Vendor threatened legal action following disclosure and fixes being issued, bug hunter claims

Vendor threatened legal action following disclosure and fixes being issued, bug hunter claims

A cybersecurity researcher was threatened with legal action for describing vulnerabilities in Powertek PDUs after patches were released.

The vulnerabilities – two deemed critical and a “handful” of more minor issues – were found by a Polish researcher going by the name Gynvael Coldwind who currently works for Google.

Collectively dubbed ‘Screams of Power’ – due to the researcher’s enjoyment of naming bugs with the help of a metal band name generator – the critical issues are tracked as CVE-2022-33174 and CVE-2022-33175.

Both impact Powertek, a manufacturer of power distribution units (PDUs), key hardware for distributing and managing electrical supplies in data centers.

**RECOMMENDED** GhostTouch: Hackers can reach your phone’s touchscreen without even touching it

In March, the researcher reviewed Powertek firmware and discovered multiple issues in v3.30.23 and “possibly prior”. The CVE assignments say that firmware versions before 3.30.30 are affected.

The first vulnerability, CVE-2022-33174, has been issued a CVSS severity score of 9.8 and is described as an authorization bypass issue.

The second bug, CVE-2022-33175, is also subject to a CVSS score of 9.8. This issue is an authenticated session token leak.

**Coordinated disclosure**

According to the researcher, a vulnerability report was sent to Powertek on February 10, and this was confirmed to have been viewed six days later. Powertek then requested a ‘short’ grace period in May and confirmed that fixes were underway.

Emails were exchanged concerning patch distribution between the vendor and researcher, and in June, CVEs were requested.

Read more of the latest hacking news from around the world

The cybersecurity researcher’s blog post, describing the vulnerabilities, was then published.

So far, so good. However, Powertek then sent a tart email to Coldwind, asking why they were “trying to damage the brand”. Coldwind then asked what the vendor meant, leading to a legal threat:

We did not sell anything to you, you can not \[sic\] talk like you are doing, you will be contacted by our lawyer.

**Crossed wires**

In an update posted on June 13, the security researcher said that a subsequent phone call with Schneikel, the firm’s Swiss reseller, demonstrated a shift in attitude – and it may have been that the threat was down to a lack of understanding of the disclosure process, as well as fear.

“In general, it’s the same old story: reasonable people mishandling the first ever vulnerability disclosure due to not knowing the industry-accepted standard,” Coldwind commented. “They are interested in upping their security game, which is great.”

Dawid Czarnecki suggested that researchers disclosing vulnerabilities could consider adding a FAQ or guide to their email to take the heat out of their first encounter with such a situation.

“For non-security folks, \[vulnerability disclosure\] can be perceived as an attack on the company so they sometimes react like that,” Czarnecki noted. “But seeing that after discussions with you they show willingness to improve is very admirable despite the poor first contact.”

_The Daily Swig_ has reached out to the researcher and Powertek and we will update when we hear back.

**YOU MIGHT ALSO LIKE** Oblivious DNS-over-HTTPS offers privacy enhancements to secure lookup protocol

Security researcher receives legal threat over patched Powertek data center vulnerabilities

What is post-quantum cryptography?
A new type of computer is being developed that can break many of our existing cryptographic algorithms. As a result, we need to develop new algorithms that are secure against those computers and that will run on our existing computers. This is called "post-quantum cryptography".

**What is post-quantum cryptography?**

A new type of computer is being developed that can break many of our existing cryptographic algorithms. As a result, we need to develop new algorithms that are secure against those computers _and_ that will run on our existing computers. This is called "post-quantum cryptography". 

**What is a quantum computer?**

In 1981, Richard Feynman proposed a new way to model quantum interactions in complex systems. There is a problem when modeling these interactions, however, in that we need to represent each linked particle as a set of probabilities. As we add particles, these arrays grow exponentially. For any sufficiently large system, we can no longer handle the storage and time requirements using existing computers.

Feynman’s suggestion is simple: Build a computer using entangled quantum objects to model the physical object we are interested in. Such a computer could efficiently handle a number of tasks with which we could figure out how to take advantage of changing entangled quantum states.

**What is a qubit?**

The idea behind a quantum computer is to replace our classical bits with "qubits". Classical bits can be either 0 or 1, while a qubit takes on a _probability_ of being 1 or 0, usually represented by a unit vector in three-dimensional space. The power of the qubit isn’t a single bit, but multiple bits which are entangled with each other. If you can devise an algorithm in which these qubits interfere with each other in the solution to your problem, you can force these bits to take on the state of your solution instantly.

