Even as cyber threats become increasingly sophisticated, the number one attack vector for unauthorized access remains phished credentials (Verizon DBIR, 2024). Solving this problem resolves over 80% of your corporate risk, and a solution is possible. 
However, most tools available on the market today cannot offer a complete defense against this attack vector because they were architected to

Even as cyber threats become increasingly sophisticated, the number one attack vector for unauthorized access remains phished credentials (Verizon DBIR, 2024). Solving this problem resolves over 80% of your corporate risk, and a solution is possible.

However, most tools available on the market today cannot offer a complete defense against this attack vector because they were architected to deliver probabilistic defenses. Learn more about the characteristics of Beyond Identity that allow us to deliver deterministic defenses.

****The Challenge: Phishing and Credential Theft****

Phishing attacks trick users into revealing their credentials via deceptive sites or messages sent via SMS, email, and/or voice calls. Traditional defenses, such as end-user training or basic multi-factor authentication (MFA), lower the risk at best but cannot eliminate it. Users may still fall prey to scams, and stolen credentials can be exploited. Legacy MFA is a particularly urgent problem, given that attackers now bypass MFA at scale prompting NIST, CISA, OMB, and NYDFS to issue guidances for phishing-resistant MFA.

****Beyond Identity's Approach: Deterministic Security******Eliminate Phishing**

Shared secrets, like passwords and OTPs, are inherently vulnerable because they can be intercepted or stolen. Beyond Identity uses public-private key cryptography, or passkeys, to avoid these risks and never falls back to phishable factors like OTP, push notifications, or magic links.

While public key cryptography is robust, the safety of private keys is crucial. Beyond Identity utilizes secure enclaves—specialized hardware components that safeguard private keys and prevent unauthorized access or movement. By ensuring all authentications are phishing-resistant and leveraging device-bound, hardware-backed credentials, Beyond Identity provides assurance against phishing attacks.

**Prevent Verifier Impersonation**

Recognizing legitimate links is impossible for human beings. To address this, Beyond Identity authentication relies on a Platform Authenticator, which verifies the origin of access requests. This method helps prevent attacks that rely on mimicking legitimate sites.

**Eliminate Credential Stuffing**

Credential stuffing is an attack where bad actors test stolen username and password pairs to attempt to gain access. Typically, the attack is carried out in an automated manner.

Beyond Identity addresses this by eliminating passwords entirely from the authentication process. Our passwordless, phishing-resistant MFA allows users to log in with a touch or glance and supports the broadest range of operating systems on the market, including Windows, Android, macOS, iOS, Linux, and ChromeOS, so users can log in seamlessly no matter what device they prefer to use.

**Eliminate Push Bombing Attacks**

Push bombing attacks flood users with excessive push notifications, leading to accidental approvals of unauthorized access. Beyond Identity mitigates this risk by not relying on push notifications.

Additionally, our phishing-resistant MFA enables device security checks on every device, managed or unmanaged, using natively collected and integrated third-party risk signals so you can ensure device compliance regardless of the device.

**Enforce Device Security Compliance**

During authentication, it's not just the user that's logging in, it's also their device. Beyond Identity is the only IAM solution on the market that delivers fine-grained access control that accounts for real-time device risk at the time of authentication and continuously during active sessions.

The first benefit of a platform authenticator is the ability to provide verifier impersonation resistance. The second benefit is that, as an application that lives on the device, it can provide real-time risk data about the device, such as firewall enabled, biometric-enabled, disk encryption enabled, and more.

With the Beyond Identity Platform Authenticator in place, you can have guarantees of user identity with phishing-resistant authentication and enforce security compliance on the device requesting access.

**Integrating Risk Signals for Adaptive Access**

Given the proliferation of security tools, risk signals can come from various disparate sources ranging from mobile device management (MDM), endpoint detection and response (EDR), Zero Trust Network Access (ZTNA), and Secure Access Service Edge (SASE) tools. Adaptive, risk-based access is only as strong as the breadth, freshness, and comprehensiveness of risk signals that are fed into its policy decisions.

Beyond Identity provides a flexible integration architecture that prevents vendor lock-in and reduces the complexity of admin management and maintenance. Additionally, our policy engine allows for continuous authentication, so you can enforce comprehensive risk compliance even during active sessions.

**Ready to experience phishing-resistant security?**

Don't let outdated security measures leave your organization vulnerable when there are solutions available that can dramatically reduce your threat landscape and eliminate credential theft.

With Beyond Identity, you can safeguard access to your critical resources with deterministic security. Get in touch for a personalized demo to see firsthand how the solution works and understand how we deliver our security guarantees.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Say Goodbye to Phishing: Must-Haves to Eliminate Credential Theft

A technique to abuse Microsoft's built-in source code editor has finally made it into the wild, thanks to China's Mustang Panda APT.

Source: Postmodern Studio via Alamy Stock Photo

A Chinese state-aligned espionage group has become the first documented threat actor to weaponize a known exploit in VS Code in a malicious attack.

Visual Studio Code, or VS Code, is Microsoft's free source code editor for Windows, Linux, and macOS. According to Stack Overflow's 2023 survey of 86,544 developers, it's the most popular integrated development environment (IDE) among both new (78%) and professional developers (74%), by some distance. The next most popular IDE, Visual Studio, was used by 28% of respondents.

In September 2023, a threat researcher described how an attacker could take advantage of a VS Code feature called "Tunnel" to gain initial access to a target's environment. Initially, the tactic was just fodder for red teaming. Now, according to Palo Alto Networks' Unit 42, China's Mustang Panda (aka Stately Taurus, Bronze President, RedDelta, Luminous Moth, Earth Preta, and Camaro Dragon) has used it in an espionage attack against a government entity in southeast Asia.

"The technique described requires an attacker to have previously gained code execution privileges on a target machine," a Microsoft spokesperson tells Dark Reading. "As a security best practice, we encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages or opening unknown files."

**Turning VS Code Into a Reverse Shell**

"One of the worst fears as a cybersecurity expert is detecting and preventing a signed reverse shell binary," Truvis Thornton wrote, a whole year prior to Unit 42's latest research. "Guess what? Microsoft gladly gave us one."

First introduced in July 2023, VS Code Tunnel allows users to share their VS Code environments on the open Web, and only requires authentication through a GitHub account.

An attacker with their victim's GitHub credentials could do damage, but much worse is the fact that one can remotely install a portable version of VS Code on a targeted machine. Because it's a legitimate signed binary, it will not be flagged as suspicious by security software.

And yet, it will walk and talk like a reverse shell. By running the command "code.exe tunnel," the attacker opens a GitHub authentication page, which they can log into with their own account. Then they're redirected to a VS Code environment connected to their target's system, and free to execute commands and scripts and introduce new files at will.

Mustang Panda — a 12-year-old advanced persistent threat (APT) known for espionage against governments, nongovernmental organizations (NGOs), and religious groups in Asia and Europe — used this playbook to perform reconnaissance against its target, drop malware, and, most importantly for its purposes, exfiltrate sensitive data.

**How to Deal with VSCode**

"While the abuse of VSCode is concerning, in our opinion, it is not a vulnerability," Assaf Dahan, director of threat research for Unit 42, clarifies. Instead, he says, "It's a legitimate feature that was abused by threat actors, as often happens with many legitimate software (take lolbins, for example)."

And there are a number of ways organizations can protect against a bring-your-own-VSCode attack. Besides hunting for indicators of compromise (IoCs), he says, "It's also important to consider whether the organization would want to limit or block the use of VSCode on endpoints of employees that are not developers or do not require the use of this specific app. That can reduce the attack surface." 

"Lastly, consider limiting access to the VSCode tunnel domains '.tunnels.api.visualstudio\[.\]com' or '.devtunnels\[.\]ms' to users with a valid business requirement. Notice that these domains are legitimate and are not malicious, but limiting access to them will prevent the feature from working properly and consequently make it less attractive for threat actors," he adds.

**A Second, Overlapping Attack**

While investigating the Mustang Panda attack, Unit 42 came across a second threat cluster occupying the same target's systems.

In this case, the attacker abused imecmnt.exe — a legitimate and signed file associated with Microsoft's Input Method Editor (IME), used for generating text in languages not conducive to the QWERTY keyboard — with some dynamic link library (DLL) sideloading. The file they dropped, ShadowPad, is a 7-year-old modular backdoor popular among Chinese threat actors.

This compromise occurred at the same time as the VS Code exploitation, often on the same endpoints, and the overlaps didn't end there. Still, researchers couldn't say for certain whether this second cluster of malicious activity could be attributed to Mustang Panda. "There could also be other possible scenarios to explain this connection," they wrote. "For example, it could be a joint effort between two Chinese APT groups or perhaps two different groups piggybacking on each other's access."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft VS Code Undermined in Asian Spy Attack

A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint…

A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint vulnerability. The breach, dubbed “Fortileak,” was revealed on a forum with access credentials shared online.

A hacker using the alias “Fortibitch” has claimed responsibility for leaking 440 GB of data belonging to Fortinet, a prominent cybersecurity firm based in Sunnyvale, California. The hacker stated that the stolen data is now accessible for download via an Amazon S3 bucket, with details of the breach and access credentials shared on the popular underground forum, Breach Forum.

**The Breach: Fortileak**

Dubbed _Fortileak_ by the hacker, the breach allegedly originates from an exposure in Fortinet’s Azure SharePoint instance. In the forum post, the hacker pointed out recent acquisitions by Fortinet, including the Data Loss Prevention (DLP) firm Next DLP and the cloud security company Lacework. They then claimed that Fortinet’s Azure SharePoint had been compromised, allowing for the extraction of the substantial data cache.

The full scope of the compromised data remains unclear, though the hacker emphasized that the breach involves Fortinet’s cloud infrastructure. The hacker provided the following credentials for accessing the alleged stolen data:

Screenshot: Hackread.com

**Ransom Demands and Negotiation Breakdown**

In a further twist, the hacker claimed that Fortinet’s CEO, Ken Xie, walked away from ransom negotiations. In the forum post, the hacker ridiculed Xie, alleging that the CEO refused to engage, stating that he “would rather eat some p\*\*p than pay ransom.” The hacker also questioned why Fortinet had not filed an SEC 8-K form (PDF)—a document required by public companies to disclose major incidents.

The post also contained a mix of taunts and shout-outs to other individuals or groups, which seemed to further underline the hacker’s brash attitude toward the attack and its aftermath.

**Fortinet’s Response**

Hackread.com reached out to Fortinet for an official comment on the breach. A spokesperson for the company confirmed that an unauthorized individual had gained access to a limited number of files stored on a third-party cloud-based shared file drive. These files included data related to a “small” subset of Fortinet customers.

In their statement to Hackread.com, Fortinet reassured stakeholders that there has been no indication of any malicious activity affecting its customers. They emphasized that the company’s operations, products, and services have not been impacted by the breach. Fortinet stated that they have already communicated directly with the affected customers and are continuing to monitor the situation closely.

> _“An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number of Fortinet customers, and we have communicated directly with customers as appropriate. To-date there is no indication that this incident has resulted in malicious activity affecting any customers. Fortinet’s operations, products, and services have not been impacted.”_
> 
> Fortinet Spokesperson

This is not the first time Fortinet has faced a cybersecurity incident. Last year, Chinese hackers were reported to be exploiting a zero-day vulnerability in the company’s products. In another instance, hackers were found exploiting a vulnerability in FortiOS, the operating system for Fortinet’s security appliances, to compromise organizations and customers.

Nevertheless, for now, the full extent of the breach remains under investigation, and it is unclear whether the alleged stolen data will be used maliciously or if the ransom negotiations will have any further developments. As more information emerges, both customers and cybersecurity professionals will be watching closely to assess the impact of this incident.

