Questions remain over what a corporate ban will achieve, since Canadians will still be able to use the app.

Source: SOPA Images Limited via Alamy Stock Photo

ByteDance is being exiled from Canada, though the TikTok app is not.

Following the US's example, Canada has spent recent years rubbing up against the world's most popular Chinese app. In February 2023, TikTok was banned from all government devices, citing security concerns. Later that year, the government called for a broader national security review under the 1985 Investment Canada Act, which empowers the government to scrutinize foreign investments.

In concluding that review, the minister of Innovation, Science and Economic Development Canada (ISED) — a federal agency responsible for regulating and supporting various aspects of the country's economy, industry, and scientific endeavors — unveiled a significant, though not comprehensive, development in his country's approach.

To address "specific national security risks," the minister said yesterday, the offices of TikTok Technology Canada Inc. — the Canadian subsidiary of ByteDance, TikTok's parent company — must now be shuttered. However, he noted, the government will not actually block any Canadians from using the app, as "the decision to use a social media application or platform is a personal choice."

**TikTok vs. Governments**

Ever since TikTok blew up during the COVID-19 pandemic, governments worldwide have struggled with how to administer: Ban it, to the chagrin of millions, or don't, and risk consequences to mass privacy and national security.

Concern is widespread that the Chinese Communist Party (CCP) could conduct data gathering and spying through TikTok, since it wields potentially unlimited authority over Chinese companies. And "The CCP has long been known for having an enormous capability to gather otherwise benign-looking datasets, and to process them to produce intelligence to further its national interests," notes Casey Ellis, founder and adviser at Bugcrowd. "While it can easily be argued that Western governments and companies are capable of the same, the CCP's national interests are at best competitive, and at worst disruptive to the national interests of the West."

Blocking the app to prevent CCP data gathering is controversial, however, since it's massively popular, and there is no definitive, significant proof of such malicious activity to date. A few scattered countries have done so (for varying reasons), most notably India in 2020, but most have taken up solutions somewhere in the middle.

In 2020, President Trump signed executive orders effectively forcing ByteDance to sell TikTok to an American company, or else face a national ban. President Biden's No TikTok on Government Devices Act banned the app in government settings, and his Protecting Americans from Foreign Adversary Controlled Applications Act carried the forced sale idea from the Trump administration. US policy is likely to subside now that Trump has been elected again. "Trump has made strong moves against ByteDance in the past," Ellis notes. "He has a reputation for being tough on China, and for operating on the assumption that China is competitive to the US as a great power. I think we'll see more activity around addressing 'creeping threats' from ByteDance and other Chinese companies, particularly those with a larger and established presence, both in the US and amongst its allies, over the coming year."

Meanwhile, in 2023, the Canadian government took parallel actions. And just as it had in the US, TikTok says it will challenge Canada's latest ruling in court.

**What Would Actually Solve TikTok Privacy?**

Debate has now begun over whether banning the corporate half of the TikTok operation will be helpful, if not abjectly harmful to Canada's national security aims.

As Canadian academic Michael Geist argued in a blog post, "banning the company rather than the app may actually make matters worse since the risks associated with the app will remain but the ability to hold the company accountable will be weakened," since it will no longer have a domestic presence. "It is hard to envision it prioritizing (or perhaps even complying) with Canadian regulatory processes if it is banned from formally operating in the jurisdiction."

Dark Reading has asked the ISED for its view of how the ban will benefit Canadian national security. This article will be updated when ISED's response is received.

A separate development poised to directly affect TikTok data collection in Canada is the legislation C-27, which would supersede the Personal Information Protection and Electronic Documents Act, Canada's primary privacy legislation since 2000.

C-27 packages three separate Acts: the Consumer Privacy Protection Act, the bit most relevant for TikTok user privacy; the Electronic Documents Act; and the Artificial Intelligence and Data Act. Though it may be viewed as efficient and ambitious to address so many issues at once, ongoing debates primarily around the artificial intelligence component are currently holding up the passage of the other two along with it.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Canada Closes TikTok Offices, Citing National Security

Though Cisco reports of no known malicious exploitation attempts, three of its wireless access points are vulnerable to these attacks.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Cisco is warning of a bug found in its Unified industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) access points that could allow an unauthenticated remote attacker to release command injection attacks.