**What do quantum computers have to do with cryptography?**

When Feynman proposed quantum computers, such a machine was beyond anyone’s ability to build, but researchers still looked at not only _how_ to build such a computer, but also _how it could be used_.

In 1994, Peter Shor identified an algorithm that could use a quantum computer to break the RSA and Diffie Hellman cryptographic systems. Shor’s algorithm was then extended to break ECC (Elliptic Curve Cryptography) as well. These algorithms are the building blocks for all our public key exchange and digital signing algorithms. From that time on, we knew our primary public key systems were only secure until someone built a sufficiently large, working quantum computer. (There are quantum computers today which you can hire to run jobs, but they are still too small to be a risk to our existing algorithms.)

With our classical algorithms potentially broken, we will need new algorithms that are based on problems that aren’t easily solved with quantum computers, which is where post-quantum cryptography comes in. These algorithms run on existing computers and are based on problems that are difficult for both a classical computer and a quantum computer to solve. 

**Why should you care about post-quantum cryptography?**

Cryptography is pervasive in our modern world. When you enter your credit card number on the web, that communication is protected by an encrypted channel which depends on both digital signing (to make sure you are giving the credit card to the correct vendor), and public key exchange (to agree on a set of keys used between client and server to encrypt your communication). If a sufficiently large quantum computer were to be built, none of the security guarantees that you normally get with Transport Layer Security (TLS) could be depended on. Some forms of disk encryption also use public keys to provide recovery systems in case your users forget their passwords.

One of the most important things all of this means for the average person is that they need to identify what systems they use that could potentially be vulnerable. This is especially important for corporate IT.

**When do you need to care?**

Every talk and article on post-quantum cryptography answers this question with Mosca’s Theorem:

If the sum of the time to migrate to the new algorithm (y) and the time you need the secret to be kept (x) is greater than the time left before we have a quantum computer that can break our public key algorithm (z) then your data will be compromised before its usefulness expires. The problem is there is uncertainty in many of these numbers.

The time you need to keep the secret (x) is usually known based on the application. For your credit card on the internet, for example, this would be maybe two or three years depending on your card’s expiration date. For medical data, on the other hand, it could be decades.

This is further complicated by the fact that some entities (government and private) have begun recording TLS sessions, so even though the TLS session is short lived, the data in that connection may be stored and decrypted in the future. So, for example, If you are doing some aid work in an authoritarian country and you are working with people that could be arrested for working with you, you probably don’t want to trust communicating their names or other identifying information across a VPN or a TLS connection. This time-value is under your control, but you need to evaluate how long you need to keep certain data secret and from what kinds of entities.

The time to deploy can be lengthy (y), starting with standards, then moving on to actual deployment. In some instances it could be decades. The cryptographic community has been working on new standards proposals for years, and we only now expect them to get standardized. The only control you have here is once algorithms and protocols are available, you decide how quickly to deploy them on your systems.

The greatest unknown at this point, however, is the time before we have quantum computers which can break our existing algorithms (z). In 2015 Michael Mosca, a quantum computing researcher at the University of Waterloo, estimated that there was a 1/7 chance that 2048-bit RSA will be vulnerable by 2026 and a 50% chance it would be vulnerable by 2031. He updated that in 2017 to 1/6 chance that 2048 will be compromised by 2027. The research into quantum computers has accelerated — companies like IBM and Google have been building small, experimental quantum computers to help solve some of the intractable problems they and their customers have.

The upshot is this: There are some things you need to care about right now, but others you don’t have to worry about until we have post-quantum algorithms deployed.

**Why aren’t post-quantum algorithms deployed already?**

The cryptographic community has known about these issues for a while. The good news is there are several new algorithms that can replace our existing key exchange and signature algorithms. The bad news is all the well-studied algorithms have major barriers to deploying them, namely their key size or their encrypted data/signature size, or both, is very large (In some cases megabits large). The community has spent the last decade researching some of the more promising new algorithms that don’t have massive keys and data blobs. In future posts I’ll examine these families in detail, but for now we’ll just note a few facts.

In 2016 the National Institute of Standards and Technology (NIST) started the Post-Quantum Cryptography Standardization process to collect and evaluate potential algorithms. They received 82 submissions, 69 of which were considered complete at the end of 2017. These were evaluated in 2018 and, at the beginning of this year, 30 algorithms were selected for further refinement and evaluation through 2019.

Many of the original 69 were broken in that time frame, and 26 of the original 69 algorithms were selected for round two. In 2020 NIST selected seven finalists and eight alternates. Even among these 15 algorithms, three have now been broken. The number of broken algorithms justifies the wisdom behind proceeding at a careful pace.

We expect NIST to make a final selection in 2022 and to start the standardization process once the selection is made. When that process is complete, protocols like TLS can pick them up and vendors can start to deploy them.

**What should I do?**

You should first identify any use of the potentially-broken algorithms you have now and determine whether they are protecting long-term data. This means you need to examine your uses of:

*   RSA, DSA, ECC, DH – the actual vulnerable algorithms
    
*   TLS, SSH, S/MIME, PGP, IPSEC – protocols that depend on these vulnerable algorithms
    
*   VPNs, Kerberos – protocols that may depend on these vulnerable algorithms
    
*   Browsers, encrypted messaging, disk encryption, authentication schemes – applications that (potentially) use these protocols and vulnerable algorithms
    

You want to:

1.  Make sure the users aren’t trying to protect long-term data.
    
2.  Create a plan to replace the vulnerable algorithms with post-quantum algorithms as they become available. Prioritize those systems that store or transfer your most sensitive data. This will probably mean updating your old operating systems, and maybe even your old hardware.
    
3.  Identify systems not in your control (third-party websites, etc.) and make a plan on how you can mitigate your exposure to their systems.
    

Unfortunately, these new algorithms are not yet available, and won’t be until standards can be updated, but you can still get control over your potential exposures by at least knowing where they are. You can find more information in this Q&A with Matt Scholl from NIST.

**What’s next?**

In future blog posts I’ll explain how the new post-quantum algorithms work and what to watch for when implementing and deploying them.

Post-quantum cryptography, an introduction

Microsoft officially released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates.
Also addressed by the tech giant are 55 other flaws, three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five other shortcomings were resolved in the Microsoft Edge browser.
<!-

Microsoft officially released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates.

Also addressed by the tech giant are 55 other flaws, three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five other shortcomings were resolved in the Microsoft Edge browser.

Tracked as CVE-2022-30190 (CVSS score: 7.8), the zero-day bug relates to a remote code execution vulnerability affecting the Windows Support Diagnostic Tool (MSDT) when it's invoked using the "ms-msdt:" URI protocol scheme from an application such as Word.

The vulnerability can be trivially exploited by means of a specially crafted Word document that downloads and loads a malicious HTML file through Word's remote template feature. The HTML file ultimately permits the attacker to load and execute PowerShell code within Windows.

"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application," Microsoft said in an advisory. "The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights."

A crucial aspect of Follina is that exploiting the flaw does not require the use of macros, thereby obviating the need for an adversary to trick victims into enabling macros to trigger the attack.

Since details of the issue surfaced late last month, it has been subjected to widespread exploitation by different threat actors to drop a variety of payloads such as AsyncRAT, QBot, and other information stealers. Evidence indicates that Follina has been abused in the wild since at least April 12, 2022.

Besides CVE-2022-30190, the cumulative security update also resolves several remote code execution flaws in Windows Network File System (CVE-2022-30136), Windows Hyper-V (CVE-2022-30163), Windows Lightweight Directory Access Protocol, Microsoft Office, HEVC Video Extensions, and Azure RTOS GUIX Studio.

Another security shortcoming of note is CVE-2022-30147 (CVSS score: 7.8), an elevation of privilege vulnerability affecting Windows Installer and which has been marked with an "Exploitation More Likely" assessment by Microsoft.

"Once an attacker has gained initial access, they can elevate that initial level of access up to that of an administrator, where they can disable security tools," Kev Breen, director of cyber threat research at Immersive Labs, said in a statement. "In the case of ransomware attack, this leverages access to more sensitive data before encrypting the files."

The latest round of patches is also notable for not featuring any updates to the Print Spooler component for the first time since January 2022. They also arrive as Microsoft said it's officially retiring support for Internet Explorer 11 starting June 15, 2022, on Windows 10 Semi-Annual Channels and Windows 10 IoT Semi-Annual Channels.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Atlassian Confluence Server and Data Center
*   Cisco
*   Citrix
*   Dell
*   GitLab
*   Google Chrome
*   HP
*   Intel
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   Qualcomm
*   SAP
*   Schneider Electric
*   Siemens, and
*   VMware

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Patch Tuesday: Microsoft Issues Fix for Actively Exploited 'Follina' Vulnerability

By Deeba Ahmed
A Chinese-speaking, technically skilled threat actor distributes backdoored applications to extract cash from victims in the newly discovered…
This is a post from HackRead.com Read the original post: Hackers Using Web3 Backdoor Wallets to Steal Seed Phrases from iOS/Android Users

Confiant security researchers have shared details of a large-scale operation launched by a technically advanced, sophisticated threat actor. The actor distributes backdoored applications through fake versions of authentic cryptocurrency wallet websites to drain funds. The activity cluster is dubbed SeaFlower, reportedly targeting iOs and Android users.

