As the market for initial access brokers matures, services like Genesis — which offers elite access to compromised systems and slick, professional services — are raising the bar in the underground economy.

The growing role of so-called initial access brokers (IABs) in the underground cybercrime economy is reflected in evolution of Genesis Marketplace, one of the earliest full-fledged markets for IABs, which has grown more sophisticated and polished over time.  

A report this week from Sophos takes a comprehensive look at Genesis, which started in 2017 and offers malicious actors access to other people’s data, from credentials and cookies to digital fingerprints, through its invitation-only marketplace.

Genesis currently lists more than 400,000 bots (compromised systems) in more than 200 nations, with Italy, France, and Spain topping the list of affected countries.

The market provides not just the data itself but well-maintained tools to facilitate that data's (mis)use. Those tools extend to bespoke anti-detection offerings that help its clients stay under the radar when deploying stolen credentials to access targeted bots — including a Google Chrome extension and even a "continually maintained and upgraded" Genesium browser on offer.

"Most attackers, especially less-experienced ones, do not want to waste time or effort on the reconnaissance and infiltration phases of an attack," explains Sophos threat researcher Angela Gunn. "The maturity of Genesis, both the ease of use and the serious-inquiries-only vibe that come with restricted access, speaks to not wasting time or effort."

The service is defined by the high quality level of data on offer, as well as the site's commitment to keeping stolen info up to date.

This means hackers who pay for stolen information are kept abreast by Genesis of when that information changes or gets updated. Users are charged an according rate based on the volume of information it has on the targeted bot.

"For instance, the single set of credentials that led to the June 2021 EA data breach, which famously allowed the attackers into EA’s system through the gaming giant’s Slack, were purchased on Genesis for $10," according to the report.

Genesis also offers its clientele a level of customer service and user interface (UI) polish that Sophos describes as "far from the old days of 133tsp34k and Matrix-wannabe interfaces." This includes a slick, contemporary interface, a page of frequently asked questions (FAQs), and multilingual tech support.

Returning users also have access to a dashboard with updated information about the compromised systems they've tapped into.

"The fact that Genesis actually has a customer-service function is a statement that bolsters the operation’s seriousness," Gunn points out.

**IABs Get More Professional as Demand Rises**

The evolution of Genesis points to the "growing professionalization and specialization" of the cybercrime economy, the report notes.

Ransomware groups and affiliates are assumed to be the service's most frequent customers, particularly criminals who are looking for an IAB site that gives them expedited access and faster lateral movement to their targets.

Gunn explains that the "Dark Web" — which of course is not just one thing — has been professionalizing for a while now.

"Applicant vetting, robust search, tech support, developers, and designers — that work doesn’t happen for free," she adds. "Paying for that work evidences just how high the profits are in this realm."

A high level of organization also distinguishes the Genesis market, giving malicious actors more contextual information surrounding stolen data, and allowing them greater insights into the compromised systems. This could in fact spur even more inventive attack vectors.

"For instance, a darknet manual that we found during a recent investigation suggests to other criminals that they use complementary data from Genesis for kicking victims out of their accounts if stolen credentials are no longer valid," according to the report.

This means that even if victims attempt to neutralize the threat of stolen credentials, attackers can use the complementary data to actively extort affected users.

**The Velvet Rope Treatment**

Adding to the air of exclusivity and sophistication is the service's invite-only accessibility, which has resulted in a smaller cybercrime ecosystem of fake sites promising access to Genesis and requiring gullible criminals to make a "deposit" with a credit card to access it.

In November 2021, Digital Shadows, which has been tracking IABs since 2016, reported an increase in the use of IABs among cybercriminals.

Gunn says if organizations want to avoid landing on the IAB auction block, they first must patch all vulnerabilities, keep their systems in order, and stay vigilant.

"Even if IABs are a newer development in the threat landscape, the processes of recon and infiltration are nothing new," she adds. "Organizations should have a detection strategy in place to recognize those unusual activities, but also you need to understand your network, what’s on it, what the potential attack surfaces are, and where to prioritize patching accordingly."