An attacker could exploit the vulnerability by sending HTTP requests to the Web-based management interface of an affected system. If successful, the attacker could execute arbitrary commands with root privileges in the affected device's underlying operating system.

The vulnerability exists due to an improper validation of input to the Web-based management interface. It affects the three Cisco wireless access points (APs) if they have the URWB operating mode enabled and are running a vulnerable release: Catalyst IW9165D, Catalyst IW9165E (both APs and clients), and Catalyst IW9167E.

Devices not running URWB operating mode remain unaffected by this vulnerability. To ascertain whether URWB is enabled, users should use the "show mpls-config" CLI command.

"If the command is available, the URWB operating mode is enabled and the device is affected by this vulnerability," Cisco said. "If the command is not available, the URWB operating mode is disabled and the device is not affected by this vulnerability."

Cisco said it's unaware of any public exploitation of the vulnerability and has released a fix for the flaw, but there are no other workarounds to address it.

**About the Author**

Cisco Bug Could Lead to Command Injection Attacks

The malware combines a miner and data stealer, and it packs functions that make detection and mitigation a challenge.

Source: Wirestock Creators via Shutterstock

Thousands of people — including many using applications such as AutoCAD, JetBrains, and the Foxit PDF editor — have become victims of a sophisticated data-stealing and cryptomining malware campaign that's been active since at least February 2023.

The as-yet-unidentified threat actor behind it is distributing the malware via forum posts and illegal torrents. What makes the malware challenging to mitigate is its use of SSL pinning and TLSv1.3 encryption to protect its command-and-control (C2) communications and data exfiltration activities against interception and analysis.

Researchers at Kaspersky who discovered the malware are tracking it as "SteelFox." In a report this week, they described the threat as not targeting any user, group, or organization specifically. "Instead, it acts on a mass scale, extracting every bit of data that can be processed later," the security vendor's researchers noted. "The highly sophisticated usage of modern C++ combined with external libraries grant this malware formidable power."

More than 11,000 people appear to have fallen victim to the malware bundle, mostly across 10 countries, including Brazil, China, Russia, Mexico, and the United Arab Emirates.

The initial access in each case resulted from people acting on posts that advertised SteelFox as an efficient application activator — i.e., a tool that allows users to bypass licensing mechanisms and activate a commercial application for free. The apps that SteelFox purported to be an activator for included Foxit PDF Editor, JetBrains, and AutoCAD.

"While these droppers do have the advertised functionality, they also deliver sophisticated malware right onto the user’s computer," the researchers wrote.

**Sophisticated Execution Chain**

Kaspersky's analysis of the SteelFox activator for JetBrains showed that once it has initial access, the malware asks for administrative access to the user's system. It then uses that access to begin installing the application activator in the computer's Progra Files folder. During the process, SteelFox also drops a malicious Portable Executable file for 64-bit Windows systems (PE64). The file goes through a series of execution steps before retrieving and deploying a modified version of the XMRig coin miner with hardcoded credentials to a mining pool.

The malware then connects to its C2 server, at which point a separate data stealer component is triggered. The stealer first enumerates or determines the browsers on the victim's systems and deploys functions for stealing a range of data, including credit card data, cookies, browsing history, and a list of sites the user might have visited. Other data that Kaspersky found the stealer pilfering from compromised systems included information on all installed software, network info such as wireless interfaces and passwords, drive names and types, user information, and RDP session information.

The security vendor pointed to several mechanisms that the authors of the malware have implemented to make it hard for defenders to detect and mitigate against the threat. The initial stage executable, for instance, is encrypted, making analysis harder. The initial PE64 payload is modified, after deployment, by overwriting time stamps and inserting random junk data to avoid detection. For persistence, the second-stage payload creates a Windows service and configures it to auto start ensuring the malware remains active through system reboots. Before actual payload execution the malware launches and loads from inside a Windows service that requires privileges unavailable to most users.

"This makes any user actions against this loader impossible because even copying this sample requires NT\\SYSTEM privileges," Kaspersky said.

**A Growing Challenge for Defenders**

SteelFox's use of SSL pinning — where a client application or device uses a specific certificate or public key — and the TLSv.3 encryption protocol for C2 communication is another issue because they allow the malware to operate covertly with a low risk of detection.