Confiant researchers noted that the trojanized cryptocurrency apps are identical to their real versions. However, they contain a backdoor that can steal a user’s security phase, allowing attackers to access their digital assets.

**Attack Method**

The SeaFlower operation leverages website cloning, SEO poisoning, and black SEO techniques to distribute trojanized apps to a broader range of users. Targeted applications include iOS and Android versions of MetaMask, Coinbase wallet, imToken, and TokenPocket.

These apps are distributed through Chinese search engines such as Sogou and Baidu. The search terms are rigged, so when someone searches for Download MetaMask iOS, the drive-by download pages appear on the top of the results first page.

Unsuspecting users stumble upon the suspicious sites, which serve as a conduit for luring victims into downloading trojanized versions of wallet apps. These apps have been modified to appear the same as the original versions but have additional code to extract and send the seed phrase to a remote domain.

The attackers may promote the backdoored apps on social media platforms and forums and use malvertising, but the leading distribution channel is search engines.

**SeaFlower Objective**

According to a blog post by Confiant’s Taha Karim, the main objective behind this campaign appears to be modifying Web3 wallets with backdoor code to exfiltrate the seed phrase. SeaFlower operators have also engineered the activity for targeting iOS users through provisioning profiles to enable apps for sideloading onto the devices.

For your information, provision profiles help tie devices and developers to an unauthenticated development team. This way, devices can be used for testing app code and adding malicious apps to devices.

**The Chinese Connection**

The analysis of the source code comments in the backdoored coding, the macOS usernames, and the involvement of Alibaba’s CDN (content delivery network) links this campaign with a yet-to-be-revealed Chinese-speaking organization.

Researchers claim they discovered the campaign in March 2022 and refer to SeaFlower as “the most technically sophisticated threat targeting Web3 users, right after the infamous Lazarus Group.”

**Why SeaFlower?**

Regarding why Confiant researchers dubbed the activity SeaFlower, they noted that one of the .dylib files injected in the trojanized MetaMask app’s Mach-O leaked a macOS username “Zhang Haike.” When they Googled the term, many Chinese language references appeared, one of which was a character in the Chinese novel “Tibetan Sea Flower.”

**Security Measures**

Chinese hackers are always considered dangerous and highly sophisticated. It could be because of unlimited resources backed by the government or they are just good at it. Nevertheless, strictly refrain from downloading apps and software from third-party markets.

> Always download mobile apps from official stores: Apple AppStore & Play Store. Never install or accept random provisioning profiles on your iPhone, as you saw in this blog post, they allow the download of unverified software that could potentially steal your crypto.
> 
> Taha Karim – Confiant

**More Chinese Hackers in News**

1.  Irani and Chinese State Hackers Exploiting Log4j Vulnerability
2.  Russian language hacking forums warming up to Chinese hackers
3.  Chinese APT group spying on Vietnam military with FoundCore RAT
4.  Microsoft disrupts the activity of Chinese hackers by seizing 42 websites
5.  Unofficial Micropatch for Follina Released as Chinese Hackers Exploit 0-day

Hackers Using Web3 Backdoor Wallets to Steal Seed Phrases from iOS/Android Users

Here's a rundown of Dark Reading's reporting and commentary from and surrounding the first in-person RSA Conference since the pandemic began in 2020.

RSA Conference 2022 — If you didn't make the trip to San Francisco last week for the RSA Conference or were too busy watching the Golden State Warriors battle the Boston Celtics in the NBA Finals, Dark Reading has you covered. Here's a compilation of our news analysis and commentary before, during, and after the show:

Beware the 'Secret Agent' Cloud Middleware

New open source database details the software that cloud service providers typically silently install on enterprises' virtual machines — often unbeknownst to customers.

How 4 Young Musicians Hacked Sheet Music to Help Fight the Cold War  
In 1985, a group of klezmer musicians from the US rendezvoused with underground dissidents in Tbilisi, Georgia. This is the story of how they pulled it off with homebrew cryptography.

An Emerging Threat: Attacking 5G via Network Slices

A successful attack against 5G networks could disrupt critical infrastructure, manipulate sensor data, or even cause physical harm to humans.