Genesis IAB Market Brings Polish to the Dark Web

With names, email addresses, and mobile numbers from underground databases, one person in five is at risk of account compromise even with SMS two-factor authentication in place.

Companies that rely on texts for a second factor of authentication are putting about 20% of their customers at risk because the information necessary to attack the system is available in compromised databases for sale on the Dark Web.  

About 1 billion records synthesized from online databases — representing about one in every five mobile phone users in the world — contain users' names, email addresses, passwords, and phone numbers. This gives attackers everything they need to conduct SMS-based phishing attacks, also known as smishing, says Thomas Olofsson, CTO of cybersecurity firm FYEO. 

Cybersecurity experts have long known that the addition of an SMS one-time password is a weak form of two-factor authentication and the simplest form of two-factor authentication for attackers to compromise. However, combining such attacks with the readily available information on users produces a "perfect storm" for attacking accounts, he says.

At Black Hat USA, Olofsson plans to go over findings from research into the problem during a session on Wednesday, Aug. 10, called "Smishmash — Text-Based 2FA Spoofing Using OSINT, Phishing Techniques, and a Burner Phone."

"The research that we have done is two parts: How do you bypass 2FA, and how many phone numbers can we tie to an email address and a password," he tells Dark Reading. "So, for about one in five — a billion — people, we can connect your email address to your phone number, and that is really bad."

The analysis found that by collecting information from known databases of compromised usernames and passwords, researchers could create a database of 22 billion credentials. Linking those credentials to a phone number reduced the exposure to a bit more than 1 billion records, of which about half have been verified.

To make use of those records, attackers can conduct an adversary-in-the-middle attack, where the smishing attack goes to a proxy. When a targeted user opens a link in a malicious SMS message on a mobile device, browsers on iOS and Android rarely show any security information, such as a the URL, since screen real estate is so small. Because of that, few — if any — signs of the attack are presented to the user, making the attacks much more effective, Olofsson says.

In addition, smishing attacks are seven times more likely to succeed than phishing attacks conducted through email, he says.

"It makes it extremely likely that someone will click on the link," Olofsson says. "I even look at our attacks, and I said, wow, I could fall for this."

Attackers have used smishing to compromise financial accounts — especially those linked to cryptocurrency exchanges — during the past two years, with more than $1.6 billion of crypto stolen so far in 2022, according to an analysis published in May. 

**SMS for 2FA: Risky Biz**

Meanwhile, the US federal government has already put additional restrictions on any use of SMS for a second factor of authentication. In 2016, the National Institute of Standards and Technology (NIST) warned against using one-time passwords sent as text messages for a second factor to authenticate users.

"An SMS sent from a mobile phone might seamlessly switch to an internet message delivered to, say, a Skype or Google Voice phone number. Users shouldn't have to know the difference when they hit send — that’s part of the Internet’s magic. But it does matter for security," NIST wrote in an explanation of the policy, adding: "While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn't have the strength of device authentication mechanisms inherent in the other authenticators allowable" by NIST guidelines.  

To make it less likely that such attacks succeed, users should ignore any notifications that come through SMS and instead log directly into their account.

"Never trust an SMS message," Olofsson says. "If you feel something is wrong, don't click on it, don't trust it. Go on a computer, and see if you have an e-mail, because at least you can verify the headers then."

Unfortunately, many financial institutions and other companies make it hard for users to implement better security because they only offer SMS as an option for the second factor of authentication. Adding reCAPTCHA checks can give users a hint that something is wrong, Olofsson notes, because any adversary-in-the-middle attack will display the proxy server, not the user's IP address.

Stolen Data Gives Attackers Advantage Against Text-Based 2FA

Cross-Site Request Forgery (CSRF) vulnerability in Rich Reviews by Starfish plugin <= 1.9.14 at WordPress allows an attacker to delete reviews.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of August 2, 2022 and is not available for download. This closure is temporary, pending a full review.

