The second malicious ChatGPT extension for Chrome has been discovered, giving malicious actors access to users' Facebook accounts through stolen cookies.

Yet another version of the malicious, Facebook account-stealing ChatGPT browser extension for Google Chrome has emerged, representing a new variant in a campaign affecting thousands of users daily.

The extension, discovered by Guardio Labs, was downloaded more than 9,000 times before Google removed it from the Chrome store on March 22.

The extension also had been advertised through sponsored Google search results, aiming at users who were searching for details about OpenAI's latest Chat GPT4 algorithm. Individuals who clicked on sponsored results for the popular generative AI app were directed to a counterfeit "ChatGPT for Google" webpage, then led to the malicious extension's page on Chrome's official store.

Once installed, the malware exploits the Chrome Extension API to pilfer session cookies for Facebook accounts, giving threat actors full access to a victim's Facebook account.

"Based on version 1.16.6 of the open source project, this FakeGPT variant does only one specific malicious action, right after installation, and the rest is basically the same as the genuine code — leaving no reasons to suspect it," Nati Tal, head of Guardio Labs, wrote in a blog post.

The latest version of the malicious extension follows one discovered earlier this month by the researchers at Guardio, which could hijack Facebook Business accounts.

From March 3 to March 9, a minimum of 2,000 individuals per day acquired that malicious "Quick access to ChatGPT" Chrome extension from the Google Play app store.

If the extension was able to access a Facebook Business account, it immediately collected all relevant data related to that account, such as ongoing promotions, available credit, currency, minimum billing threshold, and any linked credit facility.

**Malicious Chrome Extensions a Growing Threat**

Malicious Chrome extensions have been a global concern for users of the popular browser. In August 2022, a group of McAfee Labs analysts published a list of five browser extensions that engage in cookie stuffing, one of them using the video streaming service Netflix as a hook.

These extensions monitor the browsing activity of the user and insert illegitimate IDs into e-commerce websites, resulting in fabricated affiliate payments.

In that case, the applications were downloaded 1.4 million times, according to their findings.

In November 2022, researchers at Zimperium zLabs uncovered a "Swiss Army knife-like" malicious browser extension called Cloud9, aimed at Chrome and Microsoft Edge users. It enables attackers to seize control of a user's browser session remotely and execute a broad range of attacks.

The Zimperium report noted that because the Cloud9 malware does not target any specific group, it is as much an enterprise threat as it is a consumer threat.

**Kimsuky North Korean Threat Actors Target Chrome**

More recently, the German Federal Office for the Protection of the Constitution (BfV) and the South Korean intelligence service (NIS) issued a warning of a cyber-espionage group that is said to target government agencies and research organizations worldwide.

The Kimsuky group of cybercriminals, aka Velvet Chollima or Thallium, is thought to be based in North Korea and uses malicious Chrome browser extensions as well as app store services to target individuals conducting research on the inter-Korean conflict.

The hackers use so-called spear-phishing attacks. In these, targets are lured by emails to fake versions of well-known websites disguised as legitimate or tricked into installing a manipulated browser extension.

In the process, login data and other personal information could be intercepted by the attackers. Another method used by the hackers is to install malware unnoticed on Android smartphones via the Google Play app store.

Malicious ChatGPT Extensions Add to Google Chrome Woes

An issue was discovered in the Linux kernel before 5.8. lib/nlattr.c allows attackers to cause a denial of service (unbounded recursion) via a nested Netlink policy with a back reference.

Permalink

Browse files

netlink: limit recursion depth in policy validation

Now that we have nested policies, we can theoretically
recurse forever parsing attributes if a (sub-)policy
refers back to a higher level one. This is a situation
that has happened in nl80211, and we've avoided it there
by not linking it.

Add some code to netlink parsing to limit recursion depth.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

*   Loading branch information

CVE-2020-36691: netlink: limit recursion depth in policy validation · torvalds/linux@7690aa1

A contrarian mindset with applied imagination allows security professionals to assess problems in their organizations, prevent failures, and mitigate vulnerabilities.

