The 14th defendant behind The Infraud Organization contraband marketplace has been sentenced, this time for one count of racketeering.

Stolen identities, compromised credit-card data, computer malware, and more were collected and sold by The Infraud Organization, a transnational cybercrime syndicate — and the Department of Justice estimates the activity cost victims more than $568 million. 

Now a member of the cybercrime group has been sentenced to four years in prison for his role in Infraud: a 37-year-old Brooklyn, NY, resident named John Telusma, who pleaded guilty to one count of racketeering. He's the 14th defendant sentenced in the case.

The DoJ said Telsuma joined the Infraud Organization in August 2011 and over the subsequent five-and-a-half years became one of the "most prolific and active members of the Infraud organization, purchasing and fraudulently using compromised credit-card numbers for his own personal gain," the DoJ announcement of the sentencing said. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Scammer Behind $568M International Cybercrime Syndicate Gets 4 Years

The Chaos ransomware-builder was known for creating destructor malware that overwrote files and made them unrecoverable -- but the new Yashma version finally generates binaries that can encrypt files of all sizes.

The Chaos malware-builder, which climbed up as a wiper from the underground murk nearly a year ago, has shape-shifted with a rebranded binary dubbed Yashma that incorporates fully fledged ransomware capabilities.

That's according to researchers at BlackBerry, who say that Chaos is on track to become a significant threat to businesses of every size.

Chaos began life last June purporting to be a builder for a .NET version of the Ryuk ransomware – a ruse its operators leaned into hard, even using Ryuk branding on its user interface. However, a Trend Micro analysis at the time showed that binaries created with this initial version shared very little heritage with the well-known ransomware baddie. Instead, the sample was “more akin to a destructive trojan than to traditional ransomware,” the firm noted – mainly overwriting files and rendering them unrecoverable.  

BlackBerry researchers noted the same. Rather than using Ryuk’s AES/RSA-256 encryption process, the "initial edition of Chaos overwrites the targeted file with a randomized Base64 string," according to BlackBerry's new report. "Because the original contents of the files are lost during this process, recovery is not possible, thus making Chaos a wiper rather than true ransomware."

After putting the builder out in underground forums and catching plenty of snark and flak by fellow Dark Web denizens for hijacking the Ryuk brand, the group consequently named itself Chaos. The malware also cycled rapidly through several different versions, each with incremental changes that gave it more and more true ransomware capabilities. However, the wiper functionality persisted through version four.

"Based on the forums, the original ransomware is believed to be developed by a solo author," Ismael Valenzuela, vice president of threat research & intelligence at BlackBerry’s Cybersecurity Business Unit, tells Dark Reading. "This author appears new to the ransomware scene, as they were requesting feedback, bug reports, and feature requests, and the early releases were missing basic features, such as multi-threading, which are common in other ransomware."

**Inside the Chaos**

Chaos targets more than 100 default file extensions for encryption and also has a list of files it avoids targeting, including .DLL, .EXE, .LNK, and .INI – presumably to prevent crashing a victim’s device by locking up system files.

In each folder affected by the malware, it drops the ransom note as “read\_it.txt.”

"This option is highly customizable within all iterations of the builder, giving malware operators the ability to include any text they want as the ransom note," according to BlackBerry's analysis. "In all versions of Chaos Ransomware Builder, the default note stays relatively unchanged, and it includes references to the Bitcoin wallet of the apparent creator of this threat."

Over time, the malware has added more sophisticated capabilities, such as the ability to:

*   Delete shadow copies
*   Delete backup catalogs
*   Disable Windows recovery mode
*   Change the victim’s desktop wallpaper
*   Customizable file-extension lists
*   Better encryption compatibility
*   Run on startup
*   Drop the malware as a different process
*   Sleep prior to execution
*   Disrupt recovery systems
*   Propagate the malware over network connections
*   Choose a custom encryption file-extension
*   Disable the Windows Task Manager

Actual encryption capabilities (using AES-256) have been included only since the third version of the malware; even then, the builder could only encrypt files smaller than 1MB. It was still acting as a destructor for large files (such as photos or videos).