Very bad plugin. Google doesn't show the snippets. When I ask this to the support, they said that I need to wait more. But I've already waited more than 1 year! And still no Google snippets. Go with much more a better plugin.

After a week and no respons i deactivated the plugin. I, and support of Starfish, was not able to activate the license. I need to go on. I have a waiting customer.

This guys will help you everytime! Thanks for such simple and effective tool. Regards, Alex

The plugin code contains a bunch of errors. For example, you will never see a warning if you have not rated a review, even if the rating field in the settings is required. Very bad localization. Many text strings in the plugin are not translated at all, as they are hardcoded. Finally, reviews are sent multiple times. Several duplicate records appear in the database and the same number of notifications are sent to e-mail. So, I does NOT recommend this plugin at all!

Плагин не умеет в локализацию.

doesn't have product as an option.. definitely don't recommend for google snippet.

Read all 115 reviews

“Rich Reviews by Starfish” is open source software. The following people have contributed to this plugin.

Contributors

CVE-2021-36861: Rich Reviews by Starfish

Researcher bypasses email filter with inspired style tag trickery

Adam Bannister 05 August 2022 at 15:59 UTC

Researcher bypasses email filter with inspired style tag trickery

A cross-site scripting (XSS) vulnerability in AMP for Email, Gmail’s dynamic email feature, has netted a security researcher a $5,000 bug bounty payout.

AMP for Email brings AMP functionality to rich, interactive emails. AMP itself is an open source HTML framework used to optimize websites for web browsing on mobile.

Adi Cohen, who unearthed the security flaw, said he had no problem finding a vector that triggered an XSS within the AMP playground, but found bypassing Gmail’s XSS filter a much tougher assignment.

**Rendering contexts**

The “easiest way to circumvent an XSS filter is by tricking it into a different rendering context than what the browser will actually use to render a given piece of code”, observed Cohen in a blog post.

Since AMP for Email forbids the likes of templates, SVG, math, and CSS, he instead targeted stylesheets as a potential path to an XSS payload with multiple rendering contexts.

RELATED XSS vulnerabilities in Google Cloud, Google Play could lead to account hijacks

This required a discrepancy between how the stylesheet is rendered by the filter and browser, either by “tricking the filter into believing a fake style tag is real”, or “the exact opposite”.

Cohen’s initial vector worked in the sandbox because AMP “leaves the CSS context as soon as it encounters the string ‘’ even if it doesn’t have a closing bracket () or at least a whitespace after it”.

He was then able to “trick the filter into believing we’re back in HTML context, while the browser obviously ignores entirely and stays well within the realm of CSS”.

**</styl> over substance**

But “what looked like a promising vector in AMP, seemed way less interesting after Gmail ran its magic on it,” said Cohen.

A breakthrough came when he harnessed a CSS selector, which ensured the payload was returned unchanged by Gmail – “no escaping or other mutations”.

However, the malicious payload prompted an error after the AMP sandbox encountered ‘’, so Cohen tried , but Gmail’s filter was wise to its resemblance to .

What worked instead was testing a benign payload with an encoded selector – because Gmail decoded it, he could use the selector to inject a closing style tag.

Cohen reported the issue to Google on March 27, 2021, and noticed on July 7 that it had been fixed.

As previously reported by The Daily Swig, Google addressed an unrelated, notable XSS in AMP For Email back in 2019, after security researcher Michał Bentkowski leveraged id attributes in tags to enable ‘DOM clobbering’ attacks.

RELATED Authentication bypass bug in Nextauth.js could allow email account takeover

XSS in Gmail’s AMP For Email earns researcher $5,000

A threat actor working to further Iranian goals is said to have been behind a set of disruptive cyberattacks against Albanian government services in mid-July 2022.
Cybersecurity firm Mandiant said the malicious activity against a NATO state represented a "geographic expansion of Iranian disruptive cyber operations."
The July 17 attacks, according to Albania's National Agency of Information

A threat actor working to further Iranian goals is said to have been behind a set of disruptive cyberattacks against Albanian government services in mid-July 2022.

