Head of German national cybersecurity agency was fired over ties to a member of Russian intelligence once honored by Vladimir Putin.

The chief of Germany's national cybersecurity agency, Arne Schönbohm, has lost his job as a result of allegations about his ties to a cybersecurity firm called Protelion (formerly Infotecs), which was founded by a reported member of Russian intelligence.

Interior Minister Nancy Faeser formally dismissed Schönbohm on Tuesday, according to Deutsche Welle (DW).

"The background to this is not least the allegations, which are well known and widely discussed in the media, and which have permanently damaged the necessary public confidence in the neutrality and impartiality of the conduct of his office as president of Germany's most important cybersecurity authority," the spokesperson told DW.

Schönbohm has held the post since February 2016 but faced mounting scrutiny following the Russian invasion of Ukraine, the report explained. A public-private advisory group Schönbohm founded 10 years ago called the Cyber Security Council of Germany included Protelion, which was run by someone whose ties to the Kremlin were so close they were reportedly honored by Vladimir Putin. Protelion has since been removed from the Council.

Although the Council declares itself politically neutral, according to DW, Minister Faeser began to question Schönbohm's affiliation with the group after he attended the organization's anniversary party last month.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

German Cybersecurity Boss Sacked Over Kremlin Connection

Attack surge blamed on ‘avoidable’ bugs

Charlie Osborne 18 October 2022 at 15:21 UTC  
Updated: 18 October 2022 at 16:07 UTC

Attack surge blamed on ‘avoidable’ bugs

Researchers warn that there has been a 633% year-over-year increase in cyber-attacks launched against open source software repositories.

Open source components, frameworks, libraries, and whole platforms are relied upon by organizations during multiple stages of the software development lifecycle. These components provide the lynchpins for communication, software capabilities, security, and user interactions – and as they are developed and reviewed by communities, open source promotes innovation in the software space.

However, the other side of the coin is that open source contributors are volunteers; therefore, security issues can sometimes slip through the net. Furthermore, IT teams may not be aware of what open source software is in use and so they might easily miss patch alerts and upgrades that impact their business.

Catch up on the latest open source software news and analysis

New research suggests that cyber-attackers – well aware of organizational reliance on open source software – are increasing their attempts to compromise repositories year on year.

According to Sonatype’s 8th Annual State of the Software Supply Chain report, known attacks against open source repositories have increased by 633% year-over-year, and there has been an annual, overall increase of 742% since 2019.

After analyzing data from public and proprietary sources, the software supply chain security firm said that the popularity and growth of open source software continues to climb. The four main ecosystems – Java, JavaScript, Python, and .NET – tied to open source development are set to go beyond three trillion downloads in the near future.

However, this popularity has security ramifications.

**Technical debt**

“The amount of third-party code flowing through software supply chains occurs on a massive scale,” the researchers said. “Yet published code accrues technical debt over time, creating the potential for compounded security vulnerabilities, if not kept up-to-date.”

According to the researchers, 1.2 billion Java dependencies known to be vulnerable, for example, are downloaded each month while new, patched, or improved versions are ignored.

Sonatype said this is a prime example of “non-optimal consumption behaviors as the root of open source risk”.

“This is in contrast to public discussion, which often associates security risk with open source maintainers,” the report added.

**Risky business**

Risky behavior is not necessarily anyone’s fault. Developers tasked with managing dependencies face more complexity in their roles than ever, with the average Java application containing 148 dependencies – 20 more than 2021’s average – and going through an average ten updates a year.

Each dependency could contain vulnerabilities, so developers must track potentially thousands of changes per year, per app. Therefore, mistakes will be made.

Brian Fox, co-founder and CTO of Sonatype said that “the overwhelming tide of dependency intelligence that developers must interpret in their daily development process is at odds with prioritizing good software quality”.

It is, therefore, critical that education on the potential risk of outdated, vulnerable open source software is understood, and teams should consider adopting automation to lighten the load.

Fox added: “\[The\] sobering reality demonstrates the immediate need for organizations to prioritize software supply management so that they can better deal with security risk, increase developer efficiency, and enable faster innovation.”

