An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

**Mozilla Foundation Security Advisory 2022-24**

Announced

June 28, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 102

_Note_: While Bug 1771084 does not represent a specific vulnerability that was fixed, we recommend anyone rebasing patches to include it. 102 branch: Patch 1 and 2. 91 Branch: Patch 1 and 2 (Despite saying Parts 2 and 3, there is no Part 1)

**#CVE-2022-34479: A popup window could be resized in a way to overlay the address bar with web content**

Reporter

Irvan Kurniawan

Impact

high

**Description**

A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks.  
_This bug only affects Firefox for Linux. Other operating systems are unaffected._

**References**

*   Bug 1745595

**#CVE-2022-34470: Use-after-free in nsSHistory**

Reporter

Armin Ebert

Impact

high

**Description**

Session history navigations may have led to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1765951

**#CVE-2022-34468: CSP sandbox header without \`allow-scripts\` can be bypassed via retargeted javascript: URI**

Reporter

Armin Ebert

Impact

high

**Description**

An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link.

**References**

*   Bug 1768537

**#CVE-2022-34482: Drag and drop of malicious image could have led to malicious executable and potential code execution**

Reporter

Attila Suszter

Impact

moderate

**Description**

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34483.

**References**

*   Bug 845880

**#CVE-2022-34483: Drag and drop of malicious image could have led to malicious executable and potential code execution**

Reporter

Eduardo Braun Prado

Impact

moderate

**Description**

An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code. While very similar, this is a separate issue from CVE-2022-34482.

**References**

*   Bug 1335845

**#CVE-2022-34476: ASN.1 parser could have been tricked into accepting malformed ASN.1**

Reporter

Gustavo Grieco

Impact

moderate

**Description**

ASN.1 parsing of an indefinite SEQUENCE inside an indefinite GROUP could have resulted in the parser accepting malformed ASN.1.

**References**

*   Bug 1387919

**#CVE-2022-34481: Potential integer overflow in ReplaceElementsAt**

Reporter

Ronald Crane

Impact

moderate

**Description**

In the nsTArray_Impl::ReplaceElementsAt() function, an integer overflow could have occurred when the number of elements to replace was too large for the container.

**References**

*   Bug 1497246
*   Bug 1483699

**#CVE-2022-34474: Sandboxed iframes could redirect to external schemes**

Reporter

Amazon Malvertising Team

Impact

moderate

**Description**

Even when an iframe was sandboxed with allow-top-navigation-by-user-activation, if it received a redirect header to an external protocol the browser would process the redirect and prompt the user as appropriate.

**References**

*   Bug 1677138

**#CVE-2022-34469: TLS certificate errors on HSTS-protected domains could be bypassed by the user on Firefox for Android**

Reporter

Peter Gerber

Impact

moderate

**Description**

When a TLS Certificate error occurs on a domain protected by the HSTS header, the browser should not allow the user to bypass the certificate error. On Firefox for Android, the user was presented with the option to bypass the error; this could only have been done by the user explicitly.  
_This bug only affects Firefox for Android. Other operating systems are unaffected._

**References**

*   Bug 1721220

**#CVE-2022-34471: Compromised server could trick a browser into an addon downgrade**

Reporter

Rob Wu

Impact

moderate

**Description**

When downloading an update for an addon, the downloaded addon update's version was not verified to match the version selected from the manifest. If the manifest had been tampered with on the server, an attacker could trick the browser into downgrading the addon to a prior version.

**References**

*   Bug 1766047

**#CVE-2022-34472: Unavailable PAC file resulted in OCSP requests being blocked**

Reporter

Laurent Bigonville

Impact

moderate

**Description**

If there was a PAC URL set and the server that hosts the PAC was not reachable, OCSP requests would have been blocked, resulting in incorrect error pages being shown.

**References**

*   Bug 1770123

**#CVE-2022-34478: Microsoft protocols can be attacked if a user accepts a prompt**

Reporter

Gijs

Impact

moderate

**Description**

The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild (although we know of none exploited through Firefox), so in this release Firefox has blocked these protocols from prompting the user to open them.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1773717

**#CVE-2022-2200: Undesired attributes could be set as part of prototype pollution**

Reporter

Manfred Paul via Trend Micro's Zero Day Initiative

Impact

moderate

**Description**

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution.

**References**

*   Bug 1771381

**#CVE-2022-34480: Free of uninitialized pointer in lg\_init**

Reporter

Ronald Crane

Impact

low

**Description**

Within the lg_init() function, if several allocations succeed but then one fails, an uninitialized pointer would have been freed despite never being allocated.

**References**

*   Bug 1454072

**#CVE-2022-34477: MediaError message property leaked information on cross-origin same-site pages**

Reporter

jannis

Impact

low

**Description**

The MediaError message property should be consistent to avoid leaking information about cross-origin resources; however for a same-site cross-origin resource, the message could have leaked information enabling XS-Leaks attacks.

**References**

*   Bug 1731614

**#CVE-2022-34475: HTML Sanitizer could have been bypassed via same-origin script via use tags**

Reporter

Gareth Heyes

Impact

low

**Description**

SVG <use> tags that referenced a same-origin document could have resulted in script execution if attacker input was sanitized via the HTML Sanitizer API. This would have required the attacker to reference a same-origin JavaScript file containing the script to be executed.

**References**

*   Bug 1757210

**#CVE-2022-34473: HTML Sanitizer could have been bypassed via use tags**

Reporter

Armin Ebert

Impact

low

**Description**

The HTML Sanitizer should have sanitized the href attribute of SVG <use> tags; however it incorrectly did not sanitize xlink:href attributes.

**References**

*   Bug 1770888

**#CVE-2022-34484: Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11**

Reporter

Mozilla developers and community

Impact

high

**Description**

The Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101 and Firefox ESR 91.10. Some of these bugs showed evidence of JavaScript prototype or memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 102 and Firefox ESR 91.11

**#CVE-2022-34485: Memory safety bugs fixed in Firefox 102**

Reporter

Mozilla developers and community

Impact

moderate

**Description**

Mozilla developers Bryce Seager van Dyk and the Mozilla Fuzzing Team reported potential vulnerabilities present in Firefox 101. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 102

CVE-2022-34468: Security Vulnerabilities fixed in Firefox 102

Less is often more when it comes to both infosec and eco-friendly computing practices

Adam Bannister 22 December 2022 at 15:35 UTC  
Updated: 22 December 2022 at 15:42 UTC

Less is often more when it comes to both infosec and eco-friendly computing practices

Reducing the carbon footprint of computing architecture could play a role not just in tackling climate change but another growing, borderless threat too – cyber-attacks.

That’s according to co-authors of a white paper that highlights how best practices for making cloud infrastructure secure and sustainable sometimes happily overlap with the common pursuit of efficiencies.

“The lowest hanging fruit for sustainability is to do less and save less data, which should also reduce attack surfaces,” Anne Currie, co-author of draft paper ‘The State of Green Cloud Software Practices’ and community chair at Green Software Foundation, told The Daily Swig.

Read more of the latest news about secure development

Fellow co-author Paul Johnston, founder of UK tech consultancy Roundabout Labs and former senior developer advocate for serverless at Amazon Web Services (AWS), echoes these sentiments.

“My take is that generally, greener means fewer lines of code and that means smaller attack surface,” he told The Daily Swig. Johnston said this also means “better use of managed services which, again, generally means that your attack surface is reduced (services tend to be better for infosec)”.

Shutting down defunct applications and services has the same effect. “Unmaintained, zombie, workloads are bad for the environment as well as being a security risk,” reads the white paper, which also has contributors from Red Hat, Microsoft, and the Green Web Foundation.

**Memory-safe languages**

Developers are urged to “rewrite code to use a more lightweight framework or language. Moving from Python to Rust could result in a 10-fold cut in CPU requirements, for example,” says the white paper. This could have security benefits insofar as Rust is, unlike Python, memory safe by default.

The white paper also endorses Golang as “an efficient language and easier than the classic HPC options of C or C++”.

Again, there is some positive correlation here with security best practices given the US National Security Agency (NSA) recently urged (PDF) organizations to abandon languages lacking “inherent memory protection, such as C/C++”, in favor of memory-safe alternatives like Golang, C#, Java, Ruby, and Swift.

Indeed, C and C++ have been blamed for the fact 70% of Microsoft and Google Chrome flaws are memory safety vulnerabilities.

Rust is seen as considerably more energy-efficient than Python

**Security and C, C++**

However, it’s perhaps reductive to conclude that ‘lightweight’ languages – generally defined in terms of syntax, memory footprint, and implementation complexity – are inherently more secure or sustainable in every context.

After all, it’s perfectly possible to write a super-efficient, ‘green’ program in C++, but this is obviously contingent on the developer’s aptitude.

“Vulnerabilities are less likely if the language constructs make it so the easy or obvious way either can’t or is unlikely to be a vulnerability,” David A Wheeler, director of open source supply chain security at the Linux Foundation, told The Daily Swig.

DON’T MISS ‘We don’t teach developers how to write secure software’: David A Wheeler on reversing CVE surge

“C is a relatively simple programming language in the sense that it has relatively few constructs; in that view, it’s lightweight. However, many operations in C (array deference, pointer assignment, or dereference, etc) provide no automatic protections, so any mistake can quickly lead to a vulnerability.

“In contrast, C++ is a much larger and more complex language than C,” continued Wheeler. “In at least some measures it wouldn’t be considered lightweight. However, its lack of many safety mechanisms by default leads to the same problems.”

**Managed cloud services**

Managed cloud services are also endorsed by the sustainable computing white paper because, among other things, they offer high compute density and autoscaling via serverless services.

Yet some enterprises are still nervous about moving data security into shared environments. Ann Currie, a software engineer as well as sci-fi author, considers these fears completely unjustified.

“The cloud puts way more effort into infosec than companies,” says Currie. “It’s a classic area where specialists kick the butt of the (usually) generalists in enterprises.”

Nevertheless, Paul Johnston warns that delegating security functions does create risks.

Catch up with the latest articles about security best practices

“The benefits of a ‘greener’ approach (even if unintentional) are very positive from an infosec view,” he explains.

“However, there is a possible downside in that the security side that you resolve by using managed services or by reducing code can then lead to an element of complacency about the elements that are often a little more complicated.”

The white paper also recommends “moving more work to the client or edge”, which generates security challenges, albeit solvable ones, by extending the attack surface beyond the data center.

Another sustainability goal is surely an unequivocal plus for security. Currie, Johnston, and their fellow co-authors envisage a future where firmware remains backwards-compatible with devices that are at least 10 years old – keeping users protected by security patches for longer.

**Eco incentives**

Compliance and shareholder pressures plus lower running costs surely persuaded tech giants like Microsoft to set ambitious targets for becoming fully carbon neutral or even carbon negative.

Nevertheless, Currie suspects the potentially dire reputational and financial costs of neglecting cybersecurity are an even stronger incentive for change.

“Getting sustainability to the top of the priority list is harder than getting security there,” she says. “The good news is cloud managed services are usually fairly sustainable and secure.”

In other words: anyone trying to persuade organizations to make their computing practices greener would be wise to flag any incidental security benefits when doing so.

RECOMMENDED Deserialized WebSec roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs

Lean, green coding machine: How sustainable computing drive can reduce attack surfaces

**SAN FRANCISCO****,** **Dec. 22, 2022** **/PRNewswire/ --** The global passwordless authentication market size is expected to reach USD 55.70 billion by 2030, growing at promising 18.2% CAGR, according to a new report by Grand View Research, Inc. Passwordless authentication is a security procedure that uses unique biological traits of a person to validate their authenticity.

**Key Industry Insights & Findings from the report:**

*   Growing investments in developed countries such as the U.S., Canada, Germany, France, and the U.K. for implementing passwordless authentication technology is a crucial factor driving the growth.
*   Fingerprint recognition and facial recognition provide various benefits. The increased security, accountability, convenience, and their non-transferable nature are crucial drivers for the growth.
*   The surge in e-commerce and internet banking, as well as legislations by various authorities such as central banks mandates large organizations to utilize robust authentication mechanisms to authenticate customers.
*   Multi-factor authentication protects clients from phishing attempts and fraudulent purchases and secures transactions.

Read 117-page market research report, "Passwordless Authentication Market Size, Share & Trends Analysis Report By Component, By Product Type (Facial Recognition, Fingerprint, Iris), By Authentication Type, By Portability, By End-user, By Region, And Segment Forecasts, 2022 - 2030", published by Grand View Research.

**Passwordless Authentication Market Growth & Trends**

The increasing adoption of smartphones and other electronic gadgets is a crucial element driving the biometric authentication market forward. According to a July 2022 Oxford Economics and Samsung study, up to 85% of small and midsize enterprises allow all or most of their staff to use mobile devices for work. Personal laptops and smartphones used by employees might expose a small firm to the dangers of unauthorized access to proprietary data, files, and systems. Such solutions remain the need of the hour and growing focus of many companies around the world.

For instance, in September 2022, AaDya Security, a cyber-security firm, announced the availability of passwordless authentication for Judy, the first all-in-one cybersecurity solution for SMEs. The new security feature protects how small business employees access company resources, mainly when they operate remotely and on mobile phones and personal laptops.

The growing requirement for an additional layer of protection beyond passwords fuels the growth of the passwordless authentication industry. To authenticate identities, fingerprint sensors and smartcards are utilized, and these security points allow for a seamless experience and data flow across locations. Most businesses are using voice biometric authentication in their workplaces for their personnel.

Reduced fraud exposure and lower authentication costs often drive organizations to implement voice biometric technology in their facilities. For instance, in July 2022, Turant Inc., a voice biometric AI firm, launched its cutting-edge AI solution in India. The company seeks to eliminate OTP-related fraud in transactions across use cases across business/industry domains, including e-commerce deliveries, by making it available in all Indian languages and roughly 20,000 dialects.

Furthermore, due to the increasing number of incidences of data theft around the world, passwordless authentication has gained popularity. Data theft issues in devices such as computers, cellphones, and tablets have increased the requirement for protection beyond passwords. fingerprint sensors and facial recognition are ways modern gadgets can be secured to prevent data theft.

For instance, in August 2022, ForgeRock, an international identity and access management software business, established strategic cooperation with Israeli software company Secret Double Octopus. ForgeRock will use SDO technology to provide employees, contractors, and vendors with a unified multi-factor secure experience. ForgeRock Enterprise Connect, the new solution, connects effortlessly with any ForgeRock deployment option, allowing organizations to gain increased security for databases, workstations, VPNs, and servers.

**Passwordless Authentication Market Segmentation**

Grand View Research has segmented the global passwordless authentication market based on component, product type, authentication type, portability, end-user, and region:

**Passwordless Authentication Market - Component Outlook (Revenue, USD Million, 2017 - 2030)**

*   Hardware
*   Software
*   Services

**Passwordless Authentication Market - Product Type Outlook (Revenue, USD Million, 2017 - 2030)**

*   Fingerprint Authentication
*   Palm Recognition
*   Iris Recognition
*   Face Recognition
*   Voice Recognition
*   Smart Card
*   Others

**Passwordless Authentication Market - Type Outlook (Revenue, USD Million, 2017 - 2030)**

*   Single-factor Authentication
*   Multi-factor Authentication

**Passwordless Authentication Market - Portability Outlook (Revenue, USD Million, 2017 - 2030)**

*   Fixed
*   Mobile

**Passwordless Authentication Market - End-user Outlook (Revenue, USD Million, 2017 - 2030)**

*   IT & Telecom
*   Retail
*   Transportation & Logistics
*   Aerospace & Defense
*   BFSI
*   Healthcare
*   Government
*   Others

**Passwordless Authentication Market - Regional Outlook (Revenue, USD Million, 2017 - 2030)**

*   North America

*   U.S.
*   Canada
*   Mexico

*   Europe

*   U.K.
*   Germany
*   France

*   Asia Pacific

*   China
*   India
*   Japan

*   Central & South America

*   Brazil

*   Middle East and Africa (MEA)

**List of Key Players in the Passwordless Authentication Market**

*   ASSA ABLOY
*   DERMALOG Identification Systems GmbH
*   East Shore Technology, LLC
*   Fujitsu
*   HID Global Corporation
*   M2SYS Technology
*   Microsoft
*   NEC Corporation
*   Safran
*   Thales.

**Check out more related studies published by Grand View Research:**

*   Facial Recognition Market **\-** The global facial recognition market size is expected to reach USD 12.11 billion by 2028 according to a new report by Grand View Research, Inc. The market is anticipated to expand at a CAGR of 15.4% from 2021 to 2028. Facial recognition is a contactless biometric solution that is a critical factor contributing the market growth.
*   Multi-factor Authentication Market \- The global multi-factor authentication (MFA) market size is expected to reach USD 17.76 billion by 2025, according to a new study by Grand View Research, Inc., experiencing a CAGR of 15.07% during the forecast period. Increasing implementation of BYOD and cloud-based services across enterprises, along with the growing security regulations and mandates, is benefiting market growth.
*   3D Secure Payment Authentication Market \- The global 3D secure payment authentication market size is expected to reach USD 2.76 billion by 2030, growing at a CAGR of 12.2% from 2022 to 2030, according to a new study conducted by Grand View Research, Inc. The rising demand for e-commerce has augmented the use of Card Not Present (CNP) transactions. As a result of such an increase in CNP transactions, the growth in CNP fraud transactions has been observed over the past few years.

**Browse through Grand View Research's** Next Generation Technologies Industry **Research Reports.**

**About Grand View Research**

Grand View Research, U.S.-based market research and consulting company, provides syndicated as well as customized research reports and consulting services. Registered in California and headquartered in San Francisco, the company comprises over 425 analysts and consultants, adding more than 1200 market research reports to its vast database each year. These reports offer in-depth analysis on 46 industries across 25 major countries worldwide. With the help of an interactive market intelligence platform, Grand View Research Helps Fortune 500 companies and renowned academic institutes understand the global and regional business environment and gauge the opportunities that lie ahead.

Passwordless Authentication Market to Be Worth $55.7 Billion by 2030: Grand View Research, Inc.

With a recession potentially coming, some companies are cutting security teams. But moving more infrastructure to the cloud and reducing the number of vendors through consolidation may be the best ways to prepare.

As economic forecasters and businesses raise expectations of a recession in 2023, information-security budgets will likely be pressured in the coming year, experts tell Dark Reading.

Because of latent demand, the call for cybersecurity workers is in flux. While some companies — Patreon, for example — have laid off their cybersecurity teams, other businesses are pausing hiring, as many have open requisitions for cybersecurity specialists. It would be difficult to fill positions anyway: There are currently only enough cybersecurity workers to fill 65% of positions, according to CyberSeek US.

Instead, security teams will have to make do with what they have going forward. The best way to do that is consolidating vendors to reduce costs, and find ways to bring in managed security service providers (MSSPs) to help with areas in which they lack expertise, says Mike Hamilton, chief information security officer at threat-detection and management firm Critical Insight.

"Enterprises have the ability to hire and maintain large teams, so they will continue to do that, but in the mid-market, IT has just got to suck it up and do more security as part of their job," he says. "That's pretty much they way it is everywhere."

While economists and business leaders do not have a great track record for forecasting recessions, current surveys of sentiment have set historical records for recessionary predictions. The Wall Street Journal's quarterly survey of economists found that 63% expect a recession in the next 12 months, the highest registered negative sentiment from economists in the nation outside of an ongoing recession.

Half of companies are already considering instituting IT technology austerity measures, a share that will likely increase if a recession takes hold. Yet, information security should not relax their defensive vigilance, says Merritt Maxim, vice president and research director at Forrester Research.

"Companies need to be as diligent as before," he says. "Hackers and others are not going to stop doing what they have been doing, because of a recession. That will actually spur more activity."

**Turning to the Cloud to Cut IT Security Costs**

Companies should consider moving more infrastructure to the cloud as an austerity measure, experts say. While US firms have moved less than half (45%) of current infrastructure to cloud services, they expect to have 58% of their applications in the cloud in two years, according to Forrester.

While cloud costs have risen and cloud-native application require a different set of skills to secure, they still cost less than equivalent on-premise technologies, Forrester stated in its "Planning Guide 2023: Security & Risk" report. Based on the costs for maintenance, licensing, upgrades, and other investments, on-premises technology consumes the largest percentage of security costs — 41% for companies spending 20% or less of their IT budget on security.

Other experts also recommended cloud infrastructure as being easier and less costly to secure.

"Budget pressure also poses an opportunity and added incentive to accelerate this transformation rather than continue to execute on previous templates," enterprise software firm SAP stated in its security recommendations for 2023. "The cloud poses new security challenges, but also capabilities to optimize and make use of economies of scale."

**Security Vendor Consolidation Reigns: But It May Not Be a Choice**

Managing the disparate security, compliance, and threat-intelligence systems necessary to have visibility and control in a corporate environment has ballooned in the past decade. The average large company has 75 security solutions, according to Microsoft. Over all businesses, the number is smaller but still large, with 13% of companies having more than 20 vendors, according to Cisco's 2020 CISO Benchmark Study.

No wonder, then, that consolidation has become a major strategy going into 2023, with three-quarters of businesses planning to reduce the number of security vendors on which they rely. And many vendors are leaning into that consolidation strategy, not surprisingly. Microsoft, for example, touts cost savings as one of the benefits of consolidating to a single vendor's products and services, claiming that unifying security, compliance, and identity solutions can save up to 60% in costs.

"Managing multiple vendors can be burdensome for IT, while valuable security insights sit siloed in separate dashboards," Vasu Jakkal, corporate vice president for security, compliance, identity, and management at Microsoft, stated in a blog post. "And siloed solutions can result in fragmented visibility and can be exploited."

As part of the strategy, many vendors are buying up smaller firms and rivals — a mixed blessing for companies given that they may have fewer choices in the future. Companies may get more capabilities for less, but they may also find themselves paying for unwanted features, says Forrester's Maxim.

"Whether companies are planning to consolidate or not, I think a lot of consolidation is going to happen on its own, either through strategic M&A or fire-sale M&A, because of where we at in this economy," he says. "Private equity still has a huge amount of capital, and the operations benefits from reducing the number of vendors is significant."

Finally, organizations will find that there are some costly security and risk areas that they simply cannot jettison, such as compliance and governance costs, Critical Insight's Hamilton says. Publicly traded companies, in particular, have little leeway in cutting the costs associated with some regulations.

"You cannot neglect things like governance," he tells Dark Reading, "and you have to make sure your compliance is being met every year."

Security on a Shoestring? Cloud, Consolidation Best Bets for Businesses

Our growing interconnectedness poses almost as many challenges as it does benefits.

The number of cyberattacks around the world jumped 28% in the third quarter of 2022. Such a figure is not surprising because recent years have brought more and bigger attacks on almost every sector. The coming year will no doubt also be filled with attacks and risks, despite companies spending even more on solutions and both governments and the private sector taking further steps to prioritize security.

While many of the current trends will continue, there also will be significant changes and developments in the year ahead. The increasingly efficient and business-minded manner of both cybercriminals and state-backed attackers will drive many of these growing trends and new challenges.

**Expect More Disruptive Attacks**

Business disruption due to cyberattacks is on track to become a bigger problem. During the past 12 months, 93% of organizations have suffered a data-related business disruption, and 43% reported permanent data loss, according to a recent survey. This comes as attackers move away from ransomware attacks, which hold data hostage for money and have fallen by 8% in recent months, and carry out attacks simply to disrupt services and activities, sometimes by erasing data, rather than to raise money. 

Political motivations are often behind such purely disruptive attacks, including Russia-linked or Russia-backed hackers who have targeted businesses in Ukraine, or those that support Ukraine. The public nature of these disruptive attacks, including denial-of-service (DoS) attacks, is also an effective way for hacking groups to build up their brands. This public relations effort is important as more groups, including the infamous Conti group that shut down several government websites and services for months in Costa Rica, seek affiliates to work with on attacks.

**Signs Are Pointing to a Catastrophic Attack**

We will not likely get through the coming year without some sort of catastrophic attack on a very strategic and important network or service provider like Gmail, WhatsApp, or Microsoft. We have long known — and it became even more clear from Twitter whistleblower and former head of security Peiter Zatko, who exposed lax data security practices at the social media giant — that the biggest tech companies, with the biggest security budgets, still have severe challenges. 

If a global software provider or communication platform is attacked it could lead to significant disruption of business and communication, and put the personal data of billions at risk. It would be a worldwide event with lasting economic, social, and political consequences.

**Supply Chain Attacks Will Persist — and Grow**

Supply chain attacks, in which bad actors gain access to organizations through third parties, enabling one attack to include hundreds of victims, will continue to increase as hacking groups become more business-oriented and concerned with efficiency. These types of attacks have already increased by nearly eightfold over the past three years. Many of the largest and most threatening groups are no longer operating alone. In addition to working with affiliates, they are working with states. States are hiring them, funding them, or simply providing them a safe harbor from which to operate. With more at stake, including funding from government or affiliates, these groups are under pressure to accomplish more damage in shorter amounts of time, in the most efficient way possible.

These bad actors are evolving into a modern form of organized crime, and as long as efficiency and results remain important to them, they will pursue supply chain attacks. Such attacks put every sort of organization that uses any type of cloud software at risk, meaning every company must embrace intelligence and be prepared for attacks from sophisticated criminal gangs or state-backed attackers.

**Personalized Attacks Will Target Executives and Their Friends and Family**

We will see more personalization of attacks, including bad actors using tactics like demanding money or network access credentials in return for not releasing valuable or sensitive data they already have. A growing related tactic is "sextortion," or threatening to release embarrassing information, photos, or videos unless the victim gives over money, information, or network credentials. In other cases, attackers offer to pay money in return for passwords or other information that can help them carry out a future cyberattack. 

What all of these attacks have in common is that they are very personal in nature, especially those that rely on sextortion. They can affect business executives, public figures, and anyone else who has a public profile or access to confidential or valuable data and information. But in addition, these types of attacks also often involve friends or family members of their ultimate victims. For example, in one case my company dealt with, a teenager received emails threatening to reveal that he was gay — something his family did not know — unless he installed some files on his home network. Acting out of fear, he installed the files, and this eventually gave a cyberattacker potential access to his mother, an executive at a large company.

With attackers growing more sophisticated and more focused on efficiency, it is more important than ever for businesses to understand and improve their security posture. In the constantly evolving threatscape, no organization can consider itself immune to attacks by the biggest hacking groups, including those backed or sheltered by governments. We are entering a new era in which interconnectedness poses almost as many challenges as it does benefits.

'Sextortion,' Business Disruption, and a Massive Attack: What Could Be in Store for 2023

New technical chatbot capabilities raise the promise that their help in threat modeling could free humans for more interesting work.

There's been a flood of news about OpenAI's new GPT-3 Chatbot. For all the very real critiques, it does an astounding and interesting job of producing reasonable responses. What does it mean for threat modeling? There's real promise that it will transform threat modeling as we know it. 

For readability, I'll just call it "chatbot." The specific examples I use are from OpenAI's implementation, but we can think about this as a new type of technical capability that others will start to offer, and so I'll go beyond what we see today. 

Let's start with what it can do, ask what can go wrong, see if we can manage those issues, and then evaluate. 

**What Chatbots Can Do**

On the Open Web Application Security Project® (OWASP) Slack, @DS shared a screenshot where he asked it to "list all spoofing threats for a system which has back-end service to back-end service interaction in Kubernetes environment in a table format with columns — threats, description, and mitigations."

    

The output is fascinating. It starts "Here is a table listing some examples …" Note the switch from "all" to "some examples." But more to the point, the table isn't bad. As @DS says, it provided him with a base, saving hours of manual analysis work. Others have used it to explain what code is doing or to find vulnerabilities in that code. 

Chatbots (more specifically here Large Language Models, including GPT-3) don't really know anything. What they do under the hood is pick statistically likely next words to respond to a prompt. What that means is they'll parrot the threats that someone has written about in their training data. On top of that, they'll use symbol replacement for something that appears to our anthropomorphizing brains to be reasoning by analogy. 

When I created the Microsoft SDL Threat Modeling Tool, we saw people open the tool and be unsure what to do, so we put in a simple diagram that they could edit. We talked about it addressing "blank page syndrome." Many people run into that problem as they're learning threat modeling. 

**What Can Go Wrong?**

While chatbots can produce lists of threats, they're not really analyzing the system that you're working on. They're likely to miss unique threats, and they're likely to miss nuance that a skilled and focused person might see. 

Chatbots will get good enough, and that "mostly good enough" is enough to lull people into relaxing and not paying close attention. And that seems really bad.  

To help us evaluate it, let's step way back, and think about why we threat model. 

**What Is Threat Modeling? What Is Security Engineering?**

We threat model to help us anticipate and address problems, to deliver more secure systems. Engineers threat model to illuminate security issues as they make design trade\-offs. And in that context, having an infinite supply of inexpensive possibilities seems far more exciting than I expected when I started this essay.

I've described threat modeling as a form of reasoning by analogy, and pointed out that many flaws exist simply because no one knew to look for them. Once we look in the right place, with the right knowledge, the flaws can be pretty obvious. (That's so important that making that easier is the key goal of my new book.) 

Many of us aspire to do great threat modeling, the kind where we discover an exciting issue, something that'll get us a nice paper or blog post, and if you just nodded along there … it's a trap. 

Much of software development is boring management of a seemingly unending set of details, such as iterating over lists to put things into new lists, then sending them to the next stage in a pipeline. Threat modeling, like test development, can be useful because it gives us confidence in our engineering work.

**When Do We Step Back?** 

Software is hard because it's so easy. The apparent malleability of code makes it easy to create, and it's hard to know how often or how deeply to step back. A great deal of our energy in managing large software projects (including both bespoke and general-use software) goes to assessing what we're doing, and getting alignment on priorities — all these other tasks are done occasionally, slowly, rarely, because they're expensive. 

It's not what the chatbots do today, but I could see similar software being tuned to report how much any given input changes its models. Looking across software commits, discussions in email and Slack, tickets, and helping us assess its similarity to other work could profoundly change the energy needed to keep projects (big or small) on track. And that, too, contributes to threat modeling. 

All of this frees up human cycles for more interesting work.

Threat Modeling in the Age of OpenAI's Chatbot

Threat actors continue to evolve the malicious botnet, which has also added a list of new vulnerabilities it can use to target devices.

A recently discovered botnet that attacks organizations through Internet of things (IoT) vulnerabilities has added brute-forcing and distributed denial-of-service (DDoS) attack vectors, as well as the ability to exploit new flaws to its growing arsenal, Microsoft security analysts have found. 

The updates to Zerobot, a malware first observed earlier this month by Fortinet researchers, pave the way for more advanced attacks as the threat continues to evolve, according to the Microsoft Security Threat Intelligence Center (MSTIC).

MSTIC revealed in a blog post on Dec. 21 that the threat actors have updated Zerobot to version 1.1, which can now target resources through DDoS and make them inaccessible, widening the possibilities for attack and further compromise.

"Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations," the researchers wrote in the post. "In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target."

**Brute-Forcing and Other Tactics**

Fortinet researchers already had tracked two previous versions of Zerobot — one that was quite basic and another that was more advanced. The botnet's principal mode of attack originally was to target various IoT devices — including products from D-Link, Huawei, RealTek, TOTOLink, Zyxel, and more — through flaws found in those devices, and then spread to other assets connected on the network that way to propagate the malware and grow the botnet.

Microsoft researchers now have observed the botnet getting more aggressive in its attacks on devices, using a new brute-force vector to compromise weakly secured IoT devices rather than just trying to leverage a known vulnerability, the researchers revealed.

"IoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors," they wrote in the post. "Zerobot is capable of propagating through brute-force attacks on vulnerable devices with insecure configurations that use default or weak credentials."

The malware attempts to to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices, the researchers wrote. In their observations alone, the MSTIC team identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.

**An Expanded Security Vulnerability Exploit List**

Zerobot hasn't abandoned its original way to access devices, however, and has even expanded this practice. Prior to its new version, Zerobot already could exploit more than 20 flaws in assorted devices, including routers, webcams, network-attached storage, firewalls, and other products from a host of well-known manufacturers.

The botnet has now added seven new exploits for flaws to its quiver, found in Apache, Roxy-WI, Grandstream, and other platforms, the researchers found.

MSTIC also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers, they added.

**Zerobot's Post-Compromise Behavior**

Researchers also observed more about Zerobot's behavior once it gains device access. For one, it immediately injects a malicious payload — which may be a generic script called "zero.sh" that downloads and attempts to execute the bot, or a script that downloads the Zerobot binary of a specific architecture, they said.

"The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds," the researchers wrote.

Once Zerobot achieves persistence, it scans for other devices exposed to the Internet that it can infect, by randomly generating a number between 0 and 255 and scanning all IPs starting with this value.

"Using a function called _new\_botnet\_selfRepo\_isHoneypot_, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources," the Microsoft researchers wrote. "This function includes 61 IP subnets, preventing scanning of these IPs."

Zerobot 1.1 uses scripts targeting various architectures, including ARM64, MIPS, and x86\_64. The researchers also have observed samples of the botnet on Windows and Linux devices, exhibiting different persistence methods based on the OS.

**Protecting the Enterprise**

Fortinet researchers already had stressed the importance of organizations immediately updating to the latest versions of any devices affected by Zerobot. Given that businesses are losing up to $250 million a year on unwanted botnet attacks, according to a report published last year from Netacea, the danger is real.

To help identify if an organization is vulnerable, Microsoft researchers included an updated list of CVEs that Zerobot can exploit in their post. The MSTIC team also recommended that organizations use security solutions with cross-domain visibility and detection capabilities to detect Zerobot malware variants and malicious behavior related to the threat.

Enterprises should also adopt a comprehensive IoT security solution that allows for visibility and monitoring of all IoT and operational technology (OT) devices, threat detection and response, and integration with SIEM/SOAR and extended detection and response (XDR) platforms, according to Microsoft.

As part of this strategy, they should ensure secure configurations for devices by changing default passwords to strong ones and blocking SSH from external access, as well as use least-privileges access including VPN service for remote access, the researchers said.

Another way to avoid compromise by Zerobot is to harden endpoints with a comprehensive security solution that manages the apps that employees can use and provides application control for unmanaged solutions, they said. This solution also should perform timely cleanup of unused and stale executables sitting on an organization's devices.

Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal

An exhaustive analysis of FIN7 has unmasked the cybercrime syndicate's organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks.
It has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware DarkSide, REvil, and LockBit families.
The highly active threat group, also known as Carbanak,

An exhaustive analysis of **FIN7** has unmasked the cybercrime syndicate's organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks.

It has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware DarkSide, REvil, and LockBit families.

The highly active threat group, also known as Carbanak, is known for employing an extensive arsenal of tools and tactics to expand its "cybercrime horizons," including adding ransomware to its playbook and setting up fake security companies to lure researchers into conducting ransomware attacks under the guise of penetration testing.

More than 8,147 victims have been compromised by the financially motivated adversary across the world, with a majority of the entities located in the U.S. Other prominent countries include China, Germany, Canada, Italy, and the U.K.

FIN7's intrusion techniques, over the years, have further diversified beyond traditional social engineering to include infected USB drives, software supply chain compromise and the use of stolen credentials purchased from underground markets.

"Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access," PRODAFT said in a report shared with The Hacker News.

According to the Swiss cybersecurity company, the threat actors have also been observed to weaponize flaws in Microsoft Exchange such as CVE-2020-0688, CVE-2021-42321, ProxyLogon, and ProxyShell flaws in Microsoft Exchange Server to obtain a foothold into target environments.

The use of double extortion tactics notwithstanding, attacks mounted by the group have deployed backdoors on the compromised systems, even in scenarios where the victim has already paid a ransom.

The idea is to resell access to other ransomware outfits and re-target the victims as part of its illicit money-making scheme, underscoring its attempts to minimize efforts and maximize profits, not to mention prioritize companies based on their annual revenues, founded dates, and the number of employees.

This "demonstrates a particular type of feasibility study considered a unique behavior among cybercrime groups," the researchers said.

Put differently, the modus operandi of FIN7 boils down to this: It utilizes services like Dun & Bradstreet (DNB), Crunchbase, Owler, and Zoominfo to shortlist firms and organizations with the highest revenue. It also uses other website analytics platforms like MuStat and Similarweb to monitor traffic to the victims' sites.

Initial access is then obtained through one of the many intrusion vectors, followed by exfiltrating data, encrypting files, and eventually determining the ransom amount based on the company's revenue.

These infection sequences are also designed to load the remote access trojans such as Carbanak, Lizar (aka Tirion), and IceBot, the latter of which was first documented by Recorded Future-owned Gemini Advisory in January 2022.

Other tools developed by FIN7 encompass modules to automate scans for vulnerable Microsoft Exchange servers and other public-facing web applications as well as Cobalt Strike for post-exploitation.

In yet another indication that criminal groups function like traditional companies, FIN7 follows a team structure consisting of top-level management, developers, pentesters, affiliates, and marketing teams, each of whom are tasked with individual responsibilities.

While two members named Alex and Rash are the chief players behind the operation, a third managerial member named Sergey-Oleg is responsible for delegating duties to the group's other associates and overseeing their execution.

However, it has also been observed that operators in administrator positions engage in coercion and blackmail to intimidate team members into working more and issue ultimatums to "hurt their family members in case of resigning or escaping from responsibilities."

The findings come more than a month after cybersecurity company SentinelOne identified potential links between FIN7 and the Black Basta ransomware operation.

"FIN7 has established itself as an extraordinarily versatile and well-known APT group that targets enterprise companies," PRODAFT concluded.

"Their signature move is to thoroughly research the companies based on their revenue, employee count, headquarters and website information to pinpoint the most profitable targets. Although they have internal issues related to the unequal distribution of obtained monetary resources and somewhat questionable practices towards their members, they have managed to establish a strong presence in the cybercrime sphere."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FIN7 Cybercrime Syndicate Emerges as Major Player in Ransomware Landscape

The Zerobot DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network.
Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters.
Zerobot, first documented by Fortinet FortiGuard Labs earlier this month,

Internet of Things / Patch Management

The **Zerobot** DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network.

Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters.

Zerobot, first documented by Fortinet FortiGuard Labs earlier this month, is a Go-based malware that propagates through vulnerabilities in web applications and IoT devices like firewalls, routers, and cameras.

"The most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities," Microsoft researchers said.

Also called ZeroStresser by its operators, the malware is offered as a DDoS-for-hire service to other criminal actors, with the botnet advertised on social media by its operators.

Microsoft said that one domain with connections to Zerobot – zerostresser\[.\]com – was among the 48 domains that were seized by the U.S. Federal Bureau of Investigation (FBI) this month for offering DDoS attack features to paying customers.

The latest version of Zerobot spotted by Microsoft not only targets unpatched and improperly secured devices, but also attempts to brute-force over SSH and Telnet on ports 23 and 2323 for spreading to other hosts.

The list of newly added known flaws exploited by Zerobot 1.1 is as follows -

*   **CVE-2017-17105** (CVSS score: 9.8) - A command injection vulnerability in Zivif PR115-204-P-RS
*   **CVE-2019-10655** (CVSS score: 9.8) - An unauthenticated remote code execution vulnerability in Grandstream GAC2500, GXP2200, GVC3202, GXV3275, and GXV3240
*   **CVE-2020-25223** (CVSS score: 9.8) - A remote code execution vulnerability in the WebAdmin of Sophos SG UTM
*   **CVE-2021-42013** (CVSS score: 9.8) - A remote code execution vulnerability in Apache HTTP Server
*   **CVE-2022-31137** (CVSS score: 9.8) - A remote code execution vulnerability in Roxy-WI
*   **CVE-2022-33891** (CVSS score: 8.8) - An unauthenticated command injection vulnerability in Apache Spark
*   **ZSL-2022-5717** (CVSS score: N/A) - A remote root command injection vulnerability in MiniDVBLinux

Upon successful infection, the attacks chain proceeds to download a binary named "zero" for a specific CPU architecture that enables it to self-propagate to more susceptible systems exposed online.

Additionally, Zerobot is said to proliferate by scanning and compromising devices with known vulnerabilities that are not included in the malware executable, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.

Zerobot 1.1 further incorporates seven new DDoS attack methods by making use of protocols such as UDP, ICMP, and TCP, indicating "continuous evolution and rapid addition of new capabilities."

"The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks," the tech giant said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zerobot Botnet Emerges as a Growing Threat with New Exploits and Capabilities

Okta, a company that provides identity and access management services, disclosed on Wednesday that some of its source code repositories were accessed in an unauthorized manner earlier this month.
"There is no impact to any customers, including any HIPAA, FedRAMP or DoD customers," the company said in a public statement. "No action is required by customers."
The security event, which was first

Software Security / Data Breach

Okta, a company that provides identity and access management services, disclosed on Wednesday that some of its source code repositories were accessed in an unauthorized manner earlier this month.

"There is no impact to any customers, including any HIPAA, FedRAMP or DoD customers," the company said in a public statement. "No action is required by customers."

The security event, which was first reported by Bleeping Computer, involved unidentified threat actors gaining access to the Okta Workforce Identity Cloud (WIC) code repositories hosted on GitHub. The access was subsequently abused to copy the source code.

The cloud-based identity management platform noted that it was alerted to the incident by Microsoft-owned GitHub in early December 2022. It also emphasized that the breach did not result in unauthorized access to customer data or the Okta service.

Upon discovering the lapse, Okta said it placed temporary restrictions on repository access and that it suspended all GitHub integrations with other third-party applications.

The San Francisco-headquartered firm further said it reviewed the repositories that were accessed by the intruders and examined the recent code commits to ensure that no improper changes were made. It has also rotated GitHub credentials and informed law enforcement of the development.

"Okta does not rely on the confidentiality of its source code for the security of its services," the company noted.

The alert comes nearly three months after Auth0, which Okta acquired in 2021, revealed a "security event" pertaining to some of its code repository archives from 2020 and earlier.

Okta has emerged as an appealing target for attackers since the start of the year. The LAPSUS$ data extortion group broke into the company's internal systems in January 2022 after obtaining remote access to a workstation belonging to a support engineer.

Then in August 2022, Group-IB unearthed a campaign dubbed 0ktapus targeting a number of companies, including Twilio and Cloudflare, that was designed to steal users' Okta identity credentials and two-factor authentication (2FA) codes.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft