Company says it is making changes to its security controls to prevent malicious insiders from doing the same thing in future; reassures bug hunters their bounties are safe.

HackerOne has fired one of its employees for collecting bug bounties from its customers after alerting them to vulnerabilities in their products — bugs that had been found by other researchers and disclosed privately to HackerOne via its coordinated vulnerability disclosure program.

HackerOne discovered the caper when one of its customers asked the organization to investigate a vulnerability disclosure that was made outside the HackerOne platform in June. The customer, like other clients of bug bounty programs, uses HackerOne to collect and report vulnerabilities in its products that independent security researchers might have discovered. In return, the company pays a reward — or bug bounty — for reported vulnerabilities.

In this instance, the HackerOne customer said an anonymous individual had contacted them about a vulnerability that was very similar to another bug in its technology that a researcher had previously submitted via the HackerOne platform.

Bug collisions — where two or more researchers might independently unearth the same vulnerability — are not uncommon. "However, this customer expressed skepticism that this was a genuine collision and provided detailed reasoning," HackerOne said in a report summarizing the incident. The customer described the individual — who used the handle "rzlr" — as using intimidating language in communicating information about the vulnerability, HackerOne said.

**Malicious Insider**

The company's investigation of the June 22, 2022, tip almost immediately pointed to multiple customers likely being contacted in the same manner. HackerOne researchers began probing every scenario where someone might have gained access to its vulnerability disclosure data: whether someone might have compromised one of its systems, gained remote access some other way, or if the disclosure had resulted from a misconfiguration. The data quickly pointed to the threat actor being an insider with access to the vulnerability data.

HackerOne's investigators then looked at their log data on employee access to vulnerability disclosures and found that just one employee had accessed each of the disclosures that customers reported as being suspicious. "Within 24 hours of the tip from our customer, we took steps to terminate that employee's system access and remotely locked their laptop pending further investigation," HackerOne said.

The company found the former employee had created a fictitious HackerOne account and collected bounties for a handful of disclosures. HackerOne worked with the relevant payment providers in each instance to confirm the bounties were paid into a bank account connected with the now-former employee. By analyzing the individual's network traffic, the investigators were also able to link the fictitious account to the ex-employee's primary HackerOne account.

**Undermining Trust**

Mike Parkin, senior technical engineer at Vulcan Cyber, says incidents like this can undermine the trust that is key to the success of crowdsourced vulnerability disclosure programs such as the one that HackerOne manages. "Trust is a big factor in vulnerability research and can play a large part in many bug bounty programs," Parkin says. "So, when someone effectively steals another researcher's work and presents it as their own, that foundational trust can be stretched."

Parkin praised HackerOne for being transparent and acting quickly to address the situation. "Hopefully this incident won't affect the vulnerability research ecosystem overall, but it may lead to deeper reviews of bug bounty submissions going forward," he says.

HackerOne said the former employee — who started only on April 4 — directly communicated with a total of seven of its customers. It urged any other customers that might have been contacted by an individual using the handle rzlr to contact the company immediately, especially if the communication had been aggressive or threatening in tone.

The company also reassured hackers who have signed up for the platform that their eligibility for any bounties they might receive for vulnerability disclosures had not been adversely impacted. "All disclosures made from the threat actor were considered duplicates. Bounties applied to these submissions did not impact the original submissions."

HackerOne said it would contact hackers whose reports the ex-employee might have accessed and attempted to resubmit. "Since the founding of HackerOne, we have honored our steadfast commitment to disclosing security incidents because we believe that sharing security information is essential to building a safer Internet," the company said.

Following the incident, HackerOne has identified several areas where it plans to bolster controls. These include improvements to its logging capabilities, adding employees to monitor for insider threats, enhancing its employee screening practices during the hiring process, and controls for isolating data to limit damage from incidents of this type.

Jonathan Knudsen, head of global research at Synopsys Cybersecurity Research Center, says HackerOne's decision to communicate clearly about the incident and its response to it is an example of how organizations can limit damage. "Security incidents are often viewed as embarrassing and irredeemable," he says.

But being completely transparent about what happened can increase credibility and garner respect from customers. "HackerOne has taken an insider threat incident and responded in a way that reassures customers that they take security very seriously, are capable of responding quickly and effectively, and are continuously examining and improving their processes," Knudsen says.

HackerOne Employee Fired for Stealing and Selling Bug Reports for Personal Gain

A widespread campaign uses more than 24 malicious NPM packages loaded with JavaScript obfuscators to steal form data from multiple sites and apps, analysts report.

