zodiac sign is Cancer. She drives a 2005 Lexus LS to visit her mother (maiden name "Weaver"), and in case you ever need to reach her, her cell phone number is 909-722-3198.

She has an O+ blood type and has a Mastercard that expires in February 2025. Alice owns an iPhone, but when she is on her computer, she uses the Firefox Web browser.

We never would have the need for that information, or ask any questions pertaining to it — but if we did, Alice would have all the answers. It is her life story, after all!

You might be wondering how I know so much about Alice. Well, that's because I made her up.

Alice doesn't exist, and all her background information has been randomly computer generated to make her character all the more convincing. Her entire persona was artificially created with free, publicly accessible online tools that anyone can use.

**Faking People (For Real)**

It is surprisingly easy to come up with a whole identity for a fake person in this day and age. In all reality, there are online tools that do all the hard work for you. Social engineering is just too easy for scammers and cybercriminals.

Perpetrators can use Fake Name Generator to rapidly create an entire persona for fake but believable characters — just like I did with Alice Dupree.

    

Once all this background information has been generated and supplied for a budding scammer, they simply need a believable profile picture to replace the default gray silhouette.

If it wasn't already easy enough, cybercriminals and scammers can not only generate an entire person's history, but also their appearance with another online tool like This Person Does Not Exist.

**How Can You Tell What Is Real?**

Maybe an observant eye might notice a few telltales that this Alice character is a randomly generated persona. The profile picture gained from This Person Does Not Exist might have the strongest indicators:

*   The person's gaze is directly into the camera.

*   They might have odd or unusual traits.

*   Accessories like hats or glasses or even hair strands might fade in and out.

*   The side edges background may have very strange figures.

You may have noticed our so-called Alice is wearing earrings, but the left looks a bit more distorted than the right.

    

  
But how can someone defend against falling for Internet scams like this? Whenever possible, if an individual can do their due diligence by reaching out to the alleged company or school this persona is/was a part of, they can determine if this is legitimate.

Examining their profile might also reveal that the account has little to no activity. Social media sites may prune or remove accounts with little to no activity, in which case scammers really need to spend time to keep up the charade and look as realistic as possible.

If there is any suspicion you received a message from a fake persona, it is worth doing some online research to determine if this person is who they say they are – or if they exist at all.

For some semblance of "training your eyes" to detect fake computer-generated profile pictures, check out Which Face Is Real. Bear in mind some of the indicators discussed: centered eyes, blurry backgrounds, fading glasses or hair strands, and mismatched earrings. When lies and cons are at your door, inbox, or direct messages, _you_ are the front line of defense.

How Hackers Create Fake Personas for Social Engineering

Offensive security leader continues to defy market and economic trends with record growth and recognized innovation.

PHOENIX, AZ – July 14, 2022 – Bishop Fox, the leading authority in offensive security, today announced $75 million in Series B funding from growth-oriented investment firm, Carrick Capital Partners. The strategic second round brings total funding to $100 million for the 17-year-old cybersecurity firm. The funding will be used to grow the company’s unparalleled team of offensive security experts and fuel expansion of its award-winning Cosmos platform. As part of the transaction, Carrick Managing Director Chris Wenner will join the Bishop Fox board of directors, alongside current board member Will Lin, Managing Director of Forgepoint Capital, the Series A lead investor. Forgepoint Managing Director Don Dixon will shift from his role as a board member to a board advisor.

As cyberattacks escalate in the wake of economic uncertainty and geopolitical dynamics, the US government has proposed legislation designed to increase public and private sector collaboration on cybersecurity, including bills aimed at expanding and activating a broader workforce and promoting education and preparedness in defense of US assets. These initiatives place Bishop Fox in a unique position to lead the market in both areas. The company has developed one of the industry’s most prestigious educational programs for offensive security training and advancement, including Bishop Fox Academy, curriculum developed in partnership with universities, and extensive mentoring resources. Additionally, Bishop Fox’s comprehensive offensive security solutions and industry-leading attack surface management technology help organizations proactively improve their security posture.