"SteelFox has emerged recently, and it is a full-featured crimeware bundle. It is capable of stealing various user data that might be of interest to the actors behind this campaign," Kaspersky's researchers wrote.

SteelFox is only the latest manifestation of what security researchers have described as the growing sophistication that threat actors have begun incorporating into their malware and tactics. Another recent example is CRON#TRAP, a campaign, where a threat actor is using custom-emulated QEMU Linux environments to stage malware and execute malicious commands in near-undetectable fashion. In May, Elastic Security reported GhostEngine a multimodal malware toolkit that, among other things, has functions for effectively killing endpoint detection and response mechanisms. The proliferation and easy availability of generative AI (GenAI) tools also has fueled some of the recent innovation around malware tactics, especially in influence operations and misinformation campaigns.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'SteelFox' Malware Blitz Infects 11K Victims With Bundle of Pain

While training and credentialing organizations continue to talk about a "gap" in skilled cybersecurity workers, demand — especially for entry-level workers — has plateaued, spurring criticism of the latest rosy stats that seem to support a hot market for qualified cyber pros.

Source: Gorodenkoff via Shutterstock

When training and credential provider ISC2s released its latest workforce analysis recently, the report's continued focus on a gap between the number of "needed" cybersecurity professionals and the estimate of the current workforce touched off a backlash.

Following discussions with dozens of unemployed cybersecurity professionals, field CISO Ira Winkler of CYE Security wrote an open letter to ISC2, criticizing ISC2's continued focus on the gap as a measure of true demand. Ben Rothke, a senior information security manager at Experian, also took issue with the data, as well as the marketing that fuels get-rich-in-cybersecurity training programs.

Rather than a healthy market for cybersecurity labor, workforce estimates have plateaued — both in North America and worldwide — suppressed by a lack of budget to pay for cybersecurity hires. It's something even the ISC2 even flagged in its report. Essentially, no matter how much businesses may want to hire additional cybersecurity professionals — and 59% of professionals surveyed by ISC2 claim to need skilled workers — budgets are tight and being spent elsewhere, resulting in stagnating demand for cybersecurity workers.

It's high time to sit down prospective cybersecurity professionals for a real-world talk, Winkler says.

"My gut reaction was, hey, whatever the number of openings is, that should not be \[ISC2's\] concern — they should be worried about the members who are long-term unemployed, of which there are many," he says. "Many of these people are really frustrated hearing that there's all these openings, and they can't get one."

For years now, reports from a number of organizations estimating the cybersecurity workforce size (and its potential size) have focused on the "cybersecurity workforce gap" between the number of workers that security managers claim they need and the estimate of actual workers they have in place. The perceived gap has attracted potential students to train — or increasingly, retrain — for a job in cybersecurity. In late October, when the ISC2 released its aforementioned "2024 Cybersecurity Workforce Study" report, the organization estimated the gap had grown 4% to 543,000 for cybersecurity workers needed in North America, while its estimate of the existing workforce shrank by 2.7% to 1.45 million.

Overall, the cybersecurity jobs market continues to struggle with factors including overestimates of demand, a lack of well defined career paths, and subpar training, industry watchers say.

**Skills Gaps & Job Postings**

The ISC2's survey of more than 15,8000 practitioners and decision-makers is a good-faith attempt at determining how much cybersecurity expertise is needed by businesses worldwide. But even with the majority of those surveyed claiming a need to hire more help, when paired with other data — such as job openings and government data — the ISC2 noted that "the cybersecurity workforce growth is slowing" worldwide, essentially plateauing with a 0.1% growth rate.

Still, using the same data, the shortfall in cybersecurity workers is estimated to be 4.8 million globally.

"For clarity, that doesn't mean there is 4.8 million jobs out there," acknowledges Jon France, CISO for ISC2. "It means the profession — by asking nearly 16,000 people and using secondary data sources — reckons that to become secure as we need to be, 4.8 million people need to come into the market."