A routine scan of the NPM open source code repository in April turned up several packages using a JavaScript obfuscator to hide their true function. 

After further investigation, analysts with ReversingLabs reported they have uncovered a campaign dating back at least six months that used more than two dozen malicious NPM modules to steal data from sites and applications. All together, the team found that 27,000 instances of the malicious NPM packages had been downloaded. 

"While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands, of downstream mobile and desktop applications as well as websites," the ThreatLabs researchers explained in a blog post. "In one case, a malicious package had been downloaded more than 17,000 times."

**Attack Relies on Typo-Squatting **

The attack relies on so-called typo-squatting, where threat actors disguise malicious code packages with names very close to legitimate ones, including subtle naming variations and common misspellings, the researchers said. 

For instance, one of the malicious packages lurking in the NPM repository is named "umbrellaks," an attempt to hijack developers looking for the popular document object model (DOM) framework "umbrellajs," the ReversingLabs team added. 

What makes this supply chain reminiscent of the SolarWinds attack, the analysts pointed out, is the fact that the target isn't the developer inadvertently using the malicious code but, rather, the target site or application further down the software supply chain.

"This attack marks a significant escalation in software supply-chain attacks," according to the ReversingLabs malicious NPM report. "Malicious code bundled within the NPM modules is running within an unknown number of mobile and desktop applications and web pages, harvesting untold amounts of user data."

Most of the malicious open source modules are still are still available, despite the analysts reporting their findings to NPM on July 1, they added. The report contains a list of affected packages.

Supply Chain Attack Deploys Hundreds of Malicious NPM Modules to Steal Data

As a result of browser market consolidation, adversaries can focus on uncovering vulnerabilities in just two main browser engines.

Everyone uses browsers to access a wide range of networked systems, from shopping sites to enterprise management. As a result, browsers collect tons of sensitive information — from passwords to credit card data — that hackers are eager to get their hands on.

Moreover, browser vendors frequently add new features, which increases the risk of flaws in program code that hackers can exploit. And even though there seem to be a lot of different Web browsers, there are actually just two open source browser engines. Chrome, Vivaldi, Brave, and many other browsers are all built on the same engine, Chromium.

Even Microsoft killed Internet Explorer in 2021 and switched to Chromium with Edge. The only surviving alternative to Chromium is Mozilla Firefox, which uses a different engine; all the other browsers are proprietary corporate tools like Apple Safari. As a result of this consolidation, adversaries can closely focus on undercovering the vulnerabilities in the two browser engines.

**The Latest Critical Web Browser Vulnerabilities  
**Every month, we see myriad serious new Web browser vulnerabilities. In the first half of 2022, Chrome has announced three zero-day vulnerabilities. By exploiting CVE-2022-0609, hackers can corrupt data and execute code on vulnerable systems. CVE-2022-1096, which was discovered in the wild, affects the JavaScript V8 engine. CVE-2022-1364, which was also discovered in the wild, can be exploited to trigger remote code execution on a targeted system, and affects not just the nearly 3 billion users of Chrome, but also everyone using any other Chromium-based browser.

Mozilla is not immune from vulnerabilities, either. So far in 2022, we've seen CVE-2022-22753, a high-severity vulnerability that can enable an adversary to get admin rights in Windows; CVE-2022-22753, which could be abused to gain access to an arbitrary directory; and CVE-2022-1802 and CVE-2022-1529, which could be exploited to enable JavaScript code execution.

The problem is not just serious but growing: In the first quarter of 2022 alone, Chrome fixed 113 vulnerabilities, 13% more than in the same period in 2021, while Firefox fixed 88 vulnerabilities, a 12% jump from the first quarter of 2021. These increases make browsers a top target for hackers.

**How Hackers Attack Browsers  
**Hackers use multiple techniques to exploit browser vulnerabilities. Occasionally, they will discover a vulnerability that enables them to download and execute malicious code when a user simply visits a compromised site. From there, the code can download other malicious packages or steal sensitive data. Plug-ins are a common vector for these "drive-by download" attacks.

A more common tactic, however, is for hackers to send phishing emails that contain exploit kits targeting Web browsers. Indeed, Cisco's 2021 cybersecurity threat trend report found that about 90% of data breaches were due to phishing. A person clicks on a link in a phishing email, which opens a malicious page in their browser, which can exploit an unpatched vulnerability in the browser to deploy malware or steal data stored in the browser. For example, Magnitude actively targeted Chromium in October 2021.

