The Chinese government recently began saber-rattling about American cyberespionage. The catch? It’s all old news.

For the best part of a decade, US officials and cybersecurity companies have been naming and shaming hackers they believe work for the Chinese government. These hackers have stolen terabytes of data from companies like pharmaceutical and video game firms, compromised servers, stripped security protections, and highjacked hacking tools, according to security experts. And as China’s alleged hacking has grown more brazen, individual Chinese hackers face indictments. However, things may be changing.

Since the start of 2022, China’s Foreign Ministry and the country’s cybersecurity firms have increasingly been calling out alleged US cyberespionage. Until now, these allegations have been a rarity. But the disclosures come with a catch: They appear to rely on years-old technical details, which are already publicly known and don’t contain fresh information. The move may be a strategic change for China as the nation tussles to cement its position as a tech superpower.

“These are useful materials for China’s tit-for-tat propaganda campaigns when they faced US accusation and indictment of China’s cyberespionage activities,” says Che Chang, a cyber threat analyst at the Taiwan-based cybersecurity firm TeamT5.

China’s accusations, which were noted by security journalist Catalin Cimpanu, all follow a very similar pattern. On February 23, Chinese security company Pangu Lab published allegations that the US National Security Agency’s elite Equation Group hackers used a backdoor, dubbed Bvp47, to monitor 45 countries. The _Global Times_, a tabloid newspaper that’s part of China’s state-controlled media, ran an exclusive report on the research. Weeks later, on March 14, the newspaper had a second exclusive story about another NSA tool, NOPEN, based on details from China’s National Computer Virus Emergency Response Center. A week later, Chinese cybersecurity firm Qihoo 360 alleged that US hackers had been attacking Chinese companies and organizations. And on April 19, the _Global Times_ reported on further National Computer Virus Emergency Response Center findings about HIVE, malware developed by the CIA.

The reports are accompanied with a flurry of statements—often in response to questions from the media—by China’s Foreign Ministry spokespeople. “China is gravely concerned over the irresponsible malicious cyber activities of the US government,” Foreign Ministry spokesperson Wang Wenbin said in April after one of the announcements. “We urge the US side to explain itself and immediately stop such malicious activities.” Over the first nine days of May, Foreign Ministry spokespeople commented on US cyber activities at least three times. “One cannot whitewash himself by smearing others,” Zhao Lijian said in one instance.

While cyber activity undertaken by state actors is often wrapped in highly classified files, many hacking tools developed by the US are no longer secret. In 2017, WikiLeaks published 9,000 documents in the Vault7 leaks, which detailed many of the CIA’s tools. A year earlier, the mysterious Shadow Brokers hacking group stole data from one of the NSA’s elite hacking teams and slowly dripped the data to the world. The Shadow Brokers leaks included dozens of exploits and new zero-days—including the Eternal Blue hacking tool, which has since been used repeatedly in some of the largest cyberattacks. Many of the details in the Shadow Brokers leaks match up with details about NSA which were disclosed by Edward Snowden in 2013. (An NSA spokesperson said it has “no comment” for this story; the agency routinely does not comment on its activities.)

Ben Read, director of cyberespionage analysis at the US cybersecurity firm Mandiant, says China’s state media push of alleged US hacking seems to be consistent, but it mostly contains older information. “Everything that I've seen they've written about, they tie back to the US through either the Snowden leaks or Shadow Brokers,” Read says.

Pangu Lab’s February report on Bvp47—the only publication on its website—says it initially discovered the details in 2013 but pieced them together after the Shadow Brokers leaks in 2017. “The report was based on a decade-old malware, and the decryption key is the same” as in WikiLeaks, Che says. The details of HIVE and NOPEN have also been available for years. Neither Pangu Labs or Qihoo 360, which has been on the US government sanctions list since 2020, responded to requests for comment on their research or methodology. A Pangu spokesperson previously said it recently published the old details, and it had taken a long time to analyze the data.

Megha Pardhi, a China researcher at Takshashila Institution, an Indian think tank, says the publications and follow-up comments from officials can serve multiple purposes. Internally, China can use it for propaganda and to send a message to the US that it has the capability to attribute cyber activity. But beyond this, there is a warning to other countries, Pardhi says. “The message is that even though you're allied with the United States, they're still gonna come after you.”

“We oppose and crack down in accordance with law all forms of cyberespionage and attacks,” Liu Pengyu, a spokesperson for the Chinese Embassy in the US, says in a statement. Liu did not respond directly to questions around the apparent uptick in finger-pointing at the US this year, the evidence that was being used to do so, or why this may be happening years after details originally emerged. China is widely considered to be one of the most sophisticated and active state cyber actors—involved in spying, hacking for espionage, and gathering data. Western officials consider the country to be the biggest cyber threat, ahead of Russia, Iran, and North Korea.