During the global war on terror, a group of commissioned and noncommissioned officers in the United States military participated in a unique training event. Soldiers of various ranks, all with different specialties, assembled in a remote location where they were stripped of rank and other identifying markers. They changed clothes, adopted new names, and modified the very rhythm of their daily lives. And from there, they began planning a simulated attack on their own forces.

The exercise, an ongoing training opportunity called "Mirror Image" being conducted by the Terrorism Research Center, is part of a greater philosophy called red teaming. The simulation helped participants explore their predispositions and organizational weaknesses. Changing routines helped them better understand enemy motivations and anticipate possible insurgent attacks. It also revealed how biases and expectations interfered with reality.

In the business world, cybersecurity professionals use red teaming to test their organizations' defenses before something happens. But other groups can utilize the concept to test resilience, blind spots, and continuity in the face of a crisis.

Organizations should conduct red-teaming exercises at scale to manage risk holistically. The idea is to understand potential outcomes based on multiple strategic options, utilizing scenarios to identify blind spots and model threats to eliminate weaknesses before adversaries exploit them. It is a valuable tool in both policy and decision-making.

**Make the Most of Your Red-Teaming Exercise**

Here are some actions to take to ensure your organization gets the most out of red teaming:

**Ask where the enemy is going.** An effective red-team exercise reveals exploits in your security systems and processes. The entire point is to find failures. This isn't always easy for professionals to accept and encourage. Foster an environment of openness that allows teams to explore threats and how they'll try to overcome defenses in place. Ultimately, red teaming provides growth opportunities that improve threat response when the time comes.

**Evaluate the response, not just the defense.** Red teaming is more than a penetration test. Knowing where your gaps are is crucial, but knowing how your team reacts to a crisis is far more valuable. While defense, mitigation, and deterrence are essential, sometimes defenses fail or plans go awry. It's useful to model a scenario where your defenses or mitigation strategies fail, so your company can react and prepare for something similar in real life.

**Model information flow.** Critical information doesn't always get to the right people in a crisis. According to a recent survey, 51% of threats that disrupted business continuity or resulted in harm or death in 2022 could have been avoided if all functions shared risk intelligence and viewed it with a common approach and platform.

**Test your assumptions.** Many defensive measures are built on a set of assumptions about risk and their likelihood. However, our study reveals disagreement within companies and departments over which events threaten business continuity. Security gaps are more likely to occur when teams aren't on the same page. In such situations, people overlook problems or assume someone else will handle an issue. Red teaming clears up questions around responsibility and how to weigh risks.

**Test your processes.** Red teaming can be used to test physical defenses and cybersecurity, but it is also a useful tool to assess processes. In security, an overly complicated or ill-defined process can be just as harmful as inadequate barriers or cameras. Tabletop exercises or war games force organizations through their processes to see how well they work.

**Explore alternative futures.** Structural analytic techniques help business organizations and security professionals apply imagination to forecast alternative futures for their decisions. This kind of exercise is not about prognostication but expanding one's critical mindset to understand the many variables that impact the organization and possibilities for the future. This red-team approach offers organizations insight used for decision-making by recognizing the complexity of choices and their impacts on the company or security.

**Adopt a Holistic Viewpoint**

The concept of red teaming is based on the Catholic Church office of the devil's advocate, but it was greatly expanded to assess Soviet intentions and capabilities. That's where it got its name: The US adversary during the Cold War was the Soviet Union, aka the Reds. Recently, cybersecurity teams adopted red teaming to expose weaknesses in their systems and prevent threat exposure.

The fact is that enterprises face a wide variety of threats — from lawsuits, activists, insider threats, and even workplace violence. Yet nearly every Google search result for red teaming today relates to cybersecurity. As a result, few people know whether their crisis plans are up to date or how a crisis will test them and their teams.

Red teaming is a holistic, multidisciplinary effort that arms teams with practical enterprise risk-mitigation software and other tools across the entire threat landscape. At a minimum, risk-focused teams can use it to test defenses against a wide range of threat actors and identify unseen security gaps influenced by biases and assumptions.

However, its actual value is how it shapes the ways organizations prepare for crises and unforeseen events. Red teaming opens a window to how your organization will perform under duress, making it a valuable exercise to recognize and gauge real and potential risks.

Most importantly, red teaming is a mindset, not just a set of tools or putting security on offense. Red teams are the contrarians in the room, willingly saying what other people will not to challenge the status quo. That is the essence of red teaming, and any security professional can adopt that attitude to assess problems in their organization, prevent failure, or mitigate vulnerabilities. The mindset of a red teamer is what shapes organizations for the better.

Red Teaming at Scale to Uncover Your Big Unknowns

WordPress WooCommerce Payments plugin versions 5.6.1 and below suffer from authentication bypass and privilege escalation vulnerabilities. Details surrounding these issues seem minimal at this point.

**WordPress WooCommerce Payments 5.6.1 Authentication Bypass / Privilege Escalation**

**WordPress WooCommerce Payments 5.6.1 Authentication Bypass / Privilege Escalation**

    Vulnerability allows attackers to impersonate any user and puts as many as 500,000 sites at risk of takeover.PSA: Update Now! Critical Authentication Bypass in WooCommerce Payments Allows Site TakeoverThe Wordfence Threat Intelligence team regularly monitors plugin updates and reviews any indicating that a potential security issue may have been addressed. Today, March 23, 2023, we noticed that the “WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo” plugin updated to version 5.6.2 with a changelog entry marked simply “Security update.”After reviewing the update we determined that it removed vulnerable code that could allow an unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required.We developed a Proof of Concept and began writing and testing a firewall rule immediately. The rule was released the same day, on March 23, 2023 to Wordfence Premium,  Wordfence Care, and Wordfence Response customers.Regardless of the version of Wordfence you are using, we urge you to update to the latest version of the WooCommerce Payments plugin, which is 5.6.2 as of this writing, immediately. WooCommerce Payments is installed on over 500,000 sites, and this is a critical-severity vulnerability.This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. Or you can read the full post in this email.Vulnerability InformationDescription: Authentication Bypass and Privilege Escalation Affected Plugin: WooCommerce PaymentsPlugin Slug: woocommerce-paymentsPlugin Developer: AutomatticAffected Versions: <= 5.6.1CVE ID: N/ACVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFully Patched Version: 5.6.2The WooCommerce Payments plugin is a fully integrated payment solution for WooCommerce developed by Automattic. Unfortunately it contained functionality designed to integrate with the WooCommerce Payment Platform that allowed unauthenticated attackers to impersonate any user on the site in some contexts, which could then be used to gain full access to a site’s administrator account.We are withholding additional details at this time to give users time to update.We do not yet know whether this vulnerability was discovered internally by Automattic or reported by an external researcher, and have not yet determined whether it is actively being exploited in the wild.We expect to see large-scale attacks targeting this vulnerability once a proof of concept becomes available to attackers.ConclusionIn today’s PSA we are alerting our user base to a critical-severity vulnerability in WooCommerce Payments, a plugin installed on over 500,000 sites. This vulnerability allows unauthenticated attackers to completely take over a vulnerable site, and we expect to see mass exploitation in the near future. We recommend that all users update to the latest version available, which is 5.6.2 at the time of this writing.If your site has Wordfence Premium, Wordfence Care, or Wordfence Response installed, your site will have received a firewall rule today, March 23, 2023, protecting it against this vulnerability. If your site is running the free version of Wordfence, the rule will become available 30 days from now, on April 22, 2023.If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected. Please help make the WordPress community aware of this issue.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.

WordPress WooCommerce Payments 5.6.1 Authentication Bypass / Privilege Escalation

Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI.

****NAME****

**HelpSystems Cobalt Strike code execution**

*   **Platforms Affected:**  
    HelpSystems Cobalt Strike 4.7.1  
    
*   **Risk Level:**  
    9.8  
    
*   **Exploitability:  
    **Unproven  
    
*   **Consequences:**  
    Gain Access

****DESCRIPTION****

**HelpSystems Cobalt Strike could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the C2 framework. By creating Swing components from user input, an attacker could exploit this vulnerability to create arbitrary Java objects in the class path and invoke their setter methods, resulting in a code execution.**

**CVSS 3.0 Information**

*   **Privileges Required:** None
*   **User Interaction:** None
*   **Scope:** Unchanged
*   **Access Vector:** Network
*   **Access Complexity:** Low
*   **Confidentiality Impact:** High
*   **Integrity Impact:** High
*   **Availability Impact:** High
*   **Remediation Level:** Official Fix  
    

****MITIGATION****

**Upgrade to the latest version of Cobalt Strike (4.7.2 or later), available from the Cobalt Strike Web site. See References.**

*   **Reference Link:**  
    https://www.cobaltstrike.com/  
    
*   **Reference Link:**  
    https://securityintelligence.com/posts/analysis-rce-vulnerability-cobalt-strike/  
    

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon using the button below

To keep up to date follow us on the below channels.