1.  **World’s Leading Cybersecurity Firm Kaspersky Hacked**
2.  **CISA and Fortinet Warns of New FortiOS Zero-Day Flaws**
3.  **X Account of Google Cybersecurity Firm Mandiant Hacked**
4.  **Cybersecurity Firm Hacks Itself, Finds AWS Credentials Leak**
5.  **Hackers dump plain-text login credentials of Fortinet VPN users**

Fortinet Confirms Limited Data Breach After Hacker Leaks 440 GB of Data

PRESS RELEASE

REDDING, Calif., Sept. 10, 2024 /PRNewswire/ -- According to a new market research report titled, 'SCADA Market by Type (Monolithic SCADA Systems, Distributed SCADA Systems, Networked SCADA Systems), Component (Hardware, Software, Services), Deployment Mode, End-use Industry (Oil & Gas, Automotive, F&B)—Global Forecast to 2031.

The rising adoption of automated technologies across Europe and Asia-Pacific, the advent of Industry 5.0, the growing demand for smart and digitized production processes, and the increasing emphasis on industrial automation are key factors driving the growth of SCADA. However, the high initial investment requirements for SCADA implementation are restraining the growth of this market.

Furthermore, the growing adoption of wireless sensor networks and the proliferation of smart factories are expected to generate growth opportunities for the players operating in this market. However, the risk of cyberattacks is a major challenge impacting market growth. Furthermore, the rising adoption of Industry 4.0 technologies and the increasing reliance on Human-Machine Interface (HMI) systems are prominent trends in the SCADA market.

Advent of Industry 5.0 Boosting the Demand for Scada Systems 

Industry 5.0, also known as the Fifth Industrial Revolution, is a new and emerging phase of industrialization that builds upon the principles of Industry 4.0 but emphasizes the human touch and the integration of human skills with advanced technologies. Industry 4.0 focused on technologies such as the Internet of Things and big data, whereas Industry 5.0 seeks to involve human, environmental, and social aspects.

As Industry 5.0 promotes enhanced collaboration between humans and machines, there is an increasing demand for sophisticated automation and control systems capable of effectively bridging the gap between these elements. SCADA systems facilitate real-time monitoring and control of industrial processes, playing an important role in enabling seamless interactions between humans and machines. They offer the necessary infrastructure for incorporating human input and feedback into automated workflows, thereby optimizing performance and efficiency. With Industry 5.0 driving the adoption of advanced technologies, the requirement for comprehensive monitoring and control solutions to ensure seamless integration and coordination is growing. SCADA systems have significantly improved the reliability and capability of automation. Centralized SCADA systems are increasingly utilized for decision-making in hazardous situations to prevent accidents in complex infrastructure. These systems oversee and manage entire sites, support informed decision-making, enhance efficiency, and minimize downtime. The advantages provided by SCADA systems, coupled with the escalating need to maintain the integrity and reliability of critical infrastructure, are driving market growth.

Governments are actively supporting industrial automation and digitalization initiatives. For example, in January 2021, the President of Spain introduced three new plans for SMEs (2021-2025)—the Connectivity Plan, the Strategy to Promote 5G Plan, and the National Strategy for Artificial Intelligence. These plans are part of the Spain 2025 Digital Agenda and aim to advance the development and deployment of SCADA systems across various industries. By enhancing capabilities and driving digital transformation, these initiatives are increasing demand for SCADA systems and contributing to market growth.

SCADA Market Analysis: Key Segmental Findings

*   By Type: In 2024, the networked SCADA systems segment is expected to account for the largest share of 47.5% of the SCADA market. Moreover, this segment is projected to register the highest CAGR of 8.2% during the forecast period from 2024 to 2031.
    
*   By Component: In 2024, the hardware segment is expected to account for the largest share of 55.9% of the SCADA market. However, the software segment is estimated to record the highest CAGR during the forecast period from 2024 to 2031.
    
*   By Deployment Mode: In 2024, the on-premise deployments segment is expected to account for the dominant share of the SCADA market. However, the cloud-based deployments segment is anticipated to register the highest CAGR of 10.5% during the forecast period from 2024 to 2031.
    
*   By End-use Industry: In 2024, the manufacturing segment is expected to account for the major share of 26.4% of the SCADA market. However, the automotive segment is slated to record the highest CAGR of 10.7% during the forecast period from 2024 to 2031.
    

Get A Glimpse Inside: Request Sample Pages \- https://www.meticulousresearch.com/request-sample-report/cp\_id=5186

Geographic Analysis:

By geography, the SCADA market is segmented into North America, Europe, Asia-Pacific, Latin America, and the Middle East & Africa. In 2024, North America is estimated to account for the largest share of 32.1% of the SCADA market. The North America SCADA market is expected to reach $5,488.3 million by 2031.

The industrial sector has seen extensive implementation of automation systems, especially in North America. Manufacturers in this region are increasingly deploying advanced automation technologies in their operations. North American countries are competing with their Asian and European counterparts to position themselves as key manufacturing centers, with the goal of lowering costs related to importing goods. The high labor costs in the U.S. are a primary impetus for the adoption of process control systems, such as SCADA (Supervisory Control and Data Acquisition), MES (Manufacturing Execution System), and DCS (Distributed Control System). These systems are instrumental in reducing the need for human oversight and management of automation processes.

Key market players are focusing on developing SCADA solutions with advanced features tailored for various industrial applications, including oil & gas, power, utilities, automotive, electronics, and F&B. For example, in October 2022, Emerson Electric Co. (U.S.) introduced Movicon.NExT 4.2, an advanced automation platform designed for seamless integration with field devices and enterprise systems. This software provides the data and insights necessary for achieving operational excellence across diverse applications in discrete and hybrid manufacturing sectors, including F&B, packaged consumer goods, energy, infrastructure, building automation, and machine automation.