Cybersecurity firm Mandiant said the malicious activity against a NATO state represented a "geographic expansion of Iranian disruptive cyber operations."

The July 17 attacks, according to Albania's National Agency of Information Society, forced the government to "temporarily close access to online public services and other government websites" because of a "synchronized and sophisticated cybercriminal attack from outside Albania."

The politically motivated disruptive operation, per Mandiant, entailed the deployment of a new ransomware family called ROADSWEEP that included a ransom note with the text: "Why should our taxes be spent on the benefit of DURRES terrorists?"

A front named HomeLand Justice has since claimed credit for the cyber offensive, with the group also allegedly claiming to have used a wiper malware in the attacks. Although the exact nature of the wiper is unclear as yet, Mandiant said an Albanian user submitted a sample for what's called ZeroCleare on July 19, coinciding with the attacks.

ZeroCleare, first documented by IBM in December 2019 as part of a campaign targeting the industrial and energy sectors in the Middle East, is designed to wipe the master boot record (MBR) and disk partitions on Windows-based machines. It's believed to be a collaborative effort between different Iranian nation-state actors, including OilRig (aka APT34, ITG13, or Helix Kitten).

Also deployed in the Albanian attacks was a previously unknown backdoor dubbed CHIMNEYSWEEP that's capable of taking screenshots, listing and collecting files, spawning a reverse shell, and supporting keylogging functionality.

The implant, besides sharing numerous code overlaps with ROADSWEEP, is delivered to the system via a self-extracting archive alongside decoy Microsoft Word documents that contain images of Massoud Rajavi, the erstwhile leader of People's Mojahedin Organization of Iran (MEK).

The earliest iterations of CHIMNEYSWEEP date back to 2012 and indications are that the malware may have been utilized in attacks aimed at Farsi and Arabic speakers.

The cybersecurity firm, which was acquired by Google earlier this year, said it didn't have enough evidence linking the intrusions to a named adversarial collective, but noted with moderate confidence that one or more bad actors operating in support of Iran's objectives are involved.

The connections to Iran stem from the fact that the attacks took place less than a week prior to the World Summit of Free Iran conference on July 23-24 near the port city of Durres by entities opposing the Iranian government, particularly the members of the MEK.

"The use of ransomware to conduct a politically motivated disruptive operation against the government websites and citizen services of a NATO member state in the same week an Iranian opposition groups' conference was set to take place would be a notably brazen operation by Iran-nexus threat actors," the researchers said.

The findings also come two months after the Iranian advanced persistent threat (APT) group tracked as Charming Kitten (aka Phosphorus) was linked to an attack directed against an unnamed construction company in the southern U.S.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Iranian Hackers likely Behind Disruptive Cyberattacks Against Albanian Government

Smishing attacks, or phishing attempts via SMS, are on the rise, and Americans are fighting off billions of spam messages each month.
The post FCC warns of steep rise in phishing over SMS appeared first on Malwarebytes Labs.

After the FCC (Federal Communications Commission) made a huge splash weeks ago when it told Google and Apple to pull TikTok from their respective app stores, the federal agency is now warning Americans of an increased wave of SMS phishing attacks.

SMS phishing, otherwise known as smishing or robotexts (FCC’s own terminology), is a form of phishing that attempts to trick people into handing over their personally identifiable information (PII) and/or money using SMS instead of email, which standard phishing usually starts. The FCC has noted that scammers use various lures to trick someone into replying, giving out their information, or clicking a link.

“Like robocallers, a robotexter may use fear and anxiety to get you to interact,” the FCC consumer alert reads. “Texts may include false-but-believable claims about unpaid bills, package delivery snafus, bank account problems or law enforcement action against you. They may provide confusing information—as if they were texting someone else—, incomplete information, or utilize other techniques to spur your curiosity and engagement.”

What motivates criminals to engage in smishing tactics is to get money and personal information or to simply confirm that the number they’re messaging is active, so they can target it in future scam campaigns.