“Recently, there have been many reports of US carrying cybertheft and attacks on China and the whole world,” Liu says in a statement that reflects comments made by China’s Foreign Ministry spokespeople this year. “The US should reflect on itself and join others to jointly safeguard peace and security in cyberspace with a responsible attitude.”

Many of the disclosures in 2022—there are only a handful of previous Chinese accusations against the US—stem from private cybersecurity companies. This is similar to how Western cybersecurity companies report their findings; they are not always incorporated into government talking points, however, and state-backed media is all but nonexistent.

The potential shift in tactics could play into wider policies around technology use and development. In recent years, China’s policies have focused on positioning itself as a dominant force in technology standards in everything from 5G to quantum computers. A raft of new cybersecurity and privacy laws have detailed how companies should handle data and protect national information—including the potential for hoarding previously unknown vulnerabilities.

“One explanation is, possibly, that we are engaged in a kind of ideological—or if you want to put it more prosaically, a marketing—battle with China,” says Suzanne Spaulding, a senior adviser at the Center for Strategic and International Studies and previously a senior cybersecurity official in the Obama administration. The US-China relationship has been fraught in recent years, with tensions rising over national security issues, including concerns about the telecom giant Huawei. “China is offering, around the world, a competing model to Western-style democracy,” Spaulding says, noting that China may be responding to Western countries coming together on multiple issues since Russia invaded Ukraine.

In July 2021, China’s Ministry of Industry and Information Technology published plans to boost the private security industry by 2023. Companies based in China should spend more on their defenses against cyberattacks, the government department said at the time. It also said the whole cybersecurity industry within China should look to grow in size in the coming years, as well as bolster the development of network monitoring systems and threat detection techniques. “What we've started to see over the last couple of years, increasingly, is that companies in China are building their own capabilities,” says Adam Meyers, head of intelligence at the US cybersecurity firm CrowdStrike. “There's been a few that have waded into the threat intelligence space.”

But publicizing details of the long-known incidents still raises plenty of questions. Mandiant’s Read says he wonders exactly how many cyberespionage cases Chinese companies and authorities are finding. The answer would provide significant clues about their true capabilities. Read says: “Is this 50 percent of what they're finding? Is this 1 percent of what they're finding? Is this 90 percent of what they're finding?”

The move appears to be strategic, says TeamT5’s Che. “Considering the close relationship between China's cybersecurity firms and the Chinese government, our team surmises that these reports could be a part of China’s strategic distraction when they are accused of massive surveillance systems and espionage operations.”

The Mystery of China’s Sudden Warnings About US Hackers

The maintainers of the Tails project have issued a warning that the Tor Browser that's bundled with the operating system is unsafe to use for accessing or entering sensitive information.
"We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.)," the project said in an

The maintainers of the Tails project have issued a warning that the Tor Browser that's bundled with the operating system is unsafe to use for accessing or entering sensitive information.

"We recommend that you stop using Tails until the release of 5.1 (May 31) if you use Tor Browser for sensitive information (passwords, private messages, personal information, etc.)," the project said in an advisory issued this week.

Tails, short for The Amnesic Incognito Live System, is a security-oriented Debian-based Linux distribution aimed at preserving privacy and anonymity by connecting to the internet through the Tor network.

The alert comes as Mozilla on May 20, 2022 rolled out fixes for two critical zero-day flaws in its Firefox browser, a modified version of which acts as the foundation of the Tor Browser.

Tracked as CVE-2022-1802 and CVE-2022-1529, the two vulnerabilities are what's referred to as prototype pollution that could be weaponized to gain JavaScript code execution on devices running vulnerable versions of Firefox, Firefox ESR, Firefox for Android, and Thunderbird.

"For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session," the Tails advisory reads.

The bugs were demonstrated by Manfred Paul at the 15th edition of the Pwn2Own hacking contest held at Vancouver last week, for which the researcher was awarded $100,000.

However, Tor Browsers that have the "Safest" security level enabled as well as the Thunderbird email client in the operating system are immune to the flaws as JavaScript is disabled in both cases.

Also, the weaknesses don't break the anonymity and encryption protections baked into Tor Browser, meaning that Tails users who don't handle sensitive information can continue to use the web browser.

"This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn't have the capacity to publish an emergency release earlier," the developers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tails OS Users Advised Not to Use Tor Browser Until Critical Firefox Bugs are Patched

New threat hunting and risk identification service provides organizations with an enterprise-wide baseline of their threat landscape and risk exposure.