In a Quickly Evolving Landscape, CISOs Shift Their 2022 Priorities

Cloud migration, DevSecOps, cyber insurance, and more have emerged as important motivators for cybersecurity investment and focus.

Why AIs Will Become Hackers

At a 2022 RSA Conference keynote, technologist Bruce Schneier asserted that artificial intelligence agents will start to hack human systems — and what that will mean for us.

Meet the 10 Finalists in the RSA Conference Innovation Sandbox

This year's finalists tackle such vital security concerns as permissions management, software supply chain vulnerability, and data governance.

Talon Grasps Victory at a Jubilant RSAC Innovation Sandbox

Spirits were high at the return of the in-person contest, which kicked off by bringing last year's virtual event winner on stage.

RSAC Startup Competition Focuses on Post-Cloud IT Infrastructure

A secure Web browser takes the top prize, and for the second year in a row malware detection is an afterthought.

Now Is the Time to Plan for Post-Quantum Cryptography

Panelists from an RSA Conference keynote agreed that organizations need to begin work on PQC migration, if they haven't already.

Mandia: Keep 'Shields Up' to Survive the Current Escalation of Cyberattacks

As Mandiant CEO Kevin Mandia's company prepares to become part of Google, the incident response company continues to investigate many of the most critical cyber incidents.

RSAC Opens With Message of Transformation

Cybersecurity needs to shift its thinking ahead of the next disruption, RSA's CEO said during the opening 2022 conference keynote.

Ransomware's ROI Retreat Will Drive More BEC Attacks

Crackdowns are driving down ransomware profits, and analysts see signs that operators are pivoting to business email compromise attacks, security researcher warned.

Communication Is Key to CISO Success

A panel of CISOs at the RSA Conference outlined what a successful first 90-day plan looks like, and it boiled down to effective communication and listening.

IBM to Buy Attack Surface-Management Firm Randori

Randori's attack-surface management software will be integrated into IBM Security QRadar extended detection and response (XDR) features.

The CISO Shortlist: Top Priorities at RSAC 2022

The buzz on the show floor during RSA Conference is about aligning the organization's security priorities with the right technology. Will Lin, managing director and founding member at Forgepoint Capital, weighs in on the biggest security priorities for 2022 — and what kind of tech senior-level executives are looking for.

Data Transformation: 3 Sessions to Attend at RSAC 2022

Three RSAC 2022 sessions take deep dives into the security considerations around data cloud transformation.

MITRE Creates Framework for Supply Chain Security

System of Trust includes data-driven metrics for evaluating the integrity of software, services, and suppliers.

5 Years That Altered the Ransomware Landscape

WannaCry continues to be a reminder of the challenges that organizations face dealing with the ransomware threat.

In Case You Missed RSA Conference 2022: A News Digest

Organizations do not have good visibility into all the software-as-a-service applications that connect to and access data stored in core business.

While software-as-a-service helps organizations improve productivity and agility, it also adds complexity to the enterprise environment as IT security teams need to have visibility over the data stored in each of the applications.

And when organizations integrate SaaS applications with other SaaS applications, the attack surface grows even more because more applications have access to the corporate data. For example, connecting Asana to Google Workspace gives the task management platform access to data stored in the productivity suite.

In a recent report from Valence Threat Labs, 56% of CISOs said they don't have a process in place, or are not satisfied with the process they have, for discovering and managing SaaS-to-SaaS connections and integrations.

**Understanding SaaS Mesh**

_SaaS mesh_ refers to connecting a SaaS application with another SaaS, using methods such as OAuth and API tokens, low-code/no-code workflow, and SaaS marketplaces. Examples include using third-party platforms such as Heroku to access GitHub repositories via OAuth user tokens, or creating and sending email campaigns from the organization's website using the API instead of logging into Mailchimp's platform. It is possible to complete a task in Asana and have a corresponding notification message be printed in Slack.

Connecting SaaS tools to core business applications such as Office 365, Salesforce, and Google Workspace within a SaaS mesh helps enhance the organization's agility, productivity, and collaboration. However, if the mesh isn't managed correctly, it can expose data stored in business-critical applications, according to Valence Threat Labs.

The average organization uses around 80 SaaS applications — BetterCloud estimates that organizations with more than 1,000 employees use more than 150 applications, while organizations with 50 employees or less use only 16 SaaS applications. When asked how many SaaS-to-SaaS connections and third-party integrations are connected to core SaaS applications (such as Office 365, Salesforce, and Google Workspace), 50% of CISOs said they have 200 or fewer integrations, or that they didn't know, Valence Threat Labs found.

    

How many SaaS-to-SaaS connections and third-party integrations are connected to core SaaS applications? (Source: Valence Threat Labs)

In actuality, the average organization has 917 SaaS-to-SaaS third-party integrations, according to Valence Threat Labs.

While 76% of CISOs think under 20 new integrations are added every month to their environment, in reality, 76 new third-party integrations are onboarded every 30 days.

**Over-Provisioned Connections**

When asked if they had a process in place to determine if an integration is overprivileged, 53% of CISOs in the Valence Threat Labs report said they didn’t. This is a problem because nearly half, or 48%, of SaaS integrations (443 integrations, to be specific) are unused, and many of them have more privileges than they need. A SaaS-to-SaaS integration is usually inactive because someone forgot to turn it off after testing out the integration and then deciding not to use it. But because the integration is still there, someone else who gains access to one application now has access to the other and can move laterally.

"Most organizations do not have a continuous process in place that allows them to assess the business justification of non-human identities and properly offboard unnecessary third-party vendors," Valence Threat Labs said in its report.

Low-code/no-code platforms such as Workato, Zapier, and Microsoft Power Platform are powerful because non-developers can pull together workflows to access data from multiple sources. However, if they aren't configured correctly, they can expose data erroneously. Because these platforms often are not managed by application security or IT security teams, CISOs may not even know these tools exist or are accessing business applications. In the Valence Threat Labs report, 35% of CISOs said they do not have low-code/no-code platforms in their environment, when it turns out over 96% of companies have at least one such platform in use. In fact, the average organization has four or five, according to the report.

In the report, 85% of CISOs said they did not have appropriate visibility and protection from the risks of SaaS-to-SaaS connections and third-party integrations. "The fact that 85% of CISOs were unhappy with the current solutions suggests the need for more solutions specifically designed to protect the SaaS mesh," Valence Threat Labs said in its report.

Quantifying the SaaS Supply Chain and Its Risks

SBOMs should be connected with vulnerability databases to fulfill their promise of reducing risk, Google security team says.

Software bills of materials (SBOMs) — a detailed list of components, modules, and libraries used to build products — are being endorsed by the National Institute of Standards and Technology (NIST) and US regulators as a way to drive down supply chain cybersecurity risks for consumers. 

But Google's Open Source Security Team points out in a blog post today that SBOM use alone isn't an effective tool for assessing exposure. Rather, the documentation should be compared with a database of known vulnerabilities to identify any known software flaws. 

"By connecting these two sources of information, consumers will know not just what's in ... their software, but also its risks and whether they need to remediate any issues," the team explains. 

The Google analysts detail how they were able to map a Kubernetes SBOM document using the Open Source Vulnerabilities (OSV) database. The OSV database offers both a standardized format for comparison across several databases, including the Github Advisory Database (GHSA) and Global Security Database (GSD), as well as aggregated data across multiple ecosystems, ranging from Python and Golang to Rust, according to the post.  

"Our example queried the OSV database, but we will soon see the same success in mapping SBOM data to other vulnerability databases and even using them with new standards like VEX (Vulnerability-Exploitability eXchange), which provides additional context around whether vulnerabilities in software have been mitigated," the blog states. 

To make it easier for security teams to assess the full risk picture, the Google researchers recommend that SBOM creators begin to include a reference using a naming convention like a Purl URL for all packages in the software supply chain. 

"This type of identification scheme both specifies the ecosystem and also makes package identification easier, since the scheme is more resilient to small deviations in package descriptors like the suffix example above," they say. 

**SBOM Evolution  
**Steps toward marrying the software components with known flaws will help SBOMs fulfill their intended purpose: to help manage the prospect of cyberattack, the Google security blog states. 

"Continuing on this path of widespread SBOM adoption and tooling refinement, we will hopefully soon be able to not only request and download SBOMs for every piece of software, but also use them to understand the vulnerabilities affecting any software we consume," they said.

Google: SBOMs Effective Only if They Map to Known Vulns

By Waqas
Matthew Gatrel was arrested after an extensive crackdown by the FBI and other agencies against 15 booter service…
This is a post from HackRead.com Read the original post: Admin of DDoS-For-Hire Service “Downthem” Gets 2 Years Prison Sentence

****Matthew Gatrel was arrested after an extensive crackdown by the FBI and other agencies against 15 booter service domains in 2018.****

A 33-year-old St. Charles, Illinois resident, identified as Matthew Gatrel, is sentenced to two years in prison after being convicted last year for facilitating the DDoS-for-hire service. According to the US Department of Justice, Gatrel helped customers launch powerful DDoS attacks against thousands of websites and innocent users.