**Strategies to Mitigate Risk From Browser Vulnerabilities  
**Organizations should combine multiple techniques to reduce their risk from browser vulnerabilities. The first is to keep all browsers updated. However, patching browsers can be problematic. Research shows that 83% of users run versions of Chrome that are vulnerable to zero-day attacks that have already been identified by Google. One reason is simply that many users do not like rebooting their browsers, which is often required as part of an update.

Another barrier to patching is that many people install browsers under their user profiles, into folders that system administrators cannot access without special tools. To overcome these issues, automate patching for third-party apps, including browsers; ensure your IT teams can force reboots remotely in a way that is convenient to end users; and manage applications installed under user profiles.

The second measure is to enforce multifactor authentication (MFA) on all critical systems and services. That way, hackers will be unable to access those resources even if they manage to steal a user's credentials.

Third, regularly clear the browser history on users' machines to erase stored passwords, and to clear their cookies as well, since they can enable attackers to access services such as email without the user's credentials. Ensure your IT teams can perform these tasks remotely and, ideally, automate them.

Fourth, remember the human factor. Be sure to roll out an extensive cybersecurity awareness program that educates all your users about security best practices and why they should follow them. In particular, teach them how to spot phishing emails and why to avoid using browser plug-ins or extensions, especially those that don't receive regular updates. In addition, train them to choose strong and unique passwords for each website they visit and not to store passwords in their browsers; to facilitate this, give them a password management app.

Why Browser Vulnerabilities Are a Serious Threat — and How to Minimize Your Risk

The heap buffer-overflow issue in Chrome for Android could be used for DoS, code execution, and more.

A zero-day security vulnerability in Google Chrome for Android is being actively exploited in the wild, the Internet giant says.

The issue is a high-severity heap-buffer overflow bug (tracked as CVE-2022-2294) in WebRTC. WebRTC is an HTML5 specification that allows webpages to play real-time audio and video content inside the browser.

"Google is aware that an exploit for CVE-2022-2294 exists in the wild," the company said in its advisory on the issue.

As usual, Google is keeping the vulnerability's technical details close to the vest until a majority of users have updated their browsers, but heap-buffer overflows in general are memory issues that can lead to a range of bad outcomes if exploited. Possible outcomes include crashing the device, denial of service (DoS), remote code execution (RCE), and security-service bypasses.

Patrick Tiquet, vice president of security and architecture at Keeper Security, did some delving into the issue, and says that bug does indeed allow RCE.

"CVE-2022-2294 is a serious vulnerability that could lead to arbitrary remote code-execution by simply visiting a malicious website," he says. "This could enable an attacker to perform a variety of actions on a target system, such as install malware or steal information. Windows and Android Chrome users should ensure that they install the latest updates to protect themselves."  

To address the flaw, Google released Chrome 103 (103.0.5060.71) for Android on Monday – it said that the update would be rolling out on Google Play "over the next few days."

The update fixes two other security bugs as well: One is a high-severity type-confusion bug (CVE-2022-2295) in Google's V8 open source JavaScript engine, which earned a $7,500 bug bounty for reporters avaue and Buff3tts at S.S.L.; and the other is an unspecified fix that was discovered internally. Type-confusion issues can also lead to code execution, crashes, and logical efforts.

Tiquet adds, "Web browsers are essential applications that nearly all cloud-based services have in common and are therefore high-priority targets - compromise of a web browser could be leveraged to compromise any cloud-based service accessed by that browser."

**Fourth Exploited Chrome Zero-Day Bug in 2022**

The WebRTC flaw is the fourth zero-day in Chrome so far this year. Notably, in April Google disclosed a type-confusion vulnerability that is already being exploited in the wild (CVE-2022-1364), which affects the JavaScript and WebAssembly engine in the browser.

Another type-confusion problem in V8 (CVE-2022-1096) was patched in March; and the third was patched in February (CVE-2022-0609), after it was exploited by a North Korean-backed state advanced persistent threat, according to the Google Threat Analysis Group (TAG).

"With so many business and cloud applications depending on a web interface, browser vulnerabilities can be problematic," Mike Parkin, senior technical engineer at Vulcan Cyber, says. "Especially one as widely used as Chrome. It’s even worse when there are known exploits in the wild that leverage the vulnerability. Fortunately, Google has already developed patches for this vulnerability on both desktop and mobile platforms and will have them rolled out quickly."

Google Chrome WebRTC Zero-Day Faces Active Exploitation

Companies need to consider the cost to disengage from the cloud along with proactive risk management that looks at governance issues resulting from heavy use of low- and no-code tools.

Nearly 59% of businesses have accelerated their journey to digitalization while public cloud spending is seeing record growth and adoption in organizations worldwide. There is also a seismic shift in customer expectations when it comes to digital. Yet the business environment continues to remain fluid and uncertain. Decisions made for short-term gains are bound to inflict longer-term pain because such choices, made at speed, often tend to bite back. According to recent research, almost three-quarters of cyberattacks in the last 12 months can be attributed to technologies adopted during the pandemic.

The Information Security Forum (ISF) now believes that the technologies to manage customer and employee expectations that organizations have rapidly adopted to accelerate their digital transformation could slowly result in a dead end. By 2024, businesses will encounter three major cyber threats resulting from today's hasty technology decisions.

**Threat 1: The Cloud Risk Bubble Bursts**

The benefits bestowed by moving more and more operational and business infrastructure to the cloud will be seen to have a hidden and rising cost as this strategy begins to stifle the flexibility that organizations need to innovate and respond to incidents.

Organizations will find that their technology choices are stunted and their options for switching suppliers are limited by their reliance on particular cloud platforms and their partners. Further, several unforeseen issues surrounding trust such as governance, compliance, security, predictable pricing, performance, and resiliency might emerge.

As privacy regulations tighten around the world, data sovereignty is a major topic of concern. Businesses that fail to comply with local regulations will face lawsuits, investigations, penalties, and risk losing competitive edge, reputation, customer trust and confidence. Additionally, cloud mismanagement and misconfigurations (probably due to a widening cloud talent shortage) will continue to be a huge threat to organizations — an estimated 63% of security incidents are said to be caused by cloud misconfigurations.

**Threat 2: Activists Pivot to Cyberspace**

While social movements sparked from social media aren't new, ISF predicts that in the coming years traditional activists will increasingly leverage established cybercriminal attack patterns to score political points and halt what they regard as unethical or unnecessary corporate or government behavior. The Ukraine-Russia crisis is a great example of this where global hacktivists are coming to Ukraine's aid by collaborating on online forums and targeting Russian infrastructure, websites and key individuals with malicious software and crippling cyberattacks.

Activists can be motivated by moral, religious, or political beliefs; they can also serve as puppets of rogue nations or political regimes trying to gain competitive advantage or influence over foreign policy. As factories, plants, and other industrial installations leverage the power of edge computing, 5G, and IoT, online activism will enter a new era where these so-called "hacktivists" will increasingly target and sabotage critical infrastructure.

**Threat 3: Misplaced Confidence Disguises Low-Code Risks**

Resource constraints and the shortage in supply of software developers is giving rise to no-code, low-code technologies — platforms that nondevelopers use to create or modify applications. Per Gartner, 70% of new applications will be developed using low-code and no-code technologies by 2025.

However, low-code/no-code technologies present some serious risks. As these tools permeate organizations, the challenging work of ensuring that developers follow secure guidelines when creating apps and code will be undermined. Enthusiastic users keen to get their projects running will turn to these tools beyond the oversight of the IT teams, creating shadow development communities that are ignorant of compliance demands, security standards, and data-protection requirements. According to recent research, governance, trust, application security, visibility, and knowledge/awareness are some of the major concerns cited by security experts surrounding low-code/no-code tools.

**What Can Organizations Do to Protect Themselves?**

ISF outlines best practices that can help mitigate above-mentioned risks:

*   Organizations must seek clarity internally regarding cloud strategy and ensure that it meets desired business outcomes. In the short term, organizations should enumerate their cloud footprint to determine current levels of integration and highlight any potential lock-ins. Next, they must establish appropriate governance around cloud orchestration to ensure understanding of the overall footprint, and control of its sprawl. In the longer run, businesses must maintain dedicated in-house or perhaps third-party teams to oversee the development of the cloud both from a supplier management standpoint and from a technical architecture and operations perspective. They must identify and understand single points of failure and mitigate against those points of failure by building in redundancy and parallel processing.

*   Security practitioners must take a broad view of how their organization works and assess the likelihood of them being targeted. Ethical and geopolitical motivations should be considered when drawing up a list of potential adversaries. They must also engage with threat-intelligence teams to identify early indicators of compromise, conduct purple team exercises on remote installations to determine whether they can withstand attacks, and monitor access to mission-critical information assets to deter insiders keen on harming the organization. It's also important that they develop relationships with other departments to combat multivector attacks.