According to the FCC, it tracks consumer complaints instead of text volume. The agency noted a steady climb of unwanted SMS messages, from approximately 5,700 in 2019 to 8,500 by June 30, 2022.

A separate study confirmed this, too, but revealed more sobering numbers. RoboKiller, an app that screens scammy calls and messages, found that Americans were sent a mind-blowing 12 billion spam texts in July 2022.

“That’s nearly **_44 spam texts_** for every person in the country!” And the numbers were no different in June and May 2022.

RoboKiller also pointed out in the report that spam texts have outpaced spam calls for two consecutive years. And one of the notable reasons for this is the FCC mandating the STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) framework, which was designed to curb spam calls. It’s effective, which is why scammers switched to spam texts.

The FCC posted bite-sized, back-to-back tweets on signs of scam text messages and how Americans can avoid getting scammed.

> How to protect yourself from #scam robotexts:  
> ▪️ Do not respond  
> ▪️ Do not click on any links  
> ▪️ Do not provide any info  
> ▪️ File an FCC complaint  
> ▪️ Forward unwanted texts to SPAM (7726)  
> ▪️ Delete all suspicious texts
> 
> — The FCC (@FCC) July 28, 2022

When you receive a spam text, do not engage with the sender.

Ignore them, but file a complaint to the FCC.

Finally, if you think you were the victim of an SMS text scam, the FCC recommends you report the incident to your local law enforcement agency and notify your bank and mobile carrier.

Stay safe!

FCC warns of steep rise in phishing over SMS

Ittiam libmpeg2 before 2022-07-27 uses memcpy with overlapping memory blocks in impeg2_mc_fullx_fully_8x8.

CVE-2022-37416: Google Issue Tracker

At Black Hat USA, Igal Gofman plans to address how machine identities in the cloud and the explosion of SaaS apps are creating risks for IAM, amid escalating attention from attackers.

Cybercriminals always look for blind spots in access management, be they misconfigurations, poor credentialing practices, unpatched security bugs, or other hidden doors to the corporate castle. Now, as organizations continue their modernizing drift to the cloud, bad actors are taking advantage of an emerging opportunity: access flaws and misconfigurations in how organizations use cloud providers' identity and access management (IAM) layers.

In a talk on Wednesday, Aug. 10 at Black Hat USA entitled "IAM The One Who Knocks," Igal Gofman, head of research for Ermetic, will offer a view into this emerging risk frontier. "Defenders need to understand that the new perimeter is not the network layer as it was before. Now it's really IAM — it's management layer that governs all," he tells Dark Reading.

**Complexity, Machine Identities = Insecurity**

The most common pitfall that security teams step into when implementing cloud IAM is not recognizing the sheer complexity of the environment, he notes. That includes understanding the ballooning amount of permissions and access that software-as-a-service (SaaS) apps have created.

"Adversaries continue to put their hands on tokens or credentials, either via phishing or some other approach," explains Gofman. "At one time, those didn't give much to the attacker beyond what was on a local machine. But now, those security tokens have much more access, because everyone in the last few years moved to the cloud, and have more access to cloud resources."

The complexity issue is particularly piquant when it comes to machine entities — which, unlike humans, are always working. In the cloud context, they're used to access cloud APIs using API keys; enable serverless applications; automate security roles (i.e., cloud access service brokers or CASBs); integrate SaaS apps and profiles with each other using service accounts; and more.

Given that the average company now uses hundreds of cloud-based apps and databases, this mass of machine identities presents a highly complex web of interwoven permissions and access that underpin organizations' infrastructures, which is difficult to gain visibility into and thus difficult to manage, Gofman says. That's why adversaries are seeking to exploit these identities more and more.

"We are seeing a rise in the use of non-human identities, which have access to different resources and different services internally," he notes. "These are services that speak with other services. They have permissions, and usually broader access than humans. The cloud providers are pushing their users to use those, because at the basic level they consider them to be more secure. But, there are some exploitation techniques that can be used to compromise environments using those non-human identities."

Machine entities with management permissions are particularly attractive for adversaries to use, he adds.