The power of Bishop Fox stems from creatively combining technology and automation with unmatched human expertise to find vulnerabilities before the bad guys do. This winning combination serves as the foundation for the Cosmos platform, which performs continuous offensive testing at scale to outpace modern attackers. Executing more than 2.3 billion operations and identifying 13,000+ exposures every week, Cosmos can save security teams more than 5,000 hours per year in vulnerability identification and triage, and reduce the time to remediate critical vulnerabilities by 82%. The increasing demand for the platform resulted in tripling Annual Recurring Revenue (ARR) in 2021.

“This capital will fuel additional innovation in our Cosmos platform, investment in our people, and expansion of Bishop Fox Academy. By further developing the best technology and talent in the industry, we will continue to define the future of offensive security,” said Vinnie Liu, co-founder and CEO of Bishop Fox. “Additionally, the funding will enable us to accelerate our international expansion, extending our expertise to help even more organizations defend forward. We’re excited to partner with Carrick, an investor who shares our vision and mission.”

“Bishop Fox has one of the best reputations with customers we have ever come across, and the highest quality solutions and tech-enabled services in the cybersecurity industry. The

combination of their world-class security operators, unique process, and Cosmos technology platform has enabled them to continuously improve the security posture of complex, global enterprises at scale,” said Wenner. “We are excited to partner with them to extend their leadership position and innovation in offensive security.”

Trusted by thousands of customers, including Google, Equifax, John Deere, Sonos, and Zoom,

Bishop Fox has continued to gain momentum and receive industry recognition since announcing record growth and success earlier this year. Highlights include:

● Achieving the sole leadership ranking for Cosmos in the Maturity/Platform Play quadrant in the GigaOm Radar Report for Attack Surface Management (ASM). ● Scoring a “hat trick” in three separate industry award programs – the Stevies, the Globees and the Global InfoSec Awards – all of which included innovation among the accolades.

● Growing first quarter bookings by more than 50% year-over-year from 2021 to 2022.

● Increasing the firm’s workforce by 33% since the beginning of the year, with record-setting hiring in the first half of 2022.

● Achieving a Net Promoter Score (NPS) of 90 in the first quarter of this year for consulting services, which is considered world class in customer satisfaction. ● Growing its partnership with the ioXt Alliance, which in six months advanced from serving as an Authorized Labs partner to gaining approval to test IoT devices under the ioXt Certification Program’s base profile. ● Expanding the executive team with the additions of Penelope “Penny” Yao as Vice President of Product Management and KJ Nouri as Vice President of Engineering.

"It has been a pleasure to partner with Bishop Fox on their extraordinary journey," said Lin. "Their demonstrated commitment to comprehensive and continuous security innovation amidst changing customer needs and the evolving threat landscape have made them the solution of choice for modern organizations, and why they are the leader in offensive security. We're excited to continue our partnership and to welcome Chris and Carrick to the board of directors."

About Carrick Capital Partners

Headquartered in San Francisco and Newport Beach, Carrick Capital Partners is a growth-oriented investment firm that utilizes ABV (Approach to Building Value) to operationally scale fast-growing, technology-enabled businesses. Carrick adds value by taking a concentrated approach and dedicating significant resources post-investment. Leveraging decades of experience, Carrick helps scale great companies that deliver excellent returns for investors, stimulating economic growth and positively impacting the industry landscape. Working directly with CEOs and entrepreneurs, Carrick fulfills a vital need for investment capital and growth expertise. For more information, please visit www.carrickcapitalpartners.com.

About Forgepoint Capital

Forgepoint Capital is the most active cybersecurity venture capital firm in the world, with 37 active portfolio companies and the largest and most diverse team dedicated to investing in the sector. The firm brings over 100 years of proven company-building experience and its Advisory

Council of more than 75 senior executives across industries to back transformative companies protecting the digital future. Founded in 2015, Forgepoint has raised $770 million, deployed over $500 million, and empowered industry leaders such as 1Kosmos, Area 1 Security (Cloudflare), Attivo Networks (SentinelOne), BehavioSec (RELX), Bishop Fox, Cysiv (Forescout), Huntress, IronNet Cybersecurity (IRNT), Noname Security, NowSecure, ReversingLabs, Uptycs and more to reach their market potential. Learn more about Forgepoint at https://forgepointcap.com or follow us on LinkedIn.