*   Investigations must be set up to uncover applications that are being produced by no-code/low-code tools. This starts with defining policies and procedures and then assessing their organization's use of no-code/low-code tools and discovering which applications have been created with them. Some employees may not be aware that they are using them or might even fail to declare their existence. So, this comes back to things like training, awareness, and monitoring. It is also recommended that security teams investigate data use by application, to see if business data and information is being accessed by these tools or resulting programs. This is a large task and shouldn't be underestimated.

The reality is that technology evolves so fast that it's nearly impossible to factor in all security risks. What businesses need is proactive risk management. This means regular assessment of where your organization is, regular assessment of where your vulnerabilities lie, regular assessment of your security priorities, and regular security training for your employees and extended partner ecosystem.

3 Cyber Threats Resulting From Today's Technology Choices to Hit Businesses by 2024

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

You don't have to be in the security biz for safety to be your top concern. What do you think is going on here? Send us your caption ideas for the above cartoon, and the winner of The Edge's July contest will receive a $25 Amazon gift card. We offer four convenient ways for you to submit your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge July 2022 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn_._

The contest closes on Wednesday, July 28, 2022.

**Last Month's Winner**

Many readers stepped up to the plate with witty captions for last month's cartoon contest. (We thank you!) Congratulations go to Beth Lawler, case manager at Lowenstein Sandler LLP, for the caption appears below. Your Amazon gift card is on the way.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: On Guard

Dark Reading's digest of the other don't-miss stories of the week, including YouTube account takeovers and a sad commentary on cyber-pro hopelessness.

There's no such thing as a slow week for cybercrime, which means that covering the waterfront on all of the threat intelligence and interesting stories out there is a difficult, if not impossible, task. This week was no exception and, in fact, seemed to offer a veritable trove of important happenings that we would be remiss not to mention.

To wit: Dangerous malware campaigns! Info-theft! YouTube Account Takeovers! Crypto under siege! Microsoft warnings!

In light of this, Dark Reading is debuting a weekly "in case you missed it" (ICYMI) digest, rounding up important news from the week that our editors just didn't have time to cover before.

This week, read on for more on the following, ICYMI:

*   Smart Factories Face Snowballing Cyberactivity
*   Lazarus Group Likely Behind $100M Crypto-Heist
*   8220 Gang Adds Atlassian Bug to Active Attack Chain
*   Critical Infrastructure Cyber Pros Feel Hopeless
*   Hacker Impersonates TrustWallet in Crypto Phishing Scam
*   Cookie-Stealing YTStealer Takes Over YouTube Accounts
*   Follina Bug Used to Spread XFiles Spyware

**Smart Factories Face Snowballing Cyberactivity**

A whopping 40% of smart factories globally have experienced a cyberattack, according to a survey out this week.

Smart factories – in which industrial Internet of things IIoT) sensors and equipment are used to reduce costs, obtain telemetry, and bolster automation – are officially a thing, with the digitization of manufacturing well underway. But cyberattackers are taking notice too, according to Capgemini Research Institute.

Among sectors, heavy industry faced the highest volume of cyberattacks (51%). Those attacks take many forms, too: 27% of firms have seen an increase of 20% or more in bot-herders taking over IIoT endpoints for distributed denial-of-service (DDoS) attacks; and 28% of firms said they have seen an increase of 20% or more in employees or vendors bringing in infected devices, for instance.

"With the smart factory being one of the emblematic technologies of the transition to digitization, it is also a prime target for cyberattackers, who are scenting new blood," according to the report.

At the same time, the firm also uncovered that in nearly half (47%) of organizations, smart factory cybersecurity is not a C-level concern.

**Lazarus Group Likely Behind $100M Crypto-Heist**

Security researchers are laying the $100 million hack of the Horizon Bridge crypto exchange at the feet of North Korea's notorious Lazarus Group advanced persistent threat.

Horizon Bridge enables users of the Harmony blockchain to interact with other blockchains. The heist occurred June 24, with the culprits making off with various cryptoassets, including Ethereum (ETH), Tether (USDT), Wrapped Bitcoin (WBTC), and BNB.

According to Elliptic, there are strong indications that Lazarus is behind the incident. The group not only carries out classic APT activity like cyber-espionage, but also acts as a money-earner for the North Korean regime, researchers noted.

The thieves in this case have so far sent 41% of the $100 million in stolen crypto assets into the Tornado Cash mixer, Elliptic noted, which essentially acts as a money launderer.

