Plus: Patches for Apple iOS 16, Google Chrome, Windows 10, and more.

The holiday season is almost over, but security patches are still continuing to arrive thick and fast in December. The month has seen updates released by Apple, Google, and Microsoft, as well as enterprise software companies including the likes of SAP, Citrix, and VMWare. 

Many of the patches fix zero-day vulnerabilities already being exploited in attacks, making it important that they are applied as soon as possible. Here’s the lowdown on all the patches released in December.

Apple iOS and iPadOS 16.2, iOS 15.7.2, iOS 16.1.2

Apple released a major point upgrade to its iOS 16 operating system in December: iOS 16.2. The update comes with features including end-to-end encryption in iCloud, but it also fixes 35 security vulnerabilities.

None of the issues patched in iOS 16.2 are known to have been used in attacks; however, many are pretty serious. The flaws include six in the Kernel and nine in the engine that powers Apple’s Safari browser, WebKit, which could allow an attacker to execute code. 

Apple also released iOS 15.7.2 for users of older iPhones that can’t run iOS 16, fixing a flaw already being used in attacks. Tracked as CVE-2022-42856, the WebKit vulnerability could allow an attacker to execute code, according to Apple’s support page. At the end of November, Apple fixed the same WebKit flaw in iOS 16.1.2.

Since the launch of iOS 16 in September, Apple has been offering security updates to those who don’t want to upgrade to the new operating system. But iOS 15.7.2 is only for older iPhones, so if you’ve got an iPhone 8 or above, you now need to upgrade to iOS 16 to stay secure. 

The iPhone maker also released macOS Ventura 13.1, watchOS 9.2, tvOS 16.2, macOS Big Sur 11.7.2, macOS Monterey 12.6.2, and Safari 16.2.

Google Android 

December was a hefty patch month for Google’s Android operating system, with fixes for dozens of security vulnerabilities issued during the month. Tracked as CVE-2022-20411, the most severe is a critical vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed, Google said in a security bulletin. 

Google also fixed two critical flaws in the Android Framework component, CVE-2022-20472 and CVE-2022-20473. Meanwhile, 151 Pixel-specific bugs were patched by Google in December. 

The December patch is available for Google’s own Pixel devices as well as Samsung smartphones, including the hardware maker’s flagship Galaxy range. 

Google Chrome 108

Google has issued an emergency update for its Chrome browser to fix the ninth zero-day vulnerability of the year. Tracked as CVE-2022-4262, the high-severity type confusion issue in Chrome’s V8 JavaScript engine could allow a remote attacker to exploit heap corruption via a crafted HTML page. “Google is aware that an exploit for CVE-2022-4262 exists in the wild,” the browser maker said in a blog.

The emergency update arrived just days after Google released Chrome 108, patching 28 security flaws. Among the fixes are CVE-2022-4174—a type confusion flaw in V8—and several use-after-free bugs. None of these vulnerabilities have been exploited in attacks, according to Google. But given that the latest bug is already in the hands of attackers, it’s a good idea to update Chrome as soon as possible.

Microsoft Patch Tuesday 

Microsoft’s December Patch Tuesday was another big one, fixing 49 security vulnerabilities, including a flaw being used in attacks. Tracked as CVE-2022-44698, the issue is a Windows SmartScreen security feature bypass vulnerability that could lead to loss of integrity and availability.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” Microsoft said.

Update Android Right Now to Fix a Scary Remote-Execution Flaw

New web targets for the discerning hacker

New web targets for the discerning hacker

  

As 2022 draws to a close, HackerOne has revealed that cloud-based vulnerabilities became increasingly common this year as organizations embark on digital transformation.

The bug bounty platform reported that researchers uncovered more than 65,000 software vulnerabilities through its service during the year, up 21% on 2021.

Misconfiguration vulnerabilities also rose 150% and improper authorization issues by 45% – largely because organizations are instituting ever-more granular permissions as they migrate to the cloud.

Intel recently paid out a $10,000 bug bounty to Julien Ahrens of RCE Security – despite disputing the seriousness of the flaw.

Ahrens bypassed Intel Data Center Manager (DCM) authentication by spoofing Kerberos and LDAP (Lightweight Directory Access Protocol) responses, claiming this led to remote code execution (RCE).

Intel acknowledged the vulnerability and gave it a severity score of 8.8, but says the issue amounted only to a privilege elevation flaw. It was persuaded to make the payout anyway as a one-off.

Meanwhile, a security researcher known by the moniker Peter M demonstrated this month how he bypassed Akamai web application firewalls (WAF) running Spring Boot, potentially leading to remote code execution (RCE).

He says it took 500 crafted attempts and over 14 hours to find an entry point as part of a private Bugcrowd program.

The attack, carried out with the assistance of Synack pentester Usman Mansha, used Spring Expression Language (SpEL) injection.

Read more of the latest bug bounty news

In other bug bounty news, Intigriti says it has paid out nearly three times as much this year compared to last, with the average amount having doubled.

It says ethical hackers increasingly see bug bounty hunting as a full-time career, with 96% saying they’d like to spend more time on it. The biggest draw is the money, along with the ability to work anywhere in the world, the ability to work alone, and the chance to outsmart cybercriminals.

And Meta’s review of its own bug bounty program this year has revealed that it paid out more than $2 million, receiving around 10,000 reports in total, of which it paid out on 750.

Meta also released updated payout guidelines for mobile RCE bugs, and there are new payout guidelines for account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities, too. These go up to $130,000 for ATO reports and $300,000 for mobile RCE bugs.

Finally, bug bounty and security services platform for web3 Immunefi says it has paid out just under $66 million this year, with the biggest bounty amounting to $10 million for a vulnerability discovered in Wormhole, a generic cross-chain messaging protocol.

Critical vulnerabilities took the lead with a total of $61 million paid out, accounting for 92.7% of all bounties paid.

**The latest bug bounty programs for January 2023**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Axis Communications**

Program provider:  
Bugcrowd

Program type:  
Public

Max reward:  
TBC

Outline:  
Video surveillance vendor Axis Communications has launched a bug bounty program to find vulnerabilities in its network security products, excluding its 2N products.

Notes:  
Axis Communications has yet to release details of payment rewards for finding such bugs, but has released details of how these bugs are scored using the CVSS method.

Check out the Axis Communications bug bounty page for more details

**Contentsquare**

Program provider:   
YesWeHack  

Program type: Public

Max reward: €2,500 ($2,670)

Outline: UX analytics provider Contentsquare has launched a bug bounty program focussed on finding issues with its mobile software development kit and collection endpoints, details of which are listed on its bug bounty page.

Notes: Contentsquare asks ethical hackers to consult the list of in-scope topics beforehand, as the targets are specific.

Check out the Contentsquare bug bounty page for more details

**Doppler**

Program provider:  
HackerOne

Program type: Public

Max reward: $2,500

Outline: Doppler bills itself as a “SecretOps platform developers and security teams trust to provide secrets management at enterprise scale”.

Notes: Again, there are multiple domains to explore plus Doppler’s source code. There are also five domains that are out of scope for testing.

Check out the Doppler bug bounty page for more details

**Engel & Völkers Technology GmbH**

Program provider:  
HackerOne

Program type: Public

Max reward: $1,000

Outline: IT consulting firm Engel & Völkers Technology GmbH has opened its domains to testing by bug bounty hunters.

Notes: There are more than 10 domains available to attack, ranging from critical to medium severity. There are also a handful of domains that are out of scope and shouldn’t be tested.

Check out the Engel & Völkers Technology GmbH bug bounty page for more details

**Harman International**

Program provider:  
YesWeHack

Program type: Public

Max reward: $5,000

Outline: Electronics manufacturer Harman, a Samsung company, is asking for help with “hardening of the entire ecosystem” related to JBL devices.

Notes: There are 16 targets in scope including physical devices, web APIS, and applications, so there’s something for everyone to get stuck into.