About Bishop Fox Bishop Fox is the leading authority in offensive security, providing solutions ranging from continuous penetration testing, red teaming, and attack surface management to product, cloud, and application security assessments. We’ve worked with more than 25% of the Fortune 100, half of the Fortune 10, eight of the top 10 global technology companies, and all of the top global media companies to improve their security. Our Cosmos platform was named Best Emerging Technology in the 2021 SC Media Awards and our offerings are consistently ranked as “world class” in customer experience surveys. We’ve been actively contributing to and supporting the security community for almost two decades and have published more than 16 open-source tools and 50 security advisories in the last five years. Learn more at bishopfox.com or follow us on Twitter.

Bishop Fox Secures $75 Million in Growth Funding From Carrick Capital Partners

Vulnerability will remain a "significant" threat for years to come and highlighted the need for more public and private sector support for open source software ecosystem, Cyber Safety Review Board says.

The US Department of Homeland Security's Cyber Safety Review Board (CSRB) has concluded that the Apache Log4j vulnerability disclosed in December 2021 will remain a significant risk to organizations for the next decade or longer.

The recently formed board, made up of private industry and government cybersecurity experts, determined that the open source community is not adequately resourced to ensure the security of its code and requires broad assistance from stakeholders across the private and public sectors. In a report published, today, the board recommended that federal agencies — as some of the largest consumers of open source code — contribute to open source security and called on the government to consider funding investments to improve security of the ecosystem.

CSRB released a set of 19 high-level recommendations for organizations to mitigate exposure to Log4j-related attacks and other similar software supply chain risks going forward. The recommendations for organizations include looking for and replacing vulnerable Log4j versions, establishing processes to prevent re-introduction of vulnerable versions into the environment, and maintaining an accurate inventory of IT assets and applications.

**An Endemic Vulnerability**

The CSRB's conclusions and recommendations are based on its months-long investigation into the circumstances surrounding the Log4j vulnerability disclosure and the response to it from the open source community, technology vendors, and government and private organizations.

"The Board assesses that Log4j is an 'endemic vulnerability' and that vulnerable instances of Log4j will remain in systems for many years to come," the CSRB said a report Thursday that summarized its findings.

"Though exploitation of Log4j has been at lower levels than expected and there has been no big Log4j attacks on critical infrastructure targets, the threat is not diminished," the report noted. "Significant risk remains."

"The most important aspects of the CSRB report should not surprise anyone who understands the reality of our complex interconnected world," says Katie Moussouris, founder and CEO of Luta Security and a CSRB member. "We depend on open source technology that isn't as well-supported from a security standpoint even though we need it to be, to help combat threats," she says.

The DHS established CSRB in February 2022 in response to a cybersecurity Executive Order the Biden administration issued last May. The CSRB's mandate is to get security experts from government and private organizations to review and assesses significant security events so improvements can be at a national level to prevent similar incidents. The Log4j review was the CSRB's first mission.

Apache Log4j is an open source logging tool that is present in almost every single Java application environment. In November 2021, a security engineer with China's e-commerce giant Alibaba reported a vulnerability (CVE-2021-44228) in Log4j to its maintainer, the Apache Software Foundation (ASF). The vulnerability — in a Log4j component for data storage and retrieval called Java Naming and Directory Interface (JNDI) — basically gave attackers a way to take complete remote control of vulnerable systems. Public disclosure of the vulnerability on Dec. 9, 2021, triggered widespread concern because it was easy to exploit, was ubiquitously present, and had disastrous consequences.

Another major, continuing issue — and one that the CSRB highlighted in its report — is the fact that vulnerable versions of Log4j are often not easily detected because of how deeply embedded the component can be in many environments.

**A Preventable Catastrophe?**

The CSRB review showed that an individual member of the open source community submitted the vulnerable JNDI component for inclusion with Log4j back in 2013. The Log4j team accepted the component, and it was later integrated into thousands of applications that used Log4j. The Board determined that the vulnerability could have been detected back in 2013 if the Log4j team had someone with security skills to review the code, or if they had training in secure coding practices.