YOU MAY ALSO LIKE Linux Foundation’s David A Wheeler on reversing the CVE surge

Researchers find 633% increase in cyber-attacks aimed at open source repositories

Categories: Awareness
Categories: News
Tags: FaceStealer

Tags:  Facebook stealer

Tags:  Facebook

Tags:  Nathan Collier

Tags:  Meta

Tags:  fake Android apps

Tags:  fake iOS apps

FaceStealer is back. As a seasoned threat to legitimate app stores, expect it to be gone and then back again.



(Read more...)




The post Warning: "FaceStealer" iOS and Android apps steal your Facebook login appeared first on Malwarebytes Labs.

Earlier this month, security researchers from Meta found 400 malicious Android and iOS apps designed to steal user Facebook login credentials.

Such mobile malware, which Malwarebytes detects typically as **Android/Trojan.Spy.Facestealer**, usually arrives as an app disguised as a useful or entertaining tool. But before the app can be fully used, it asks users to login to their accounts, at which point their usernames and passwords are sent to the fraudsters.

Stolen credentials can be used to compromise Facebook accounts. From there, the criminals can harvest more data about the original account owner, message friends or family members and scam them, or use these accounts to promote the FaceStealer app (among other things).

Meta listed a short description of FaceStealer apps listed on both the Google Play Store and the Apple App Store:

> *   Photo editors, including those that claim to allow you to "turn yourself into a cartoon"
> *   VPNs claiming to boost browsing speed or grant access to blocked content or websites
> *   Phone utilities such as flashlight apps that claim to brighten your phone's flashlight
> *   Mobile games falsely promising high-quality 3D graphics
> *   Health and lifestyle apps such as horoscopes and fitness trackers
> *   Business and ad management apps claiming to provide hidden or unauthorized features not found in official apps by tech platforms.

If the apps appear to have positive reviews, that's because the developers are thought to be creating five-star reviews to bury the negative ones. This is a known social engineering tactic to entice users further to try an app.

FaceStealer has been around for a while. The apps disappear after making headlines, and then FaceStealer pops up again as a different app. And while some apps are reported or actively detected, many evade detection and end up on legitimate app stores.

"The industry, in general, has not been great at detecting these, and everyone is playing catch-up," said Nathan Collier, Malwarebytes Senior Malware Intelligence Analyst for Android.

Meta said it is alerting Facebook users who may have inadvertently "self-compromised" themselves by using their Facebook credentials to use the malicious apps.

If you think you've entereed your Facebook credentials into a dodgy app, change your password immediately. Don't reuse passwords you use on other accounts, and make sure you enable two-factor authentication (2FA) on your Facebook account. You can also let Facebook alert you of attempted log-ins to your account.

Finally, report all suspicious apps using Meta's Data Abuse Bounty program.

Warning: "FaceStealer" iOS and Android apps steal your Facebook login

New Crypto Source program extends Mastercard’s safe, secure, and trusted services.

Mastercard today introduces Crypto SourceTM, a new program to enable financial institutions to bring secure crypto trading capabilities and services to their customers.

The 2022 Mastercard New Payments Index reported that 29% of respondents globally hold cryptocurrency as an investment, with another 65% indicating a preference for crypto-related services to be provided by their current trusted financial institution.\*

In partnership with regulated and licensed crypto custody providers, Mastercard's financial institution partners will gain access to a comprehensive suite of buy, hold and sell services for select crypto assets, augmented with proven identity, cyber, security and advisory services. This Crypto Source offering is complemented by Mastercard Crypto SecureTM to bring additional security to the crypto ecosystem and support card issuers in their compliance with complex regulations.

Now, Mastercard’s suite of crypto-related offerings for banks and fintechs includes:

*   **Technology and partnership support to enable buy, hold and sell** of select crypto assets
*   **Security management** including Mastercard’s identity solutions, crypto analytics, transaction monitoring, anti-money laundering, ‘Know Your Business’ and lifecycle stages, cybersecurity, and biometrics
*   **Crypto spend and cash out capabilities offered** through a range of products, including crypto cards, open banking and cross border services. Financial institutions would also be able to offer additional functionality using Mastercard’s technology such as digital receipts and loyalty solutions
*   **Crypto program management** including program design, product development and technology implementation, as well as go-to-market optimization and marketing consultancy services, providing end-to-end support for banks, fintechs and issuers to offer crypto programs at scale