**8220 Gang Adds Atlassian Bug to Active Attack Chain**

The 8220 Gang has added the latest critical security vulnerability affecting Atlassian Confluence Server and Data Center to its bag of tricks in order to distribute cryptominers and an IRC bot, Microsoft warned this week.

The Chinese-speaking threat group has been actively exploiting the bug since it was disclosed in early June.

"The group has actively updated its techniques and payloads over the last year. The most recent campaign targets i686 and x86\_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access," Microsoft's Security Intelligence Centre tweeted.

**Critical Infrastructure Cyber Pros Feel Hopeless**

A staggering 95% of cybersecurity leaders at critical national infrastructure organizations in the UK say they could see themselves leaving their jobs in the next year.

According to a survey from Bridewell, 42% feel a breach is inevitable and don't want to tarnish their career, while 40% say they are experiencing stress and burnout which is impacting their personal life.

Meanwhile more than two -thirds of the respondents say that the volume of threats and successful attacks has increased over the past year – and 69% say it is harder to detect and respond to threats.

**Hacker Impersonates TrustWallet in Crypto Phishing Scam**

More than 50,000 phishing emails sent from a malicious Zendesk account made their way to email boxes in recent weeks, looking to take over TrustWallet accounts and drain funds.

TrustWallet is an Ethereum wallet and a popular platform for storing non-fungible tokens (NFTs). Researchers at Vade said that the phish impersonates the service, using a slick and convincing TrustWallet-branded site to ask for users' password recovery phrases on a sleek TrustWallet phishing page.

The emails, meanwhile, are unlikely to trigger email gateway filters, since they're being sent from Zendesk.com, which is a trusted, high-reputation domain.

"As NFTs and cryptocurrencies overall have seen a significant downturn in recent weeks, on-edge investors are likely to react quickly to emails about their crypto accounts," according to Vade's analysis this week.

**Cookie-Stealing YTStealer Takes Over YouTube Accounts**

A never-before-seen malware-as-a-service threat has emerged on Dark Web forums, aimed at taking over YouTube accounts.

Researchers at Intezer noted that the malware, which it straightforwardly calls YTStealer, works to steal YouTube authentication cookies from content creators in order to feed the underground demand for access to YouTube accounts. The cookies are extracted from the browser’s database files in the user’s profile folder.

"To validate the cookies and to grab more information about the YouTube user account, the malware starts one of the installed web browsers on the infected machine in headless mode and adds the cookie to its cookie store," according to the analysis. "\[That way\] the malware can operate the browser as if the threat actor sat down on the computer without the current user noticing anything."

From there, YTStealer navigates to YouTube’s Studio content-management page and nabs data, including the channel name, how many subscribers it has, how old it is, if it is monetized, if it's an official artist channel, and if the name has been verified.

**Follina Bug Used to Spread X-Files Spyware**

A rash of cyberattacks is underway, looking to exploit the Microsoft Follina vulnerability to lift scores of sensitive information from victims.

Follina is a recently patched remote code-execution (RCE) bug that's exploitable through malicious Word documents. It started life as an unpatched zero-day that quickly caught on among cybercrime groups.

According to a Cyberint Research Team report shared with Dark Reading via email, analysts found several XFiles stealer campaigns where Follina vulnerability was exploited as part of the delivery phase.

"The group that is selling the stealer is a Russia-region based and is currently looking to expand," researchers said. "Recent evidence suggests worldwide threat actor campaigns \[underway\]."

The stealer sniffs out data from all Chromium-based browsers, Opera, and Firefox, including history, cookies, passwords, and credit card information. It also lifts FTP, Telegram and Discord credentials, and looks for predefined file types that are located on the victim's Desktop along with a screenshot. It also targets other clients, such as Steam, and crypto-wallets.

ICYMI: A Microsoft Warning, Follina, Atlassian, and More

OpenSea warns users that they are likely to be targeted in phishing attacks after a vendor employee accessed and downloaded its email list.

OpenSea, the largest nonfungible token (NFT) marketplace, this week announced that an employee of one of its email vendors, Customer.io, accessed and downloaded the company's email list. It added that anyone who has ever shared their email address with the platform in the past should assume they are impacted. 

OpenSea currently has nearly 2 million users. 

"Please be aware that malicious actors may try to contact you using an email address that looks visually similar to our official email domain, ‘opensea.io’ (such as ‘opensea.org’ or some other variation)," the company told its users in a statement about the data leak. 