"Unfortunately, the resources to perform such a review were not available to the volunteer developers who led this open-source project in 2013," the Board said.

Investigators found that the organizations which responded most effectively to the Log4j vulnerability disclosure were also the ones that had effective asset and risk management processes in place and had the resources to mobilize quick action on an enterprisewide scale. But few organizations were able to mount that kind of response, or had the speed required to respond to a vulnerability of this magnitude, CSRB found. As a result, there was considerable delay in both their assessment of risk from the vulnerability and in their management of it. Many had to decide whether to upgrade to the fixed version of Log4j that the ASF released — and risk business disruption from potential application breakages — or leave the vulnerability untouched and risk attack.

"The Log4j event highlighted fundamental adoption gaps in vulnerability response practices and overall cybersecurity hygiene," the report said.

Moussouris says Log4j highlighted the critical need for organizations to know their assets and what versions of software are running on their critical systems. "What might surprise the public is that so few organizations actually have a current list of their critical assets and what software is running on their networks," she says. "We're not prepared to respond to the next library incident until that changes."

One major takeaway from CSRB's report is the need for more coordinated action around open source security. Often, widely used open source components such as Log4j are maintained by volunteer teams with little consideration for security. They typically do not have coordinated vulnerability disclosure and response teams to investigate reported vulnerabilities and to address them.

"To reduce recurrence of the introduction of vulnerabilities like Log4j, it is essential that public and private sector stakeholders create centralized resourcing and security assistance structures that can support the open-source community going forward," CSRB said.

**Increased Support for Open Source Ecosystem**

Eric Brewer, vice president of infrastructure at Google, says the report provides a positive and nuanced view of how organizations need to approach open source use in their environments. "If you are using open source, you can't expect other people to magically fix security issues for you," he says. Implicit in the use of open source code is the fact that organizations are consuming the software "as-is." That means they need to share responsibility for mitigating risk associated with it as well, Brewer says.

He welcomes the CSRB's call for increased investments around open source security and says what's also needed are more organizations that can serve as curators for major open source projects. Big companies such as Google could fix vulnerabilities in open source code that they themselves consume and then offer the curated software so others can safely use it. He points to other organizations such as Red Hat and Databricks, which offer curated versions of major open source projects, as other examples.

"Open source software is fundamentally managed differently than commercial software, but open source software plays a key role in the success of commercial software," says Tim Mackey, principal security strategy at Synopsys Cybersecurity Research Center. Organizations that depend on a commercial vendor to alert them of a problem in an open source component are presuming the vendor is properly managing their usage of open source and that they are able to identify and alert all users of their impacted software. To mitigate the risk, "software consumers should implement a trust-but-verify model to validate whether the software they're given doesn't contain unpatched vulnerabilities," Mackey says.

DHS Review Board Deems Log4j an 'Endemic' Cyber Threat

Attackers use scam security checks to steal victims' government documents, photos, banking information, and email passwords, researchers warn.

Researchers have discovered a new phishing kit that injects malware into legitimate WordPress sites and uses a fake PayPal-branded social engineering scam to trick targets into handing over their most sensitive data, including government documents, photos, and even banking information — under the guise of security controls. 

Akamai researchers said the attackers use a file management WordPress plug-in to deploy the phishing kit, which includes several checks on the connected IP addresses to evade detection of their known malicious domains. It also allows the threat actors to rewrite URLs without the .php at the end, making them look more like genuine addresses. 

Once up and running, the scam PayPal site asks victims to jump through a series of apparent security measures — even a CAPTCHA challenge — when the threat actors are simply grabbing the information for data and identity theft. 

"By using captcha immediately, telling the victim that there has been unusual account activity, and reinforcing 'trust' by utilizing 'new security measures' like proof of government identification, they are making the victim feel as if they are in a legitimate scenario," the Akamai team explains in their new report on the PayPal phishing kit. "The same methods that can ensure an identity is secure can ultimately lead to total identity theft — not just credit card numbers, but cryptocurrency accounts and anything else the threat actor wants to obtain." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Phishing Kit Hijacks WordPress Sites for PayPal Scam

Developers can now rest assured that the code they are using, as well as their GitHub accounts, are safe.