Click Above for Telegram

Click Above for Discord

Click Above for Reddit

Click Above For LinkedIn

**Post navigation**

CVE-2022-42948: HelpSystems Cobalt Strike code execution | CVE-2022-42948 - RedPacket Security

The interrogation of CEO Shou Zi Chew highlighted US lawmakers’ own failure to pass privacy legislation.

In one sense, today’s US congressional hearing on TikTok was a big success: It revealed, over five hours, how desperately the United States needs national data-privacy protections—and how lawmakers believe, somehow, that taking swipes at China is a suitable alternative. 

For some, the job on Thursday was casting the hearing's only witness, TikTok CEO Shou Zi Chew, as a stand-in for the Chinese government—in some cases, for communism itself—and then belting him like a side of beef. More than a few of the questions lawmakers put to Chew were vague, speculative, and immaterial to the allegations against his company. But the members of Congress asking those questions feigned little interest in Chew’s responses anyway. 

Attempts by Chew, a 40-year-old former Goldman Sachs banker, to elaborate on TikTok’s business practices were frequently interrupted, and his requests to remark on matters supposedly of considerable interest to members of Congress were blocked and occasionally ignored. These opportunities to get the CEO on record, while under oath, were repeatedly blown in the name of expediency and for mostly theatrical reasons. Chew, in contrast, was the portrait of patience, even when he was being talked over. Even when some lawmakers began asking and, without pause, answering their own questions.

The hearing might’ve been a flop, had lawmakers planned to dig up new dirt on TikTok, which is owned by China-based ByteDance, or even hash out what the company could do next to allay their concerns. But that wasn't the aim. The House Energy and Commerce Committee was gathered, it said, to investigate “how Congress can safeguard American data privacy and protect children from online harms.” And on that, the hearing revealed plenty.

For one thing, it’s clear that the attempts to isolate TikTok from its competitors—to treat it differently than dozens of other companies with atrocious records of endangering kids and abusing private data—is a pointless exercise. Asking about TikTok's propensity for surveilling its own users, Chicago congresswoman Jan Schakowsky warned Chew against using legal, typical industry practices as a defense against these wrongs. “You might say, ‘not more than other companies,’” she said, adding that she preferred not to “go by that standard.” 

OK. But why not? 

The truth is that if TikTok were to vanish tomorrow, its users would simply flock to any number of other apps that have no qualms about surveilling the most private moments of their lives and amassing, manipulating, and selling off sensitive information about them. Excluding the most serious but largely unsubstantiated allegations leveled at TikTok—that it is acting or will act in coordination with Chinese intelligence services—there wasn’t a concern about privacy raised by lawmakers Thursday that couldn't be addressed by existing legislation supporting a national privacy law. 

Ensuring that companies and the data brokers they enrich face swift reprisals for blatantly abusing user trust would have the benefit of addressing not only the accusations levied against TikTok, but deceitful practices common across the entire social media industry. 

The irony of US lawmakers pursuing a solution to a problem that’s already been solved by draft legislation—but not actually fixed due to its own inaction—wasn’t entirely lost on the members. While primarily focused on a single company, the hearing, Florida congresswoman Kathy Castor said, should really serve as a broader call to action. “From surveillance, tracking, personal data gathering, and addictive algorithmic operations that serve up harmful content and have a corrosive effect on our kids’ mental and physical well-being,” she said, Americans deserve protection, no matter the source.

The TikTok Hearing Revealed That Congress Is the Problem

Nexus, offered in a malware-as-a-service model, is the latest in a vast and growing array of trojans targeting mobile banking and cryptocurrency applications.