Furthermore, in October 2022, AtomTech (U.S.) expanded its North American presence by launching AtomTech Canada. This move addresses the growing demand for automation, cybersecurity, SCADA, and IIoT 4.0 solutions across industries such as automotive, medical equipment, and warehouse logistics. Such developments support the growth of the SCADA market in the region during the forecast period.

Have specific research needs? Request a customized research report:- https://www.meticulousresearch.com/request-customization/cp\_id=5186

Asia-Pacific: The Fastest-growing Regional Market

The SCADA market in Asia-Pacific is poised to register the highest CAGR during the forecast period. In 2024, China is expected to account for the major share of the SCADA market in Asia-Pacific. Asia-Pacific generates significant growth opportunities for the adoption of industrial process control solutions, given its extensive and diverse manufacturing sector. Traditionally, manual or semi-automatic control processes have characterized industrial production in the region. However, advanced automation solutions are becoming essential for achieving the flexibility required in high-volume production lines, thereby enhancing overall operational efficiency.

Asia-Pacific is a prominent manufacturing hub across multiple sectors, including automotive, electronics, consumer goods, pharmaceuticals, and more. This manufacturing prominence is a significant driver of automation technology adoption in the region. SCADA solutions are increasingly being adopted in countries such as China, Japan, South Korea, and India, driven by efforts to modernize manufacturing facilities and the need for SCADA software to interface with Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs), and Human-Machine Interface (HMI) components. The focus on improving process efficiencies and reducing production costs further fuels market growth, enabling operators to analyze and make decisions from remote locations.

The rapid advancement of automation and artificial intelligence (AI) is having a profound impact on economies in the APAC region. Asiais expected to be the fastest-growing automation market, driven by factors such as population growth, urbanization, economic development, rising wages, and decreasing costs associated with automated industrial technologies. The increasing awareness of advanced industrial control solutions, including SCADA systems for comprehensive manufacturing process monitoring, is a key driver of this market growth.

The U.K. Continues to Dominate the SCADA Market in Europe

In 2024, the U.K. is expected to account for the largest share of the SCADA market in Europe. Several factors are driving the adoption of industrial control systems in the U.K., including the expansion of the manufacturing industry, stringent manufacturing and industrial safety regulations, increased diversity in consumer products, growing awareness of automated systems, and rising labor costs. Many enterprises and industries in the U.K. are increasingly adopting automated machines and control solutions to enhance operational process monitoring. Key sectors such as oil & gas, power, automotive, F&B, electronics, and semiconductors are leading the way in implementing industrial control systems. In response to the evolving needs of these industries, market players are actively developing advanced SCADA solutions. For example, in September 2020, Severn Trent plc (U.K.) invested USD 6.4 million to upgrade its SCADA monitoring and management systems to a cloud-based platform.

SCADA Market: Competition Analysis

This report offers a competitive analysis based on an extensive assessment of the leading players' product portfolios, geographic presence, and key growth strategies adopted over the past three to four years. Major companies in the SCADA market have implemented various strategies to expand their product offerings and global footprints and augment their market shares. The key strategies followed by most companies in the SCADA market were product launches & enhancements, acquisitions, expansion, partnerships, agreements, and collaborations. The key market players operating in the SCADA market include Rockwell Automation, Inc. (U.S.), Siemens AG (Germany), Eaton Corporation plc (Ireland), Schneider Electric SE (France), ABB Ltd (Switzerland), Yokogawa Electric Corporation (Japan), General Electric Company (U.S.), Emerson Electric Co. (U.S.), Honeywell International, Inc. (U.S.), Mitsubishi Electric Corporation (Japan), OMRON Corporation (Japan), Pilz GmbH & Co. KG (Germany), Survalent Technology Corporation (Canada), Valmet (Finland), and Hitachi, Ltd. (Japan).

Browse In-Depth Report Now - https://www.meticulousresearch.com/product/scada-market-5186

SCADA Industry Overview: Latest Developments from Key Industry Players

*   In June 2023, Siemens AG introduced the SICAM 8 power automation platform, which includes two new software solutions: the SICAM HMI (Human Machine Interface) visualization tool and the SICAM S8000 software solution for power automation. This platform is part of the Siemens Xcelerator portfolio, an open digital platform designed to help customers accelerate their digital transformation at scale.
    
*   In April 2023, Siemens AG partnered with Gujarat Metro Rail Corporation Limited (GMRCL) (India) to advance rail electrification technologies. Siemens Limited will deliver project management services and cutting-edge rail electrification technologies, including advanced power supply and distribution systems. Additionally, Siemens Limited will provide sophisticated digital solutions, such as Supervisory Control and Data Acquisition (SCADA) systems, for both metro projects.
    
*   In March 2023, Rockwell Automation launched FactoryTalk Optix, a new addition to the company's visualization portfolio. FactoryTalk Optix is a modern, cloud-enabled human-machine interface (HMI) platform that allows users to design, test, and deploy applications directly from a web browser remotely, in real time.
    
*   In February 2023, ABB launched the ABB Ability Symphony Plus distributed control system that delivers seamless and secure access to an extended digital ecosystem for power generation and water industries. It increases performance and enables plant-wide digitalization, offering a noninvasive modernization of the installed base.
    
*   In October 2022, Emerson released a new version of its DeltaV distributed control system (DCS). Version 15 helps plants digitally transform operations through improved production optimization and enhanced operator performance.
    
*   In April 2022, ABB partnered with Ramboll (Denmark) to explore new opportunities in offshore substations. ABB will leverage its expertise in the design and supply of electrical, SCADA, automation, and telecommunications equipment. This includes engineering, products, installation, commissioning, and operational maintenance of these systems.
    
*   In January 2022, Schneider Electric entered into an agreement with AVEVA, a leading technology company. This collaboration was designed to further AVEVA's digital and sustainability objectives. Schneider Electric's extensive reach and profound market expertise will support AVEVA in sustaining, expanding, and enhancing its leadership in the industrial automation software and SCADA sectors across the Pacific region.
    