TEL AVIV, Israel , July 14, 2022 /PRNewswire/ -- Scribe Security, a leading software supply chain security solutions provider, announced today the release of Scribe Integrity, a code integrity validator that authenticates open-source and proprietary source code, and an integral building block of its platform solving the software supply chain security challenge. Scribe Integrity provides developers with an added layer of visibility, allowing developers peace of mind that the code they are using is safe. Scribe is simultaneously introducing its open-source Github security project, GitGat.

In 2021, software supply chain (SSC) attacks more than tripled, with recent attacks on SolarWinds, CodeCov, and Log4Shell underscoring the growing risk of such attacks to enterprises.

DevSecOps and security teams often focus on software vulnerabilities, overlooking the risk of tampering with software in the build process. Scribe bridges this gap in a practical manner by providing a convenient work tool that automatically reports integrity validation within a trusted software bill of materials SBOM.

Scribe leverages the principle of 'hash everything, sign everything', utilizing open-source intelligence that it collects on open-source dependencies. In this first release, Scribe's solution addresses the widely used Node.js and the popular npm package manager, which have recently suffered from a multitude of attacks.

Scribe's additional release, GitGat, is a Policy-as-Code tool, utilizing Open Policy Agent (OPA), an open source project, that addresses users' security posture. GitGat allows users to periodically run reports to gain insight into the changing security landscape of the organization. As GitGat evolves, it will cover more parts of the CI/CD toolchains.

"As software supply chains are an overlooked corner of the cyber world, they have become an increasingly attractive attack vector for hackers," said Scribe CEO and Co-founder, Rubi Arbel. "We are excited to be introducing a developer-first, practical tool that will give DevSecOps and security practitioners the assurance they need to trust the software they build and use."

**About Scribe**

Founded by cyber security and cryptography experts, Scribe Security develops a novel software supply chain security solution to increase trust in software products. For more information visit https://scribesecurity.com/

Scribe Security Releases Code Integrity Validator Alongside Github Security Open Source Project

Investment bolsters Shift5’s traction within commercial aerospace and defense industries.

Arlington, VA, July 14, 2022 (GLOBE NEWSWIRE) -- Shift5, the OT cybersecurity company that defends military platforms and critical transportation systems from cyberattacks, today announced that AEI HorizonX, AE Industrial Partners’ venture capital group formed in partnership with The Boeing Company, has joined the company as an investor in its oversubscribed Series B funding round led by Insight Partners. Through the longevity and deep networks of AE Industrial Partners and Boeing, AEI HorizonX will enable Shift5 to capitalize on its momentum within the broader aviation ecosystem.

“Amid a shifting regulatory environment, Shift5 brings to market a solution that has been long-needed in the aviation ecosystem,” said Brian Schettler, Partner, Head of AEI HorizonX. “The company’s ability to transform previously inaccessible data from within aircraft into useful insights, paired with the credibility of the company’s founders and its extensive work within the U.S. Department of Defense, make clear that Shift5 is blazing a trail that many will follow.”

Shift5 unlocks the serial networks and data that control planes, trains, and tanks, providing visibility into fleet assets where operators have historically been locked out. Shift5 allows operators to gain complete observability, detect threats, and maintain resilience of operational technology (OT) systems as cyber-physical attacks become an increasingly attractive strategy for digital attackers. By providing visibility into the data that powers their most expensive, longest-lived, and most consequential fleet assets, Shift5 allows rail, aerospace, and defense companies to make data-informed decisions once considered impossible, to improve cybersecurity and increase operational efficiency.

“As security leaders from CISA and FBI warn critical infrastructure operators about the risk of cyberattacks, it’s imperative that the transportation and defense industries heed these warnings,” said Josh Lospinoso, CEO and co-founder, Shift5. “The only way for aerospace and defense operators to ensure the resiliency of their business-critical assets is by gaining complete visibility into them. Access to OT data enables teams to have more productive discussions and make mission-critical decisions in real-time. We’re thrilled to work with AEI to bring modern cybersecurity capabilities and situational awareness to planes, trains, and tanks.”