The cybersecurity workforce peaked in North America in 2023 and has plateaued globally, while the overall "needed" workforce continues to grow globally. Source: Author, using data from ISC2's Cybersecurity Workforce Studies 2021-2024

Cyberseek — a collaboration between certificate group CompTIA, workforce analysis firm Lightcast, and the US National Institute of Standards and Technology (NIST) — estimates that there are 457,000 cybersecurity-related job openings in the United States and a total workforce of 1.25 million, according to its website. The analysis counts any worker with significant cybersecurity responsibilities as related to cybersecurity, and it focuses on counting actual job postings with an emphasis on deduplicating, says Will Markow, formerly with Lightcast but now senior vice president of Workforce Solutions for Cyberwarrior, a training and consulting services firm.

"That's gives us a view into how many jobs there actually are, not how many jobs companies would like there to be," he says. "You can think of the estimates as two ends of the spectrum: They both still show a gap, but the data from Cyberseek is going to show a smaller gap, because it's looking at how many jobs are companies actively recruiting for and trying to fill, as opposed to how many in an ideal world security leaders would be hiring for if they had as much budget as they could possibly want."

**"Ghost Jobs" & Reverse Pyramids**

Jobseekers are likely also running afoul of the trend in ghost-job posting. Nearly half of hiring managers have admitted to keeping job postings open, even when they are not looking to fill a specific position. That's being used as a way to keep employees motivated, give the impression the company is growing, or to placate overworked employees, according to a survey conducted by Clarify Capital.

These ghost jobs are a significant problem for cybersecurity job seekers in particular, with one resume site estimating that 46% of listings for a cybersecurity analyst in the United Kingdom were positions that would never be filled--compared with about a third for all roles.

Budgets are getting tighter as well, with nearly half of security teams (49%) facing cutbacks in the past year, up from 48% in 2023, according to ISC2. Cutbacks include hiring freezes experienced by 38% of companies, budget cuts faced by 37% of teams, freezes on promotions (32%), and layoffs (25%).

Those economic pressures are another reason that purported jobs are not materializing, says Jon Brandt, director of professional practices and innovation at ISACA, an information-technology certification organization.

"People can respond to any survey and say, hey, we have a need for 20 more people," he says. "But at the end of the day, unless an organization is taking active steps to hire, then that's not a data point we should be looking at right now."

For entry-level workers without significant experience, the picture is especially grim. Cyberseek's career pathway data shows that demand for workers resembles a reverse pyramid. Entry-level jobs are more rare, with about 20,000 jobs available, while there are 34,000 midlevel positions and 73,000 advanced positions.

Entry-level cybersecurity professionals are not in high demand because most security positions require and automation and AI is exacerbating the issues, says Experian's Rothke.

"To a degree, entry-level security is a misnomer," he says. "Security roles really aren't entry level to begin with, because hiring managers want you to have this technical level of IT. So spend a few years to get work experience, and then you're going to get into security."

Job seekers with significant technical experience are still in demand, while those fresh out of a degree program are finding the job search more difficult.

**False Hopes & Expectations: "It's Criminal"**

While there remains a lot of potential in the industry for technical people, especially as the profession expands in the future, job seekers are not currently being well served, cybersecurity recruiter Jeff Combs said recently during a streamed discussion with ISACA's Brandt.

"I think one of the disservices that is being done to many people who are entering the field," Combs said, "is the promise of this new exciting field where, if you finish your degree or you go through this bootcamp or you get this specific certification, you're guaranteed an entry point into a $100,000 per year career path. Honestly, I think it is criminal."

In the end, between economic pressures on security budgets, a pipeline that does not adequately account for training, and training that struggles to provide the right mix of skills, the workforce trials of cybersecurity professionals will likely continue, says Cyberwarrior's Markow.

"I like to think of it right now as a tale of two job markets, because on the one hand, you do see strong evidence of a gap overall within cyber, but there are two different camps of workers who have very different job-hunting experiences," he says.

He adds: "Many companies are still asking for heightened experience requirements, heightened degree requirements, and heightened certification requirements that effectively constrain the talent pipeline into cyber security, and that means that we actually see very different dynamics across different corners of the workforce."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Has the Cybersecurity Workforce Peaked?

It's unclear what the threat actors have against this particular breed of cat, but it's taking down the kitty's enthusiasts with SEO-poisoned links and malware payloads.

Source: Juniors Bildarchiv GmbH via Alamy Stock Photo

New research is showing that criminal cyber actors are seemingly targeting Australians who have a penchant for Bengal cats, a breed of hybrid feline created from crossing of an Asian leopard with domestic breeds.