“At Mastercard, trust is our business. What we are announcing today is a connected approach to services that will help bring users safely and securely into the crypto ecosystem. Our recent investments in this space, such as the acquisition of CipherTrace and Ekata, are providing us with a unique set of capabilities to help provide our customers and consumers with the most technically advanced solutions available in the market,” **said** **Ajay Bhalla, President, Cyber & Intelligence at Mastercard.**

To support this program, Mastercard is expanding its partnership and work with Paxos Trust Company, a leading regulated blockchain infrastructure platform. The partnership aims for Paxos to provide crypto-asset trading and custody services on behalf of the banks, while Mastercard will leverage its technology to integrate those capabilities into banks’ interfaces, resulting in a seamless experience for the consumer.

“Our commitment is simple – to explore crypto and the underlying digital assets technology to support consumer choice in payments. Today is an exciting step in our crypto journey that draws on the strengths of our global businesses, from open banking and identity verification to analytics and fraud monitoring to settlement solutions. We’re excited to build on our long-term partnership with Paxos – co-innovating to bring safe and secure technology to financial institutions. Our crypto product innovations will provide choice at scale and continue to bring one-of-a-kind opportunities to financial institutions as they seek to offer new, advanced services to their customers,” **said Jorn Lambert, Chief Digital Officer at Mastercard.**

“Mastercard has a powerful network of financial institutions around the world. This exciting offering developed by Paxos and Mastercard will give FIs the fastest and most trusted way to offer safe, reliable crypto access for their consumers globally. We’re thrilled to partner with Mastercard to further accelerate the mainstream adoption of digital assets,” **said Walter Hessert, Head of Strategy at Paxos.**

Over the past few years, Mastercard has been working alongside its customers and partners to bring new services and capabilities that help make crypto more accessible, safe and secure. These efforts have been complemented with the addition of new technologies through Finicity, Ekata, RiskRecon and CipherTrace. This unique combination of services provides eligible financial institutions the opportunity to directly manage crypto asset investments for consumers. Mastercard also continues to support banks, governments and others through its Crypto & Digital Currencies Consulting Services.

Mastercard Crypto Source is currently being prepared for pilot programs. Additional details on broader availability will be made available at a later date.

Mastercard To Bring Crypto Trading Capabilities To Banks

Categories: News
Tags: Europol

Tags:  Eurojust

Tags:  French cars

Tags:  key-less entry

Europol says it's helped bust an organized crime gang that specialized in stealing French keyless cars.



(Read more...)




The post Criminal group busted after stealing hundreds of keyless cars appeared first on Malwarebytes Labs.

Europol has disclosed an international operation in which 31 suspects were arrested, 22 locations were searched, and over one million Euros in criminal assets were seized. The organized criminal gang specialized in stealing French keyless cars.

Among the arrested were the software developers that created so-called automotive diagnostic solutions which allowed the criminals to replace the original software of the vehicles, allowing the doors to be opened and the ignition to be started without the actual key fob. Others include the software resellers and the actual car thieves who used the tool to steal vehicles.

The arrests were made by French, Latvian, and Spanish law enforcement agencies with the assistance of Europol. Europol said it's supported the investigation since March 2022 by providing extensive analysis and the dissemination of intelligence packages to each of the affected countries.

**Suspects**

The fraudulent software duplicated the vehicles’ ignition keys in order to aid in the theft of the car. Marketed as an automotive diagnostic solution, the tool was able to replace the original software of the targeted vehicles without respecting the protocol and without the original key.

Details about the method the car thieves used are sparse (for understandable reasons), but what we could gather is that the developers ran a website—on a domain that has been seized—where they sold a package that included a tablet, connectors, and software. The software was constantly adapted and updated to counteract the measures implemented by companies to reinforce the security of their vehicles.

**Stealing keyless cars**

Europol said the gang focused on cars from two unnamed French car manufacturers, which probably means the developers found a vulnerability in the car’s firmware that allowed them to replace the original software.

Vulnerabilities in the keyless entry systems have been found in the firmware of other car manufactures. To thwart intercepting and replaying authentication codes, many modern cars rely on a rolling codes mechanism. This method was introduced to prevent replay attacks by providing a new code for each authentication of a remote keyless entry. But this method is not available for all brands and models, and some brands were found to be using predictable codes.