"The code is written in such a way that the wiper function is certainly not accidental. It's unclear why the authors made this choice," Valenzuela says. "It's possible the malware authors made the decision for performance reasons. If the malware was working slowly through a directory of multi-GB videos or database files, there's a small chance the user might notice and be able to power off the device."

**Chaos, Version Four: 'Onyx' Ransomware, Still With Wiper**

Though version four of the Chaos builder was released late last year, it got a boost when a threat group named Onyx created its own ransomware with it last month. This version quickly became the most common Chaos edition directly observed in the wild today, according to the firm. Notably, while the ransomware was improved to be able to encrypt slightly larger files – up to 2.1MB in size – larger files are still overwritten and destroyed.

The latest attacks have been directed toward US-based services and industries, including emergency services, medical, finance, construction, and agriculture, according to BlackBerry.

"This particular threat group \[infiltrates\] a victim organization's network, \[steals\] any valuable data it found, then would unleash 'Onyx ransomware,' their own branded creation based on Chaos Builder v4.0," researchers said – something researchers were able to verify with sample tests that showed a 98% code match to a test sample generated via Chaos v4.0. The only changes were a customized ransom note and a refined list of file extensions.

Onyx has also implemented a leak site called “Onyx News” hosted on the Tor network, with information about its victims and publicly viewable stolen data. The site is also used to give victims more information on how to recover their data.

"The best advice we could offer companies \[targeted with the Onyx wiper\] is to maintain regular backups, which are stored separately, and to not pay the ransom as most of their files are not recoverable due to design," says Valenzuela. "Again, proper incident command is paramount, something that is always better planned in advance."

**Chaos Wiper Reined in With Yashma**

In early 2022, Chaos released a fifth version of its builder, which finally generated ransomware binaries capable of encrypting large files without irretrievably corrupting them.

"Though slower to complete its malicious tasks on the victim device than when it was simply destroying files, the malware finally operates as expected, with files of all sizes being properly encrypted by the malware and retaining the potential to be restored to their former unencrypted state," researchers noted.

A nearly identical sixth iteration soon followed in mid-2022 – renamed Yashma.

"Malware-as-a-service \[MaaS\] is a popular model these days; however, a unique selling point for Chaos is that up until the rebrand to Yashma, all releases have been free," Valenzuela notes. "That said, the Yashma versions are still only $17, making the ransomware widely accessible."

Yashma incorporates two advances over the fifth version: the ability to prevent the ransomware from running depending on the language set on the victim device, and the ability to stop various services.

Regarding the latter, Yashma terminates the following:

*   Antivirus (AV) solutions
*   Vault services
*   Backup services
*   Storage services
*   Remote Desktop services

Both of these versions have seen little action in the wild to date – meaning that Chaos ransomware attacks will most often incorporate a destructive wiper dimension. But it's likely that binaries based on all of the iterations of the builder will become more common over time.

"What makes Chaos/Yashma dangerous going forward is its flexibility and its widespread availability," researchers noted in the report. "As the malware is initially sold and distributed as a malware builder, any threat actor who purchases the malware can replicate the actions of the threat group behind Onyx, developing their own ransomware strains and targeting chosen victims."

**Every Business Is a Target**

Valenzuela points out that with Chaos, the level of technical expertise required to use it is relatively low, the builder is free, and the steps required to generate a binary of one's own are straightforward.

"No organization or industry is exempt from this risk," he said. "Every business needs to have a good defensive strategy – including a tested defensible architecture with a combination of technologies that provide prevention, visibility, and detection coverage, as well as continuous monitoring augmented with up-to-date threat intelligence – to respond early in the attack chain."

Valenzuela adds, "We have seen how many businesses have been compromised for days or weeks before the detonation of the ransomware payloads, so being able to respond to threats quickly is paramount to lessen the impact of these attacks."

New Chaos Malware Variant Ditches Wiper for Encryption

The malware’s abuse of PowerShell makes it more dangerous, allowing for more advanced attacks such as ransomware, fileless malware, and malicious code memory injections.

The browser-hijacking malware known as ChromeLoader is becoming increasingly widespread and growing in sophistication, according to two advisories released this week. It poses a big threat to business users.  