Armed with Gootloader, a popular malware strain often used as an infostealer or as a malware dropped prior to ransomware attacks, Sophos found that the threat actors are targeting users who search "Are Bengal cats legal in Australia?" and other similar questions.

The researchers found, in one example, that one website returned the following after this kind of search query: a search engine optimization (SEO)-poisoned forum containing hyperlinked texts leading the user to download a .zip file if clicked on. SEO poisoning is what the Gootloader gang is particularly known for, duping victims into clicking on malicious links disguised as legitimate resources.

And this is just the first stage of the malware's payload. 

Following a download, the user is redirected to a different website containing a large JavaScript file. This leads to multiple processes being run on the user's device, allowing threat actors to pass commands and establish persistence to deploy Gootkit — the second stage of the payload— and the malware then acts as a precursor to other tools, such as ransomware or Cobalt Strike.

The detection of the Gootloader variant used in the attacks led to a threat-hunting campaign by Sophos X-Ops MDR, with its researchers reporting that they've "seen continued growth in this approach to initial compromise, with several massive campaigns using this technique over the past year."

And while there are protection blocks that users can implement to detect for this kind of malware, it's best that they adhere to best practices and be wary of suspicious links or sources that may seem questionable. 

**About the Author**

Gootloader Cyberattackers Target Bengal-Cat Aficionados in Oz

Establishing realistic, practitioner-driven processes prevents employee burnout, standardizes experiences, and closes many of the gaps exposed by repeated one-offs.

Ian Campbell, Senior Security Operations Engineer, DomainTools

November 7, 2024

5 Min Read

Source: Andreas Prott via Alamy Stock Photo

COMMENTARY

The quality of information security guidance has increased in recent years — especially regarding the focus on fundamentals — but our industry often fails to emphasize establishing those fundamentals as replicable processes. 

Fundamentals, policies, training, tabletop exercises, and technology are resources that are limited in their respective usefulness — each is a finite and frequently subjective piece of a puzzle. In an industry epitomized by the executive phrase "Learn to do more with less," achieving consistent end goals requires recognizable, replicable, and flexible processes from start to finish.  

In order to adopt a common lexicon, let us define "process" as instituting, training on, evaluating, and rehabilitating a series of practitioner-defined expected actions a person may take in response to a stimulus. Examples of stimuli include a 911 call, endpoint detection, or an onboarding ticket from HR. Importantly, the process provides a framework for activity, is replicable, generalizable, and is driven by the practitioner's physical, mental, and digital capabilities. 

Psychology professor and human error expert James T. Reason first formally proposed the "Swiss Cheese Model" of causation in 1990. His model theorizes that the breakdown of complex systems often involves weaknesses across multiple defenses (slices) aligning across a moment of opportunity that results in the breakdown. Writer and technologist Cory Doctorow recently illustrated an excellent example of this in the alignment that results in a successful financial scam. In the context of security, the Swiss Cheese Model tells us that one cannot reliably anticipate how and when the weaknesses in your systems will line up to present an attacker opportunity without maintaining focus from the start on integrating replicable, dependable processes into your workflows. 

As a nascent technologist working technical support in Congress, my daily commute into Washington, DC, often centered around podcast listening. One favorite was the defense-themed podcast Bombshell, often repeating mid-episode the tagline "Process is my Valentine," analogizing the criticality of process to something as important and unpredictable as national security. The phrase resonated with me not only due to autism (after all, we love our self-imposed routines) but also because of my decade of experience in emergency services response prior to my career in tech.  

As a 911 dispatcher responsible for responding to thousands of people myself, the process became necessary. I had to work out: 

*   Order of actions: What needs to happen and when? 
    

*   Kinetics of actions: Does the order line up with the environment? Are the suitable radios and keyboards in the right places? Are the right tools within reach and in the right direction? 
    

*   Laterality of actions: What can I parallelize, moving from initiating one to the next, that will then develop alongside each other with minimal direct interaction and minimal viable attention diverted? 
    

*   Assessment: What can I measure? How can I evaluate the systems that interact here? How well did they adopt the process or warp it into a one-off? What needs improving? 
    