A threat actor is targeting customers of 450 banks and cryptocurrency services worldwide with a dangerous Android trojan that has multiple features for hijacking online accounts and potentially siphoning funds out of them.

The authors of the so-called "Nexus" Android Trojan have made the malware available to other threat actors via a newly announced malware-as-a-service (MaaS) program, where individuals and groups can rent or subscribe to the malware and use it in their own attacks.

Researchers at Italian cybersecurity firm Cleafy first spotted Nexus last June, but at the time assessed it to be a rapidly evolving variant of another Android banking Trojan they were tracking as "Sova.. The malware contained several chunks of Sova code and had capabilities at the time for targeting more than 200 mobile banking, cryptocurrency and other financial apps. Cleafy researchers observed what they assumed was the Sova variant hidden in fake apps with logos that suggested they were Amazon, Chrome, NFT and other trusted apps.

But in January, Cleafy researchers spotted the malware—now more evolved—surfacing on multiple hacking forums under the name Nexus. Shortly thereafter, the malware authors began making the malware available to other threat actors via its new MaaS program for the relatively price of $3,000 a month.

Federico Valentini, head of Cleafy's threat intelligence team, says it's unclear how threat actors are delivering Nexus on Android devices. "We didn't have access to specific details on Nexus's initial infection vector, as our research was mainly focused on analyzing its behavior and capabilities," Valentini says. "However, based on our experience and knowledge of similar malware, it is common for banking trojans to be delivered through social engineering schemes such as smishing," he says referring to phishing via SMS text messages.

**Multiple Features for Account Takeover  
**

Cleafy's analysis of Nexus showed the malware to contain several features for enabling account takeover. Among them is a function for performing overlay attacks and logging keystrokes to steal user credentials. When a customer of a target banking or cryptocurrency app, for instance, attempts to access their account using a compromised Android device, Nexus serves up a page that looks and functions exactly like the login page for the real app. The malware then uses its keylogging feature to grab the victim's credentials as entered in the login page.

Like many banking Trojans, Nexus can intercept SMS messages to grab two-factor authentication codes for accessing online accounts. Cleafy found Nexus capable of abusing Android's Accessibility Services feature to steal seeds and balance information from cryptocurrency wallets, cookies from websites of interest, and two-factor codes of Google's Authenticator app.

The malware authors also appear to have added new functionalities to Nexus that were not present in the version that Cleafy observed last year and initially assumed was a Sova variant. One of them is a feature that quietly deletes received SMS two-factor authentication messages and another is a function for stopping or activating the module for stealing Google Authenticator 2FA codes. The latest Nexus variant also has a function for periodically checking its command-and-control server (C2) for updates and for automatically installing any that might become available. A module that appears to be still under development suggests that the authors might implement an encryption capability in the malware, most likely to obfuscate its tracks after completing an account takeover.

**Nexus: A Work in Progress?**

Valentini says Cleafy's research suggests that Nexus has compromised potentially hundreds of systems. "What's particularly noteworthy is that the victims do not appear to be concentrated in a particular geographical region but are well distributed globally."

Despite the malware's many functions for taking over online financial accounts, Cleafy's researchers assessed Nexus to still be a work-in-progress. One indication, according to the security vendor, is the presence of debugging strings and the lack of usage references in certain modules of the malware. Another giveaway is the relatively high number of logging messages in the code which suggest the authors are still in the process of tracking and reporting on all actions the malware performs, Cleafy said.

Notably, the malware in its present avatar does not include a Virtual Network Computing, or VNC, module that would give the attacker a way to take complete remote control of a Nexus-infected device. "The VNC module allows threat actors to perform on-device fraud, one of the most dangerous types of fraud since money transfers are initiated from the same device used by victims daily."

**One of Many Android Banking Trojans**

Nexus is one of several Android banking trojans that have surfaced just over the past few months and have added to the already large number of similar tools in the wild currently. Earlier this month for instance, researchers from Cyble reported observing new Android malware dubbed GoatRAT targeting a recently introduced mobile automated payment system in Brazil. In December 2022, Cyble spotted another Android banking trojan tracked as "Godfather" resurfacing after a hiatus, with advanced new obfuscation and anti-detection features. Cyble cyber-researchers found the malware masquerading as legitimate software on the Google Play store.