Paul Laudanski, head of threat intelligence at email security company Tessian, notes that insider abuse is inherently difficult to discover and even more so when the individual is an authorized user. He advises all organizations to examine third-party risk management protocols and have a clear understanding of how and where data is stored.

“The data breach disclosed today is a stark reminder of the dangers of insider threats," he says. "In this case, an authorized user misused their employee access to download and share email addresses of OpenSea’s users and newsletter subscribers with an unauthorized external party."

The company is working with law enforcement to investigate the incident, according to the OpenSea statement.

**Lucrative Dataset for Cybercrooks**

Stephen Banda, a senior manager at Lookout, says the breach was most likely financially motivated, given that the OpenSea email list is a potentially lucrative dataset for cybercriminals.

"There is a lucrative market for stolen information and credentials.," he notes. "In this case, 2 million email addresses of customers of the world’s biggest marketplace for NFTs will be highly attractive to bad actors looking to launch broad phishing attacks."

It's also likely that attackers will use the email list to steal NFTs from unsuspecting OpenSea users, predicts Karl Steinkamp, director at Coalfire. 

"The disclosure of the email list certainly gives the attacker a solid base of active individuals from which to attempt to steal their NFTs and, likely, distribute malware," Steinkamp warns. "Individuals and companies who receive emails from OpenSea about new and ongoing activities should instead conduct these manually through the opensea.io website." 

As more businesses turn to NFTs for marketing and brand-awareness purposes, Laudanski says they should keep in mind that the OpenSea incident is part of a larger phenomenon of cybercriminals taking notice of the segment.

"Generally, we are seeing a trend emerge with attacks on crypto startups with hackers attempting to get transactions signed by wallet owners through fraudulent means," he notes. "Today’s announcement should serve as a wake-up call for all crypto startups to take audit of their security measures and practices and those of their third-party partners and outside vendors."

OpenSea NFT Marketplace Faces Insider Hack

Even as more attacks target humans, lack of dedicated staff, relevant skills, and time are making it harder to develop a security-aware and engaged workforce, SANS says.

The increasingly complex threat landscape and the porous IT environment – driven by the shift to permanent remote/hybrid work and digital transformation – make the need for a security-aware workforce and healthy security culture more critical than ever. Enterprise defenders say that phishing and social-engineering attacks, ransomware, and business email compromise (BEC) are among their biggest day-to-day headaches.

Security awareness programs can help lessen them, but no one seems to have time to create them, according to the "SANS 2022 Security Awareness Report." The three top challenges for building a mature awareness program cited are lack of time for project management, limits on time available to train employees, and not having enough time to focus on security awareness because of staffing shortages. Lack of budget and lack of leadership support also made the list.

“People have become the primary attack vector for cyberattackers around the world,” says Lance Spitzner, SANS Security Awareness director and co-author of the SANS report. "Humans rather than technology represent the greatest risk to organizations, and the professionals who oversee security awareness programs are the key to effectively managing that risk."

Security awareness professionals lack relevant skills, the report shows. Security awareness responsibilities are very commonly assigned to staff with highly technical backgrounds who may lack the skills needed to effectively engage their workforce and communicate security risks in simple-to-understand terms, according to the report.

More than 69% of security awareness professionals are spending less than half their time on security awareness, the report also shows. That's because they have other security responsibilities. Enterprises should focus on having more professionals focused on security awareness rather than making it part of an already long to-do list. The report encourages documenting and contrasting how many people on the security team are focused on technology versus how many on the team are focused on human risk in order to create a case for a more dedicated team.

The report suggests that a successful security awareness program requires strong leadership support, a larger dedicated team, and a training schedule for employees that emphasizes frequency. Organizations should also communicate to, interact with, or train their workforces at least once a month. Keeping training simple and easy to follow is key toward an engaged workforce, the report says.

“Organizations can no longer justify an annual training to check the compliance box, and it remains critical for organizations to dedicate enough personnel, resources, and tools to manage their human risk effectively," said Spitzner.

Time Constraints Hamper Security Awareness Programs

The latest evolution in social engineering could put fraudsters in a position to commit insider threats.

Security experts are on the alert for the next evolution of social engineering in business settings: deepfake employment interviews. The latest trend offers a glimpse into the future arsenal of criminals who use convincing, faked personae against business users to steal data and commit fraud.

The concern comes following a new advisory this week from the FBI Internet Crime Complaint Center (IC3), which warned of increased activity from fraudsters trying to game the online interview process for remote-work positions. The advisory said that criminals are using a combination of deepfake videos and stolen personal data to misrepresent themselves and gain employment in a range of work-from-home positions that include information technology, computer programming, database maintenance, and software-related job functions.

Federal law-enforcement officials said in the advisory that they’ve received a rash of complaints from businesses.

“In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking,” the advisory said. “At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually.”

The complaints also noted that criminals were using stolen personally identifiable information (PII) in conjunction with these fake videos to better impersonate applicants, with later background checks digging up discrepancies between the individual who interviewed and the identity presented in the application.

**Potential Motives of Deepfake Attacks**

While the advisory didn’t specify the motives for these attacks, it did note that the positions applied for by these fraudsters were ones with some level of corporate access to sensitive data or systems.

Thus, security experts believe one of the most obvious goals in deepfaking one's way through a remote interview is to get a criminal into a position to infiltrate an organization for anything from corporate espionage to common theft.

“Notably, some reported positions include access to customer PII, financial data, corporate IT databases and/or proprietary information,” the advisory said.

“A fraudster that hooks a remote job takes several giant steps toward stealing the organization’s data crown jewels or locking them up for ransomware,” says Gil Dabah, co-founder and CEO of Piiano. “Now they are an insider threat and much harder to detect.”

Additionally, short-term impersonation might also be a way for applicants with a “tainted personal profile” to get past security checks, says DJ Sampath, co-founder and CEO of Armorblox. 

“These deepfake profiles are set up to bypass the checks and balances to get through the company's recruitment policy," he says.

There’s potential that in addition to getting access for stealing information, foreign actors could be attempting to deepfake their way into US firms to fund other hacking enterprises.

“This FBI security warning is one of many that have been reported by federal agencies in the past several months. Recently, the US Treasury, State Department, and FBI released an official warning indicating that companies must be cautious of North Korean IT workers pretending to be freelance contractors to infiltrate companies and collect revenue for their country,” explains Stuart Wells, CTO of Jumio. “Organizations that unknowingly pay North Korean hackers potentially face legal consequences and violate government sanctions.”

**What This Means for CISOs**

A lot of the deepfake warnings of the past few years have been primarily around political or social issues. However, this latest evolution in the use of synthetic media by criminals points to the increasing relevance of deepfake detection in business settings.

“I think this is a valid concern,” says Dr. Amit Roy-Chowdhury, professor of electrical and computer engineering at University of California at Riverside. “Doing a deepfake video for the duration of a meeting is challenging and relatively easy to detect. However, small companies may not have the technology to be able to do this detection and hence may be fooled by the deepfake videos. Deepfakes, especially images, can be very convincing and if paired with personal data can be used to create workplace fraud.”

Sampath warns that one of the most disconcerting parts of this attack is the use of stolen PII to help with the impersonation.

“As the prevalence of the DarkNet with compromised credentials continues to grow, we should expect these malicious threats to continue in scale,” he says. “CISOs have to go the extra mile to upgrade their security posture when it comes to background checks in recruiting. Very often these processes are outsourced, and a tighter procedure is warranted to mitigate these risks.”

**Future Deepfake Concerns**

Prior to this, the most public examples of criminal use of deepfakes in corporate settings have been as a tool to support business email compromise (BEC) attacks. For example, in 2019 an attacker used deepfake software to impersonate the voice of a German company’s CEO to convince another executive at the company to urgently send a wire transfer of $243,000 in support of a made-up business emergency. More dramatically, last fall a criminal used deepfake audio and forged email to convince an employee of a United Arab Emirates company to transfer $35 million to an account owned by the bad guys, tricking the victim into thinking it was in support of a company acquisition.

According to Matthew Canham, CEO of Beyond Layer 7 and a faculty member at George Mason University, attackers are increasingly going to use deepfake technology as a creative tool in their arsenals to help make their social engineering attempts more effective.

“Synthetic media like deepfakes is going to just take social engineering to another level,” says Canham, who last year at Black Hat presented research on countermeasures to combat deepfake technology.

The good news is that researchers like Canham and Roy-Chowdhury are making headway on coming up with detection and countermeasures for deepfakes. In May, Roy-Chowdhury’s team developed a framework for detecting manipulated facial expressions in deepfaked videos with unprecedented levels of accuracy.

He believes that new methods of detection like this can be put into use relatively quickly by the cybersecurity community.

“I think they can be operationalized in the short term -- one or two years -- with collaboration with professional software development that can take the research to the software product phase,” he says.

Source

DARKReading