*   In April 2021, Mitsubishi Electric updated its SCADA lineup with GENESIS64, introducing two new software products for system monitoring and process control. This new software suite replaced the MC Works64 SCADA software, which was designed for monitoring small production lines and managing multi-site monitoring.
    
*   In January 2021, Rockwell Automation acquired Fiix Inc. (Canada), an AI-enabled computerized maintenance management system (CMMS) company. This acquisition bolsters Rockwell Automation's software strategy and strengthens its Lifecycle Services business. The addition of Fiix enhances the company's ability to offer a comprehensive range of industrial automation services, aimed at maximizing the value of customers' production assets, systems, plants, and processes.

SCADA Market Is Set to Reach $18.7B by 2031

A vendor honeypot caught two attacks intended to leverage the tens of thousands of exposed Selenium Grid Web app testing servers.

Source: Olekcii Mach via Alamy Stock Photo

Threat actors are infecting Internet-exposed Selenium Grid servers, with the goal of using victims' Internet bandwidth for cryptomining, proxyjacking, and potentially much worse.

Selenium is an open source suite of tools for browser automation that, according to data from Wiz, can be found in 30% of cloud environments. Selenium Grid is its open source tool for automatically testing Web applications across multiple platforms and browsers in parallel, used by millions of developers and thousands of organizations worldwide. Its Selenium/hub docker image has more than 100 million pulls on Docker Hub.

Though it's an internal tool by nature, tens of thousands of Selenium Grid servers are exposed on the Internet today. In turn, at least some hackers have deployed automated malware intended to hijack these servers for various malicious purposes.

To gauge the kinds of threats that face these untended servers, Cado Security recently launched a honeypot. As Al Carchrie, R&D lead solutions engineer for Cado Security, remembers, "We deployed the honeypot on a Tuesday, and then we started to see activity within 24 hours."

**Selenium Proxyjacking**

During the research period, two primary threats kept automatically trying to attack the honeypot day after day.

The first deployed a series of scripts, including one labeled "y," which dropped the open source networking toolkit GSocket. GSocket is designed to allow two users behind firewalls to establish a secure TCP connection. In this and other cases, though, threat actors used it as a means of command-and-control (C2).

Two scripts followed, "pl" and "tm," which performed various reconnaissance functions — analyzing system architecture, checking for root privileges, and other functions — and dropped the campaign's primary payloads: Pawns.app (IPRoyal Pawn) and EarnFM. Each of these are proxyware — programs that allow users to essentially rent out their unused internet bandwidth.

Though services like these are sold legitimately, hackers can easily weaponize them for their own purposes. Called "proxyjacking," it involves hijacking an unwitting Internet user's IP to use as one's own personal proxy server for further malicious activities or selling it to another cybercriminal.

"It allows people to hide behind legitimate IP addresses, and the reason for doing that is to try and bypass IP filtering that organizations would put in place," Carchrie explains. "So if you're using Tor to try and anonymize yourselves, organizations might blacklist Tor IP addresses from accessing their infrastructure. This gives them an opportunity. This is the first time I've personally come across proxyjacking being used as the end goal of a campaign."

**More Significant Threats to Selenium**

The second attack snagged by the honeypot was similar in its initial means of infection, but dropped a Golang-based executable and linkable format (ELF) binary. The ELF, in turn, attempted to use "PwnKit," a public exploit for CVE-2021-4043, an old, medium severity Linux privilege escalation bug (CVSS score 5.5).

Next, the malware connected to an attacker's C2 infrastructure and dropped "perfcc," a cryptominer. In this way, it paralleled a different, yearlong campaign revealed by Wiz back in July, which used Selenium Grid as a vector to deploy the XMRig miner.

As Ami Luttwak, CTO and co-founder of Wiz, explains, the same kind of attack can be used to do a lot worse.

"Remember, Selenium runs usually in test environments," he says. "Test environments have proprietary code, and many times from test environments you can actually get access back to either engineering environments or production. So this could be used by a more advanced attacker to start actually attacking the exposed organization."

**30,000 Publicly Exposed Servers**

Being an internal tool by nature, Selenium Grid does not have any authentication to barricade attackers from breaking in. Its maintainers have warned in documentation that it "must be protected from external access using appropriate firewall permissions."

In July, though, Wiz found around 15,000 updated but Internet-exposed Selenium Grid servers. Worse: More than 17,000 were both exposed to the Internet, and running outdated versions. (That number has since dropped below 16,000.) The vast majority of these were based in the US and Canada.

It was only a matter of time, then, before threat actors capitalized on the opportunity. The first documented sign of it was reported in a Reddit post.

"Selenium is built to be an internal service for testing," Luttwak emphasizes. "In most scenarios, it's not supposed to be publicly accessible. If it is, then there is a risk there you have to mitigate."

Carchrie advises, "If you need your Selenium Grid accessible via the Internet, we recommend that you deploy an appropriately configured authentication proxy server in front of the Selenium Grid application using multifactor authentication as well as username and passwords."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Hackers Proxyjack &amp; Cryptomine Selenium Grid Servers

WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily.
The enforcement is expected to come into effect starting October 1, 2024.
"Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the

Web Security / Content Management

WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily.

The enforcement is expected to come into effect starting October 1, 2024.

"Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the maintainers of the open-source, self-hosted version of the content management system (CMS) said.

"Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community."

Besides requiring mandatory 2FA, WordPress.org said it's introducing what's called SVN passwords, which refers to a dedicated password for committing changes.

This, it said, is an effort to introduce a new layer of security by separating users' code commit access from their WordPress.org account credentials.

"This password functions like an application or additional user account password," the team said. "It protects your main password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org credentials."

WordPress.org also noted that technical limitations have prevented 2FA from being applied to existing code repositories, as a result of which it has opted for a "combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations)."

The measures are seen as a way to counter scenarios where a malicious actor could seize control of a publisher's account, thereby introducing malicious code into legitimate plugins and themes, resulting in large-scale supply chain attacks.