San Jose, Calif., 24 May 2022 – Forescout Technologies, the leader in automated cybersecurity, today announced the launch of Forescout Frontline, a new threat hunting service utilizing a team of highly-trained cybersecurity analysts to support cybersecurity teams by proactively identifying risks, enabling accelerated incident response, and maturing security posture. Forescout is offering this complimentary service for organizations that lack the internal resources and visibility to defend themselves from cybersecurity attacks, including ransomware and advanced persistent threats (APT).

“Cybersecurity attacks are on the rise. Simultaneously, cybersecurity teams are perennially understaffed and under resourced. This has created a perfect storm,” said Shawn Taylor, vice president of threat defense. “Organizations are under immense pressure to cope with the scale and speed of attacks and the havoc caused by the adversaries. Forescout is launching this new service to help organizations defend against attacks by providing a complete and holistic view of their assets.”

Many organizations use multiple security tools across multiple teams to help identify threats and risks. However, insights may be limited due to siloed views of IT, IoT, IoMT or OT assets. Typically, a variety of these asset types exist across an organization’s digital terrain and are often interconnected, which means cybersecurity risk must be identified and tackled holistically.

Delivered by Forescout Frontline analysts, the Threat Hunting and Risk Identification Service overcomes staffing resources and asset visibility challenges to uncover threats and identify risks that may otherwise remain undiscovered. Forescout Frontline will help organizations:

Discover, validate and prioritize a wide variety of cyber threats and vulnerabilities across all assets, including IT, IoT, IoMT and OT

Analyze the context and risk associated with all findings

Leverage the comprehensive insights to develop effective risk mitigation and remediation strategies

A State of Florida Agency, which supports several key Florida departments, engaged Forescout Frontline to understand each instance of Log4j, a zero-day vulnerability in a popular Java logging framework, across the organization’s 220 sites in 16 diverse divisions. In less than a day and a half, Forescout Frontline delivered insights into thousands of assets with vulnerabilities such as Log4j and Windows-based PrintNightmare. Additionally, hundreds of Critical CVSS-rated vulnerabilities affecting infrastructure devices such as switches and routers were found. Finally, actionable intelligence concerning critical embedded IoT TCP-IP stack-based instances such as NUCLEUS: 13 and RIPPLE 20, insecure communications, and other risks were also discovered. Leveraging this free service shrunk time to mitigation and remediation of these security gaps and improved overall security posture.

“When Log4J broke, we knew it was a critical issue, but we lacked a full picture of the risk within our extended enterprise. The \[Forescout threat hunting\] report was way more thorough than I expected, with in-depth information and actionable intelligence. Not just on Log4j but on other critical vulnerabilities as well, and not just in general terms but exactly where they exist in our environment.” – Information Security Manager, State of Florida Agency

Forescout Frontline levels the cybersecurity playing field by operationalizing the vulnerability research and threat intelligence produced by Forescout’s Vedere Labs and enhancing it with the Forescout Continuum Platform to provide threat hunting services across multiple dimensions. Forescout Frontline analysts include former public sector and private sector threat hunters with training in threat detection and incident response.

To learn more about Forescout Frontline visit here and for further insight into how a State of Florida agency benefitted from this new service visit here.

**About Forescout**

Forescout Technologies, Inc. delivers automated cybersecurity across the digital terrain, maintaining continuous alignment of customers’ security frameworks with their digital realities, including all asset types – IT, OT, IoT, IoMT. The Forescout Continuum Platform provides complete asset visibility, continuous compliance, network segmentation and a strong foundation for Zero Trust. For more than 20 years, Fortune 100 organizations and government agencies have trusted Forescout to provide automated cybersecurity at scale. Forescout arms customers with data-powered intelligence to accurately detect risks and quickly remediate cyberthreats without disruption of critical business assets.

Managing cyber risk, together.

Forescout Launches Forescout Frontline to Help Organizations Tackle Ransomware and Real Time Threats

Gartner's security service edge fundamentally changes how companies should be delivering data protection in a cloud and mobile first world.

Do you live life on the edge? If you're a rock climber, skydiver, or striving to be a TikTok dance influencer, the answer might be yes. Putting yourself out there requires risk but can be rewarding. Why? When you are able to confidently look risk in the eye and say "I win," that dopamine hit makes you feel invincible! So, do you feel the same way about your data protection? Letting your data protection live on the edge might sound risky, but in reality it's a step in the right direction, and it dramatically transforms how you think and deliver data security.