“There’s a direct correlation between the OT data Shift5 can access and value delivered to an organization. The depth of access, accuracy of information, and usability of insights enable customers to gain federal compliance with strict industry regulations, make smarter business decisions, and enable greater safety aboard fleet assets,” said Joe Lea, President, Shift5. “Working with AEI will amplify our ability to help aerospace and defense organizations capitalize on the data existing above the wheels of their planes and weapon systems.”

To learn more about how the Shift5 is unlocking operational technology (OT) to help the world’s transportation and weapon systems defend against cyberattacks and improve operations, please visit https://shift5.io.

**About Shift5**  
Shift5 is the OT cybersecurity company that protects the world’s transportation infrastructure and weapons systems from cyberattacks. Created by founding members of the U.S. Army Cyber Command who pioneered modern weapons system cyber assessments, Shift5 defends military platforms and commercial transportation systems against malicious actors and operational failures. Customers rely on Shift5 to detect threats and maintain the resilience of a wide variety of operational technology systems, including aviation, rail and metro, defense, helicopters, and other heavy fleet machinery. For more information, visit https://shift5.io.

**About AE Industrial Partners  
**AE Industrial Partners is a private equity firm specializing in aerospace, defense & government services, space, power & utility services, and specialty industrial markets. AE Industrial Partners invests in market-leading companies that can benefit from its deep industry knowledge, operating experience, and relationships throughout its target markets. AE Industrial Partners is a signatory to the United Nations Principles for Responsible Investment and the ILPA Diversity in Action initiative. For more information, visit https://www.aeroequity.com.

AEI HorizonX Ventures Joins Shift5 Series B Funding Round

Professional Finance Company (PFC) was hit in February 2022 by a ransomware attack.

Debt-collection company Professional Finance Company (PFC) this month disclosed that data on healthcare patients from hundreds of its medical organization clients had been breached in a ransomware attack on the firm in February. PFC provides collection services for some 650 hospitals and healthcare facilities in the US.

"PFC found no evidence that personal information has been specifically misused," the company said its data breach disclosure notice, but added that "it is possible" some patient data was "accessed by an unauthorized third party."

Among that data: patient names, addresses, account balances, and in some instances, birth dates, Social Security numbers, health insurance information, and treatment data, PFC said. According to a report on Tech Crunch, PFC told the US Department of Health and Human Services that the attack affected 1.91 million patients.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Data of Nearly 2M Patients Exposed in Ransomware Attack on Healthcare Debt Collection Firm

Bitcoin is down more than 70% from its highs late last year, causing disruptions for cybercriminals and the underground exchanges that fuel the dark markets.

As the value of Bitcoin plunged in the last eight months, some security firms have observed an impact on ransomware activity.

Since the beginning of the year, for example, ransomware attacks have dropped by about a quarter, according to cybersecurity firm Arctic Wolf. In another measure of the disruption, most of the fly-by-night cryptocurrency exchanges serving to launder ransoms have stopped advertising their services, suggesting that as cash-outs surged — essentially, creating a bank run — they could not satisfy demand, according to a new blog post from cyber-threat intelligence firm Cybersixgill.

And according to new data released this week from the Identity Theft Resource Center, ransomware attacks leading to data breaches fell 20% in the second quarter of 2022 compared with the first quarter of this year, and have declined quarter over quarter.

Most major ransomware groups cash out cryptocurrency quickly, but smaller players are more likely to hold onto their assets, leading to a panicked response, says Dov Lerner, security research lead at Cybersixgill.

"I don't know how much reserves Binance or Coinbase might have, but these Dark Web exchanges, they certainly don't have millions of dollars in reserves," he says. "If everyone is dumping cryptocurrency for dollars, they can't keep up."