The Europol and Eurojust statements both say that the tools provided by the developers enabled criminals to replace the original software of the targeted vehicles. This indicates a very different methodology from intercepting and replaying authentication codes.

**Mitigation**

Now that law enforcement has found and disabled the source of the software it shouldn't take too long to find out which method was used, and the car manufacturers should be able to make the necessary adjustments.

Updating your car’s firmware is usually not an easy job or one we recommend doing yourself. We would recommend checking with your local dealer whether one is available and needed. It usually requires a special device to be hooked up to a port hidden under your dashboard. Your dealer will have such a device and knows where to find the port.

Criminal group busted after stealing hundreds of keyless cars

While tensions over a possible nuclear attack on Ukraine remain high, experts say surveillance will likely catch Russia if it plans to do the unthinkable.

This week, NATO is conducting its regular, long-planned nuclear strike exercise known as “Steadfast Noon" to practice deploying fighter jets used to carry nuclear weapons. And Russia is expected to conduct its own nuclear drills sometime this month—as it typically does—in reaction to NATO's exercises.  While these rehearsals don't involve actual bombs, they come at a fraught moment, given Russian president Vladimir Putin's recent suggestion that the Kremlin could deploy nuclear weapons in its war against Ukraine. 

Officials from the United States and the United Kingdom have emphasized that they do not see indications that Russia is actively preparing to launch a nuclear strike. And the signals the global community has to draw on in monitoring the Russian nuclear weapons program, while not infallible, are robust. That means the world would likely know if a nuclear attack were imminent.

 “We take any nuclear weapons or nuclear saber-rattling very seriously here," White House press secretary Karine Jean-Pierre told reporters earlier this month. But, she added, “we have not seen any reason to adjust our own strategic nuclear posture, nor do we have any indication that Russia is preparing to imminently use nuclear weapons."

Similarly, Jeremy Fleming, director of the UK's GCHQ intelligence agency, said last week, “I would hope that we will see indicators if they started to go down that path.” He added that there would be a “good chance” of detecting Russian preparations.

“With Russia, the arsenal is old and established, much like the US's nuclear weapons program," says Eric Gomez, a senior fellow at the Cato Institute focused on arms control and nuclear stability. “Russia is very much enmeshed in the international and bilateral arms control treaties that provide a lot of transparency. They’re not an open book—no country is. Everyone still has certain secrets that they preserve. But if you can keep satellite or aircraft sensors trained on key spots, you can catch it if things are moving or dispersing.”

As is the case in the US and among other world nuclear powers, Russia's intercontinental ballistic missiles and submarine-launched ballistic missiles are always deployed and in a constant state of readiness. Known as “strategic” nuclear weapons, these bombs are meant to target cities or large industrial targets—probably what you think of when you imagine a nuclear bombing. The “tactical” nuclear weapons that are of more immediate concern in a Russian strike on neighboring Ukraine are smaller and meant for more contained attacks, namely in battle zones. These bombs are also known as “battlefield” or “nonstrategic” nuclear weapons and have never been used in combat.

Russia's nuclear bombs are stored in military facilities and would need to be transported and loaded into either aircraft or launchers for deployment. Pavel Podvig, who runs the research organization Russian Strategic Nuclear Forces, notes that the global community knows the location of the roughly 12 nuclear weapons storage facilities around Russia where this activity would likely originate. He adds that the US has intimate knowledge of most of the sites because it worked with Russia to improve the physical security of the repositories between 2003 and 2012 as part of an initiative called Cooperative Threat Reduction.

“The procedure for deploying these weapons would include a number of steps,” says Podvig, who is also a senior research fellow at the UN Institute for Disarmament Research. “First taking these weapons out of their bunkers, loading them on trucks, and driving them to an airfield—moving them closer to the delivery systems—and doing a checkup procedure. My understanding is, you would see the movement of the launchers, the missiles, the aircraft. It would be a pretty visible operation, and quite frankly, I think Russia would want it to be visible."

Global powers monitor each others' nuclear weapons programs through a combination of aerial and satellite surveillance and other signals intelligence. The analysis is part art, part science, as monitoring of North Korea's nuclear program has particularly shown, given the country's extreme isolation. And while GCHQ's Fleming and other researchers caution that there is never perfect information, global knowledge of Russia's nuclear program and long-standing intelligence operations inside the country will likely allow international observers to spot any Russian nuclear preparations.

“What we’ve mostly seen from North Korea is technology tests where they're showing off a lot in the public space to send specific signals internationally and domestically,” Cato's Gomez says. “With the Russians, it's a different situation. In the lead-up to Russia's invasion of Ukraine in February, the Biden administration was putting out a lot of intelligence saying, ‘We’re seeing a buildup of troops here and these units moving to these places,’ and I think that would very likely be the playbook if they saw signs of Russian nuclear preparations.”

Podvig also notes that another version of Russia's nuclear weapons staging could involve transporting the weapons to forests and then readying the strike under tree cover to minimize aerial visibility. Such an approach would still be detectable during the transport phase and could offer a sort of hybrid in which the exact nature of Russia's plan remains unknown, but the activity still sends an escalatory signal to Ukraine and the world.

“I don’t see why Russia would want to hide the deployment,” Podvig says. “But even if it wanted to, I think they will not have the certainty that they could be successful. I would assume that US intelligence and everybody is watching those sites. The Americans cannot have absolute certainty that they will see it, but Russia does not have certainty that they will not.”

How the World Will Know If Russia Is Preparing to Launch a Nuclear Attack

The China-aligned espionage-focused actor dubbed Winnti has set its sights on government organizations in Hong Kong as part of an ongoing campaign dubbed Operation CuckooBees.
Active since at least 2007, Winnti (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name designated to a prolific cyber threat group that carries out Chinese state-sponsored espionage activity, predominantly

The China-aligned espionage-focused actor dubbed Winnti has set its sights on government organizations in Hong Kong as part of an ongoing campaign dubbed **Operation CuckooBees**.

Active since at least 2007, Winnti (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name designated to a prolific cyber threat group that carries out Chinese state-sponsored espionage activity, predominantly aimed at stealing intellectual property from organizations in developed economies.

The threat actor's campaigns have targeted healthcare, telecoms, high-tech, media, agriculture, and education sectors, with infection chains primarily relying on spear-phishing emails with attachments to initially break into the victims' networks.

Earlier this May, Cybereason disclosed long-running attacks orchestrated by the group since 2019 to siphon technology secrets from technology and manufacturing companies mainly located in East Asia, Western Europe, and North America.

The intrusions, clubbed under the moniker Operation CuckooBees, are estimated to have resulted in the exfiltration of "hundreds of gigabytes of information," the Israeli cybersecurity company revealed.

The latest activity, according to the Symantec Threat Hunter team, part of Broadcom Software, is a continuation of the proprietary data theft campaign, but with a focus on Hong Kong.

The attackers remained active on some of the compromised networks for as long as a year, the company said in a report shared with The Hacker News, adding the intrusions paved the way for the deployment of a malware loader called Spyder, which first came to light in March 2021.

"\[Spyder\] is being used for targeted attacks on information storage systems, collecting information about corrupted devices, executing mischievous payloads, coordinating script execution, and C&C server communication," the SonicWall Capture Labs Threat Research Team noted at the time.

Also deployed alongside Spyder were other post-exploitation tools, such as Mimikatz and a trojanized zlib DLL module that's capable of receiving commands from a remote server or loading an arbitrary payload.

Symantec said that it did not observe the delivery of any final-stage malware, although the motives of the campaign are suspected to be linked to intelligence gathering based on tactical overlaps with previous attacks.

"The fact that this campaign has been ongoing for several years, with different variants of the Spyder Loader malware deployed in that time, indicates that the actors behind this activity are persistent and focused adversaries, with the ability to carry out stealthy operations on victim networks over a long period of time," Symantec said.

**Winnti targets Sri Lankan government entities**

As a further sign of Winnti's sophistication, Malwarebytes uncovered a separate set of attacks targeting government entities in Sri Lanka in early August with a new backdoor referred to as DBoxAgent that leverages Dropbox for command-and-control.

"To our knowledge, Winnti (a China-backed APT) is targeting Sri Lanka for the first time," the Malwarebytes Threat Intelligence team said.

The killchain is also notable for making use of an ISO image hosted on Google Drive that purports to be a document containing information about economic assistance, indicating an attempt by the threat actor to capitalize on the ongoing economic crisis in the nation.