"This is one of the main vectors we see cybercriminals targeting, especially in Azure," he explains. "If you don't have an intimate understanding of how to manage them within the IAM, you're offering up a security hole."

**How to Boost IAM Security in the Cloud**

From a defensive standpoint, Gofman plans to discuss the many options that organizations have for getting their arms around the problem of implementing effective IAM in the cloud. For one, organizations should make use of cloud providers' logging capabilities to build a comprehensive view of who — and what — exists in the environment.

"These tools are not actually used extensively, but they're good options to better understand what's going on in your environment," he explains. "You can use logging to reduce the attack surface too, because you can see exactly what users are using, and what permissions they have. Admins can also compare stated policies to what is actually being used within a given infrastructure, too."

He also plans to break down and compare the different IAM services from the top three public cloud providers — Amazon Web Services, Google Cloud Platform, and Microsoft Azure — and their security approaches, all of which are slightly different. Multi-cloud IAM is an added wrinkle for corporations using different clouds from different providers, and Gofman notes that understanding the subtle differences between the tools they offer can go a long way to shoring up defenses.

Organizations can also use a variety of third-party, open source tools to gain better visibility across the infrastructure, he notes, adding that he and his co-presenter Noam Dahan, research lead at Ermetic, plan to demo one option.

"Cloud IAM is super-important," Gofman says. "We're going to speak about the dangers, the tools that can be used, and the importance of understanding better what permissions are used and what permission are not used, and how and where admins can identify blind spots."

Cyberattackers Increasingly Target Cloud IAM as a Weak Link

A month after the algorithms were revealed, some companies have already begun incorporating the future standards into their products and services.

A month after the National Institute of Standards and Technology (NIST) revealed the first quantum-safe algorithms, Amazon Web Services (AWS) and IBM have swiftly moved forward. Google was also quick to outline an aggressive implementation plan for its cloud service that it started a decade ago.

It helps that IBM researchers contributed to three of the four algorithms, while AWS had a hand in two. Google contributed to one of the submitted algorithms, SPHINCS+.

A long process that started in 2016 with 69 original candidates ends with the selection of four algorithms that will become NIST standards, which will play a critical role in protecting encrypted data from the vast power of quantum computers.

NIST's four choices include CRYSTALS-Kyber, a public-private key-encapsulation mechanism (KEM) for general asymmetric encryption, such as when connecting websites. For digital signatures, NIST selected CRYSTALS-Dilithium, FALCON, and SPHINCS+. NIST will add a few more algorithms to the mix in two years.

Vadim Lyubashevsky, a cryptographer who works in IBM's Zurich Research Laboratories, contributed to the development of CRYSTALS-Kyber, CRYSTALS-Dilithium, and Falcon. Lyubashevsky was predictably pleased by the algorithms selected, but he had only anticipated NIST would pick two digital signature candidates rather than three.

Ideally, NIST would have chosen a second key establishment algorithm, according to Lyubashevsky. "They could have chosen one more right away just to be safe," he told Dark Reading. "I think some people expected McEliece to be chosen, but maybe NIST decided to hold off for two years to see what the backup should be to Kyber."

**IBM's New Mainframe Supports NIST-Selected Algorithms**

After NIST identified the algorithms, IBM moved forward by specifying them into its recently launched z16 mainframe. IBM introduced the z16 in April, calling it the "first quantum-safe system," enabled by its new Crypto Express 8S card and APIs that provide access to the NIST APIs.

IBM was championing three of the algorithms that NIST selected, so IBM had already included them in the z16. Since IBM had unveiled the z16 before the NIST decision, the company implemented the algorithms into the new system. IBM last week made it official that the z16 supports the algorithms.

Anne Dames, an IBM distinguished engineer who works on the company's z Systems team, explained that the Crypto Express 8S card could implement various cryptographic algorithms. Nevertheless, IBM was betting on CRYSTAL-Kyber and Dilithium, according to Dames.

"We are very fortunate in that it went in the direction we hoped it would go," she told Dark Reading. "And because we chose to implement CRYSTALS-Kyber and CRYSTALS-Dilithium in the hardware security module, which allows clients to get access to it, the firmware in that hardware security module can be updated. So, if other algorithms were selected, then we would add them to our roadmap for inclusion of those algorithms for the future."

A software library on the system allows application and infrastructure developers to incorporate APIs so that clients can generate quantum-safe digital signatures for both classic computing systems and quantum computers.

"We also have a CRYSTALS-Kyber interface in place so that we can generate a key and provide it wrapped by a Kyber key so that could be used in a potential key exchange scheme," Dames said. "And we've also incorporated some APIs that allow clients to have a key exchange scheme between two parties."

Dames noted that clients might use Kyber to generate digital signatures on documents. "Think about code signing servers, things like that, or documents signing services, where people would like to actually use the digital signature capability to ensure the authenticity of the document or of the code that's being used," she said.

**AWS Engineers Algorithms Into Services**

During Amazon's AWS re:Inforce security conference last week in Boston, the cloud provider emphasized its post-quantum cryptography (PQC) efforts. According to Margaret Salter, director of applied cryptography at AWS, Amazon is already engineering the NIST standards into its services.

During a breakout session on AWS' cryptography efforts at the conference, Salter said AWS had implemented an open source, hybrid post-quantum key exchange based on a specification called s2n-tls, which implements the Transport Layer Security (TLS) protocol across different AWS services. AWS has contributed it as a draft standard to the Internet Engineering Task Force (IETF).

Salter explained that the hybrid key exchange brings together its traditional key exchanges while enabling post-quantum security. "We have regular key exchanges that we've been using for years and years to protect data," she said. "We don't want to get rid of those; we're just going to enhance them by adding a public key exchange on top of it. And using both of those, you have traditional security, plus post quantum security."

Last week, Amazon announced that it deployed s2n-tls, the hybrid post-quantum TLS with CRYSTALS-Kyber, which connects to the AWS Key Management Service (AWS KMS) and AWS Certificate Manager (ACM). In an update this week, Amazon documented its stated support for AWS Secrets Manager, a service for managing, rotating, and retrieving database credentials and API keys.

**Google's Decade-Long PQC Migration**

While Google didn't make implementation announcements like AWS in the immediate aftermath of NIST's selection, VP and CISO Phil Venables said Google has been focused on PQC algorithms "beyond theoretical implementations" for over a decade. Venables was among several prominent researchers who co-authored a technical paper outlining the urgency of adopting PQC strategies. The peer-reviewed paper was published in May by Nature, a respected journal for the science and technology communities.

"At Google, we're well into a multi-year effort to migrate to post-quantum cryptography that is designed to address both immediate and long-term risks to protect sensitive information," Venables wrote in a blog post published following the NIST announcement. "We have one goal: ensure that Google is PQC ready."

Venables recalled an experiment in 2016 with Chrome where a minimal number of connections from the Web browser to Google servers used a post-quantum key-exchange algorithm alongside the existing elliptic-curve key-exchange algorithm. "By adding a post-quantum algorithm in a hybrid mode with the existing key exchange, we were able to test its implementation without affecting user security," Venables noted.

Google and Cloudflare announced a "wide-scale post-quantum experiment" in 2019 implementing two post-quantum key exchanges, "integrated into Cloudflare's TLS stack, and deployed the implementation on edge servers and in Chrome Canary clients." The experiment helped Google understand the implications of deploying two post-quantum key agreements with TLS.

Venables noted that last year Google tested post-quantum confidentiality in TLS and found that various network products were not compatible with post-quantum TLS. "We were able to work with the vendor so that the issue was fixed in future firmware updates," he said. "By experimenting early, we resolved this issue for future deployments."

**Other Standards Efforts**

The four algorithms NIST announced are an important milestone in advancing PQC, but there's other work to be done besides quantum-safe encryption. The AWS TLS submission to the IETF is one example; others include such efforts as Hybrid PQ VPN.