Before we get too far into it, let's actually explore what the "edge" means. If you're familiar with Gartner's latest collection of letter-soup offerings for the security industry, you probably know where this is going. Secure access service edge (SASE) and its better half, security service edge (SSE), are frameworks that define how organizations should think about cloud security platforms. In short, organizations are being encouraged to double down on SSE, which unifies all security services into a zero-trust cloud platform. SSE follows the user over any connection, drives down risk with always-on protection, and ditches the cost and complexity of point products like SWG, DLP, VPN, CASB, firewalls, and sandboxes. It's the next big thing, but how does this change data protection?

Let's start with the traditional view of data protection, which has been driven by DLP and CASB vendors over the last several years. The discussion focuses on how users interact with data, how the data is handled (sometimes dangerously), and how the internal threat to your data should be controlled. It's the standard data-protection pitch you've probably heard multiple times. Well, here are the real questions: What about the _external_ threat? Which has the most potential to damage your organization: internal or external threats? I often talk to customers that know they are losing data due to accidental user error but have come to accept it as background noise. Those same customers, when a data breach happens, spring into action with the force of a thousand caffeinated SOC employees. See my point? Now, please don't get me wrong — the internal threat shouldn't be neglected, but it's clear that the best strategy should masterfully combine both external and internal data threat protection. This is why SSE is such a powerful concept — if delivered correctly.

Since SSE focuses on incorporating data protection into a larger zero-trust, cyber-threat story, we should understand what that means. Like any great architecture, it starts with a strong foundation. In the case of SSE, that foundation without a doubt is inline proxy inspection, which enables SSL inspection. Want to keep data from leaking to the Internet? Want full visibility to find and classify sensitive data? Want to stop data exfiltration during a breach? They all require full, scalable SSL inspection. Inline inspection sets up everything else, which is why it's so important to get that part right. But there's a big caveat here — your inline security cloud needs to prove that it can deliver when the going gets tough. If it can't perform or scale, everyone across the organization will immediately know there's a problem.

After that, stopping external and internal threats with SSE becomes easy. First, start with SWG to block risky destinations and content. This prevents external threats like phishing and ransomware from targeting your users and data. Add to that a helping of sandbox and AI/ML to quickly stop zero-days and advanced threats. Now, move to DLP, which is the core building block of great data protection. Define this to find and control your sensitive content and then send it hunting across your data in motion and at rest in your clouds (with CASB). Since you're already inline, and everything is unified, you only have one policy, which reduces complexity and alert noise. You get full control over user and cloud app activity, and can ensure data isn't accidentally or maliciously lost. Once you've tackled the basics, you can move on to other aspects of data protection, like browser isolation for BYOD or UEBA to quickly zero in on suspicious activity. Best of all, services can be easily added as you grow.

Hopefully, you're beginning to see that the right SSE platform can drastically change how you deliver data protection. It applies a more holistic approach to securing data, and equally focuses on external and internal threats, while drastically reducing cost, complexity, and overall risk. So as you look to evolve your data protection strategy, remember to live life on the edge! And maybe keep those TikTok videos to yourself.

**About the Author**

    

Steve Grossenbacher is Director of Product Marketing at Zscaler, where he currently focuses on data protection. Prior to Zscaler, Steve held marketing, competitive, sales engineering and support positions at McAfee and Xerox Engineering Systems. With more than 20 years of experience in the network and security industry, he has helped companies navigate the ever-changing world of IT and currently helps organizations securely transform their networks to a cloud-first architecture

Is Your Data Security Living on the Edge?

Open source software community initiative utilizes blockchain technology.

**Sunnyvale & San Diego, Calif., May 25, 2022** — (swampUP 2022) – JFrog Ltd. (“JFrog”) (NASDAQ: FROG), the Liquid Software company and creators of the JFrog DevOps Platform, today introduced Project Pyrsia, an open-source software community initiative that utilizes blockchain technology to secure software packages (A.K.A Binaries) from vulnerabilities and malicious code. Available for sign-ups immediately, Project Pyrsia is an open-source-based, decentralized, secure build network and software package repository aimed at helping developers establish chain of provenance for their software components, creating greater confidence and trust.

“Open-source is everywhere, and while it has always been seen as a seed for innovation and modernization, the recent rise of software supply chain attacks has made every organization vulnerable,” said Shlomi Ben Haim, Co-Founder and CEO, JFrog. “Led by developers and for developers, JFrog is proud to work with the community on developing Project Pyrsia so everyone can continue to embrace open source with confidence, while protecting the software supply chain.”

Open-source software is a critical element of nearly every technology we use today – from our operating systems and browsers to the applications and services on which we depend to run our lives. Yet there’s no question the volume, sophistication and severity of software supply chain attacks has increased in the last year. In recent months the JFrog Security Research team tracked over 20 different open-source software supply chain attacks – two of which were zero-day threats. While open-source components are designed to make development more efficient, not knowing where your software comes from makes it hard-to-spot risks–seeding doubt and uncertainty about its safety.

Thus, JFrog and other open-source technology leaders, including Docker, DeployHub, Futureway, and Oracle – worked together to establish the Project Pyrsia network for validating the source and security of open-source software packages. With Pyrsia, developers can confidently use open-source software knowing their components have not been compromised, without needing to build, maintain, or operate complex processes for securely managing dependencies.

“At JFrog we believe open-source security will only be successful if we provide the community with the same tools and services that are available to enterprises,” said Stephen Chin, VP of Developer Relations, JFrog. “The combination of an open-source, customizable architecture, and a robust, active community makes Pyrsia the most transparent and trustworthy way to obtain secure software packages. We’re grateful for the help of our industry partners and the community for joining us in securing open source so it can remain a true fountain of innovation.”

Pyrsia aims to seamlessly integrate with the package management systems developers are already using today, so they can certify their software components without foregoing compatibility, security, or efficiency. Utilizing standards like Sigstore’s Cosign and Notary V2 allows developers to quickly access their containers leveraging the Pyrsia network. Using digital signatures, developers receive an immutable chain of evidence for their code, providing peace of mind from knowing the exact source of their packages.

To help guide developers on the process of using Pyrsia for validating software components, a select few entities will build and publish images that will be available for everyone’s use -otherwise known as ‘bootstrapping’ the project. Organizations interested in supporting Pyrsia can volunteer their resources to help establish the project’s first distributed network. From there, Project Pyrsia’s decentralized framework will help provide:

· An independent, secure build network for open-source software

· Trustworthiness of software packages

· Completeness of known open-source software dependencies

For more information on Project Pyrsia or to sign-up to be a contributor visit https://pyrsia.io/. You can also learn more about the project in this blog or chat directly with JFrog Community leaders and Project Pyrsia experts during swampUP 2022 taking place in San Diego, May 25 – 26. For more information and to register visit https://swampup.jfrog.com/.

**Supporting Quotes from Industry Partners**

_“The DeployHub team’s focus is firmly rooted in securing the supply chain, and there is no better place to start than fully auditing the build and package step. To that end, Pyrsia is the first open-source project to introduce improvements in this area via a ‘consensus build network.’ Disruption in this area is long overdue. DeployHub is proud to be part of this innovative team.” – Steve Taylor, CTO DeployHub, Inc._

_“At Docker we feel this is an exciting time for the community to work together on innovation around the supply chain and its core, critical components for build and packaging. We are excited to join and work together with the community on Project Pyrsia. There is a huge opportunity to build new kinds of infrastructure over the core container primitives that will foster innovation and better developer experiences.” – Justin Cormack, CTO, Docker_

_“Open-source project Pyrsia is developing a third-party attested, decentralized, distributed software package network that delivers secure, transparency and integrity for the open-source software package supply chain. Futurewei is committed to collaborating with open-source communities to accelerate the innovations for digital transformation via open-source, open standard, and open ecosystems. As open-source software becomes more pervasive, securing the open-source software supply chain becomes a critical issue. We are thrilled to be a founding member of Project Pyrsia and delighted to have the opportunity to collaborate with other members to accelerate Pyrsia for a secure and trusted open-source software supply chain ecosystem – bringing value to the open-source community.”– David Lai, Director, Cloud Infrastructure and Platform Architecture Open-Source Ecosystem Partnerships, Futurewei Technologies, Inc._

JFrog Launches Project Pyrsia to Help Prevent Software Supply Chain Attacks

Corelight Investigator aids threat hunting and investigation through intelligent alert aggregation, built-in queries and scalable search

SAN FRANCISCO, May 25, 2022 /PRNewswire/ -- Corelight, the leader in open network detection and response (NDR), today announced Corelight Investigator, a SaaS-based solution that extends the power of open-source driven network evidence to SOC teams everywhere. Investigator delivers advanced capabilities for transforming network and cloud activity into evidence in a fast, intuitive platform that is easy to deploy and use.

Based on insights learned from savvy defenders in the Zeek open source community, Corelight Investigator provides not only advanced analytics and open access to the best network evidence, but the ability to do custom evidence enrichment unique to each environment. With Corelight Investigator, security teams can quickly accelerate threat hunting and investigations by mapping threat activity across the MITRE ATT&CK® framework and reduce alert volume with intelligent alert scoring.

"We believe that evidence is at the heart of cybersecurity for any organization," said Brian Dye, CEO of Corelight. "We have the privilege of working with defenders of critical infrastructure that can afford data lake architectures and in-house analytics teams to execute their evidence-driven cyber strategy. Corelight Investigator brings the design patterns of those elite defenders to the broader enterprise by combining advanced analytics and threat hunting capability with the power of Zeek, the industry de-facto standard for network evidence."

**Full network visibility with next-level analytics  
**Corelight Investigator brings complete visibility of the network, both on-premise and in the cloud, with evidence that spans months and years, not days and weeks. Customers can leverage machine learning, behavioral analysis, threat intelligence and signatures, mapped to the MITRE ATT&CK framework, to enable broad coverage of network-centric threats.

This evidence leads to specialized detections and enables the threat hunting necessary for advanced, persistent, and personalized attacks. In addition, it supports custom enrichment of network evidence - such as asset information, vulnerabilities, or per-asset context - and links threat hunting and incident response through custom alerts, queries, and dashboards.

"Unlike competitive 'closed' solutions, Corelight Investigator brings a new level of openness to the SaaS NDR market that enables customers to fully understand the logic behind machine learning based detections, and freely integrates these alerts with their existing tools for the broadest coverage," said Clint Sand, senior vice president of product for Corelight.

**Powered by open source and novel research  
**"Along with the advanced analytics that Corelight Labs provides, another advantage of Corelight Investigator is its ability to harness the analytical power of the open source Zeek and Suricata communities. That provides broad-based threat coverage including rapid zero-day response capabilities," said Vern Paxson, co-founder and chief scientist for Corelight. "The open-source nature of Zeek helps us illuminate _why_ a detection happened, as well as rich information about its surrounding context."

Corelight Investigator customers can access richly detailed, interlinked Zeek logs including access to DNS responses, file hashes, SSL as well as logs created by Corelight Labs - which continually creates new analytics for evolving threats and vulnerabilities using cross-customer visibility with the speed of SaaS – for both investigating those alerts and enabling threat hunting.

"As attacks continue to evolve and grow in sophistication, security teams need NDR solutions that provide not only timely and accurate detections, but the supporting context to respond quickly and effectively," said John Grady, senior analyst with ESG. "Corelight meets these requirements by bringing rich network evidence from its decades-long open source Zeek heritage, combined with novel analytics from an array of inferences, making it a powerful contender in the space."

**University of Missouri powers network visibility with Corelight Investigator  
**For many organizations, it is not possible to staff a full security or development team dedicated to parsing the expansive volumes of network traffic. This is true for the research and support services team at the University of Missouri that needed a solution that could provide full network visibility without the management overhead and other fine-tuning often required with competing solutions.

"We are a large university and we need to have full network visibility," said Aaron Scantlin, security analyst at University of Missouri. "It was simple to set up, which means the rest of my time is spent doing advanced analysis and other work."

In addition, Corelight Investigator quickly identifies threats on the network so the team can take immediate action as well as provides access to the raw data for additional investigation.

"Corelight Investigator ingests events so that we can query them in a snap," said Scantlin. "It improves our security posture by providing instant access to events we need to act on."

**Pricing and availability  
**Corelight Investigator joins the Corelight Sensor product portfolio and will be generally available in June. Corelight customers and prospects can contact sales directly for pricing information. More information Corelight Investigator can be found on the Corelight website.

**About Corelight  
**Corelight provides security teams with network evidence so they can protect the world's most critical organizations and companies. Corelight's global customers include Fortune 500 companies, major government agencies, and large research universities. Based in San Francisco, Corelight is an open-core security company founded by the creators of Zeek®, the widely-used network security technology. For more information, www.corelight.com.

Corelight Announces New SaaS Platform for Threat Hunting

By Waqas
The privacy-oriented search engine and browser provider DuckDuckGo has received flak after a researcher identified Microsoft Trackers in…
This is a post from HackRead.com Read the original post: DuckDuckGo Allows Microsoft Trackers Despite No Tracking Policy – Researcher

The privacy-oriented search engine and browser provider DuckDuckGo has received flak after a researcher identified Microsoft Trackers in the company’s “private” web browser.

DuckDuckGo (DDG) has always promoted and marketed itself as a privacy-centric company that refrains from adding trackers to its products. The company boasted about launching a Private browser with default tracker blocking capabilities.

However, now, research revealed that the browser offers restricted tracking protection, and there are certain loopholes left to facilitate advertising data requests from Microsoft.

It is worth noting that Microsoft is a syndication partner of DuckDuckGo. Since the companies agree on syndicated search content, the DDG browser allows Microsoft trackers on 3rd party websites.

**Research Revealed Disturbing Facts**

According to researcher Zach Edwards, who shared his startling findings on the DuckDuckGo browser on Twitter, he discovered that DuckDuckGo’s mobile browsers didn’t block ad requests from Microsoft scripts as well as non-Microsoft web services.

When Edward examined the browser data flow on Workplace.com, he learned that although DDG informed its users about blocking Facebook and Google trackers, it allowed Microsoft trackers to receive data flows linked with the user’s browsing activities on a non-Microsoft site.

For your information, DuckDuckGo is a search engine that claims it never tracks user searches or behavior and never builds users’ profiles to display targeted ads, and only uses contextual ads from its partners, including Ads by Microsoft. Microsoft ads can track users’ IP addresses and other data after clicking on an ad link.

Researcher Zach Edwards on Twitter

**More DuckDuckGo and Search Engine News**

1.  What Are Dark Web Search Engines and How to Find Them?
2.  $4 billion lawsuit claims Google tracked iPhone users’ activities
3.  DuckDuckGo study claims Google Incognito searches are not private
4.  DuckDuckGo collecting user browsing data without consent (Updated)
5.  Camera privacy bug found in Firefox Android in 2019 hasn’t been fixed yet

DuckDuckGo’s privacy and no tracking policy

**DuckDuckGo CEO’s Response**

In response to Edwards’ tweets, DDG’s founder/CEO Gabe Weinberg tried to rubbish the findings by focusing more on the stuff their browser did block, including third-party cookies, even from Microsoft, tracker blocking, and HTTPS-always encryption service.

Moreover, Weinberg noted that the data flow issue was unrelated to DDG’s search engine. However, the DuckDuckGo browser has an exemption from blocking ad data transfers to subsidiaries of Microsoft like LinkedIn or Bing.

The data can be used to conduct cross-site tracking of users to display targeted advertisements. Weinberg, however, confirmed that their browser does allow Microsoft tracker 3rd party websites due to the agreement.

> “For non-search tracker blocking (e.g., in our browser), we block most third-party trackers. Unfortunately, our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon.”
> 
> Gabe Weinberg on Twitter

> “We have always been extremely careful to never promise anonymity when browsing because that frankly isn’t possible given how quickly trackers change how they work to evade protections and the tools we currently offer. When most other browsers on the market talk about tracking protection, they are usually referring to 3rd-party cookie protection and fingerprinting protection, and our browsers for iOS, Android, and our new Mac beta, impose these restrictions on third-party tracking scripts, including those from Microsoft.
> 
> What we’re talking about here is above-and-beyond protection that most browsers don’t even attempt to do — that is, blocking third-party tracking scripts before they load on 3rd party websites. Because we’re doing this where we can, users are still getting significantly more privacy protection with DuckDuckGo than they would be using Safari, Firefox, and other browsers. (…) Our goal has always been to provide the most privacy we can in one download, by default without any complicated settings.”
> 
> Weinberg to Bleeping Computer

Nevertheless, whatever may be the case, the issue seriously undermines the privacy claims made by DuckDuckGo for so long.

**More Privacy News**

1.  How data collected in gaming can be used to breach user privacy
2.  LinkedIn was copying every keystroke of users until iOS 14 exposed it
3.  Massive privacy risk as hacker sold 2 million MyFreeCams user records
4.  Israeli firm Kape Technologies buys ExpressVPN raising privacy concerns
5.  Hackers used macOS 0-days to bypass privacy features, take screenshots

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

DuckDuckGo Allows Microsoft Trackers Despite No Tracking Policy – Researcher

Verizon's "2022 Data Breach Investigations Report" repeatedly makes the point that criminals are stealing credentials to carry out their attacks.

Credentials, phishing, exploiting vulnerabilities, and botnets "pervade all areas of the DBIR, and no organization is safe without a plan to handle them all," Verizon's team of researchers wrote in this year's "Data Breach Investigations Report."

Attackers don't have to bother with zero-day vulnerabilities or build out elaborate attack tools when they can just steal credentials and log right in. Whether the report is looking at Web application attacks, email scams such as business email compromise, or malware, the theme was consistent: Stolen credentials played a role. 

DBIR is chock-full of charts and visualizations, so it is difficult to pick just one -- though the chart about what types of data attackers are stealing is a particularly striking. For a long time, criminals were interested in personal data -- data that could be used for identity theft or other types of financial fraud. While that is still the case, that is not the complete story. Attackers are focusing heavily on obtaining stolen credentials, since those credentials make carrying out other attacks even easier and harder to detect. The report considers 180 different actions that lead to data breaches, and the use of stolen credentials is the most common.

"We've long held that credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system," the report says.

Consider how ransomware gets onto the targeted system: 40% of ransomware incidents involve the use of desktop sharing software, such as remote desktop protocol. And the easiest way to access RDP is via weak passwords.

While third-party breaches represent just 1% of breaches in the 2022 dataset, about half of them involved the use of stolen credentials. 

Phishing and stolen credentials were the top two actions in data breaches involving social engineering attacks. The third is "pretexting," almost all of which are business email compromises. A quarter of BECs used stolen credentials against the victim organization, according to the report.

And finally, in the area of web application attacks, the vast majority of incidents use stolen credentials as their entry point. Over 80% of the breaches that was categorized under web application attacks in this year's DBIR can be attributed to stolen credentials. In comparison, the second most common action, exploiting vulnerabilities, is less than 20%.

"There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the last four years," the report says.

"Even if passwordless authentication isn't ready for prime time in your organization, the report findings can be used to help fund and implement multi-factor authentication," says Rick Holland, CISO and vice-president of strategy at Digital Shadows.

DBIR Makes a Case for Passwordless

A spyware vendor called Cytrox was found to be using several zero-day vulnerabilities in Google's Chrome browser and the Android kernel component. 
The post Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware appeared first on Malwarebytes Labs.

The Google Threat Analysis Group (TAG) has revealed that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company.

Did I hear someone say Pegasus? An educated guess, but wrong in this case. The name of the surveillance company—or better said, professional spyware vendor—is Cytrox and the name of its spyware is Predator.

**Google**

TAG routinely hunts for zero-day vulnerabilities exploited in-the-wild to fix the vulnerabilities in Google’s own products. If the group finds zero-days outside of its own products, it reports them to the vendors that own the vulnerable software.

Patches for the five vulnerabilities TAG mentions in its blog are available. Four of them affected the Chrome browser and one the Android kernel component.

**Vulnerabilities**

By definition, zero-day vulnerabilities are vulnerabilities for which no patch exists, and therefore potentially have a high rate of success for an attacker. That doesn’t mean that patched vulnerabilities are useless to attackers, but they will have a smaller number of potential targets. Depending on the product and how easy it is to apply patches, vulnerabilities can be useful for quite a while.

In the campaign uncovered by TAG, the spyware vendor used the zero-days in conjunction with other already-patched vulnerabilities. The developers took advantage of the time difference between the availability of patches for some of the critical bugs, as it can take a while before these patches are fully deployed across the Android ecosystem.

TAG says Cytrox abused four Chrome zero-days (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, and CVE-2021-38003) and a single Android zero-day (CVE-2021-1048) last year in at least three campaigns conducted on behalf of various governments.

**Cytrox**

TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Cytrox is one of these vendors, along with the NSO Group—undoubtedly the best known one among them and responsible for Pegasus spyware.

Citizenlab at the University of Toronto published information about Cytrox in December 2021. It says that Cytrox describes its own activities as providing governments with an “operational cyber solution” that includes gathering information from devices and cloud services. It also says it assists with “designing, managing, and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”

Cytrox reportedly began life as a North Macedonian start-up and appears to have a corporate presence in Israel and Hungary. As such, Cytrox is believed to be part of the so-called Intellexa alliance, a marketing label for a range of mercenary surveillance vendors that emerged in 2019. The consortium of companies includes Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, along with other unnamed entities, purportedly seeking to compete against other players in the cyber surveillance market such as NSO Group (Pegasus) and Verint.

**Government spyware**

Spyware packages such as Predator and Pegasus create problematic circumstances for the security teams at Google, Apple, and Microsoft, and it seems like they will not stop any time soon.

Whatever arguments these vendors use about how they are working for governments, and therefore not doing anything illegal, we all know the legitimacy of some governments lies in the eye of the beholder. And it is not always easy to find out who actually controls the data received from the spyware.

It is for good reason that the European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms. The EDPS argues that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.

Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware

An analysis from Google TAG shows that Android zero-day exploits were packaged and sold for state-backed surveillance.

At least eight governments around the world have purchased a package of Android zero-day exploits from a company called Cytrox and are using them to install spyware on targets' mobile phones. The development highlights the sophistication of off-the-shelf surveillance offerings, according to a recent report. 

Google's Threat Analysis Group (TAG) said that by taking advantage of the time difference that keep some systems from being updated for hours after patches were released, the Cytrox exploits allowed governments to target Android users with malware to record audio, add CA certificates, and hide apps, Google's TAG said.

The report explained that the governments of Armenia, Côte d’Ivoire, Egypt, Greece, Indonesia, Madagascar, Serbia, and Spain are confirmed to have used the Cytrox exploits in at least three state-backed campaigns, adding there are likely others. 

"Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," the TAG report said, adding that the group is currently tracking more than 30 additional surveillance vendors with the capability of selling tools to state-backed actors. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#zero_day