Launching an LNK file contained within the ISO image leads to the execution of the DBoxAgent implant that enables the adversary to remote commandeer the machine and export sensitive data back to the cloud storage service. Dropbox has since disabled the rogue account.

The backdoor further acts as a conduit to drop exploitation tools that would open the door for other attacks and data exfiltration, including activating a multi-stage infection sequence that culminates in the use of an advanced C++ backdoor named KEYPLUG, which was documented by Google's Mandiant in March 2022.

The development marks the first time APT41 has been observed utilizing Dropbox for C&C purposes, illustrating the growing use by attackers of legitimate software-as-a-service and cloud offerings to host malicious content.

"Winnti remains active and its arsenal keeps growing as one of the most sophisticated groups nowadays," the cybersecurity firm said. "Sri Lanka's location in South Asia is strategic for China as it has open access to the Indian Ocean and is close to India."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese 'Spyder Loader' Malware Spotted Targeting Organizations in Hong Kong

There's nothing yet to suggest CVE-2022-42889 is the next Log4j. But proof-of-concept code is available, and interest appears to be ticking up.

Researchers are closely tracking a critical, newly disclosed vulnerability in Apache Commons Text that gives unauthenticated attackers a way to execute code remotely on servers running applications with the affected component.

The flaw (CVE-2022-42889) has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and exists in versions 1.5 through 1.9 of Apache Commons Text. Proof-of-concept code for the vulnerability is already available, though so far there has been no sign of exploit activity.

**Updated Version Available**

The Apache Software Foundation (ASF) released an updated version of the software (Apache Commons Text 1.10.0) on September 24 but issued an advisory on the flaw only last Thursday. In it, the Foundation described the flaw as stemming from insecure defaults when Apache Commons Text performs variable interpolation, which basically is the process of looking up and evaluating string values in code that contain placeholders. "Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers," the advisory said.

NIST, meanwhile, urged users to upgrade to Apache Commons Text 1.10.0, which it said, "disables the problematic interpolators by default."

The ASF Apache describes the Commons Text library as providing additions to the standard Java Development Kit's (JDK) text handling. Some 2,588 projects currently use the library, including some major ones such as Apache Hadoop Common, Spark Project Core, Apache Velocity, and Apache Commons Configuration, according to data in the Maven Central Java repository.

In an advisory today, GitHub Security Lab said it was one of its pen testers that had discovered the bug and reported it to the security team at ASF in March.

Researchers tracking the bug so far have been cautious in their assessment of its potential impact. Noted security researcher Kevin Beaumont wondered in a tweet on Monday if the vulnerability could result in a potential Log4shell situation, referring to the infamous Log4j vulnerability from late last year.

"Apache Commons Text supports functions that allow code execution, in potentially user supplied text strings," Beaumont said. But in order to exploit it, an attacker would need to find Web applications using this function that also accept user input, he said. "I won't be opening up MSPaint yet, unless anybody can find webapps that use this function and allow user supplied input to reach it," he tweeted.

**Proof-of-Concept Exacerbates Concerns**

Researchers from threat intelligence firm GreyNoise told Dark Reading the company was aware of PoC for CVE-2022-42889 becoming available. According to them, the new vulnerability is nearly identical to one ASF announced in July 2022 that also was associated with variable interpolation in Commons Text. That vulnerability (CVE-2022-33980) was found in Apache Commons Configuration and had the same severity rating as the new flaw.

"We are aware of Proof-Of-Concept code for CVE-2022-42889 that can trigger the vulnerability in an intentionally vulnerable and controlled environment," GreyNoise researchers say. "We are not aware of any examples of widely deployed real-world applications utilizing the Apache Commons Text library in a vulnerable configuration that would allow attackers to exploit the vulnerability with user-controlled data."

GreyNoise is continuing to monitor for any evidence of "proof-in-practice" exploit activity, they added.

Jfrog Security said it is monitoring the bug and so far, it appears likely that the impact will be less widespread than Log4j. "New CVE-2022-42889 in Apache Commons Text looks dangerous," JFrog said in a tweet. "Seems to only affect apps that pass attacker-controlled strings to-StringLookupFactory.INSTANCE.interpolatorStringLookup().lookup()," it said.