Those two malware variants are barely even the tip of the iceberg. A Kaspersky analysis showed that some 200,000 new banking trojans surfaced in 2022, representing a 100% increase over 2021.

'Nexus' Android Malware Targets Customers of 450 Financial Institutions Worldwide

A use-after-free flaw was found in the Linux kernel’s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. Only if patch 9a2544037600 ("ovl: fix use after free in struct ovl_aio_req") not applied yet, the kernel could be affected.

CVE-2023-1252: [PATCH 5.15 138/917] ovl: fix use after free in struct ovl_aio_req

Google has stepped in to remove a bogus Chrome browser extension from the official Web Store that masqueraded as OpenAI's ChatGPT service to harvest Facebook session cookies and hijack the accounts.
The "ChatGPT For Google" extension, a trojanized version of a legitimate open source browser add-on, attracted over 9,000 installations since March 14, 2023, prior to its removal. It was originally

Browser Security / Artificial Intelligence

Google has stepped in to remove a bogus Chrome browser extension from the official Web Store that masqueraded as OpenAI's ChatGPT service to harvest Facebook session cookies and hijack the accounts.

The "ChatGPT For Google" extension, a trojanized version of a legitimate open source browser add-on, attracted over 9,000 installations since March 14, 2023, prior to its removal. It was originally uploaded to the Chrome Web Store on February 14, 2023.

According to Guardio Labs researcher Nati Tal, the extension is propagated through malicious sponsored Google search results that are designed to redirect unsuspecting users searching for "Chat GPT-4" to fraudulent landing pages that point to the fake add-on.

Installing the extension adds the promised functionality – i.e., enhancing search engines with ChatGPT – but it also stealthily activates the ability to capture Facebook-related cookies and exfiltrate it to a remote server in an encrypted manner.

Once in possession of the victim's cookies, the threat actor moves to seize control of the Facebook account, change the password, alter the profile name and picture, and even use it to disseminate extremist propaganda.

The development makes it the second fake ChatGPT Chrome browser extension to be discovered in the wild. The other extension, which also functioned as a Facebook account stealer, was distributed via sponsored posts on the social media platform.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

If anything, the findings are yet another proof that cybercriminals are capable of swiftly adapting their campaigns to cash in on the popularity of ChatGPT to distribute malware and stage opportunistic attacks.

"For threat actors, the possibilities are endless — using your profile as a bot for comments, likes, and other promotional activities, or creating pages and advertisement accounts using your reputation and identity while promoting services that are both legitimate and probably mostly not," Tal said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Fake ChatGPT Chrome Browser Extension Caught Hijacking Facebook Accounts

Cloud-based System of Trust application now available for test-driving quantitative risk assessment of suppliers of hardware, software, services.

MITRE has quietly released a cloud-based prototype platform for its new System of Trust (SoT) framework that defines and quantifies risks and cybersecurity concerns for the supply chain.

The so-called Risk Model Manager (RMM) platform is now available for organizations to assess supply chain risk and security, as well as to view, edit, and customize the SoT framework content, or export it for use as a subset framework. MITRE first debuted the SoT framework concept at the 2022 RSA Conference (RSAC), and it will officially announce the RMM prototype platform next month at RSAC 2023 in San Francisco.

Software supply chain risk and security received a loud wake-up call after high-profile attacks like SolarWinds and Log4j painfully punctuated the dangers of threat actors compromising vendors' software and then in turn compromising customers' software installations. There has been no common, agreed-upon way to define or measure these risks to date. Enter MITRE's SoT, a framework for providing a sort of standard way to evaluate suppliers, service providers, and supplies that can be used by cybersecurity teams as well across the business for assessing a vendor or a software product.

The SoT framework, which is a cloud-native app hosted on AWS, is centered around 14 top-level risk areas related to suppliers, service providers, and supplies, including the financial stability and cybersecurity practices of the supplier, as well as risk of counterfeit and compromise to products. These risk categories are then used to evaluate a supplier or product during the acquisition process, digging into detailed questions on how a supplier tracks and ensures the security of third-party software components used in their product, for example.