Check out the Harman International bug bounty page for more details

**Moonpay**

Program provider:  
HackerOne

Program type: Public

Max reward: $20,000

Outline: Crypto exchange platform Moonpay is offering big rewards for security vulnerabilities in multiple domains and its source code.

Notes: There are four domains out of scope, so these should be checked before proceeding. Moonpay also details an extensive list of vulnerabilities that aren’t eligible for reward, so this should be checked, too.

Check out the Moonpay bug bounty page for more details

**Navitas**

Program provider:  
Bugcrowd

Program type:  
Private

Max reward:  
$2,500

Outline:  
Australian education provider Navitas is offering rewards for reproducible bugs in its services, with rewards based on the severity of the issue.

Notes:  
Although the company is based in Australia, the rewards are open to ethical hackers worldwide, on an invite basis.

Check out a press release regarding the Navitas bug bounty program for more details

**OVO**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
$3,000

Outline:  
Indonesian payment, rewards and financial services platform is asking hackers to find bugs in four of its mobile and web apps, providing plenty of opportunity to seek a reward.

Notes:  
OVO has explicitly noted that staging environments are out of scope, as are any other targets that aren’t specifically listed on its bug bounty page.

Check out the OVO bug bounty page for more details

**Swapcard**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
€2,000 ($2,140)

Outline:  
Swapcard describes itself as an event app and matchmaking platform powered by artificial intelligence, which holds events in the sectors of security, government, and health.

Notes:  
There is an extensive list of applications and APIs that can be targeted, so this is worth checking out before making a start. Also note that Swapcard states that reports with a detailed proof of concept will be rewarded at a quicker rate, if eligible, than those without.

Check out the Swapcard bug bounty page for more details

**VFS**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
$1,500

Outline:  
VFS manages the administrative and non-judgmental tasks related to visa, passport and consular services for its client governments.

Notes:  
The maximum reward is for vulnerabilities deemed as ‘critical’. Examples include, but aren’t limited to, the leaking of visa applicant personally identifiable information, Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information, and scripts that can automate the completion of the user registration flow.

Check out the VFS bug bounty page for more details

**Yuga Labs**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$25,000

Outline:  
Yuga Labs is offering an impressive $25,000 for the discovery of critical vulnerabilities in its web3 platform.

Notes:  
The company is asking for reports on bugs in not only its domains but its Discord servers too. Anyone wanting to attack the Discord servers should check out the separate policy on Yuga Labs’ bug bounty page first.

Check out the Yuga Labs bug bounty page for more details

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for December 2022

Bug Bounty Radar // The latest bug bounty programs for January 2023

KrebsOnSecurity turns 12 years old today. That's a crazy long time for an independent media outlet these days, but then again I'm liable to keep doing this as long as they keep letting me!

Thanks to your readership and support, I was able to spend more time in 2022 on in-depth investigative stories -- the really satisfying kind with the potential to affect positive change. Some of that work is highlighted in the 2022 Year in Breaches review below.

KrebsOnSecurity turns 13 years old today. That’s a crazy long time for an independent media outlet these days, but then again I’m bound to keep doing this as long as they keep letting me. Heck, I’ve been doing this so long I briefly forgot which birthday this was!

Thanks to your readership and support, I was able to spend more time in 2022 on some deep, meaty investigative stories — the really satisfying kind with the potential to affect positive change. Some of that work is highlighted in the 2022 Year in Review review below.

Until recently, I was fairly active on **Twitter**, regularly tweeting to more than 350,000 followers about important security news and stories here. For a variety of reasons, I will no longer be sharing these updates on Twitter. I seem to be doing most of that activity now on Mastodon, which appears to have absorbed most of the infosec refugees from Twitter, and in any case is proving to be a far more useful, civil and constructive place to post such things. I will also continue to post on LinkedIn about new stories in 2023.

Here’s a look at some of the more notable cybercrime stories from the past year, as covered by KrebsOnSecurity and elsewhere. Several strong themes emerged from 2022’s crop of breaches, including the targeting or impersonating of employees to gain access to internal company tools; multiple intrusions at the same victim company; and less-than-forthcoming statements from victim firms about what actually transpired.

**JANUARY**

You just knew 2022 was going to be _The Year of Crypto Grift_ when two of the world’s most popular antivirus makers — Norton and Avira — kicked things off by installing cryptocurrency mining programs on customer computers. This bold about-face dumbfounded many longtime Norton users because antivirus firms had spent years broadly classifying all cryptomining programs as malware.

Suddenly, hundreds of millions of users — many of them old enough to have bought antivirus from **Peter Norton** himself back in the day — were being encouraged to start caring about and investing in crypto. Big Yellow and Avira weren’t the only established brands cashing in on crypto hype as a way to appeal to a broader audience: The venerable electronics retailer **RadioShack** wasted no time in announcing plans to launch a cryptocurrency exchange.

By the second week of January, Russia had amassed more than 100,000 troops along its southern border with Ukraine. The Kremlin breaks with all tradition and announces that — at the request of the United States — it has arrested 14 people suspected of working for REvil, one of the more ruthless and profitable Russian ransomware groups.

Security and Russia experts dismiss the low-level arrests as a kind of “**ransomware diplomacy**,” a signal to the United States that if it doesn’t enact severe sanctions against Russia for invading Ukraine, Russia will continue to cooperate on ransomware investigations.

The Jan. 19th story IRS Will Soon Require Selfies For Online Access goes immediately viral for pointing out something that apparently nobody has noticed on the **U.S. Internal Revenue Service** website for months: Anyone seeking to create an account to view their tax records online would soon be required to provide biometric data to a private company in Virginia — **ID.me**.

Facing a backlash from lawmakers and the public, the IRS soon reverses course, saying video selfies will be optional and that any biometric data collected will be destroyed after verification.

**FEBRUARY**

Super Bowl Sunday watchers are treated to no fewer than a half-dozen commercials for cryptocurrency investing. **Matt Damon** sells his soul to **Crypto.com**, telling viewers that “fortune favors the brave” — basically, “only cowards would fail to buy cryptocurrency at this point.” Meanwhile, Crypto.com is trying to put space between it and recent headlines that a breach led to $30 million being stolen from hundreds of customer accounts. A single bitcoin is trading at around $45,000.

**Larry David**, the comedian who brought us years of awkward hilarity with hits like **Seinfeld** and **Curb Your Enthusiasm**, plays the part of the “doofus, crypto skeptic” in a lengthy Super Bowl ad for **FTX,** a cryptocurrency exchange then valued at over $20 billion that is pitched as a “safe and easy way to get into crypto.” \[Last month, FTX imploded and filed for bankruptcy; the company’s founder now faces civil and criminal charges from three different U.S. agencies\].

On Feb. 24, Russia invades Ukraine, and fault lines quickly begin to appear in the cybercrime underground. Cybercriminal syndicates that previously straddled Russia and Ukraine with ease are forced to reevaluate many comrades who are suddenly working for The Other Side.

Many cybercriminals who operated with impunity from Russia and Ukraine prior to the war chose to flee those countries following the invasion, presenting international law enforcement agencies with rare opportunities to catch most-wanted cybercrooks. One of those is **Mark Sokolovsky**, a 26-year-old Ukrainian man who operated the popular “**Raccoon**” malware-as-a-service offering; Sokolovsky was busted in March after fleeing Ukraine’s mandatory military service orders.

Also nabbed on the lam is **Vyacheslav “Tank” Penchukov**, a senior Ukrainian member of a transnational cybercrime group that stole tens of millions of dollars over nearly a decade from countless hacked businesses. Penchukov was arrested after leaving Ukraine to meet up with his wife in Switzerland.

Tank, seen here performing as a DJ in Ukraine in an undated photo from social media.

Ransomware group **Conti** chimes in shortly after the invasion, vowing to attack anyone who tries to stand in Mother Russia’s way. Within hours of that declaration several years worth of internal chat logs stolen from Conti were leaked online. The candid employee conversations provide a rare glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also reveal how Conti dealt with its own internal breaches and attacks from private security firms and foreign governments.

Faced with an increasing brain drain of smart people fleeing the country, Russia floats a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation’s prison population to perform low-cost IT work for domestic companies.

Chipmaker **NVIDIA** says a cyberattack led to theft of information on more than 71,000 employees. Credit for that intrusion is quickly claimed by **LAPSUS$**, a group of 14-18 year-old cyber hooligans mostly from the United Kingdom who specialized in low-tech but highly successful methods of breaking into companies: Targeting employees directly over their mobile phones.

LAPSUS$ soon employs these skills to successfully siphon source code and other data from some of the world’s biggest technology firms, including **Microsoft**, **Okta**, **Samsung**, **T-Mobile** and **Uber**, among many others.

**MARCH**

We learn that criminal hackers are compromising email accounts and websites for police departments worldwide, so that they can impersonate police and send legal requests to obtain sensitive customer data from mobile providers, ISPs and social media companies. That story prompts revelations that several companies — including **Apple**, **Discord** and **Meta/Facebook** — have complied with the fake requests, and draws the attention of Congress to the problem.

**APRIL**

It emerges that email marketing giant **Mailchimp** got hacked. The unknown intruders gained access to internal Mailchimp tools and customer data by social engineering employees at the company, and then started sending targeted phishing attacks to owners of **Trezor** hardware cryptocurrency wallets.

The **FBI** warns about a massive surge in victims from “**pig butchering**” scams, in which flirtatious strangers online lure people into investing in cryptocurrency scams. Investigative reports reveal pig butchering’s link to organized crime gangs in Asia that attract young job seekers with the promise of customer service jobs. Instead, those who show up at the appointed time and place are kidnapped, trafficked across the border into neighboring countries like Cambodia, and pressed into a life of indentured servitude scamming others online.

The now-defunct and always phony cryptocurrency trading platform xtb-market\[.\]com, which was fed by pig butchering scams.

**MAY**

KrebsOnSecurity reports that hackers who specialize in filing fake police requests for subscriber data gained access to a **U.S. Drug Enforcement Administration** (DEA) portal that taps into 16 different federal law enforcement databases.

The government of **Costa Rica** is forced to declare a state of emergency after a ransomware attack by Conti cripples government systems. Conti  publishes nearly 700 GB worth of government records after the country’s leaders decline to pay a $20 million ransom demand.

**JUNE**

KrebsOnSecurity identifies Russian national **Denis Emelyantsev** as the likely owner of the RSOCKS botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. Emelyantsev was arrested that same month at a resort in Bulgaria, where he requested and was granted extradition to the United States —  reportedly telling the judge, “America is looking for me because I have enormous information and they need it.”

The employees who kept things running for RSOCKS, circa 2016. Notice that nobody seems to be wearing shoes.

**JULY**

Big-three consumer credit bureau **Experian** comes under scrutiny after KrebsOnSecurity reveals identity thieves are reliably seizing control over consumer credit files by simply re-registering using the target’s personal information and an email address tied to the crooks. Two months later, Experian would be hit with a class-action lawsuit over these security and privacy failures.

**Twitter** acknowledges that it was relieved of phone numbers and email addresses for 5.4 million users. The security weakness that allowed the data to be collected was patched in January 2022.

**AUGUST**

Messaging behemoth **Twilio** confirms that data on 125 customers was accessed by intruders, who tricked employees into handing over their login credentials by posing as employees of the company’s IT department.

Among the Twilio customers targeted was encrypted messaging service **Signal**, which relied on Twilio to provide phone number verification services. Signal said that with their access to Twilio’s internal tools, the attackers were able to re-register those users’ phone numbers to another device.

Food delivery service **DoorDash** discloses that a “sophisticated phishing attack” on a third-party vendor allowed attackers to gain access to some of DoorDash’s internal company tools. Thanks to data left exposed online by the intruders, it becomes clear that DoorDash was victimized by the same group that snookered employees at Twilio, Mailchimp, **CloudFlare**, and dozens of other major companies throughout 2022.

Mailchimp discloses another intrusion involving targeted phishing attacks against employees, wherein hackers stole data on more than 200 Mailchimp customers. Web hosting giant **DigitalOcean** discloses it was one of the victims, and that the intruders used their access to send password reset emails to a number of DigitalOcean customers involved in cryptocurrency and blockchain technologies. DigitalOcean severs ties with Mailchimp after that incident, which briefly prevented the hosting firm from communicating with its customers or processing password reset requests.

Password manager service **LastPass** discloses that its software development environment was breached, and that intruders made off with source code and some proprietary LastPass data. LastPass emphasizes the intruders weren’t able to access any customer data or encrypted password vaults, and that “there is no evidence of any threat actor activity beyond the established timeline,” and “no evidence that this incident involved any access to customer data or encrypted password vaults.”

**SEPTEMBER**

Uber discloses another breach, forcing the company to take several of its internal communications and engineering systems offline as it investigates. The intrusion only comes to light when the hacker uses the company’s internal Slack channel to boast about their access, listing several internal databases they claimed had been compromised. The intruder told The New York Times they got in by sending a text message to an employee while posing as an employee from Uber’s IT department. Uber blames LAPSUS$ for the intrusion.

Australian telecommunications giant **Optus** suffers a data breach involving nearly 10 million customers, including passport or license numbers on almost three million people. The incident dominates headlines and politics in Australia for weeks, as the hacker demands a million dollars in cryptocurrency not to publish the information online. Optus’s CEO calls the intrusion a “sophisticated attack,” but interviews with the hacker reveal they simply enumerated and scraped the data from the Optus website without authentication. After briefly posting 10,000 records from the intrusion, the hacker announces they made a mistake, and deletes the auction.

**OCTOBER**

A report commissioned by **Sen. Elizabeth Warren** (D-Mass.) reveals that most big U.S. banks are stiffing account takeover victims. Even though U.S. financial institutions are legally obligated to reverse any unauthorized transactions as long as the victim reports the fraud in a timely manner, the report cited figures showing that four of the nation’s largest banks collectively reimbursed only 47 percent of the dollar amount of claims they received.

**Joe Sullivan**, the former chief security officer for Uber, is found guilty of two felonies after a four-week trial. In 2016, while the **U.S. Federal Trade Commission** was already investigating a 2014 breach at Uber, another security breach affected 57 million Uber account holders and drivers. The intruders demand $100,000, but Sullivan and his team paid the ransom under the company’s bug bounty program, made the hackers sign a non-disclosure agreement, and concealed the incident from users and investors. The two hackers involved pleaded guilty in 2019; by this time, it has become a nearly everyday occurrence for victim companies to pay to keep a ransomware attack quiet.

**NOVEMBER**

A ransomware group with ties to REvil begins publishing names, birth dates, passport numbers and information on medical claims on nearly 10 million current and former customers of Australian health insurer **Medibank**. The data is published after Medibank reportedly declines to pay a US$10 million ransom demand.

**DECEMBER**

KrebsOnSecurity breaks the news that **InfraGard**, a program run by the **U.S. Federal Bureau of Investigation** (FBI) to build cyber and physical threat information sharing partnerships with the private sector, saw its database of contact information on more than 80,000 members put up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible were communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.

A cybercriminal starts selling account data scraped from 400 million Twitter users, including email addresses and in many cases phone numbers. The seller claims their data was scraped in late December 2021 using the same vulnerability that Twitter patched in January 2022, and that led Twitter to acknowledge the data scraping of 5.4 million user accounts earlier this year. Twitter no longer has a press office, and the company’s Chief Twit has remained silent about the 400 million claim so far, despite many indications that the data is legitimate.

Two days before Christmas, LastPass posted an update on its investigation into the August data breach, saying the intruder was able to use data stolen in the August breach to come back and copy a backup of customer vault data from the encrypted storage container. LastPass’s lackadaisical disclosure timeline and failure to answer follow-up questions has done little to assuage the fears of many users, leaving _Wired.com_ to recommend users abandon the platform in favor of the password managers 1Password and Bitwarden.

Also two days before Christmas, KrebsOnSecurity notifies Experian that anyone can bypass security questions in their application for a free credit report, meaning identity thieves can access your full credit file with just your name, address, date of birth and Social Security number. Unfortunately, this static data on most Americans has been for sale in the cybercrime underground for years. Experian has yet to say whether it has fixed the problem, but expect to see a full report about this early in the New Year.

Happy 13th Birthday, KrebsOnSecurity!

The year was marked by sinister new twists on cybersecurity classics, including phishing, breaches, and ransomware attacks.

With the pandemic evolving into an amorphous new phase and political polarization on the rise around the world, 2022 was an uneasy and often perplexing year in digital security. And while hackers frequently leaned on old chestnuts like phishing and ransomware attacks, they still found vicious new variations to subvert defenses.

Here's WIRED's look back on the year's worst breaches, leaks, ransomware attacks, state-sponsored hacking campaigns, and digital takeovers. If the first years of the 2020s are any indication, the digital security field in 2023 will be more bizarre and unpredictable than ever. Stay alert, and stay safe out there.

For years, Russia has pummeled Ukraine with brutal digital attacks causing blackouts, stealing and destroying data, meddling in elections, and releasing destructive malware to ravage the country's networks. Since invading Ukraine in February, though, times have changed for some of Russia's most prominent and most dangerous military hackers. Shrewd long-term campaigns and grimly ingenious hacks have largely given way to a stricter and more regimented clip of quick intrusions into Ukrainian institutions, reconnaissance, and widespread destruction on the network—and then repeated access over and over again, whether through a new breach or by maintaining the old access. The Russian playbook on the physical battlefield and in cyberspace seems to be the same: one of ferocious bombardment that projects might and causes as much pain as possible to the Ukrainian government and its citizens.

Ukraine has not been digitally passive during the war, though. The country formed a volunteer “IT Army” after the invasion, and it, along with other actors around the world, have mounted DDoS attacks, disruptive hacks, and data breaches against Russian organizations and services.

Over the summer, a group of researchers dubbed 0ktapus (also sometimes known as “Scatter Swine”) went on a massive phishing bender, compromising nearly 10,000 accounts within more than 130 organizations. The majority of the victim institutions were US-based, but there were dozens in other countries as well, according to researchers. The attackers primarily texted targets with malicious links that led to fake authentication pages for the identity management platform Okta, which can be used as a single sign-on tool for numerous digital accounts. The hackers' goal was to steal Okta credentials and two-factor authentication codes so they could get access to a number of accounts and services at once.

One company hit during the rampage was the communications firm Twilio. It suffered a breach at the beginning of August that affected 163 of its customer organizations. Twilio is a big company, so that only amounted to 0.06 percent of its clients, but sensitive services like the secure messaging app Signal, two-factor authentication app Authy, and authentication firm Okta were all in that slice and became secondary victims of the breach. Since one of the services Twilio offers is a platform for automatically sending out SMS text messages, one of the knock-on effects of the incident was that attackers were able to compromise two-factor authentication codes and breach the user accounts of some Twilio customers. 

As if that wasn't enough, Twilio added in an October report that it was also breached by 0ktapus in June and that the hackers stole customer contact information. The incident highlights the true power and menace of phishing when attackers choose their targets strategically to magnify the effects. Twilio wrote in August, “we are very disappointed and frustrated about this incident.”

In recent years, countries around the world and the cybersecurity industry have increasingly focused on countering ransomware attacks. While there has been some progress on deterrence, ransomware gangs were still on a rampage in 2022 and continued to target vulnerable and vital social institutions, including health care providers and schools. The Russian-speaking group Vice Society, for example, has long specialized in targeting both categories, and it focused its attacks on the education sector this year. The group had a particularly memorable showdown with the Los Angeles Unified School District at the beginning of September, in which the school ultimately took a stand and refused to pay the attackers, even as its digital networks went down. LAUSD was a high-profile target, and Vice Society may have bitten off more than it could chew, given that the system includes more than 1,000 schools serving roughly 600,000 students. 

Meanwhile, in November, the US Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Health and Human Services released a joint warning about the Russia-linked ransomware group and malware maker known as HIVE. The agencies said the group's ransomware has been used to target over 1,300 organizations around the world, resulting in roughly $100 million in ransom payments from victims. “From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors,” the agencies wrote, “including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health.”

The digital extortion gang Lapsus$ was on an intense hacking spree at the beginning of 2022, stealing source code and other sensitive information from companies like Nvidia, Samsung, Ubisoft, and Microsoft and then leaking samples as part of apparent extortion attempts. Lapsus$ has a sinister talent for phishing, and in March, it compromised a contractor with access to the ubiquitous authentication service Okta. The attackers appeared to be based primarily in the United Kingdom, and at the end of March, British police arrested seven people in association with the group and charged two at the beginning of April. In September, though, the group flared back to life, mercilessly breaching the ride-share platform Uber and seemingly the _Grand Theft Auto_ developer Rockstar as well. On September 23, police in the UK said they had arrested an unnamed 17-year-old in Oxfordshire who seems to be one of the individuals previously arrested in March in connection with Lapsus$.

The beleaguered password manager giant LastPass, which has repeatedly dealt with data breaches and security incidents over the years, said at the end of December that a breach of its cloud storage in August led to a further incident in which hackers targeted a LastPass employee to compromise credentials and cloud storage keys. The attackers then used this access to steal some users' encrypted password vaults—the files that contain customers' passwords—and other sensitive data. Additionally, the company says that “some source code and technical information were stolen from our development environment” during the August incident. 

LastPass CEO Karim Toubba said in a blog post that in the later attacks, hackers compromised a copy of a backup that contained customer password vaults. It is not clear when the backup was made. The data is stored in a “proprietary binary format" and contains both unencrypted data, like website URLs, and encrypted data, like usernames and passwords. The company did not provide technical details about the proprietary format. Even if LastPass's vault encryption is strong, hackers will attempt to brute-force their way into the password troves by attempting to guess the “master passwords” that users set to protect their data. With a strong master password, this may not be possible, but weak master passwords could be at risk of being defeated. And since the vaults have already been stolen, LastPass users can't stop these brute-force attacks by changing their master password. Users should instead confirm that they have deployed two-factor authentication on as many of their accounts as they can, so even if their passwords are compromised, attackers still can't break in. And LastPass customers should consider changing the passwords on their most valuable and sensitive accounts.

The Worst Hacks of 2022

From SBF to the GRU, these were the most disruptive forces of online chaos this year.

Russian soldiers poured into Ukraine, accompanied by a wave of cyberattacks across the country. A major cryptocurrency exchange imploded and declared bankruptcy, vaporizing billions of dollars from that digital economy. The once-biggest dark-web drug market—after being demolished by law enforcement—clawed back to the top of the online underworld after doggedly resurrecting itself.

It's not 2014, though you could be forgiven for being confused. No, all these episodes of global chaos occurred in 2022, each one a rerun of previous events, but now with the threat they posed vastly multiplied in scale.

This year, some of the phantoms of the Trump era and the Covid-19 pandemic finally seemed to recede—only to make room for new threats and the return of ghosts of years past. The same dictators—Vladimir Putin, Xi Jinping, Kim Jong Un—who have long threatened the global order, their geographic neighbors, and their countries' own citizens. Fresher digital threats like India's slide into online repression, and brazen cybercriminals displaying more ruthlessness than ever. And then there were some vestiges of the Trump era that seemed to have hung on, such as one particularly loud and quixotic billionaire with a large, cultlike following, seemingly doing his best to singlehandedly corrupt social media.

Every year, WIRED assembles a list of the most dangerous people on the internet. For the first time since 2015, Donald Trump doesn't top this list. But there's no shortage of new sources of instability and disruption online. Here are our picks for 2022.

Sam Bankman-Fried

For its entire existence, the cryptocurrency world has been plagued with money laundering, theft, and scams, from Bitcoin-powered dark-web drug markets to billions of dollars stolen from crypto companies by rogue hackers. But one of the most dangerous players in the crypto economy, it seems, was hiding in plain sight. In the collapse of cryptocurrency exchange FTX, a poster boy for cryptocurrency’s growing legitimacy, Sam Bankman-Fried, now stands accused of more than $8 billion in fraud. The rippling fallout for the cryptocurrency economy could be far larger, and the tangled dealings and mismanagement of user funds in FTX's meltdown have yet to be fully unraveled—even the company's new CEO John Ray, who also handled the bankruptcy of Enron, says he's never seen a bigger mess. Under Bankman-Fried's hands-on leadership, FTX invested vast sums of users' cryptocurrency in his own trading platform Alameda Research, which has also gone bankrupt. Aside from those enormous losses, Bankman-Fried represents a particularly troubling figure for the ills of the crypto economy: Unlike so many others in the crypto world, he had appeared to actually _welcome_ tighter government controls of the industry. Now, like a hybrid of Elizabeth Holmes and Lehman Brothers, he's come to represent the face of regulatory capture.

Elon Musk

The antics of Elon Musk, as a Willy Wonka figure with his mercuriality dialed up to 11, seemed harmless enough—or possibly even a net good for human progress—when he was focused on next-generation rockets and electric cars. But with his acquisition of Twitter, the dark side of Musk was put on display, and the fickle power of the (sometimes) world's richest man suddenly threatened a central institution of the internet. Musk's immediate, summary layoffs of thousands of Twitter's staffers put at risk key functions of a service that serves as a central artery of digital conversation. Sure, he justified lifting Twitter's ban on neo-Nazis like Andrew Anglin as well as former president Donald Trump (after the latter was removed from Twitter after using it to incite the January 6 riots and invasion of the US Capitol building) with free speech arguments. But Twitter's new emperor has also decimated its staff of content moderators, leading to situations like a single staffer being left to police child abuse content on Twitter for all of Japan and the Asia-Pacific region. Under Musk's watch, Twitter has also banned left-wing accounts he described as "antifa," contradicting his stance on free speech. Just days after the acquisition, Musk briefly tweeted—then deleted—disinformation that the man who attacked US House speaker Nancy Pelosi’s husband in October was his gay lover. Later, he seemed to call for the prosecution of the White House’s chief medical advisor Anthony Fauci for his handling of the Covid-19 pandemic, without explanation. In doing so, he offered a glimpse of the conspiracy-minded politics and trolling that truly drive his actions. Twitter hasn't collapsed under Musk, as some of its doomsayers predicted. But it may be morphing into the worst version of itself.

Xi Jinping

Xi Jinping has presided over some of China's worst human rights abuses, including its mass internment of Uyghur Muslims in Xinjiang and the crackdown on protestors in Hong Kong. Each of those waves of repression has come with its own accompanying tightening of restrictions online, as censors scoured social media for any reference to protests and Han Chinese police in Xinjiang even demanded that Uyghurs download an app that scans their phones for banned content. This year, the protests against China's draconian zero-Covid lockdowns have triggered a new online crackdown, one in which even "liking" a post about protests is deemed illegal and signs of misbehavior are tracked in a regulated "credit system" that can lead to users being summarily banned from online platforms. Xi has already established himself as the most powerful figure in China's government in decades, taking an unprecedented third term as head of the Chinese Communist Party. He's made clear that authoritarian power will extend deep into the digital lives of the world's biggest population of internet users.

Narendra Modi

Under Modi and his party, the BJP, India has become increasingly China-like in its repression of protests both physical and digital. In just the past few years, the Indian government temporarily shut down the internet in the embattled region of Kashmir, banned a large collection of China-based apps including TikTok, and just weeks ago delegated oversight of content moderation decisions on social media to a three-person group—a move widely seen as the latest step in the government's attempts to tighten its grip on those platforms. In perhaps the most appalling case of digital repression, security researchers this year revealed that hackers who fabricated evidence on the computers of activists in the region near the city of Pune had ties to the very same Pune police who arrested those activists. One of the activists targeted in that frame job died in detention. Eleven other defendants in the case remain in jail. Modi's India has proven that even a so-called democracy offers no guarantees of a remotely free internet.

GRU

Russia's GRU military intelligence agency has, for years, been home to some of the most aggressive and dangerous hackers in the world. The GRU groups known as Sandworm and APT28 have, in just the past seven years, triggered two blackouts in Ukraine, launched the hack-and-leak operation designed to sway the US 2016 election, released the NotPetya malware that spread worldwide and caused at least $10 billion in damage, and tried to destroy the backend of the 2018 Olympics. In 2022, thanks to Russia's unprovoked and brutal war in Ukraine, the GRU's focus zeroed in again on the country that has long been Russia's favorite hacking victim. In 2022, it launched countless cyberattacks designed to destroy data on Ukrainian government and corporate networks, often in tandem with physical attacks carried out by the invasion forces. One GRU malware attack went so far as to disable communications to 5,000 wind turbines across Germany in a case of collateral damage reminiscent of NotPetya. The GRU's Sandworm hackers also attempted a third blackout attack in Ukraine, which—according to Ukraine's government at least—defenders managed to foil this time. A+ for continued wanton, reckless aggression. B- for execution.

DeSnake

When the dark-web market for drugs and hacked data known as AlphaBay was shut down in 2017 and its creator Alexandre Cazes was found dead in a Thai jail cell, it seemed the story of AlphaBay was over. Then, in the summer of last year, fully four years after that massive bust, AlphaBay relaunched under the command of its cofounder and Cazes' top lieutenant, known only as DeSnake. In the year-plus since then, DeSnake has dragged AlphaBay back to the top of the dark web's competing scrum of criminal markets. To his credit, he's set more rules for what can be sold on his black market than Cazes ever did, banning the sale of fentanyl and ransomware tools, for instance. But AlphaBay remains a bustling criminal bazaar for hard drugs and stolen data, and it may be harder to shut down than ever. DeSnake has implemented security upgrades to the site, such as allowing only the harder-to-trace cryptocurrency Monero instead of Bitcoin. And he also claims to be located in the former Soviet Union—potentially putting him far farther beyond the reach of law enforcement than his unlucky predecessor.

Lazarus

In 2022, North Korea continued to distinguish itself as the world's top perpetrator of state-sponsored cybercrime: Its government hackers continued to steal hundreds of millions of dollars worth of loot, largely in the form of cryptocurrency, from targets around the globe. That spree of burglaries actually seems to be escalating. According to the blockchain analysis firm Chainalysis, North Korean thieves took in $840 million in the first five months of 2022 alone, more than the previous two years combined. Some $600 million of that came from just one heist. All of it goes toward funding one of the worst regimes in the world, with hundreds of thousands of political prisoners in concentration camps and a tendency to fire missiles over its neighbors' heads.

Conti

The scourge of ransomware continued to plague the world in 2022, and no group illustrated that threat better than Conti. In the first months of the year, the group hit dozens of corporate and government targets. Most catastrophically, it launched a wave of crippling cyberattacks across Costa Rica, shutting down 27 government bodies and medical services there and leading to a national state of emergency. After Russia's invasion of Ukraine, Conti declared its full support for that war—a decision that led to one of its disgruntled members leaking a vast trove of the group's internal communications online. Conti has subsequently shut down, but likely only in name. Its hackers may have rebranded and splintered, but the chaos that is their business model will no doubt persist.

Lapsus$

The only thing more dangerous than a group of ruthless ransomware hackers is a group of ruthless ransomware hackers who are also teenagers. In December of 2021, Lapsus$ made its entrance onto the hacking scene with a cyberattack on the Brazilian Ministry of Health in the midst of its Covid-19 response. It's since carried out a spree of splashy, often nihilistic breaches of major tech firms including Uber, Okta, Rockstar Games, Nvidia, Microsoft, Samsung, and Vodafone. Last spring, British law enforcement arrested seven people suspected of being members of the group, all ages 16 to 21. Those arrests included Lapsus$'s alleged 16-year-old "mastermind." But inexplicably, those suspects were released without charges, and the group's "hacker joyride" rolls on.

APT41

For years, China's hackers focused on by-the-book espionage. But more recently, one group, known as APT41, has proven itself to be the closest thing China has to North Korean state-sponsored cybercriminals. That group, which the US Department of Justice tied in an indictment to the Ministry of State Security contractor known as Chengdu 404, has for years moonlighted as a for-profit cybercriminal outfit. Just this month, the group was linked to the theft of $20 million in Covid-19 relief funds, an unprecedented robbery of US government money by a Chinese state-sponsored hacking outfit. Meanwhile, APT41 was also responsible for dozens of espionage-focused intrusions across the world this year, according to analysts at PricewaterhouseCoopers, which calls the group the most prolific cyberspying operation in the world. Despite the Justice Department charging seven of the group's members in 2020, they remain at large, and their unique blend of espionage and outright theft continues unabated.

The Most Dangerous People on the Internet in 2022

**SAN FRANCISCO****,** **Dec. 22, 2022** **/PRNewswire/ --** The global passwordless authentication market size is expected to reach USD 55.70 billion by 2030, growing at promising 18.2% CAGR, according to a new report by Grand View Research, Inc. Passwordless authentication is a security procedure that uses unique biological traits of a person to validate their authenticity.

**Key Industry Insights & Findings from the report:**

*   Growing investments in developed countries such as the U.S., Canada, Germany, France, and the U.K. for implementing passwordless authentication technology is a crucial factor driving the growth.
*   Fingerprint recognition and facial recognition provide various benefits. The increased security, accountability, convenience, and their non-transferable nature are crucial drivers for the growth.
*   The surge in e-commerce and internet banking, as well as legislations by various authorities such as central banks mandates large organizations to utilize robust authentication mechanisms to authenticate customers.
*   Multi-factor authentication protects clients from phishing attempts and fraudulent purchases and secures transactions.

Read 117-page market research report, "Passwordless Authentication Market Size, Share & Trends Analysis Report By Component, By Product Type (Facial Recognition, Fingerprint, Iris), By Authentication Type, By Portability, By End-user, By Region, And Segment Forecasts, 2022 - 2030", published by Grand View Research.

**Passwordless Authentication Market Growth & Trends**

The increasing adoption of smartphones and other electronic gadgets is a crucial element driving the biometric authentication market forward. According to a July 2022 Oxford Economics and Samsung study, up to 85% of small and midsize enterprises allow all or most of their staff to use mobile devices for work. Personal laptops and smartphones used by employees might expose a small firm to the dangers of unauthorized access to proprietary data, files, and systems. Such solutions remain the need of the hour and growing focus of many companies around the world.

For instance, in September 2022, AaDya Security, a cyber-security firm, announced the availability of passwordless authentication for Judy, the first all-in-one cybersecurity solution for SMEs. The new security feature protects how small business employees access company resources, mainly when they operate remotely and on mobile phones and personal laptops.

The growing requirement for an additional layer of protection beyond passwords fuels the growth of the passwordless authentication industry. To authenticate identities, fingerprint sensors and smartcards are utilized, and these security points allow for a seamless experience and data flow across locations. Most businesses are using voice biometric authentication in their workplaces for their personnel.

Reduced fraud exposure and lower authentication costs often drive organizations to implement voice biometric technology in their facilities. For instance, in July 2022, Turant Inc., a voice biometric AI firm, launched its cutting-edge AI solution in India. The company seeks to eliminate OTP-related fraud in transactions across use cases across business/industry domains, including e-commerce deliveries, by making it available in all Indian languages and roughly 20,000 dialects.

Furthermore, due to the increasing number of incidences of data theft around the world, passwordless authentication has gained popularity. Data theft issues in devices such as computers, cellphones, and tablets have increased the requirement for protection beyond passwords. fingerprint sensors and facial recognition are ways modern gadgets can be secured to prevent data theft.

For instance, in August 2022, ForgeRock, an international identity and access management software business, established strategic cooperation with Israeli software company Secret Double Octopus. ForgeRock will use SDO technology to provide employees, contractors, and vendors with a unified multi-factor secure experience. ForgeRock Enterprise Connect, the new solution, connects effortlessly with any ForgeRock deployment option, allowing organizations to gain increased security for databases, workstations, VPNs, and servers.

**Passwordless Authentication Market Segmentation**

Grand View Research has segmented the global passwordless authentication market based on component, product type, authentication type, portability, end-user, and region:

**Passwordless Authentication Market - Component Outlook (Revenue, USD Million, 2017 - 2030)**

*   Hardware
*   Software
*   Services

**Passwordless Authentication Market - Product Type Outlook (Revenue, USD Million, 2017 - 2030)**

*   Fingerprint Authentication
*   Palm Recognition
*   Iris Recognition
*   Face Recognition
*   Voice Recognition
*   Smart Card
*   Others

**Passwordless Authentication Market - Type Outlook (Revenue, USD Million, 2017 - 2030)**

*   Single-factor Authentication
*   Multi-factor Authentication

**Passwordless Authentication Market - Portability Outlook (Revenue, USD Million, 2017 - 2030)**

*   Fixed
*   Mobile

**Passwordless Authentication Market - End-user Outlook (Revenue, USD Million, 2017 - 2030)**

*   IT & Telecom
*   Retail
*   Transportation & Logistics
*   Aerospace & Defense
*   BFSI
*   Healthcare
*   Government
*   Others

**Passwordless Authentication Market - Regional Outlook (Revenue, USD Million, 2017 - 2030)**

*   North America

*   U.S.
*   Canada
*   Mexico

*   Europe

*   U.K.
*   Germany
*   France

*   Asia Pacific

*   China
*   India
*   Japan

*   Central & South America

*   Brazil

*   Middle East and Africa (MEA)

**List of Key Players in the Passwordless Authentication Market**

*   ASSA ABLOY
*   DERMALOG Identification Systems GmbH
*   East Shore Technology, LLC
*   Fujitsu
*   HID Global Corporation
*   M2SYS Technology
*   Microsoft
*   NEC Corporation
*   Safran
*   Thales.

**Check out more related studies published by Grand View Research:**

*   Facial Recognition Market **\-** The global facial recognition market size is expected to reach USD 12.11 billion by 2028 according to a new report by Grand View Research, Inc. The market is anticipated to expand at a CAGR of 15.4% from 2021 to 2028. Facial recognition is a contactless biometric solution that is a critical factor contributing the market growth.
*   Multi-factor Authentication Market \- The global multi-factor authentication (MFA) market size is expected to reach USD 17.76 billion by 2025, according to a new study by Grand View Research, Inc., experiencing a CAGR of 15.07% during the forecast period. Increasing implementation of BYOD and cloud-based services across enterprises, along with the growing security regulations and mandates, is benefiting market growth.
*   3D Secure Payment Authentication Market \- The global 3D secure payment authentication market size is expected to reach USD 2.76 billion by 2030, growing at a CAGR of 12.2% from 2022 to 2030, according to a new study conducted by Grand View Research, Inc. The rising demand for e-commerce has augmented the use of Card Not Present (CNP) transactions. As a result of such an increase in CNP transactions, the growth in CNP fraud transactions has been observed over the past few years.

**Browse through Grand View Research's** Next Generation Technologies Industry **Research Reports.**

**About Grand View Research**

Grand View Research, U.S.-based market research and consulting company, provides syndicated as well as customized research reports and consulting services. Registered in California and headquartered in San Francisco, the company comprises over 425 analysts and consultants, adding more than 1200 market research reports to its vast database each year. These reports offer in-depth analysis on 46 industries across 25 major countries worldwide. With the help of an interactive market intelligence platform, Grand View Research Helps Fortune 500 companies and renowned academic institutes understand the global and regional business environment and gauge the opportunities that lie ahead.

Passwordless Authentication Market to Be Worth $55.7 Billion by 2030: Grand View Research, Inc.

By Deeba Ahmed
Okta has, however, confirmed that attackers couldn’t access its customer data or services. Authentication giant Okta has suffered…
This is a post from HackRead.com Read the original post: GitHub Attack Allowed Attackers to Steal Okta’s Source Code

Okta has, however, confirmed that attackers couldn’t access its customer data or services.

Authentication giant Okta has suffered yet another security breach. Reportedly, someone stole Okta’s source code after attacking its repositories on **GitHub**.

Okta’s chief security officer, David Bradbury, issued a “confidential” email notification to their “security contacts,” revealing that the suspicious activity the company detected earlier in December 2022 has led to the leaking of its code repositories.

“Upon investigation, we have concluded that such access was used to copy Okta code repositories,” Okta’s notification read.

“We have decided to share this information consistent with our commitment to transparency and partnership with our customers,” Okta explained.

According to Bradbury, GitHub notified it about a possible suspicious activity and that someone accessed its code repositories. Okta launched an investigation and concluded that the access had indeed occurred. In response, the company temporarily restricted access to Okta GitHub repositories and suspected all GitHub integrations with 3rd party apps.

Okta has confirmed that the attackers couldn’t access its customer data or services, **reports** Bleeping Computer. Hence, users of its different services, including HIPAA, DoD, and FedRAMP, were unaffected by this incident and didn’t need to adopt threat-prevention practices.

It is worth noting that the users of these services are mainly US-based government, healthcare, and defence organizations.

**Okta and Cyber Attacks**

Okta is a cloud-based identity and access management platform that provides secure single sign-on, user provisioning, data security and mobile device management.

The company already had a troublesome year regarding security. **In March 2022**, Okta confirmed a data breach by the ransomware group LAPSUS$, and in September, Auth0, which is owned by Okta, reported the theft of its old source code.

**Possible Repercussions?**

There’s no doubt that source code is a valuable asset, and its stealing or leaking can have far-reaching consequences. Okta, a mainstream authentication platform, should be really concerned because attackers can use its source code to discover hidden flaws and launch new attacks against its customers.

So far, this breach seems limited to Okta’s Workforce Identity Cloud product and not Auth0 Customer Identity Cloud. Okta plans to share more findings about the incident soon.

1.  **LastPass Security Breach – Hackers Steal Source Code**
2.  **Source codes exposed in Microsoft Azure Blob account leak**
3.  **Lapsus$ Hackers Stole T-Mobile’s Source Code, Systems Data**
4.  **Twitch hacked- Source code, Streamer payment figures leaked**
5.  **Samsung confirms data breach as Lapsus$ leak its source code**

GitHub Attack Allowed Attackers to Steal Okta’s Source Code

More zero knowledge attacks, more leaked credentials, more Gen-Z cyber crimes - 2022 trends and 2023 predictions.
Cybercrime remains a major threat to individuals, businesses, and governments around the world. Cybercriminals continue to take advantage of the prevalence of digital devices and the internet to perpetrate their crimes. As the internet of things continues to develop, cybercriminals

More zero knowledge attacks, more leaked credentials, more Gen-Z cyber crimes - 2022 trends and 2023 predictions.

Cybercrime remains a major threat to individuals, businesses, and governments around the world. Cybercriminals continue to take advantage of the prevalence of digital devices and the internet to perpetrate their crimes. As the internet of things continues to develop, cybercriminals will have access to a greater number of vulnerable devices, allowing them to carry out more sophisticated attacks. Cybercrime is expected to become increasingly profitable as criminals continue to find new and better ways to monetize their attack as entry barriers to cybercrime keep going down.

This article discusses key trends we've noticed in 2022 that will likely continue in 2023, which we'll also elaborate on in the upcoming webinar "The Rise of the Rookie Hacker - a new trend to reckon with" on January 11th.

****Leaked credentials will continue to be the main attack vector for initial access****

According to IBM's cost of a breach 2022 report, use of stolen or compromised credentials remains the most common cause of a data breach.

The main source for leaked credentials in 2022 was Info-Stealers - a malware that can steal stored credentials from browsers, cookies (used for session hijacking and to bypass MFA), crypto wallets, and more. Redline Stealer, in particular, gained a lot of popularity among threat actors which led to the creation of several other stealers such as the "Luca stealer" and the "eternity stealer". The latter is part of an end-to-end offering named the eternity project, which allows threat actors to buy or rent any tool they need to launch an attack against a target of their choosing.

Stolen or compromised credentials were the primary attack vector in 19% of breaches in the 2022 study and also the top attack vector in the 2021 study. This trend is most likely to keep in its upward trajectory as a whopping 59% of organizations don't deploy zero-trust, incurring an average of 1 million USD in greater breach costs compared to those that do deploy. Until organizations' cybersecurity will mature, the volume and cost of breaches will continue to rise.

****A rise in zero-knowledge attacks****

Cybercrimes such as DDoS, malware, and ransomware are all offered as subscription services, lowering the entry barrier into cybercrime. For example, per the Microsoft Digital Defense Report 2022, phishing kits are offered on the dark web from as little as $6 and DDoS attack subscriptions for as little as $500. Ransomware-as-a-Service offered as an affiliates model is the preferred method by actors, this means "renting" an already made operation and splitting the revenue based on income and activity. The rise of "clearnet malware" - malware that can be purchased on everyday platforms like Telegram (Hello again eternity project!) helps simplify setting up a cybercrime campaign or operation. The proliferation of crypto payment platforms makes it even easier to trade in cybercrime products and services, pushing the entire cybercrime ecosystem even further.

****Younger threat actors - average age will continue to drop****

In terms of cyberattacks, 2022 was Gen Z's time to shine, leading with UK teen group Lapsus$ that went on a hacking spree targeting tech titans like Microsoft, Nvidia, Samsung, Ubisoft, and Okta. Generation Z is currently the largest generation on earth. Besides their strength in numbers, they are "digital natives", being born into a world with the internet, smartphones, cloud technologies, and social networks. Being young, they naturally crave social validation which they get in the digital sphere. Lapsus$'s main motivator was "Kudos" - they were "doing it for the lulz". The ease of launching zero-knowledge attacks, combined with Gen Z's digital nativeness and their need for social validation in the digital sphere will most likely contribute to the continuous drop in the average age of cyber criminals.

****We'll still need humans in the loop****

Enterprises invest billions of dollars deploying multi-layered security frameworks, platforms, and programs, but at the end of the day, enterprises are made of people, and people can be tricked.

Social engineering is an increasingly popular tactic used by cyberattackers to gain access to sensitive data. It involves exploiting human psychology to manipulate victims into providing confidential information or taking certain actions in order to gain access to a system or network.

LAPSUS$'s modus operandi was based on a text-book sim swapping scam. They bought credentials of the person with the right access to resources within an enterprise, called the phone provider, reporting the phone stolen, rerouted the sim to their own phone, triggered multi factor authentication on an enterprise access point (e.g. Office365 login page), and did a password reset. It was ridiculously simple and devastatingly efficient.

The best technology in the world can't completely remove the risk of human vulnerability. For that you need other humans trained in that. The cybersecurity workforce gap compelled enterprises to outsource this part of their cybersecurity to a managed detection and response (MDR) service. In fact, (according to Reportlinker.com) the global MDR market size is expected to grow from an estimated value of 2.6 billion USD in 2022 to 5.6 billion USD by 2027, at a Compound Annual Growth Rate (CAGR) of 16.0%. Technology is great, machines are great, but we still need humans.

Join Ronen Ahdut, Head of Cyber Threat Intelligence at Cynet for a webinar "The Rise of the Rookie Hacker - a new trend to reckon with" on January 11th at 10AM ET / 15:00 GMT. The webinar will deep-dive into 2023 cybersecurity trends, threats, and technology, including the need for human oversight in cybersecurity and how to detect these new threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Rise of the Rookie Hacker - A New Trend to Reckon With

Microsoft on Tuesday disclosed it took steps to suspend accounts that were used to publish malicious drivers that were certified by its Windows Hardware Developer Program were used to sign malware.
The tech giant said its investigation revealed the activity was restricted to a number of developer program accounts and that no further compromise was detected.
Cryptographically signing malware is

Microsoft on Tuesday disclosed it took steps to suspend accounts that were used to publish malicious drivers that were certified by its Windows Hardware Developer Program were used to sign malware.

The tech giant said its investigation revealed the activity was restricted to a number of developer program accounts and that no further compromise was detected.

Cryptographically signing malware is concerning not least because it not only undermines a key security mechanism but also allows threat actors to subvert traditional detection methods and infiltrate target networks to perform highly privileged operations.

The probe, Redmond stated, was initiated after it was notified of rogue drivers being used in post-exploitation efforts, including deploying ransomware, by cybersecurity firms Mandiant, SentinelOne, and Sophos on October 19, 2022.

One notable aspect of these attacks was that the adversary had already obtained administrative privileges on compromised systems before using the drivers.

"Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature," Microsoft explained. "A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers' accounts in early October."

According to an analysis from Sophos threat actors affiliated with the Cuba ransomware (aka COLDDRAW) planted a malicious signed driver in a failed attempt at disabling endpoint detection tools via a novel malware loader dubbed BURNTCIGAR, which was first revealed by Mandiant in February 2022.

The company also identified three variants of the driver signed by code signing certificates that belong to two Chinese companies, Zhuhai Liancheng Technology and Beijing JoinHope Image Technology.

The reasoning behind using signed drivers is that it offers a way for threat actors to get around crucial security measures which require kernel-mode drivers to be signed in order for Windows to load the package. What's more, the technique misuses the de facto trust security tools place in Microsoft-attested drivers to their advantage.

"Threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers," Sophos researchers Andreas Klopsch and Andrew Brandt said. "Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance."

Google-owned Mandiant, in a coordinate disclosure, said it observed a financially motivated threat group known as UNC3944 employing a loader named STONESTOP to install a malicious driver dubbed POORTRY that's designed to terminate processes associated with security software and delete files.

Stating that it has "continually observed threat actors use compromised, stolen, and illicitly purchased code-signing certificates to sign malware," the threat intelligence and incident response firm noted that "several distinct malware families, associated with distinct threat actors, have been signed with this process."

This has given rise to the possibility that these hacking groups could be leveraging a criminal service for code signing (i.e., malicious driver signing as a service), wherein the provider gets the malware artifacts signed through Microsoft's attestation process on behalf of the actors.

STONESTOP and POORTRY are said to have been used by UNC3944 in attacks aimed at telecommunication, BPO, MSSP, financial services, cryptocurrency, entertainment, and transportation sectors, SentinelOne said, adding a different threat actor utilized a similar signed driver that resulted in the deployment of Hive ransomware.

Microsoft has since revoked the certificates for impacted files and suspended the partners' seller accounts to counter the threats as part of its December 2022 Patch Tuesday update.

This is not the first time digital certificates have been abused to sign malware. Last year, a Netfilter driver certified by Microsoft turned out to be a malicious Windows rootkit that was observed communicating with command-and-control (C2) servers located in China.

It's not a Windows-only phenomenon, however, as Google this month published findings that compromised platform certificates managed by Android device makers including Samsung and LG had been used to sign malicious apps distributed through unofficial channels.

The development also comes amid a broader abuse of signed drivers to sabotage security software in recent months. The attack, referred to as Bring Your Own Vulnerable Driver (BYOVD), involves exploiting legitimate drivers that contain known shortcomings to escalate privileges and execute post-compromise actions.

Microsoft, in late October, said it's enabling the vulnerable driver blocklist (DriverSiPolicy.p7b) by default for all devices with Windows 11 2022 update, alongside validating that it's the same across different operating system versions, following an Ars Technica report that highlighted inconsistencies in updating the blocklist for Windows 10 machines.

"Code signing mechanisms are an important feature in modern operating systems," SentinelOne said. "The introduction of driver signing enforcement was key in stemming the tide of rootkits for years. The receding effectiveness of code signing represents a threat to security and verification mechanisms at all OS layers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems

The company has taken measures to mitigate the risks, but security researchers warn of a broader threat.

Less than two weeks ago, the United States Cybersecurity & Infrastructure Security Agency and FBI released a joint advisory about the threat of ransomware attacks from a gang that calls itself “Cuba.” The group, which researchers believe is, in fact, based in Russia, has been on a rampage over the past year targeting an increasing number of businesses and other institutions in the US and abroad. New research released today indicates that Cuba has been using pieces of malware in its attacks that were certified, or given a seal of approval, by Microsoft.

Cuba used these cryptographically signed “drivers” after compromising a target's systems as part of efforts to disable security scanning tools and change settings. The activity was meant to fly under the radar, but it was flagged by monitoring tools from the security firm Sophos. Researchers from Palo Alto Networks Unit 42 previously observed Cuba signing a privileged piece of software known as a “kernel driver” with an NVIDIA certificate that was leaked earlier this year by the Lapsus$ hacking group. And Sophos says it has also seen the group use the strategy with compromised certificates from at least one other Chinese tech company, which security firm Mandiant identified as Zhuhai Liancheng Technology Co. 

“Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity,” the company said in a security advisory today. “Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature … The signed malicious drivers were likely used to facilitate post-exploitation intrusion activity such as the deployment of ransomware.”

Sophos notified Microsoft about the activity on October 19 along with Mandiant and security firm SentinelOne. Microsoft says it has suspended the Partner Center accounts that were being abused, revoked the rogue certificates, and released security updates for Windows related to the situation. The company adds that it hasn't identified any compromise of its systems beyond the partner account abuse.

Microsoft declined WIRED's request to comment beyond the advisory.

“These attackers, most likely affiliates of the Cuba ransomware group, know what they’re doing—and they’re persistent," says Christopher Budd, director of threat research at Sophos. “We’ve found a total of 10 malicious drivers, all variants of the initial discovery. These drivers show a concerted effort to move up the trust chain, starting at least this past July. Creating a malicious driver from scratch and getting it signed by a legitimate authority is difficult. However, it’s incredibly effective, because the driver can essentially carry out any processes without question."

Cryptographic software signing is an important validation mechanism meant to ensure that software has been vetted and anointed by a trusted party or “certificate authority.” Attackers are always looking for weaknesses in this infrastructure, though, where they can compromise certificates or otherwise undermine and abuse the signing process to legitimize their malware. 

“Mandiant has previously observed scenarios when it is suspected that groups leverage a common criminal service for code signing,” the company wrote in a report published today. “The use of stolen or fraudulently obtained code signing certificates by threat actors has been a common tactic, and providing these certificates or signing services has proven a lucrative niche in the underground economy.”

Earlier this month, Google published findings that a number of compromised “platform certificates” managed by Android device makers including Samsung and LG had been used to sign malicious Android apps distributed through third-party channels. It appears that at least some of the compromised certificates were used to sign components of the Manuscrypt remote access tool. The FBI and CISA have previously attributed activity associated with the Manuscrypt malware family to North Korean state-backed hackers targeting cryptocurrency platforms and exchanges.

“In 2022, we’ve seen ransomware attackers increasingly attempting to bypass endpoint detection and response products of many, if not most, major vendors,” Sophos' Budd says. “The security community needs to be aware of this threat so that they can implement additional security measures. What’s more, we may see other attackers attempt to emulate this type of attack.”

With so many compromised certificates flying around, it seems that many attackers have already gotten the memo about shifting toward this strategy.

Tag

#samsung