"What you will see happening is those organizations that work on TLS protocols, or SSH, or VPN type protocols, will now come together and put together proposals which they will evaluate in their communities to determine what's best and which protocols should be updated, how the certificates should be defined, and things like things like that," IBM's Dames said.

Dustin Moody, a mathematician at NIST who leads its PQC project, shared a similar view during a panel discussion at the RSA Conference in June. "There's been a lot of global cooperation with our NIST process, rather than fracturing of the effort and coming up with a lot of different algorithms," Moody said. "We've seen most countries and standards organizations waiting to see what comes out of our nice progress on this process, as well as participating in that. And we see that as a very good sign."

Amazon, IBM Move Swiftly on Post-Quantum Cryptographic Algorithms Selected by NIST

By Deeba Ahmed
This hasn’t been a great week for the crypto community. On Monday, the Nomad bridge got exploited and…
This is a post from HackRead.com Read the original post: Thousands of GitHub Repositories Cloned in Supply Chain Attack

This hasn’t been a great week for the crypto community. On Monday, the Nomad bridge got exploited and lost nearly $200 million. Then on Wednesday, Hackread.com **reported** that roughly 8,000 Solana blockchain wallets were hacked, and approx. $8 million worth of crypto drained from its wallets.

Now, the GitHub developer platform has become the victim of a malware attack in which the attackers cloned thousands of repositories. This supply chain attack allows attackers to exfiltrate data and perform RCE.

**GitHub Facing Widespread Malware Attack**

According to developer **Stephen Lucy**, around 35,000 GitHub repositories have been cloned with malware. The incident was reported on Wednesday when the developer was confronted with the issue while reviewing a GitHub project found through Google search (search phrase= ovz1.j19544519.pr46m.vps.myjinoru).

Lucy noticed a malicious URL included in the code, and when GitHub repositories were scanned for this URL, it gave over 35,000 results.

It is however worth noting that crypto repositories weren’t targeted in the malware attack. However, these are among the impacted repositories. GitHub was notified about the issue on August 3.

**More Github Security News**

*   **New backdoor malware hits Slack and Github platforms**
*   **GitHub Will Now Support Security Keys for SSH Git Operations**
*   **Hackers use Github bot to steal $1,200 in ETH within 100 seconds**
*   **GitHub: Hackers Stole OAuth Access Tokens to Target Dozens of Firms**
*   **Hackers can spoof commit metadata to create false GitHub repositories**

**Were the Repositories Hacked?**

Bleeping Computer **wrote** that the repositories weren’t hacked, but actually, these were copied with their clones. These clones were modified to insert malware.

For your information, cloning open source code is common among developers. But, in this case, the attackers injected malicious code/links into genuine GitHub projects to target innocent users.

Furthermore, over 13,000 search results were obtained from a single repository identified as ‘redhat-operator-ecosystem.’ The malicious link exfiltrated the environment variables, which contain sensitive data like **Amazon AWS credentials**, API keys, and crypto keys, and also contained a one-line backdoor. The malware also lets remote attackers execute arbitrary code on those systems that install/run the clones.

The attack has impacted many crypto projects. These include Golang, Bash, Python, Docker, JavaScript, and Kubernetes. GitHub confirmed that the original repositories weren’t compromised, and the clones have been quarantined and cleaned.

This attack is difficult to spot because genuine GitHub user accounts are spoofed on commits. It is possible because GitHub requires an email address to attribute commits to users, and they can sign commits with GPG.

Since fakes of legit projects can retain past commits and pull requests from genuine users, it becomes difficult to detect fakes. This supply chain attack will not affect those using original GitHub projects.

1.  Iran’s Largest Steel Producer Hit By Crippling Cyberattack
2.  Access:7 Supply Chain Flaws Impact ATMs, Medical, IoT devices
3.  DDoS Attacks by Hacktivists Disrupted Russian Alcohol Supply Chain
4.  VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware
5.  Cloud video platform abused in web skimmer attack against real estate sites

Tag

#google