Figuring this out was the only way to move forward in an unpredictable environment with countless important elements demanding simultaneous attention. Tech security, like dispatch work, requires one to master the process. Hurtling into the Capitol from suburban Virginia to pound the marble amidst a never-ending ticket queue, and later helping to stand up a robust and thriving security program from scratch in private employment, process became my valentine once again.  

**The Policy Is Prescriptive, the Process Is Kinetic**

Consider it a stimulus response through muscle memory. The process directly considers the physiology, neurology, biases, and capabilities of the practitioner it seeks to guide. It can't be a product of the back office. Process is necessarily practitioner-centric; sit in their chair, see it with their eyes, run it with their tools, and most of all, challenge the process with practitioner's fatigue. Can someone on their 13th hour of a double shift carry it out effectively?  

Although forming process is also interactive and not necessarily consensus-based, it is at least consensus informed. It requires stakeholder input and buy-in from both the immediate team and from those who touch the scenario around it.   

Once the first iteration of the process is constructed, document it in a way that emphasizes revision. Build the living nature of it into the documentation, including after-action assessment around specific and measurable elements. Do not discount the subjective, as it invariably affects how any situation plays out. How your practitioners encounter the process determines how successfully the process survives reality.  

Then revise, take a breath, and start all over.  

Establishing a realistic, practitioner-driven process wherever possible is critical for running a successful security program. It prevents employee burnout, standardizes experiences, and closes many of the gaps exposed by repeated one-offs. By centering practitioners, evaluating environments, and instituting flexible frameworks alongside attention to fundamentals and proactive communications schemas, we can all move toward a more secure posture. Let's make it harder for the bad actors out there. 

**About the Author**

Senior Security Operations Engineer, DomainTools

Ian Campbell is a senior security operations engineer with DomainTools, with previous experience in the US House of Representatives and Silicon Valley. Before working in technology, he spent a decade in emergency services, a period that continues to inform his evolving perspective on security.

The Power of Process in Creating a Successful Security Posture

The company comes out of stealth with a tool that integrates directly into the developer's IDE to find flaws, offer remediation advice, and training materials to write secure code.

Source: Kirbyphoto via iStock Photo

The concept of shift left, or integrating security earlier in the software development life cycle, is important for application security, but it can be difficult to achieve. Developers need to take on some security responsibilities, but that means they need to be properly equipped with integrated security tools that fit their workflows.

This is the issue that Symbiotic Security, which launched this week, is tackling with its software-as-a-service platform, which integrates vulnerability detection and remediation capabilities directly into the application developer's integrated development environment (IDE). The platform also provides just-in-time training to developers so that they have the information on how to write secure code.

"Using Symbiotic is like having a personal security coach right next to you as you code," says Jerome Robert, co-founder and CEO of Symbiotic Security. "It provides real-time feedback on the security mistakes you're making, and it's training you so you don't repeat these mistakes."

The plug-in in the developer's IDE continuously scans code — as the developer types as well as the code that has already been written — and identifies potential security threats. The developer gets contextual remediation advice right in the IDE.

"Our security nudges are perceived as coaching," Robert says. "It's a tool that'll make them save time by not having to come back to fix old code."

Developers can also access the training materials — in the form of capture-the-flag (CTF) content — to learn what the problem is and why it is a problem. They see examples of secure and vulnerable code and are presented with a snippet of insecure code to find and fix as part of a game to help improve secure coding skills.

The difference between Symbiotic Security's plug-in and other code security tools is where the issues are identified, Robert says. Many of the others catch mistakes after the code has been written, often during code commits or when integrated with the rest of the build.

"Nobody feels bad making a few mistakes here and there in a draft, and that's the mental state we want developers to be when we advise them on security," Robert says. "If we were at commit \[or, more commonly, in the CI\], we'd be basically flagging issues after a developer said, 'This is my final release, this code is good to go.'"

As part of the launch, Symbiotic Security also raised $3 million in seed funding from investors including Lerer Hippeau, Axeleo Capital, and Factorial Capital. Symbiotic Security said its product is currently deployed at eight companies.

**About the Author**

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Symbiotic Security Launches Scanning Tool to Help Fix Flaws in Code

Attackers are triggering victims' deep-seated fear of getting in trouble in order to spread the sophisticated stealer across continents.

Source: Charles Walker Collection via Alamy Stock Photo

Hundreds of companies worldwide have been targeted with spear-phishing emails claiming copyright infringement that actually deliver an infostealer.