ChromeLoader is a sophisticated malware that uses PowerShell, an automation and configuration management framework, to inject itself into the browser and add a malicious extension. This kind of threat drastically increases the attack surface, as today’s enterprises rely more on software-as-a-service (SaaS) apps amid flexible working environments and diverse endpoints.

“The browser is the front door to the Internet, and therefore the user’s first line of defense when they access SaaS applications,” Ohad Bobrov, Talon Cyber Security's CTO and co-founder, tells Dark Reading. “Attackers have identified the browser as an opportunity to steal remote information from SaaS applications, as well as create malicious extensions they can easily manipulate.”  

In this case, the malware is using malicious optimal disc image (ISO) files — often hidden in cracked or pirated versions of software or games — to take over the browser and redirect it to display bogus search results in a malvertising scheme.  

Both a MalwarebytesLabs advisory and a Red Canary warning point out that ChromeLoader’s abuse of PowerShell, combined with the use of ISO files, make ChromeLoader particularly aggressive.

“PowerShell, like any other advanced shell, can be used as an administration tool to automate tasks,” explains Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation. “Admins use benign shell scripts for myriad tasks because they can be versatile and easily accessible on almost every platform.”

He points out that the use of an ISO file to carry the script, which then drops a malicious extension, is not a new technique, but it remains effective because ISOs are still commonly used in business settings. While this campaign is relying on a ruse of pirated software, ISOs are also important in network and system management and are used for installing packages on servers and containers. Linux is installed via ISO, as are some Windows upgrades.

**Infecting the Browser Helps Bypass Security Measures**

Parkin adds that with so many applications being now browser-based, it’s a logical place for cybercriminal to put their malicious code.

In addition, the browser is an application that is not monitored by most security programs, and extensions are usually not scanned by most endpoint protection solutions to determine whether they are malicious.

“By infecting the browser, the attacker gets around a number of security measures, such as traffic encryption, that would otherwise impede their attack,” Parkin says. “It’s like adding a malicious hard drive to your system.”

Having access to a browser provides attackers access to victim data and could, in some cases, provide the opportunity to perform actions on the compromised person's behalf. With such easy access and high-value information inside browsers, malware operators can achieve big results for minimal effort.

To boot, ChromeLoader's capabilities do not end with installing malicious extensions — it could carry out more advanced attacks as well.

“Most security tools don't detect it,” says Talon's Bobrov. “The fact that ChromeLoader abuses PowerShell makes it incredibly dangerous, since this can allow for more advanced attacks, such as ransomware, fileless malware, and malicious code memory injections.”

He adds that ISO files can hold a lot of data, so there's plenty of room for malware to hide. In addition, these files are confusing for end users and have some automatic actions that the operating system might perform.

**Cyber Hygiene, User Education Needed to Stop Malicious ISO Files**

Bobrov says that to prevent exposure to malicious ISO files, the first step is related to basic cyber hygiene: You need to understand and trust the data you download and where you download it from.

“Do not launch ISO files that are not from trusted sources, and never run files inside ISO without verifying their safety,” he advises. “When browsing the Internet, make sure you have security controls in place to help monitor the websites you browse and help protect you from malicious content.”

From Parkin’s perspective, user education is a good first step to prevent exposure to malicious ISO files, which includes teaching users to be wary of downloading suspect files. (Any cracked software falls into this bucket.)

“Beyond user education, admins can deploy tools and enforce policies that restrict mounting ISO files, though that may be a challenge in \[bring-your-own-device\] BYOD environments,” he says.

A step beyond that is using remote desktop environments such as VNC, Citrix, or Windows Remote Desktop, which can shift policy enforcement back into the IT admin’s hands.

ChromeLoader Malware Hijacks Browsers With ISO Files

Here's how physical security teams can integrate with the business to identify better solutions to security problems.

The responsibilities of physical security teams have expanded well beyond traditional security roles. However, these security teams all too often are seen only as a cost center instead of being recognized as risk management professionals who can help move the business forward in areas far beyond "guns, guards, gates, and locks."