The volatility in cryptocurrency markets has led to massive disruption among the nascent companies attempting to find their place in what had been a burgeoning marketplace. This week, cryptocurrency lending firm Celsius Network filed for Chapter 11 bankruptcy after locking out customers from making withdrawals last month. Two other firms — crypto hedge fund Three Arrows Capital and Voyager Digital — have both declared bankruptcy in the past two weeks. The whereabouts of the two founders of Three Arrows Capital are currently unknown.

Behind the financial culling is a 71% drop in the value of Bitcoin — and similar drops in other cryptocurrencies — since November 2021.

    

Bitcoin has dropped 71% since its peak in November 2021. Chart: Robert Lemos, Source: Yahoo Finance historical prices

**Dark Web Shaken by Crypto's Decline**

The underground market has fared no better. In an analysis of 34 Dark Web cryptocurrency exchanges, which typically charge high fees of 2% to 15% of transactions for anonymity, Cybersixgill found that every one of them no longer advertises any capability to exchange cryptocoins for cash.

Yet cybercriminals are typically agnostic to fluctuations in cryptocurrency. They typically sell services and tools in US dollars, and they research business victims' revenues before making a ransom demand in dollars or euros.

"If the value of Bitcoin declines, ransomware attackers will simply ask for more Bitcoin," says Jackie Koven, head of threat intelligence at cryptocurrency-monitoring firm Chainalysis. "They generally cash out ransom payments quickly and do not hold them in crypto as investments."

The shake-up in Dark Web cryptocurrency exchanges could account for the drop in ransomware since the beginning of the year. However, cybercriminals may also be shifting tactics.

Business email compromise (BEC), for instance, has always outpaced ransomware in terms of profitability for the cybercriminals and damages to companies. In 2017, for example, ransomware accounted for only 0.2% of losses tracked by the Internet Crime Complaint Center (IC3), while BEC accounted for 27% of losses. In 2021, BEC accounted for 35% of dollar losses, while ransomware had climbed slightly to 0.7%, according to IC3 data.

As governments focus more on dissuading the criminal use of cryptocurrencies, schemes that do not rely on cryptocurrency — BEC steals actual funds from businesses — will take off, says Crane Hassold, director of threat intelligence for cybersecurity firm Abnormal Security. The company has observed a growing number of BEC-related emails over the past five years — a trend he expects to continue.

"Inserting more friction into cryptocurrency transactions and making them more difficult to use for illicit purposes ... are things that cybercriminals can't compensate for and would likely drive down the overall ROI for cryptocurrency-driving cybercrimes, like ransomware," he says, adding: "We've ... observed a growing number of more sophisticated actors from countries like Russia and Israel enter the BEC space in recent years, which indicates that an expanding population of actors are realizing how lucrative BEC attacks can be."

Other explanations for a drop in ransomware attacks include the disruption of the Conti — associated with an 18% drop in ransomware activity — and Russia's invasion of Ukraine, since both countries are home to some of the primary actors in the ransomware scene.

**"Ebb and Flow"**

However, other data suggests that ransomware groups are recovering quickly. Threat intelligence firm Digital Shadows found that the 88 data-leakage websites that it tracks had listed 705 victims in the second quarter of 2022, up 21% from the previous quarter.

The recovery suggests that ransomware groups are fairly immune to the price fluctuations in their primary way of monetizing infections. The groups have few other options for getting paid, and until cryptocurrency poses more risk, they will continue, says Mark Manglicmot, senior vice president of security services at Arctic Wolf.

"There is no good alternative to cryptocurrency at this point, so I don't see cybercriminals asking for anything else," he says. "I don't think that cryptocurrency will totally collapse and go away, so what we see happening — the ebb and flow — will continue."

However, the volatility may convince cybercriminals to make the handling of cryptocurrency more flexible in their tools kits. The cryptocurrency used in different campaigns could just be a swappable piece that cybercriminals will change regularly, like servers, IP addresses, and malware signatures, says Manglicmot.

"Changing the way they operate, changing the infrastructure, while maintaining the fundamental infrastructure behind the operations is something that they already do, so I could see them seeing them using one cryptocurrency for some time and then switching to another," he says. "It would be almost like diversifying their portfolio."

Source

DARKReading