Starting in July, Check Point Research began to track the emails as they spread across the Americas, Europe, and Southeast Asia, coming from a new domain each time. Hundreds of its customers have been targeted, indicating that the real reach of the campaign may be far greater still.

The goal of the emails is to bait guilt-riddled victims into downloading Rhadamanthys, a sophisticated infostealer equally capable of pilfering nation-state intelligence or, in this case, cryptocurrency wallet passphrases.

**CopyR(ight)hadamantys**

No two emails in the campaign that researchers have dubbed "CopyR(ight)hadamantys" come from the same address, indicating that there must be some kind of automation behind their distribution. This automation proves awkward in some circumstances — like when an Israeli target receives an email almost entirely in Korean — and limits the emails' ability to realistically impersonate known brands.

Each one is made to seem as if it came from legal representatives of specific, known companies. Nearly 70% of those companies come from either technology — like Check Point itself — or from media and entertainment industries.

The profile of impersonated brands weaves in neatly with the story the attackers peddle: that recipients have posted some sort of content on social media that violated a copyright. "I assume everyone has done it to some degree in his life," says Sergey Shykevich, threat intelligence group manager at Check Point. "It just makes people hesitate and think, 'Oh, did I use some wrong image? Did I copy some text \[by accident\]?' Even if you didn't."

Recipients are asked to remove specific images and videos, the details of which are contained in a password-protected file. The file is actually a link that redirects the user to download an archive from Dropbox or Discord. The archive contains a decoy document, a legitimate executable, and a malicious dynamic link library (DLL) containing the Rhadamanthys stealer.

**What to Know About Rhadamanthys**

Rhadamanthys is a popular and accomplished information stealer. As Shykevich explains, "It's without any doubt the most sophisticated of those infostealers which are sold as commodity malware in the Dark Web. It's more expensive than other infostealers: Mostly you'll rent other infostealers from between $100 to $200. Rhadamanthys is more, around $1,000. It's much more modular, more obfuscated, and more complicated in how it's built: The way it loads itself, hides itself, all this makes detection much more complicated."

Among other features, the newest Rhadamanthys version 0.7 sports a slightly archaic machine-learning-based optical character recognition (OCR) component. It's hardly advanced artificial intelligence (AI) — it struggles with text in mixed colors, can't read handwriting, and only interprets the most popular fonts. Nonetheless, it helps the malware read data from static documents (like PDFs) and images.

In CopyR(ight)hadamantys, the OCR module comes loaded with a dictionary of 2,048 words associated with Bitcoin wallet protection codes. This might suggest that the attackers are after cryptocurrencies, which, if true, would also align with the campaign's broad targeting, characteristic of financially motivated campaigns. In recent months, Rhadamanthys has also been associated with nation-state threat actors like Iran's Void Manticore, and the pro-Palestine group "Handala."

**One Strange Stealth Feature**

Organizations looking to defend against CopyR(ight)hadamantys should start with phishing protections, but there's another quirk of the campaign worth noting as well.

After making landfall, the malicious DLL writes a significantly larger version of itself to the victim computer's Documents folder, which masquerades as a component of Firefox. This version of the file is functionally equivalent to the first. What makes it so much heavier is an "overlay" — useless data that serves two meta-functions. First, it changes the file's hash value, a common means by which antivirus programs identify malware.

Some antivirus programs also avoid scanning extra large files. "For example, they don't want to run files associated with games, with a huge number of gigabytes, because it makes for an intense load," Shykevich explains. By this logic, an otherwise uselessly larger Rhadamanthys file might improve its chances of avoiding detection. Though, he adds, "It's not extremely common because it's also not convenient for the attackers to deal with huge files. With some email solutions, you can't attach files more than 20MB, so you need to send the victim to some external resource. So it's a tactic, but it's not some crazy tactic that always works."

Organizations might want to sniff out at any particularly large files that employees may be downloading from emails. "It's not easy, because there are many reasons why some legitimate files will be big," he says. "But I think it's possible to implement some \[effective\] rules for what you can download."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Fake Copyright Infringement Emails Spread Rhadamanthys

Campaigns like Silver Fox and Void Arachne are deploying the framework, using social media and messaging platforms to lure in victims.