The same knowledge, skills, and abilities that help your security team excel when dealing with high-stress, high-anxiety physical security risks and threats can be focused to help confront other risks your business is facing. In fact, your team may already have significant knowledge and skills to handle risks that may not fall directly within the physical security realm, such as insider threats, third-party risks, cybersecurity risks, operational risks, and personnel issues.

Here are some tips to help security leaders reimagine how physical security teams can integrate with other business areas to find better solutions to the security problems their organizations are facing.

**Connect With the Business to See the Big Picture  
**Expanding collaboration with counterparts in other business divisions — specifically, HR, legal, information technology, compliance, and risk management — can help security teams connect their day-to-day contributions to the larger goals and successes of the organization. It's pretty clear that when we connect security to the organization’s larger risk management strategy, the organization will be able to leverage the unique perspective of physical security risk managers to find effective solutions to other problems. It starts, as with many major improvements, with conversations across the organization among multiple stakeholders.

Indeed, it’s crucial for the engagement between security and its counterparts to be a two-way dialogue. When there is mutual understanding between the physical security team and other counterparts in the organization, that knowledge can motivate all sides to find more common-sense solutions and compromises that everyone can get behind.

**Learn Something New  
**How much does your team know about other areas of the business or about the industry? In some cases, having additional knowledge and skills could be the difference between managing risks with a business-as-usual mindset and creating an innovative solution that could save your team time and resources. Encourage your teams to learn new skills, get training to accomplish a goal, or explore new tools helps keep everyone engaged and looking at their work with fresh eyes. Even a few hours spent learning a new skill in an online learning platform like LinkedIn Learning or Udemy can create enormous time and resource savings. Where possible, create opportunities for individuals to share their knowledge with others to reinforce their own learning and help motivate more growth throughout the team.

**Use Technology More Effectively  
**Physical security teams are investing more resources in technology solutions that help identify and monitor threats, streamline and automate workflows, and protect personnel and resources. These solutions should ultimately make your team more efficient and effective, but that's possible only if team members understand a tool's features and know how to use them correctly. The right technology can provide a tactical advantage and instill greater confidence in times of uncertainty.

Encourage your team to spend time learning about the technology products they use, as well as the most efficient and effective ways to use them. In addition, use these opportunities to consider how the information and data your team is collecting could assist others within the organization. Many security-focused tools and platforms contain useful data and features that other departments would find valuable as they work to manage similar threats or investigate emerging problems. Ensuring that data and tools are shared with the appropriate stakeholders could save your organization money and your team time.

**Demonstrate Value  
**As security teams have taken on more responsibility and managed a more comprehensive threat landscape, they have increasingly sought a seat at the executive decision-making table. While those in executive protection may naturally have greater access and be received more readily by those at the top, at too many organizations, the physical security team is still viewed through the antiquated lens of a cost center, solely focused on physical safety and security threats.

While upskilling the staff and integrating the security team into broader risk management functions will help the security team get its seat at the table, It's critical for security teams to create metrics that measure their activities, develop baselines, and document improvements over time. This can be challenging for physical security teams that successfully prevent problems — after all, it’s difficult to prove your team is effective and valuable if nothing happens — but it is possible.

I'll give you an example that came up in a recent discussion of security professionals hosted by Ontic. A security team initiated a conversation with its real estate and risk management team and found that they tracked metrics on the financial impact to the organization when and if specific buildings saw their operations disrupted. What’s more, a few buildings suffered from a disproportionate number of false fire alarms that disrupted operations. The security team worked with others to swap smoke detectors for heat sensors, resulting in a drastic reduction in false alarms. This resulted in a documentable reduction in costs to the organization.

**Conclusion**  
Physical security teams can (and should) be much more than a cost center. By focusing efforts on training, collaboration, and value demonstration, physical security teams' reach and impact will help move the organization forward.

Physical Security Teams' Impact Is Far-Reaching

The Colonial Pipeline attack highlighted the risks of convergence. Unified security provides a safer way to proceed.

This month marks the first anniversary of the Colonial Pipeline shutdown — a hugely impactful ransomware attack against critical US infrastructure that has had significant diplomatic and legislative consequences. Among the numerous talking points the attack raised was the issue of IT/OT convergence.