The security vendor said people using Java version 15 and later should be safe from code execution since script interpolation won't work. But other potential vectors for exploiting the flaw — via DNS and URL — would still work, it noted.

Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text

Just 65 cybersecurity professionals are in the workforce for every 100 available jobs, new study shows.

Widely reported shortages of trained cybersecurity professionals are driving the industry to try to come up with some with creative recruiting and training solutions. But it's complicated. 

At the very same time, automation is increasingly performing the tedious entry-level tasks that early-career threat hunters once built their chops working on, making it harder to gain early experience. 

The result is demand for job openings requiring some previous cybersecurity experience over the past year grew 2.4 times faster than the rate of the rest of the economy, while only 65 cybersecurity professionals are in the workforce for every 100 available jobs, according to newly released research from CyberSeek and partners National Initiative for Cybersecurity Education at NIST, Lightcast, and ComTIA. Overall there were some 769,736 cybersecurity job openings listed over the 12-month period ending in September of this year.

"The CyberSeek data reaffirms the critical importance of feeder roles and thinking more creatively about on-ramps and career pathways," Ron Culler, vice president cyber learning officer, CompTIA said about the cybersecurity employee recruitment study findings. "We see this trend continuing and are committed to ensuring that cybersecurity professionals are prepared for the current and future challenges this will bring."

Besides staffing up the security operations, employers are increasingly searching for potential hires with cybersecurity skill sets across other specialized areas of business including auditor, software developer, cloud architect, and tech support engineer, CyberSeek found. 

**Cybersecurity Experience Expectations Unrealistic **

In many cases, those demands for cybersecurity experience are unnecessary, Timothy Morris, chief security adviser with Tanium, tells Dark Reading.

"Degrees are not required for most cybersecurity jobs," Morris explains. "Provide on-the-job training with tuition assistance for degrees. Building great, world-class cybersecurity teams requires a skill diversity. I've had success with folks that have varied backgrounds (teachers, retailers, mechanics) seeking a new career." 

Instead, Morris suggests employers search out job seekers with curiosity and a passion for solving problems. 

Phil Neray, vice president of cyber-defense strategy at CardinalOps, agrees and suggests hiring managers looking for cybersecurity talent consider applicants with past job experience in crime and fraud investigations, history and foreign policy, data science, IT networking, and music.

"Hiring in a tough labor market requires a certain level of open-mindedness and intellectual humility on the part of the hiring manager," Neray tells Dark Reading. "There are lots of people with nontraditional backgrounds who can become excellent cybersecurity professionals because they exhibit key traits like a willingness to learn, an analytical 'hacker mindset' when discovering the unknown, creativity, and attention to detail."

Cybersecurity's Hiring Spree Requires a Recruiting Rethink

Excessive statefulness hurts the ability to scale networks, applications, and ancillary supporting infrastructure, thus affecting an entire service delivery chain's ability to withstand a DDoS attack.

In this era of accelerated digital transformation, organizations have come to rely on increasingly complex application and service delivery chains to seamlessly and consistently deliver goods and services across the Internet. In turn, they expect similar levels of service and consistency from business partners and suppliers — and all at Internet speed and scale.

This is why, of the three elements of information security — confidentiality, integrity, and availability — it is availability that is at the forefront of the organization's ability to conduct business and attain its goals. The growing reliance on remote work and education has only served to increase the criticality of availability across all verticals, at all levels of contribution.

As a result of this wholesale shift in operational models, it is now possible for threat actors to disrupt not only an organization's public-facing applications and services — which is bad enough, both in terms of revenue and of brand reputation — but to negatively impact the ability of front-line workers to execute their responsibilities. This is the goal of distributed denial-of-service (DDoS) attacks.

**Scaling Defenses as DDoS Attacks Increase**

Threat actors launch DDoS attacks for a variety of reasons, including extortion, contracted attacks from business competitors, ideological motivations, disputes related to online gaming, and even simple nihilism. And DDoS attacks against an organization's supply chain partners or external services vendors can be just as disruptive as a direct attack against the organization's organic assets. The record-breaking number of DDoS attacks observed during 2021 exhibited significant increases in preattack reconnaissance, the introduction of multiple new DDoS vectors, and unprecedented growth in multivector DDoS attacks targeted across multiple verticals.