The disclosure comes as Sucuri warned of ongoing ClearFake campaigns targeting WordPress sites that aim to distribute an information stealer called RedLine by tricking site visitors into manually running PowerShell code in order to fix an issue with rendering the web page.

Threat actors have also been observed leveraging infected PrestaShop e-commerce sites to deploy a credit card skimmer to siphon financial information entered on checkout pages.

"Outdated software is a primary target for attackers who exploit vulnerabilities in old plugins and themes," security researcher Ben Martin said. "Weak admin passwords are a gateway for attackers."

Users are recommended to keep their plugins and themes up-to-date, deploy a web application firewall (WAF), periodically review administrator accounts, and monitor for unauthorized changes to website files.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers

Torrance, United States / California, 12th September 2024, CyberNewsWire

**Torrance, United States / California, September 11th, 2024, CyberNewsWire**

Criminal IP, a distinguished leader in Cyber Threat Intelligence (CTI) search engine developed by AI SPERA, announced that it has successfully integrated its IP address-related risk detection data with IPLocation.io, one of the most visited IP analysis and lookup tools on the internet.

Through the integration, IPLocation.io, a prominent IP address geolocation tracker platform with a substantial user base, now offers more detailed insights on IP addresses from Criminal IP’s accurate and up-to-date threat intelligence database.

**Innovative Data Ecosystem Driven by Search Engine and AI Expertise**

This is a groundbreaking advancement because Criminal IP’s database, built on a search engine framework, is more than a collection of information; it’s a refined machine learning ecosystem honed through extensive scanning and detection of malicious IP addresses. The system continuously enhances its accuracy by transforming self-collected threat data, particularly behavioral patterns for IP address evasion, into actionable intelligence using AI and machine learning techniques.

**Tracking Down Threat History with Snort and Scanner Information**

Unlike traditional IP tracking methods, which only provide the geographic location of IP addresses, Criminal IP data in IPLocation.io now delivers information from ‘Snort’, a network intrusion detection system, and vulnerability scanners on open ports. This, along with newly provided inbound and outbound scores of IP addresses, enables the comprehensive identification of threat information related to IP addresses. Users can now compile the information themselves to assess the risk of an IP address, supported by a variety of fact-based evidence.

Threat data from Criminal IP accessible on IPLocation.io website

Among IP Location Lookup data sources, Criminal IP provides the most comprehensive data, offering 25 distinct data points for a single IP address.

**Evasion-Focused Dynamic Pattern Analysis Unveils Potential Attack Scenarios**

Users can also detect IP address obfuscation and protect their assets with new VPN, Proxy, and Tor data in IP Location. The aforementioned data helps identify discrepancies between actual and reported locations of an IP address, as well as traffic routed through multiple servers, thus revealing potential threats. The system goes beyond a mere review of past records; it offers predictive insights into future risks by analyzing behavioral patterns and potential attack scenarios. This underscores the CTI database’s distinctive capability to continuously learn and analyze attack patterns executed online.

**About AI SPERA**

AI SPERA equips cybersecurity professionals with advanced tools and insights to protect digital assets. Its flagship products include Criminal IP, renowned for its AI-based search engine, as well as attack surface management and fraud detection for enterprise solutions. The firm’s established presence in major marketplaces like AWS and Snowflake further underscores its credibility and the trust placed in its services by leading industry players. Recently, AI SPERA achieved Level 1 certification under PCI DSS v4.0, overseen by the six leading global card issuers, showcasing its commitment to top-tier data security.

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Criminal IP Teams Up with IPLocation.io to Deliver Unmatched IP Solutions to Global Audiences

The Institute for Security and Technology's UnDisruptable27 project connects technology firms with the public sector to strengthen US cyber defenses in case of attacks on critical infrastructure.

Source: Nico El Nino via Alamy Stock Photo

What would a worst-case scenario look like for your town? The power grid going out, leaving your community without electricity for days on end? Or a disruption to the local water supply? Or a cyberattack on the emergency medical response system and medical facilities, leaving people stranded, without access to care during life-threatening situations? 

These are the kinds of scenarios that UnDisruptable27 seeks to prepare for–cyberattacks against critical infrastructure in local communities across the United States–focusing on four principal areas: water and wastewater; emergency medical care and hospital services; food supply chains; and local power supplies. 

The program is led by the Institute for Security and Technology, a nonprofit think tank that seeks to connect the technology world and the public sector, and kicked off this summer with a pilot program, funded by a $700,000 grant from Craig Newmark Philanthropies as part of the organization’s Cyber Civil Defense initiative. The initial phase will focus on the nexus of water and emergency medical care. The project is spearheaded by Josh Corman, Executive in Residence at IST and co-founder of I am The Cavalry and CyberMedSummit. 

"Whether it’s food or shelter or warmth, everyone relies on infrastructure to live. Bad actors know that, too. This isn’t alarmism. It’s a very real threat our country faces today. It’s all our job to push governments and utilities and companies to be better on this stuff. That means extra work for maybe understaffed IT, and they can get very annoyed with me, okay if it helps prepare for the worst," Craig Newmark says. "In the meantime, I’m putting my money where my mouth is."

The project’s initial phase involves engaging stakeholders and listening to their concerns and limitations, whether they’re financial, technical or a combination of the two, says Megan Stifel, Chief Strategy Officer for the Institute for Security and Technology.

Like the scramble to prepare for Y2K, the UnDisruptable27 initiative benefits from having a tangible timeline, whether any specific threats materialize, Stifel says. 

The call-to-action was spurred by public hearings earlier this year where Congress and U.S. government cybersecurity leaders explored the potential threats to infrastructure posed by China’s Volt Typhoon group or other state-sponsored actors. The project's goal is to make critical infrastructure supporting basic human needs "undisruptable" by 2027. 

"We are seeing more disruptions, larger disruptions, longer disruptions, and more public life- and safety-affecting disruptions. And that's not okay. That trajectory is unsustainable," says Corman. He calls areas like water and power delivery systems and other infrastructure "target-rich and cyber-poor," meaning they represent a massive attack surface, yet lack the resources to adequately protect themselves from cyberattacks. 