"The System of Trust is very appealing because it gives a structure that's more comprehensive, well laid-out, and explains what kinds of risks" you have in your supply chain, in detail, explains Robert Martin, senior software and supply chain assurance principal engineer at MITRE Labs. That goes beyond traditional risk measurement and assessment tools, he notes.

There are some 40 organizations currently involved in shaping the SoT platform, which now includes some 660 specific supply chain categories and risk factors. MITRE is gathering input to flesh out the tool from businesses with supply chains, supply chain security vendors, and standards groups that touch some elements of supply chain operations. Among some of the big name members of the SoT community are Microsoft, BlackBerry, CISA, Cisco, Dell Technologies, Intel, Mastercard, NASA, Raytheon, Schneider Electric, Siemens, and The Open Group.

SoT is yet another project by MITRE that builds a reference framework for the cybersecurity industry: its wildly popular ATT&CK framework, for instance, maps the common steps threat groups use to infiltrate networks and breach systems, while its newer D3FEND model specifies a common way to define defensive capabilities and technologies. But SoT provides a wider lens of risk than just cybersecurity — factoring in financial, quality, and integrity risk as well, for example.

"The big thing they have here is they are doing what they have done with ATT&CK and D3FEND: provide a common language for everyone to use when we are talking about not only the position in the chain but the specific vulnerabilities or attack methods and defenses," says Curt Franklin, principal analyst for enterprise security management at Omdia.

Franklin says MITRE's pedigree with its other cybersecurity programs should help propel the SoT, but wide adoption likely will take time. "I can imagine some of the third-party risk assessment \[vendors\] building SoT into their products like they build FAIR \[Factor Analysis of Information Risk\] or ATT&CK into theirs," Franklin says. "I think the odds are good that \[SoT\] will be more widely adopted. I think the odds are just as good that it will take a while."

That's because there still are multiple ways to define and measure risk in cybersecurity, and no two models work together, he says. "It's very difficult to say how my risk posture compares to my peers in the industry. What something like this does is provide a particular framework for some common quantification of risk."

**How SoT Works**

Each risk item in the RMM is scored using data measurements that are then applied to a scoring algorithm. The resulting scores identify the strengths and weaknesses of a supplier, for example, against the specific risk categories. That would allow a business to assess quantitatively the security risk of a software vendor or its product, for example.

One of the organizations closely working the project is Schneider Electric, whose vice president of supply chain security Cassie Crossley will join Martin in an RSAC 2023 session on SoT called "Creating the Standard for Supply Chain Risk — MITRE's System of Trust." Crossley says Schneider has multiple, comprehensive supply chain risk assessment processes currently in place across different parts of the company, and Schneider plans to provide input and feedback to the SoT based on its own requirements and metrics.

"We would want to work with those teams \[across Schneider\] to identify some areas where we can provide suggestions and also see how we can better align or sort of adopt more of the \[SoT\] framework," Crossley says. "I don't know yet if we will have a full, 'hey, we are 100% SoT.' But we would make our own processes and identify areas where we want to incorporate more of a structure" for supply chain risk assessment, she says.

For Schneider, supply chain risk and security issues apply both to its own products and ones it buys for internal use, including the "third and fourth parties we work with," she says. She sees SoT possibly helping with visibility into risks associated with "upstream" suppliers that aren't typically part of a supplier evaluation process.

"I think by using SOT, if it could become a common model for a lot, we can get those answers faster for those upstream" suppliers, she says, if an organization can ask vendors to map it to their upstream suppliers.

**MITRE's Open Source Plan**

Martin says the main challenges for SoT to become the go-to standard for supply chain assessments are enough bandwidth to expand the project as it catches on, as well as getting the word out to avoid duplication of effort. "I'm worried about people not being aware of this and off trying to solve something that overlaps. We are making sure people are aware" and can help contribute to SoT, he says.

MITRE plans to offer RMM as an open source tool when it's fully baked. For now, Martin says, organizations can use it to assist MITRE in fleshing out the tool itself or for their own internal use. "They can take it offline," he says, "and do an assessment against" the SoT.

Tag

#intel