While metrics such as attack volume (bits-per-second, or bps), throughput (packets-per-second, or pps), and application-layer load (transactions-per-second \[tps\] or queries-per-second \[qps\]) are necessary for understanding attack dynamics and scaling DDoS defenses, it is important to realize that DDoS attacks are attacks against both capacity and state.

In the networking context, maintaining state means tracking the current status or condition of a given network communication session. In terms of applications and services, it means doing so for discrete transactions or processes. While stateful operation can be desirable in some specific circumstances and for short time frames, excessive instantiations of state impose significant constraints on the ability to scale networks, applications, and ancillary supporting infrastructure, thus affecting the ability of the entire service delivery chain to withstand DDoS attacks.

**How DDoS Attacks Overcome Stateful Firewalls, IPSes, and Load-Balancers**

Placing a stateful firewall — a category that encompasses Web application firewalls (WAFs) — on an enterprise network enhances security by dropping all incoming network traffic not directly related to outgoing user-initiated network requests. However, it does not help secure public-facing Web servers, authoritative DNS servers, application servers, and the like because incoming packets to those servers and services are unsolicited.

Also, low-volume DDoS attacks can overwhelm even the highest-capacity stateful firewalls. This is due to the significant memory and processing overhead consumed in tracking connection state for all incoming Internet traffic; it simply isn't possible to do so at Internet scale. When stateful firewalls — or the applications, services, and servers sited behind them — are subjected to a DDoS attack, the firewall state-tables are quickly exhausted, and either the firewalls themselves will be rendered inoperable under the increased traffic load or the programmatically generated attack traffic will crowd out legitimate incoming connections by exhausting the ability of the firewall to track state.

This allows attackers to successfully disrupt the organization's public-facing services, including e-commerce, high-demand content, customer service and support applications, and DNS, as well as the VPN infrastructure for the remote workforce.

Stateful load-balancers, intrusion prevention systems (IPSes), and the applications and services behind them are also susceptible to state exhaustion as a result of DDoS attacks. The same is true of applications that carry excessive state at key points in the service delivery chain. Accordingly, state minimization and state distribution should be key in network and application design.

**Best Current Practices for Network Infrastructure**

Industry coalition Mutually Agreed Norms for Routing Security (MANRS) suggests a set of network infrastructure self-protection best current practices (BCPs) to implement to ensure that the network itself is resilient and can maintain availability even in the face of attack. Critical service delivery elements, such as authoritative and recursive DNS servers, application and content farms, etc., must also be configured and deployed in a scalable, distributed, and resilient manner. Stateless access-control lists (ACLs) should be implemented to enforce situationally appropriate network access control policies for servers, services, and applications, reducing the options available to attackers.

Out-of-band (OOB) management capabilities and edge-to-edge visibility into all network traffic are crucial to maintaining situational awareness and control when under attack.

Flow telemetry, such as NetFlow and IPFIX, should be exported from edge routers and layer-3 switches to provide visibility into all traffic ingressing, egressing, and traversing the network. All network edges should be instrumented. Flow telemetry collection and analysis allows network operators to detect, classify, and trace back DDoS attack traffic in real time.

Network infrastructure-based DDoS mitigation techniques such as flowspec and source-based remote triggered blackholing (S/RTBH) allow edge routers and layer-3 switches to be leveraged against DDoS attacks. Along with flow telemetry export, these mechanisms should be supported in all peering- and customer aggregation-edge network infrastructure elements.

Intelligent DDoS mitigation systems (IDMSes) are intended to protect against volumetric, application-layer, and state-exhaustion DDoS attacks. They incorporate DDoS-specific countermeasures that are either fully stateless or which instantiate into a minimal, ephemeral state that is quickly shed in order to differentiate between DDoS attack traffic and legitimate user/partner traffic. IDMSes can typically evaluate all contents of the packet header and payload, reassemble fragmented packets and application-layer messages, and evaluate incoming requests to ensure that they are sourced from legitimate clients, rather than DDoS-capable botnets.

By implementing these BCPs and ensuring that they have the ability to detect, classify, trace back, and mitigate DDoS attacks, organizations can ensure that their public-facing applications, services, and content remain available — even in the face of attack.

Tag

#intel