The attack, orchestrated by ransomware group DarkSide, targeted the pipeline's IT billing systems rather than its operation technology (OT), but Colonial was still forced to shut down physical operations for several days. Despite its oil-pumping systems retaining functionality, Colonial believed the risk of continuing operations with an IT compromise was too great. This was largely due to the proximity of its IT and OT systems: Had the attackers moved laterally to the company's operational networks, they could have imposed a longer and more costly shutdown, potentially tampering with safety mechanisms and damaging equipment — even endangering the pipeline's employees.

The risk of IT attacks spilling over into OT has grown as the organizations operating these systems look to gain an edge over their competitors. IT/OT convergence makes industrial control systems (ICS) cheaper, easier to manage, and more rapidly available to different administrators. At the same time, as the Colonial Pipeline instance showed us, it presents new risks and avenues for cyber disruption.

This is partly because most OT security tools today look at industrial systems in isolation — as a disconnected silo, separate to the rest of the business. The same is true of network security, email systems, and the cloud. And when many of these tools were being developed, there was nothing wrong with this approach. But as these digital environments converge, relying on disjointed point solutions to stop cyberattacks isn't effective, especially because a single attack can now target and traverse multiple fields of operation.

By unifying their security stack, defenders can use IT/OT convergence to their advantage and turn vulnerability into strength.

This requires a move away from tools trained on historical attacks and toward self-learning technology that can learn its digital surroundings from scratch, without any prior assumptions. By understanding the unique behavior of every IT and OT device — no matter how bespoke or complex the technology — this approach enables the detection of novel threats. By definition, a cyberattack causes a machine or user account to behave in a way it normally does not, and these deviations can be picked up, no matter where they appear.

**How Ransomware Groups Exploit IT/OT Convergence**

The risk of connecting cloud platforms to ICS was demonstrated in an attack against a European OT R&D investment firm last year.

Two of the firm's Industrial Internet of Things (IIoT) devices, which ran Windows OS and made regular connections to an industrial cloud platform, were compromised when they used the server message block (SMB) protocol to connect to an infected domain controller and read a malicious executable file. Security teams are often stymied by IIoT devices, which can lack CPUs, traditional operating systems, or sufficient disk space for putting security measures in place.

A malicious payload lay dormant for almost a month within the two IIoT devices, one of which was a human-machine interface (HMI) and the other an ICS historian. Darktrace's investigation showed that, while network segregation was sufficient to stop the attack's command-and-control (C2) communications on the HMI device, connections from the ICS historian reached around 40 unique external endpoints.

Both devices then wrote suspicious shell scripts to network servers and, finally, used SMB to encrypt files stored in network shares. A ransomware note was written by the ICS to targeted devices, and the attack was complete. This kind of attack life cycle, which demonstrates the limitations of network segregation and air-gapping, has been the basis for widespread concerns around IT/OT convergence.

No signatures or threat intelligence were associated with this attack, and so it flew under the radar of the company's traditional security tools. Only through self-learning technology from Darktrace was the security team able to gain full visibility into the attack.

**Riding the Changing Tides**

Reference architectures that rely on air-gapping ICS from IT are increasingly incompatible with the technological advancements many organizations are making in order to remain competitive. If attackers no longer view IT and OT as distinct, partitioned regions, neither should security teams.

It is possible for businesses to safely embrace interconnectivity, with all of its advantages, by adopting security that learns the business from the ground up to address sophisticated threats across both their IT and OT environments.

Unified security efforts reflect the reality of converging systems and ensure that no gaps are left for attackers to exploit. When the entire digital environment can be viewed through a single pane of glass and no single, exploitable system is left without protection, organizations will be able to interconnect systems without taking on undue risk.

Taking the Danger Out of IT/OT Convergence

Microsoft Dev Box will make it easier for developers and hybrid teams to get up and running with workstations already preconfigured with required applications and tools.

Microsoft's cloud-based developer workstation comes preconfigured with all of the required applications so that developers and hybrid teams have access to everything they need directly through the Web browser.