The accused was found guilty of violating the Computer Fraud and Abuse Act (CFAA) for operating two DDoS-for-hire services through downthemorg and ampnodecom. Through these websites, the accused facilitated people to launch over 200,000 attacks in exchange for money.

Site seized

**Case Details**

Initially, Gatrel admitted to operating these “booter” services and even provided “incriminating evidence” to the authorities. However, he opted to take the case to trial and used public defenders to defend the case.

Before the trial started, his business partner and co-accused, Juan Severon Martinez had already pleaded guilty. Prosecutors alleged that the accused sold subscriptions through Downthem and AmpNode helped provide bulletproof server hosting service to customers, focusing more on spoofing servers pre-configured with DDoS attack scripts.

Dashboard of DownThem

Furthermore, the servers contained lists of vulnerable attack amplifiers used to launch repeated cyberattacks against targets. Prosecutors also claimed that Martinez and Gatrel continuously scanned the web for misconfigured devices and sold lists of their internet addresses to other Booter service providers.

The trial continued for nine days in the Central District of California. Eventually, the court found Gatrel guilty of all three counts, including conspiracy to commit wire fraud, conspiracy to commit unauthorized impairment of a protected computer, and unauthorized impairment of a protected computer.

**More DDoS and Cyber Crime News**

1.  Imperva mitigated a series of massive ransom DDoS attacks
2.  DDoS booter customers received warning letters from Dutch police
3.  Teen arrested for 8 DDoS attacks that disrupted school’s online classes
4.  Teen arrested for DDoS attack on ProtonMail & making fake bomb threats
5.  Hacker arrested for Jamming 911 Emergency Call System with DDoS Attack

**Previous Coverage**

In 2018, the FBI, Dutch Police, National Crime Agency of UK, tech giant Google, cybersecurity firm Flashpoint, and Cloudflare joined hands to launch an operation to take down fifteen popular DDoS-for-hire websites.

These sites were used to launch DDoS attacks against private individuals and businesses such as email service providers, gaming services, and hosting sites.

Resultantly, all the websites were seized and shut down. Criminal charges were filed against three facilitators of these services. One of the defendants operated two of the seized websites, AmpNode and Downthem.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Admin of DDoS-For-Hire Service “Downthem” Gets 2 Years Prison Sentence

Service ingests AWS, GCP and Microsoft Azure data.

DENVER, June 14, 2022 /PRNewswire/ -- Enterprise security teams face unprecedented attack surface expansion as technology evolution, employee fatigue and complicated cloud or digital transformation initiatives strain resources. Optiv, the cyber advisory and solutions leader, today announced the expansion of its Managed XDR (MXDR) offering to ease clients' burden of safeguarding critical data, applications and systems in the cloud (public or multi-cloud) in near real-time with an all-star roster of integrated platforms, including:

*   Amazon Web Services (AWS), which provides clients with additional detection and response capabilities to protect them from increasingly complex cyberattacks.
*   Google Cloud (GCP), which adds comprehensive visibility and workload protection at scale across multi-cloud environments.
*   Microsoft Azure, which offers extensive data protection and integrated services.

Users rely on Optiv MXDR's unique ability to aggregate, organize and prioritize security alerts and configuration changes and correlate them across multiple cloud sources. By chaining services together with leading platforms, Optiv streamlines data collection and enrichment to provide customizable insights to strengthen security controls. Clients are able to address threat detection and visibility on a scale that meets their individual level of cloud adoption. In addition, the service's expansion ensures in-depth coverage and access to rapid investigation and response measures.

"Organizations require enhanced and fully integrated solutions to counter the evolving methods and increased number of cyberattacks by threat actors. As part of Optiv's Advanced Detection and Response solution, MXDR and AWS, GCP and Azure help our clients reduce their risk and focus their valuable resources on the things that matter most," said Rocky Destefano, Optiv's chief technology officer. "By innovating with world-class cloud partners, we're taking Optiv's security analysis expertise to the next level and helping our clients secure their future by focusing on the very best of what the market has to offer."

Optiv's MXDR was launched in August 2021. A collaborative approach to cutting-edge services, products and technical experts is necessary to defend against a wide-range of adversaries. With expanded integration in the cloud, organizations have the potential to lean on Optiv to provide enhanced detection and response, quicker returns to operational normalcy and business-centric outcomes across every stage of the security lifecycle, no matter the level of maturity.