Source: RaymondAsiaPhotography via Alamy Stock Photo

Researchers are warning of an advanced malicious framework called Winos4.0 that's getting distributed in the installation tools, speed boosters, and optimization utilities for gaming applications.

The framework is rebuilt from Gh0strat with several modular components, each of them handling different functions; the framework has been deployed in several attack campaigns such as Silver Fox and Void Arachne.

"Winos4.0 is an advanced malicious framework that oﬀers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints to execute further actions," Fortinet FortiGuard Labs researchers stated.

The campaigns using this framework have been previously documented by Trend Micro and the KnownSec 404 Team and have been observed targeting Chinese-speaking users, leveraging SEO tactics, social media, and messaging platforms like Telegram to distribute the malware.

Once the victim runs the application, it retrieves a fake BMP file from the server ad59t82g\[.\]com. The file then extracts the DLL, which is responsible for setting up the execution environment, according to the researchers.

The attack chain involves multiple encrypted data and C2 communication to complete the injection of the malware.

"Threat campaigns leverage game-related applications to lure a victim to download and execute the malware without caution and successfully deploy deep control of the system," the Fortinet researchers added. Users should be wary of any new applications' source and only download software from reputable sources.

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!

**About the Author**

Chinese Gamers Targeted in Winos4.0 Framework Scam

Google Cloud will take a phased approach to make multifactor authentication mandatory for all users.

Source: Genius Studio via Adobe Stock Photo

In a bid to improve account security, Google will enforce mandatory multifactor authentication (MFA) for all Google Cloud users by the end of 2025. Currently, 70% of Google users have MFA enabled.

This requirement will apply to all Google Cloud users who currently use passwords for authentication and all new users; it will not apply to general consumer Google accounts. The company will begin the first phase of a year-long implementation this month.

*   In Phase 1, Google Cloud administrators will receive information on how to prepare for the transition. Phase 1 will raise awareness and provide materials to help plan a rollout and conduct testing.
    
*   Phase 2, to begin in early 2025, will require all new users and existing Google Cloud users who use passwords for authentication to enable MFA on their accounts. The notifications and guidance will be displayed in Google Cloud Console, Firebase Console, gCloud, and other platforms.
    
*   Phase 3, at the end of 2025, will require users who federate authentication into Google Cloud to turn on MFA. Users can enable MFA with their primary identity providers before accessing Google Cloud — or add an extra layer of MFA through the Google account.
    

"Beginning this month, you'll find helpful reminders and information in the Google Cloud console, including resources to help raise awareness, plan your rollout, conduct testing, and smoothly enable MFA for your users," the company said.

MFA adoption is one of the key recommendations in the Cybersecurity and Infrastructure Security Agency's (CISA) Secure By Design initiative. The shift to mandatory MFA is happening throughout the industry. In June, Amazon started requiring mandatory MFA for Amazon Web Services. Customers signing into the AWS Management Console with the root user of an AWS Organizations management account also had to start using MFA, which has since been extended to stand-alone accounts outside of AWS Organizations.

Mandatory MFA has also be adopted by Snowflake, which in July introduced an option to allow administrators to enforce mandatory MFA for all users. The following monty, Microsoft announced its rollout for Microsoft Azure. Microsoft's plan, similar to Google Cloud's, takes a phased approach. Phase 1 for Microsoft started last month, with MFA required to sign in to Azure portal, Microsoft Entra admin center, and Intune admin center. Phase 2, also beginning early next year, will gradually enforce MFA for Azure CLI (command-line interface), Azure PowerShell, Azure mobile app, and infrastructure-as-code tools.

While CISA has said that MFA means users are 99% less likely to be hacked, it is important to remember that MFA is not foolproof.

"Mandatory MFA is necessary but not sufficient for enterprise security," says Jasson Casey, CEO of Beyond Identity. "This is because MFA is not created equal and doesn't offer the same level of security assurances."

MFA and two-factor authentication has been in use in some shape or form for more than 20 years, and attackers have had time to innovate against it, said Kris Bondi, CEO and co-founder of Mimoto, in an emailed statement. Threat actors are increasingly launching phishing operations that can bypass legacy MFA, which is why the National Institute of Standards and Technology and CISA have urged adopting phishing-resistant MFA.

Source

DARKReading