"If we see hybrid conflict on top of the disruption trend that we already see, the average citizen is not prepared," Corman says. "We don't want panic and we don't want preppers, but what we do think is no one should be blindsided or surprised by this, and we can make choices between now and an era of potential heightened geopolitical context or conflict context."

To help stress the need and get the public onboard, UnDisruptable27 is taking a page from the natural disaster preparedness playbook and leveraging communications strategies and narrative to influence communities to prepare. 

"We really haven't reached the public, and that's why the public continues to be disrupted and surprised every time there's a Crowd Strike or NotPetya or an Ascension Health," Corman says. "So we're going to go down to meet owners and operators of these critical infrastructure sectors, municipal leadership in the last mile in these communities, and possibly, and probably even citizens directly for this education campaign. And what that means is we have to meet them where they are."

The group chose to initially focus on the intersection of water and health care because it’s already in the public eye, according to Corman. 

One potential resource for local communities could come in the form of help from the Consortium of Cyber Security Clinics, a network of university-based clinics that train students to do direct engagement with under-resourced organizations who need help regarding their cybersecurity maturity. While in its early phases, Corman and UnDisruptable27 will identify areas of need and connect with municipalities and utilities. In later stages, the group hopes to partner with the clinics to connect those needing help with resources. 

Smaller organizations in local communities are incredibly vulnerable, says Sarah Powazek, Program Director of Public Interest Cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity. These under-resourced communities can provide very attractive targets for cyber attackers, and projects like UnDisruptable27 have the potential to have significant impact.

“I think that the most important institutions to protect aren't always the largest. I think we're really missing this network of care at the community level. And I think we're missing a strategy to help them protect themselves in a long term sustainable fashion. And I think that the UnDisruptable project is going to be one of many initiatives that is needed to help serve these institutions,” Powazek says.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

UnDisruptable27 Project Wants to Shore Up Critical Infrastructure Security

Private Cloud Compute is an entirely new kind of infrastructure that, Apple’s Craig Federighi tells WIRED, allows your personal data to be “hermetically sealed inside of a privacy bubble.”

The generative AI boom has, in many ways, been a privacy bust thus far, as services slurp up web data to train their machine learning models and users’ personal information faces a new era of potential threats and exposures. With the release of Apple’s iOS 18 and macOS Sequoia this month, the company is joining the fray, debuting Apple Intelligence, which the company says will ultimately be a foundational service in its ecosystem. But Apple has a reputation to uphold for prioritizing privacy and security, so the company took a big swing. It has developed extensive custom infrastructure and transparency features, known as Private Cloud Compute (PCC), for the cloud services Apple Intelligence uses when the system can't fulfill a query locally on a user's device.

The beauty of on-device data processing, or “local” processing, is that it limits the paths an attacker can take to steal a user's data. The data never leaves the computer or phone, so that's what the attacker has to target. It doesn't mean an attack will never be successful, but the battleground is defined and constrained. Giving data to a company to process in the cloud isn't inherently a security issue—an unfathomable amount of data moves through global cloud infrastructure safely every day. But it expands that battlefield immensely and also creates more opportunities for mistakes that inadvertently expose data. The latter has particularly been an issue with generative AI given the unintended ways that a system tasked with generating content may access and share information.

With Private Cloud Compute, Apple has developed an array of innovative cloud security technologies. But the service is also significant for pushing the limits of what is an acceptable business proposition for a cloud service, seemingly prioritizing secure architecture over what would be most technically efficient or economical.

“We set out from the beginning with a goal of how can we extend the kinds of privacy guarantees that we’ve established with processing on-device with iPhone to the cloud—that was the mission statement," Craig Federighi, senior vice president of software engineering at Apple, tells WIRED. “It took breakthroughs on every level to pull this together, but what we’ve done is achieve our goal. I think this sets a new standard for processing in the cloud in the industry.”

To remove many of the potential attack points and pitfalls that cloud computing can introduce, Apple says its developers focused on the idea that “security and privacy guarantees are strongest when they are entirely technically enforceable” rather than implemented through policies.

In other words, you can have a plate of cupcakes on the counter and make a policy for yourself that you're not going to eat any of them. Or you could have a policy that you never make or buy cupcakes. But the Private Cloud Compute approach would be to move to a town with no bakeries, rip out your kitchen, and close your credit cards to prevent yourself from buying Easy Bake Ovens. That way there's no question about your cupcake access or the possibility of accidental cupcake hoarding.

**Starting Fresh**

Apple created purpose-built servers running Apple processors for PCC and developed a custom PCC server operating system that's a stripped down, hybrid version of iOS and macOS. The scheme incorporates hardware and software security features the company has developed for Macs and iPhones over the past two decades.

Unlike these consumer devices, though, PCC servers are as bare-bones as possible. For example, they don't include “persistent storage,” meaning that they don't have a hard drive that can keep processed data long-term. They do incorporate Apple's dedicated hardware encryption key manager known as the Secure Enclave and randomize each file system's encryption key at every boot up as well. This means that once a PCC server is rebooted, no data is retained and, as an additional precaution, the entire system volume is cryptographically unrecoverable. At that point, all the server can do is start fresh with a new encryption key.

PCC servers also use Apple's Secure Boot to validate the integrity of the operating system and use a code verification feature the company debuted with iOS 17, known as Trusted Execution Monitor. Instead of using Trusted Execution Monitor in the usual way for oversight, though, PCC runs it in a much stricter mode where once the server restarts and completes the boot sequence, the system locks down and can't load any new code whatsoever. Essentially, all the software the server needs to run gets pummeled with checks and validation and then goes into an envelope that's sealed before user requests and data can begin to process through.

More broadly, Apple says it completely replaced its normal server management tools for PCC. For example, most cloud platforms have policies and controls to prevent unauthorized access, but they also build “break in case of emergency”-type options so highly trusted system administrator accounts can take quick action in case of a bug or failure. In keeping with Apple's focus on technically enforceable guarantees versus policy guarantees, PCC doesn't allow privileged access and drastically limits remote management options.

In recent years, Apple took a major security step by offering its users end-to-end encryption for iCloud backups, in which the company simply holds data in its cloud infrastructure for its customers and doesn't have the technical capability to decrypt and read that data. With current technology, such a scheme is impossible to implement for generative AI because the system needs to process the inputs to give an output. For example, if you want Apple Intelligence to give you a summary of all the text messages and emails you've received in the past three hours, the system needs access to those messages. End-to-end encryption would make that access virtually impossible.

Apple says it is still committed to doing as much Apple Intelligence processing as possible on-device, and a brand new iPhone 16 with its A18 chip, for example, will be able to do more AI processing locally than an iPhone 15 with an A16 chip. Still, the reality seems to be that Apple will need to do a substantial amount of Apple Intelligence processing in the cloud—hence the investment in developing PCC. (In iOS 18.1, users can go to Settings > Privacy & Security > Apple Intelligence Report to view a log of which requests are processed on device versus in the cloud.)

“What was really unique about the problem of doing large language model inference in the cloud was that the data had to at some level be readable by the server so it could perform the inference. And yet, we needed to make sure that that processing was hermetically sealed inside of a privacy bubble with your phone," Federighi says. “So we had to do something new there. The technique of end-to-end encryption—where the server knows nothing—wasn’t possible here, so we had to come up with another solution to achieve a similar level of security.”

Still, Apple says that it offers “end-to-end encryption from the user’s device to the validated PCC nodes, ensuring the request cannot be accessed in transit by anything outside those highly protected PCC nodes.” The system is architected so Apple Intelligence data is cryptographically unavailable to standard data center services like load balancers and logging devices. Inside a PCC cluster, data is decrypted and processed, but Apple emphasizes that once a response is encrypted and sent on its journey to the user, no data is retained or logged and none of it is ever accessible to Apple or its individual employees.

**Open Book, Closed System**

Apple says the overarching vision for PCC is that an attacker should have to compromise the entire system—a difficult thing to do at all much less without being detected—in order to target a specific user's personal data. Even if an attacker could physically compromise an individual live PCC node, the system is devised with an anonymous relay feature so the queries and data on any one node can't be connected to individual users.

It all sounds pretty groovy, but the notoriously secretive company seems to be aware that professing to do all of these things and claiming to offer technical guarantees is ultimately only compelling with proof and transparency. So PCC includes an external auditing mechanism that serves a crucial dual purpose.

Apple is making every production PCC server build publicly available for inspection so people unaffiliated with Apple can verify that PCC is doing (and not doing) what the company claims, and that everything is implemented correctly. All of the PCC server images are recorded in a cryptographic attestation log, essentially an indelible record of signed claims, and each entry includes a URL for where to download that individual build. PCC is designed so Apple can't put a server into production without logging it. And in addition to offering transparency, the system works as a crucial enforcement mechanism to prevent bad actors from setting up rogue PCC nodes and diverting traffic. If a server build hasn't been logged, iPhones will not send Apple Intelligence queries or data to it.

PCC is part of Apple's bug bounty program, and vulnerabilities or misconfigurations researchers find could be eligible for cash rewards. Apple says, though, that since the iOS 18.1 beta became available in late July, no on has found any flaws in PCC so far. The company recognizes that it has only made the tools to evaluate PCC available to a select group of researchers so far.

Multiple security researchers and cryptographers tell WIRED that Private Cloud Compute looks promising, but they haven't spent significant time digging into it yet.

“Building Apple silicon servers in the data center when we didn’t have any before, building a custom OS to run in the data center was huge,” Federighi says. He adds that “creating the trust model where your device will refuse to issue a request to a server unless the signature of all the software the server is running has been published to a transparency log was certainly one of the most unique elements of the solution—and totally critical to the trust model.”

To questions about Apple's partnership with OpenAI and integration of ChatGPT, the company emphasizes that partnerships are not covered by PCC and operate separately. ChatGPT and other integrations are turned off by default, and users must manually enable them. Then, if Apple Intelligence determines that a request would be better fulfilled by ChatGPT or another partner platform, it notifies the user each time and asks whether to proceed. Additionally, people can use these integrations while logged into their account for a partner service like ChatGPT or can use them through Apple without logging in separately. Apple said in June that another integration with Google's Gemini is also in the works.

Apple said this week that beyond launching in United States English, Apple Intelligence is coming to Australia, Canada, New Zealand, South Africa, and the United Kingdom in December. The company also said that additional language support—including for Chinese, French, Japanese, and Spanish—will drop next year. Whether that means that Apple Intelligence will be permitted under the European Union's AI Act and whether Apple will be able to offer PCC in its current form in China is another question.

“Our goal is to bring ideally everything we can to provide the best capabilities to our customers everywhere we can,” Federighi says. “But we do have to comply with regulations, and there is uncertainty in certain environments we’re trying to sort out so we can bring these features to our customers as soon as possible. So, we’re trying.”

He adds that as the company expands its ability to do more Apple Intelligence computation on-device, it may be able to use this as a workaround in some markets.

Those who do get access to Apple Intelligence will have the ability to do far more than they could with past versions of iOS, from writing tools to photo analysis. Federighi says that his family celebrated their dog’s recent birthday with an Apple Intelligence–generated GenMoji (viewed and confirmed to be very cute by WIRED). But while Apple's AI is meant to be as helpful and invisible as possible, the stakes are incredibly high for the security of the infrastructure underpinning it. So how are things going so far? Federighi sums it up without hesitation: “The rollout of Private Cloud Compute has been delightfully uneventful.”

Apple Intelligence Promises Better AI Privacy. Here’s How It Actually Works

An attacker with authenticated access to VICIdial version 2.14-917a as an agent can execute arbitrary shell commands as the root user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

Tag

#ios