For the latest news and updates from Optiv, visit https://www.optiv.com/newsroom/.

**Follow Optiv**

Twitter: www.twitter.com/optiv  
LinkedIn: www.linkedin.com/company/optiv-inc  
Facebook: www.facebook.com/optivinc  
YouTube: www.youtube.com/c/OptivInc  
Blog: www.optiv.com/explore-optiv-insights/blog

**Optiv** **Security: Secure greatness™**

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to more than 7,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

Optiv MXDR Enhances Detection Coverage With Expanded Cloud Integration

New open source database details the software that cloud service providers typically silently install on enterprises' virtual machines — often unbeknownst to customers.

RSA CONFERENCE 2022 – If cloud services weren't complicated enough for the typical business today to properly configure and secure, there's also a lesser-known layer of middleware that cloud providers run that can harbor hidden security flaws.

Researchers from Wiz.io last week at RSA Conference in San Francisco unveiled an open source, cloud middleware database on GitHub that details the specific middleware agents that Amazon Web Services (AWS), Google, and Microsoft install on their cloud customers' virtual machines. The goal is to shine a light on this traditionally hidden proprietary software layer and its potential software flaws that can leave a cloud customer unknowingly at risk of attack.

Cloud providers often silently install these "secret agent" middleware programs on their customers' virtual machines, and with the highest privileges, as a "bridge" between their cloud services and their customers' VMs. The Cloud Middleware Dataset database project aims to provide cloud customers insight into this layer of software they rarely know exists on their virtual machines in a cloud service — and the potential security risks associated with it.

"These agents are adding an additional attack surface and cloud customers don't know about those agents ...; most are installed silently. If they come pre-installed, they have no idea" either, Shir Tamari, head of research at Wiz.io, told Dark Reading in an interview at the RSA Conference last week.

The most high-profile example of cloud middleware gone wrong was the discovery of major flaws in Microsoft Azure's Open Management Infrastructure (OMI) agent software last fall. Tamari and his fellow researchers unearthed major remote execution and privilege escalation vulns in Azure, with a collection of flaws they dubbed OMIGOD. OMI runs on many Linux VMs in Azure to provide configuration management functions for cloud customers.

Of the four OMIGOD vulnerabilities (CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649), the most painful one was CVE-2021-38647, which could allow an attacker to gain root on a VM with a single packet, merely by stripping the authentication header. The problem: A default configuration for OMI was exposed the HTTPS management port on the public Internet. Microsoft provided auto-updates for Azure to address the flaws, after initially releasing patches that most Azure customers had no idea applied to them since they weren't aware of OMI.

"There was confusion over how to handle this middleware" patching, Tamari said.

The Cloud Middleware Dataset so far includes several agents used in Azure in addition to OMI, such as Microsoft Azure Guest Agent (WALinuxAgent), which is preconfigured in all Azure Linux images and has root privileges. WALinuxAgent's listing in the database notes that the agent previously contained an information disclosure vulnerability, CVE-2019-0804. If exploited, it could allow an attacker to access memory in the kernel from a user process.

Other Azure middleware detailed in the database are Operations Management Suite, dependency agent, pipelines agent, and RD Agent service, each of which is employed in various Azure services.

AWS, meanwhile, has four such middleware agents listed in the dataset, AWS Systems Manager Agent (SSM Agent), AWS PV Drivers, AWS ECS container agent, and AWS EC2 Hibernation Initialization Agent. A local privilege escalation flaw CVE-2022-29527 was found this year in SSM Agent that an attacker could use to gain root access. That agent comes preconfigured in Windows, Linux, and macOS VM images.

Google Cloud runs Accounts Daemon, OSConfig agent, and a guest agent in its cloud services, all of which are Linux-based. OSConfig and guest also run on Windows. Accounts Daemon, which works in Google's OS Login service, previously was patched for a local privilege escalation flaw, CVE-2020-8933, that would have given root access. OSConfig, which is built into GCP VM images, also had a local privilege escalation vuln in 2020 that Google later fixed.

**What to Ask About Cloud Middleware**

So, how can organizations pinpoint these "secret agents," as Wiz researchers refer to them?

In an interview with Dark Reading at RSAC, Wiz co-founder and CTO Ami Luttwak said organizations should ask questions of cloud providers to get a clear view of what their software environment looks like: "Whose middleware is it \[and\] how do you know if it's running on your environment" and does the software contain vulnerabilities, and how are updates and patches handled?

"This is a different attack surface. It's a gray area," he said. "It needs transparency and a clear process for updates for agents, VMs."

Tag

#google