Microsoft Dev Box is a virtual machine that provides developers with a "ready-to-code" workstation, Microsoft said this week during Build 2022, its annual developer conference. Teams can configure images, assign or remove team members, and start coding on a new project without first dealing with a complex and time-consuming set-up process.

Application testing becomes easier, since each Dev Box can be set up to re-create a specific customer environment. Developers who have to support multiple versions of the same software can have multiple Dev Boxes and switch back and forth between different environments. There is no need to worry about software conflicts and dependency issues, the company says.

Dev Box is based on the same cloud foundations as Windows 365, which offers users Windows machines in the cloud. As a result, Dev Box has similar security benefits as Windows 365 Cloud PC, such as the fact that workstations will automatically be fixed up with the latest security updates and administrators can apply Azure’s access control and authentication policies to control how developers access Dev Box. IT administrators can manage Dev Boxes and Cloud PCs together in Microsoft Intune and Microsoft Endpoint Manager, wrote Kathleen Mitford, corporate vice president of Azure Marketing, on the Azure blog.

Dev Box can wind up making it easier to securely manage remote development teams. Since the developer is going through the Web browser to access the workstation, security teams don’t have to worry about the security of the physical device the developer is using or whether source code and other corporate intellectual property are being downloaded onto a personal device.

While Microsoft did not announce an exact release data for Dev Box, there is a waiting list for private preview.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Unveils Dev Box, a Workstation-as-a-Service

Massive merger will put Broadcom's Symantec and VMware's Carbon Black under one roof.

Semiconductor vendor Broadcom plans to buy cloud computing firm VMware for a whopping $61 billion in cash and stock.

Broadcom described the acquisition as part of its move to create a global infrastructure technology company. The company also announced that its Broadcom Software Group will be rebranded as VMware.

"VMware has long been recognized for its enterprise software leadership, and through this transaction we will provide customers worldwide with the next generation of infrastructure software. VMware's platform and Broadcom's infrastructure software solutions address different but important enterprise needs, and the combined company will be able to serve them more effectively and securely," said Tom Krause, president of Broadcom Software Group, in a statement. "We have deep respect for VMware's customer focus and innovation track record, and look forward to bringing together our two organizations."

Security-wise, the deal will bring Broadcom's Symantec security division and VMware's Carbon Black unit under one roof. Broadcom acquired Symantec in for $10.7 billion in August 2019, and VMware bought cloud-native endpoint security firm Carbon Black for $2.1 billion in October 2019. 

The deal is expected to close in Broadcom's fiscal year 2023, pending regulatory and VMware shareholder approvals.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Broadcom Snaps Up VMware in $61B Deal

The cloud-security company blames "seismic" market shifts for shakeup.

Lacework co-CEOs David "Hat" Hatfield and Jay Parikh have announced that the cloud security company will restructure and lay off an undisclosed number of employees.

The move comes less than a year after Parikh, a former Facebook VP, joined the Lacework board of directors and was brought on as a co-CEO to manage the company's product, engineering, and infrastructure.

The CEOs said in an announcement of the Lacework layoffs that the move was prompted by a "seismic shift ... in both public and private markets" that has occurred "over the past several weeks and months." It's not clear to which specific incidents the statement is referring.

"Lacework, as we know, is the disruptive leader in cloud security, a growing market that is still in the early innings," the statement said. "Our opportunity ahead remains unchanged, but to preserve and strengthen our leadership position in this market for the long term, we must make these changes."

The execs added that despite the headcount reduction, Lacework will continue to expand its technology teams.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Lacework Announces Layoffs, Restructuring

Nearly half of the world's largest websites use externally generated JavaScript that makes them ripe targets for cyberattackers interested in stealing data, skimming credit cards, and executing other malicious actions.

Many organizations may be significantly more vulnerable to risks from third-party JavaScript in their websites than they think.

New analysis from Source Defense finds there to be a high prevalence of third-party (and even fourth-party) scripts on most websites — which is concerning because of the relative ease with which they could be used to sneak in malicious code. 

Typically, when a webpage calls a third-party script, it is loaded directly into a browser from an external server belonging to the third party. This means the script bypasses controls such as perimeter and Web application firewalls and network monitoring tools, according to the security vendor. The process gives threat actors a way to introduce malicious code into the environment via third-party scripts. The problem is exacerbated by the fact that developers of third-party scripts often include code from other developers that in many cases have sourced code from another developer, Source Defense said.

Yet most organizations use third-party scripts for integrating shopping carts, dynamic forms, processing orders and payments, presenting social media buttons, visitor tracking, and a variety of other functions. The scripts are readily available — often for free — from numerous sources, including open source organizations, social media companies, cloud providers, advertising networks, and content delivery networks, the Source Defense report says.

In an analysis of 4,300 of the world's largest websites, the firm found that each site had 15 externally generated scripts on average — with an average of 12 of them on sensitive pages, such as those for collecting user information or for processing orders and payments. Nearly half (49%) of the websites in Source Defense's study had external code with functionality for retrieving form input and monitoring users' button clicks. More than 20% had external code that could modify forms. Most sites had multiple scripts on every single webpage.

Source Defense found that websites belonging to organizations in some sectors had a substantially higher than average number of third-party scripts than others. Financial services websites, for instance, had an average of 19 scripts on sensitive pages, or 60% more than the average across all sectors. Healthcare organizations had 15 of them on average.

**A Tempting Attack Vector for Adversaries**

"Adversaries remain hyper-focused on data theft from websites that conduct transactions or capture sensitive data," says Hadar Blutrich, CTO and co-founder of Source Defense.

In recent years, there have been numerous incidents where attackers have manipulated or used third-party scripts to steal user and payment card data, to redirect users to malicious sites, log keystrokes, and carry out a variety of other malicious activity. One well-known example is Magecart, a hacker collective that over the years has pilfered data on hundreds of millions of payment cards by sneaking card-skimming software into third-party scripts on retail websites. 

Such attacks can have big consequences for businesses. For example, in one incident in 2018, Magecart hackers sneaked a few lines of code into a British Airways website page that ended up exposing personal data belonging to some 380,000 customers. The airline was later hit was a massive fine of more than $200 million over the incident.  

"The attack vector remains broad and open for even the world's largest sites, and the risk of significant material loss is quite real," Blutrich says.

To compromise third-party scripts, threat actors sometimes infiltrate public code repositories, he notes. In other instances, they identify organizations that have large networks of clients and compromise scripts from those organizations to perpetrate one-to-many attacks, he says. As one example, Blutrich points to an attack earlier this year in which over 100 sites related to real estate were compromised after an attack planted malware in a cloud-video component on a site belonging to Sotheby's real-estate arm.

**How to Combat External Script Risk**

The maturity of enterprise processes for mitigating risk from third- and fourth-party scripts tends to vary, Blutrich notes. In some instances, there's no oversight: Digital and marketing teams act on their own to implement new website functionality and engage with third parties, without involving the enterprise security team. 

However, "in more mature cases, we've heard of 'script councils' being in place where digital must work with security/compliance to vet and approve any supply chain partners," he says.

Regardless of the internal processes for approval, more must be done for managing and securing the script, Blutrich says. "Once on the site, even if approved, benign changes from the partners themselves may jeopardize compliance and, obviously, malicious changes from threat actors can lead to major data theft and fraud concerns."

Third-Party Scripts on Websites Present a 'Broad & Open' Attack Vector

Twitter is charged with using emails and phone numbers ostensibly collected for account security to sell targeted ads.

The Federal Trade Commission (FTC) has issued a $150 million fine against Twitter for misrepresenting its security and privacy practices.

The FTC, in cooperation with the Department of Justice (DoJ), says that Twitter has been using the email addresses and phone numbers it collects from users to enable two-factor authentication to serve targeted advertising.   

In addition to the fine for the violation, Twitter has been given a list of do's and don'ts: It's prohibited from making a profit on data collected under the guise of security; it must allow users to use mobile authentication apps and security keys for multifactor authentication, which don't require a user to provide their phone number; it must notify users if their data has been misused; it must implement a comprehensive information security policy; it must limit employee access to personal user data; and it must notify the FTC of any company breaches. 

“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads," said FTC Chair Lina M. Khan in a statement about the Twitter security data misuse ruling. "This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading