
ChatGPT's Effective Corporate Usage Might Eliminate Systemic Challenges

 

Today's AI is highly developed. Artificial intelligence combines disciplines that attempt to replicate the human brain's capacity to learn from experience and to make judgments based on that experience. Researchers use a variety of approaches to achieve this. In one paradigm, brute force is used: the computer system cycles through all possible solutions to a problem until it finds the one that can be proven correct.

"ChatGPT is really restricted, but good enough at some things to provide a misleading image of brilliance. It's a mistake to be depending on it for anything essential right now," said OpenAI CEO Sam Altman when the software was first launched on November 30. 

According to Nicola Morini Bianzino, global chief technology officer at EY, there is presently no killer use case for ChatGPT in industry that would significantly affect both the top and bottom lines. He projected an explosion of experimentation over the next six to twelve months, particularly once businesses are able to build on top of ChatGPT using OpenAI's API.

OpenAI CEO Sam Altman has acknowledged that ChatGPT and other generative AI technologies face several challenges, ranging from possible ethical implications to accuracy problems.

According to Bianzino, this prospect for generative AI's future will have a big impact on enterprise software, since companies will have to start considering novel ways to organize data inside the enterprise that go beyond conventional analytics tools. The ways people access and use information inside the company will change as ChatGPT and comparable tools advance and become capable of being trained securely on an enterprise's own data.

As per Bianzino, the creation of text and documentation will also require training and alignment to the appropriate ontology of the particular organization, as well as containment, storage, and control inside the enterprise. He stated that business executives, including the CTO and CIO, must be aware of these trends because, unlike quantum computing, which may not even be realized for another 10 to 15 years, the actual potential of generative AI may be realized within the next six to twelve months.

Decentralized peer-to-peer technology combined with blockchain and smart-contract capabilities overcomes the traditional challenges of privacy, traceability, trust, and security. In this way, data owners can share insights from data without having to relocate it or otherwise give up ownership of it.



Mousetrapping: What is it & how to Safeguard Against it?

 

Mousetrapping works the same way a traditional mousetrap does: you unknowingly walk into a trap designed to keep you stuck for as long as possible. Operators who use mousetraps aggressively market their products or services. They may even attempt to steal your personal details. So, how do you know when you've stepped into a trap?

Mousetrapping is an unethical practice used by some website operators to keep you on their site for longer than necessary. It is a technique that traps you in an endless loop of pages and pop-ups, preventing you from leaving a website.

Some operators will even open the new page you've been redirected to in a new window. You can't access the taskbar, toolbar, or browser menu while in this window, making it difficult to close. These websites may even deactivate the web browser's back or exit buttons, trapping you on the page until you exit the browser. In such cases, the only actionable buttons that work are those in pop-ups that force you to perform whatever action the website owner dictates.

"Your phone is hacked. Download this Antivirus Software Now.
99% of android users have this app on their phone.
Your government is tracking your phone. Install this VPN."

When you visit a website with mousetraps, you will encounter a lot of messages like this: pop-ups requesting you to download an app, visit another site, or even enter your phone number. Clicking the exit button on these pop-ups usually results in more call-to-action messages. Executing these actions and downloading the files will almost certainly result in the installation of malware on your computer and the theft of sensitive information.

How to Recognize a Mousetrap

The first step in making a mousetrap is to closely mimic the URL of a legitimate, popular website. It could be a celebrity's official website or your favorite newspaper. With a simple misspelling of the domain and a little code, the malicious site ends up in search engine results, because its code and content closely resemble those of the authentic website.

It is sometimes difficult to tell if a website is legitimate until you click on a link. Fortunately, there are methods for determining whether a website is genuine. The mousetraps are designed by the owners of these websites in order to capture as many clicks as possible from unwitting visitors. When you realize you've been duped, you immediately attempt to exit the site by clicking on a broken back button.

The logical next step would be to press the forward button or search the toolbar for an escape route. It is already too late at this point. It is nearly impossible to leave this way because the site owner has included lines of code that will open one ad banner after another for every click you make.

That isn't all. Because pop-ups appear quickly, you may end up with multiple windows open while trying to evade them. You must close each pop-up one by one, and the more clicks you make, the more the site owner benefits. The close button on pop-ups does not always work, resulting in more ads, banners, and redirects.

Mousetrapping isn't just for clicks. Some threat actors use these traps to keep their victims occupied. The pop-ups and windows are designed to keep you on the page while malware is downloaded onto your system.

How to Get Out of a Mousetrap

The obvious escape, like most traps, will most likely lead you deeper into the trap. The back button you rush to click will simply open an ad in another window or launch a barrage of banners, further frustrating you. Despite this, there are a few ways to get out of mousetraps.

1. Input Another URL Address
2. Disable JavaScript
3. Use Keyboard Shortcuts

It's difficult to spot a malicious website, especially if it's a carbon copy of a popular platform. When you realize you've been trapped and windows and pop-ups are appearing with every click, go to the URL bar and enter a new address. You should be able to close the opened windows using keyboard shortcuts.

However, prevention is always preferable to cure. Use web browsers that have add-ons and plug-ins that prevent redirects, advertisements, and unauthorized window openings. Another option is to disable JavaScript. Many site features, including pop-ups and banners, would be disabled.

After a Security Incident, CircleCI Urges Customers to Rotate Secrets

 


CircleCI, an American software development service, has suffered a security incident and has urged its users to rotate their secrets to contain the damage.

Security Issue Alerts for CircleCI Users

The American DevOps platform CircleCI recently announced a security incident and is urging its users to rotate their secrets. CircleCI is one of the most popular CI/CD platforms today, providing developers with continuous integration and delivery so they can ship code more quickly. A million people use the tool each year, and thousands of companies rely on it for their business; all of them have now been warned in the wake of this breach.

Rob Zuber, CircleCI's Chief Technology Officer, stated on the CircleCI blog that all secrets stored in CircleCI should be rotated immediately. This includes project environment variables and contexts, which may contain cryptographic material. CircleCI also addressed the issue on Twitter, warning customers to take precautions.

CircleCI assured its users that building applications with CircleCI was safe and that the company offered a secure platform. 

Besides sharing tools intended to assist teams in tracking down all the potentially compromised secrets, CircleCI has also announced it is working with Amazon Web Services to notify those customers who might have their tokens breached. 

Earlier, CircleCI warned customers regarding the circulation of a credential harvesting scam. This scam was attempting to trick users into entering their GitHub login credentials through what was presented as updated Terms of Service. 

Zuber also wrote that customers would be wise to review their internal system logs for the period from December 21, 2022, to January 4, 2023, and confirm that no unauthorized access took place. He further noted that all Project API tokens have been invalidated, so users will have to replace them.

Details on CircleCI Security Incident Not Provided

It is imperative to note that CircleCI has notified users of a security issue. It has offered advice on how to protect data. However, further details have yet to be released about what the problem is and what it entails. Despite this, as Rob Zuber stated in the blog post he wrote about CircleCI, it appears that the company intends to provide more details about the incident shortly. 

CircleCI Security Incidents Are Not New

CircleCI has dealt with breaches in the past, although the details of the current incident are still unclear. A breach occurred in 2019 when a compromised third-party analytics vendor was used to gain access to sensitive data through the company's network.

Furthermore, an attacker gained access to several usernames, email addresses, branch names, repository URLs, and IP addresses that can be used as attack credentials. According to the company, users were warned to review their repository and branch names when the issue occurred.

Don't Miss Open Source Software (OSS), While Assessing Cloud App Security

 

The software development process is becoming increasingly rapid. DevOps teams are under additional pressure to get to market quickly, thanks in part to open-source software (OSS) packages. OSS has become so common that it is estimated to account for 80 to 90% of any given piece of modern software.

However, while it has been a great accelerator to software development, OSS creates a large surface area that must be protected because there are millions of packages created anonymously that developers use to build software. Most open-source developers act in good faith; they want to make life easier for other developers who may face the same problem they are. According to GitHub’s Open Source Survey, “the most frequently encountered bad behavior is rudeness (45% witnessed, 16% experienced), followed by name calling (20% witnessed, 5% experienced) and stereotyping (11% witnessed, 3% experienced).”

Unfortunately, not every open-source software package can be relied on. Because attribution for modifications made to open-source code is difficult to track, identifying malicious actors who want to compromise the code's integrity becomes nearly impossible. Malicious open-source packages have been introduced both as protest, to highlight the fact that large corporations use these packages without funding their development, and for purely nefarious purposes.

If an OSS package used to build software contains a vulnerability, the resulting software contains that vulnerability too. As witnessed with Log4j last year, one such vulnerability has the potential to compromise millions of applications. According to OpenLogic's State of Open Source Report, 77% of organizations increased their use of OSS last year, and 36% reported that the increase was significant. But research from the Linux Foundation shows that only 49% of organizations have a security policy that covers OSS development or use. So, how can you effectively understand and reduce the threat that OSS poses to your cloud application development?

Get visibility

Understanding the surface area of your application is the first step in determining the type of threat you face. Integrate automation into your cybersecurity measures to gain visibility into the OSS packages and versions used in your software. You can incorporate this practice into your developers' workflow by starting as early as the integrated development environment (IDE).

Consider infrastructure as code (IaC) tools like Terraform. Do you know what modules you're using? Do they follow your security controls if they were built by someone else?

Once you understand the scope of your OSS usage, you can gradually begin to gain control. You must strike a balance between supervision and developer freedom and velocity.

Dig into open-source software

Supply-chain Levels for Software Artifacts (SLSA) is the industry standard, a set of standards and controls designed to "prevent tampering, improve the integrity, and secure packages and infrastructure in your projects." There are tools available that use SLSA to determine whether an OSS package has known issues before your developers begin using it.

The Open Source Security Foundation's (OpenSSF) composition analysis can help inform what that "allow list" should look like. Because these packages are used by tech giants, they have also gotten involved in open-source software security. Google pledged $100 million to "support third-party foundations, such as OpenSSF, that manage open-source security priorities and assist in the resolution of vulnerabilities." 

It also has a bug bounty program, which it refers to as a "reward program," to compensate researchers who discover bugs in open-source software packages. A separate initiative led by Amazon, Microsoft, and Google includes $10 million to strengthen open-source software security, but that represents only 0.001% of the companies' combined revenue in 2021. From there, you should either create an "allow list" of trusted sources and reject all others, or at the very least audit instances where non-allow-list sources are used.
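One way to put that audit into practice, as an added example that is not from the article or from any project it names: a small Python script that scans a pip requirements file for package sources outside an allow list, and can either report them or reject the file outright. The allow list, the requirements content and the internal artifact host are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Allow list of trusted package sources (constructed for this example; the
# internal artifact host is hypothetical).
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org", "artifacts.example.internal"}

# Constructed requirements file mixing trusted and unreviewed sources.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.org/simple
--extra-index-url https://pypi.mirror-of-unknown-origin.io/simple
requests==2.31.0
leftpad-fork @ git+https://github.com/someone/leftpad-fork.git@v1
internal-lib @ https://artifacts.example.internal/internal-lib-1.0.tar.gz
flask==3.0.0
"""

# pip options that change where plain "name==version" pins are resolved from.
SOURCE_OPTIONS = ("--index-url", "--extra-index-url", "--find-links")


def host_of(url):
    """Return the host a URL points at, ignoring a VCS prefix such as git+."""
    url = re.sub(r"^[a-z]+\+", "", url.strip())
    return urlsplit(url).hostname or ""


def audit_requirements(text, allowed_hosts=ALLOWED_HOSTS):
    """Return (line number, item, host) for every package source outside the allow list.

    Index and find-links options are checked because they decide where the
    unadorned pins resolve from; "name @ URL" lines are checked directly.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith(SOURCE_OPTIONS):
            parts = re.split(r"[ =]+", line, maxsplit=1)  # "--opt URL" or "--opt=URL"
            if len(parts) < 2:
                continue
            option, url = parts
            host = host_of(url)
            if host not in allowed_hosts:
                findings.append((line_no, option, host))
        elif " @ " in line:
            name, _, url = line.partition(" @ ")
            host = host_of(url)
            if host not in allowed_hosts:
                findings.append((line_no, name.strip(), host))
    return findings


def enforce(text, allowed_hosts=ALLOWED_HOSTS):
    """Reject-all-others mode: raise if any source outside the allow list is present."""
    findings = audit_requirements(text, allowed_hosts)
    if findings:
        raise ValueError(f"{len(findings)} package source(s) outside the allow list: {findings}")
    return True


if __name__ == "__main__":
    for line_no, item, host in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: {item} pulls from non-allow-listed host {host!r}")
```

Run it in CI with `enforce` to reject, or with `audit_requirements` to log the findings for review; in either mode the check is cheap enough to run on every pull request.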

Increase awareness

Larger investments from tech behemoths who rely on OSS and its ongoing innovations are required, but so are increased community participation and education. OSS packages benefit the greater good of developers, and the landscape encourages code authors to remain anonymous. So, where do we go from here in terms of security priorities?

Training developers at the university level on the risks of blindly incorporating OSS packages into software code is a good place to start. This training should continue at the professional level so that organizations can protect themselves from the threats that occasionally infiltrate these packages and, most likely, their software as well.

Leveraging organizations such as the Cloud Native Computing Foundation (CNCF), which has charted some of the best open-source projects, is also a good starting point.

Open-source software packages are an important component of increased application development velocity, but we need to pay closer attention to what's inside them to limit their risk and defend against cyberattacks.

CircleCI Breach: Encryption Keys & User Data Seized

The software company CircleCI has acknowledged that a data breach last month resulted in the theft of customers' personal information.

Hackers broke into the company in December after an engineer's laptop was infected with data-stealing malware, which used CircleCI's 2FA-backed SSO session cookies to gain access to the company's internal systems. CircleCI had already told customers to rotate their credentials and passwords earlier this month when it first disclosed the breach.

The company accepted responsibility for the breach and attributed it to a system failure, noting that its antivirus program missed the token-stealing malware on the employee's laptop. Session tokens let users stay logged in without constantly retyping their password or re-authorizing with two-factor authentication. The flip side is that an attacker holding a stolen session token can access the same resources as the account holder without ever knowing the password or two-factor code. As a result, a session token presented by its legitimate owner and one presented by an attacker can be hard to tell apart.
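As an added example (not code from CircleCI or from the article), here is one detection a defender can run over SSO session logs to surface the pattern described above, applied to the review window the earlier post mentions (December 21, 2022 to January 4, 2023): flag any session whose token is presented from a source IP or user agent different from the client it was first issued to. The log layout, session ids, IPs and user agents are constructed for this example.

```python
from datetime import datetime, timezone

# Constructed sample of SSO session events (not real CircleCI logs).
# Each tuple: (session id, UTC timestamp, source IP, user agent).
SAMPLE_EVENTS = [
    ("sess-a1", "2022-12-16T09:02:11Z", "203.0.113.10", "Mozilla/5.0 (Macintosh) Chrome/108"),
    ("sess-a1", "2022-12-16T11:45:02Z", "203.0.113.10", "Mozilla/5.0 (Macintosh) Chrome/108"),
    # Same cookie, different host and client: what a stolen session token looks like.
    ("sess-a1", "2022-12-22T03:17:40Z", "198.51.100.77", "python-requests/2.28"),
    ("sess-b2", "2022-12-28T14:00:00Z", "192.0.2.5", "Mozilla/5.0 (Windows) Firefox/108"),
    ("sess-b2", "2022-12-28T16:30:00Z", "192.0.2.5", "Mozilla/5.0 (Windows) Firefox/108"),
    ("sess-c3", "2023-01-02T08:00:00Z", "192.0.2.9", "Mozilla/5.0 (X11) Chrome/108"),
    # Anomalous too, but after the review window; reported separately.
    ("sess-c3", "2023-01-06T08:00:00Z", "198.51.100.77", "Mozilla/5.0 (X11) Chrome/108"),
]

# Review window from CircleCI's guidance: December 21, 2022 to January 4, 2023, inclusive.
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 4, 23, 59, 59, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2022-12-22T03:17:40Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_reused_sessions(events, start=WINDOW_START, end=WINDOW_END):
    """Flag session tokens presented from a different IP or user agent than at first use.

    Returns two dicts keyed by session id: anomalous uses inside the review
    window and anomalous uses outside it. Values are lists of (timestamp, ip, ua).
    """
    first_seen = {}
    in_window, outside = {}, {}
    # Timestamps share one format, so string order equals chronological order.
    for sid, ts_str, ip, ua in sorted(events, key=lambda e: e[1]):
        if sid not in first_seen:
            first_seen[sid] = (ip, ua)   # baseline: the client the token was issued to
            continue
        if (ip, ua) == first_seen[sid]:
            continue
        bucket = in_window if start <= parse_ts(ts_str) <= end else outside
        bucket.setdefault(sid, []).append((ts_str, ip, ua))
    return in_window, outside


if __name__ == "__main__":
    hits, later = find_reused_sessions(SAMPLE_EVENTS)
    for sid, uses in hits.items():
        for ts, ip, ua in uses:
            print(f"REVOKE {sid}: token reused at {ts} from {ip} ({ua})")
    for sid, uses in later.items():
        print(f"NOTE {sid}: anomalous use outside the review window: {uses}")
```

A change of IP alone is common for legitimate users on VPNs or mobile networks, so treat the output as a triage queue and weight a changed user agent (a browser cookie suddenly used by a scripting client) more heavily than an IP change.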

According to CircleCI, the theft of the session token enabled the hackers to impersonate the employee and gain access to some of the business systems that store client data. CircleCI says it rotated all customer-related tokens, including Project API Tokens, Personal API Tokens, and GitHub OAuth tokens, in response to the hack. The company also worked with Atlassian and AWS to alert customers to potentially compromised AWS and Bitbucket tokens.

CircleCI says that, to further fortify its infrastructure, it has added detections for the behaviour of the information-stealing malware to its antivirus and mobile device management (MDM) tooling.

"While client data was encrypted, the cybercriminals also gained the encryption keys able to decrypt consumer data," said Rob Zuber, the company's chief technology officer. To prevent unauthorized access to third-party systems and data stores, customers who have not already rotated their secrets are urged to do so. The company additionally tightened the security of its 2FA solution and further limited access to its production environment to a smaller group of users.

Why 2023 Could be the Worst Year Ever for Businesses due to Malware?

 

2022 was a challenging year for cyberspace businesses. Companies faced ransomware, the continued effects of the SolarWinds and Log4j exploits, and rising cyber insurance premiums. Unfortunately, the consequences of malware have gotten worse year after year. 

The costs of cyberattacks have risen dramatically, and many analysts predict that they will continue to rise. Despite the efforts of businesses and governments to combat malware, it does not appear that the online world has reached a tipping point in the battle. Let's look at six reasons why 2023 could be the worst year for malware yet.

1. The cost of ransomware continues to increase

Ransomware attacks are a constant threat to businesses worldwide. In recent years, the number and scale of ransomware attacks have increased dramatically. According to IBM, the average ransomware attack cost businesses $4.54 million in 2022, and that figure does not include the cost of the ransom itself.

While many businesses have strengthened their cybersecurity teams to better prevent ransomware attacks, there are still many vulnerable targets for hackers. Schools, local governments, and hospitals have all proven to be easy targets for ransomware groups. Worse, cybercriminals have discovered that by threatening to release organizations' data if they do not pay, they can command higher ransoms. According to Cybersecurity Ventures, cybercrime alone could cost the world $10.5 trillion by 2025. There's little reason to believe that the frequency of ransomware attacks will level off or decline by 2023.

2. Malware attacks could be motivated by geopolitical hostility

While individual hackers and cybercriminal gangs are responsible for the majority of malware attacks, nation-state attacks also pose significant threats to businesses. Russia, China, and North Korea all use sophisticated hacking teams to further their geopolitical objectives. As tensions between China, Russia, and the West rise, many analysts predict that state-sponsored attacks on critical infrastructure will become more common.

Russia, for example, could use cyberattacks against Western businesses to discourage them from doing business with Ukraine or to punish countries that support Ukraine's war efforts.

3. Artificial intelligence may make phishing more effective than ever before

Some of the most significant data breaches in 2021 were caused by phishing attacks. Uber was hacked after an employee failed to respond to repeated two-factor authentication requests. After a SIM-swap attack, Microsoft saw the source code for its Bing search engine and Cortana virtual assistant published.

AI advancements may make phishing attacks even more difficult to detect. Hackers, for example, may be able to write malicious emails using text-generation tools such as OpenAI's ChatGPT. They can also use AI to impersonate people's friends, family, and coworkers to get them to reveal their passwords or other sensitive information.

4. The number of devices available for use is increasing

Year after year, the world becomes more digitally connected, opening up new opportunities for hackers. Every new internet-connected device poses a risk.

Malicious actors will have more attack surfaces as IoT devices proliferate. Frequently, relatively simple devices such as baby monitors, WiFi-enabled kitchen appliances, and internet-connected smart home devices are not subjected to stringent cybersecurity standards. These devices can unintentionally provide backdoors into a company's network. Furthermore, businesses are increasingly connecting employees through virtual reality and metaverse-like digital spaces. 

5. The recession may force cybersecurity cost-cutting measures

While governments around the world work hard to avoid a global economic recession in 2023, many businesses are bracing for the worst. That means reducing spending on all fronts, including cybersecurity.

Already, companies such as Microsoft are reporting lower sales of cybersecurity software. It's also possible that, as a result of the broader slowdown in tech hiring, companies will postpone adding more cybersecurity professionals to their IT teams. Reduced cybersecurity spending may make businesses more vulnerable to malware and put them behind in the race against new hacking techniques.

Conclusion

In 2023, the cybersecurity environment appears to be more difficult than ever. Ransomware costs are continuing to rise, geopolitical tensions are increasing the likelihood of major attacks, and technological advances are exposing businesses to more threats than ever before.

To protect themselves against malware in 2023, businesses will need a strong cybersecurity software suite, as well as education, monitoring, and redundancy.

Overreliance on Detection Solutions in Security Stacks

 


The typical approach to detection is to employ a variety of methods, such as antivirus software, sandbox engines, large-scale data analysis, and anomaly detection; the exact mix depends on the organization. Through monitoring and spotting, these technologies seek to discover and eliminate any malicious code or malware that reaches an endpoint and is executed there.

Detection solutions can only prove their worth by catching something: until a threat has been detected, there is no way to know it was a threat at all. That is the fundamental premise these technologies are built on. Once a threat is detected on the network, the process involves hunting it down, acting against it, and isolating and neutralizing it as soon as it is confirmed. There are several problems with this approach.

A detection solution is generally focused on telling malicious from benign, which leaves it with the same limitations as antivirus: these methods produce both false positives and false negatives. Layering such technologies on top of each other can also be very expensive.

It is also imperative to note that relying solely on detection puts you at a disadvantage. It is this situation that forces you to respond to threat actors once they are already on the network - by the time you can react, the damage has already been done and it is nearly too late. 

Taking a Multifaceted Approach to Security 

Several typical defense mechanisms form the pillars of many organizations' security strategies, from file inspections performed by secure web gateways (SWGs) and sandboxes to network and HTTP inspections, indicators-of-compromise feeds, and malicious link analysis. When confronted with HEAT (highly evasive adaptive threats), many of these mechanisms become virtually useless.

The most effective way for organizations to be prepared to combat modern threats is to move beyond sole reliance on detection solutions. Instead, they should develop a multifaceted approach to security that brings multiple levels of protection. Even though these solutions still serve a purpose today, to ensure that attackers are prevented from even reaching networks in the first place, these solutions must be coupled with a proactive approach that focuses on prevention. 

Unlike a detection solution, a prevention solution does not try to judge whether traffic is good or bad. These vendors take a zero-trust approach: they assume all traffic carries at least some risk, so all traffic is treated as guilty until proven innocent. Remote browser isolation (RBI) is one such method: it keeps web content from executing in the user's browser at all, whether or not it is infected. RBI moves the execution point to a cloud-based container, creating a digital air gap that lets users browse the internet safely while preventing any malicious content from executing on the endpoint.

All traffic is executed in the cloud, so it never needs to be analyzed or remediated at the endpoint. This dramatically reduces the cost and time associated with managing your SOC.  

With HEAT techniques, attackers are not restricted to exploiting or bypassing vulnerabilities on the endpoint. The network is protected by preventing content from reaching it.       

Hackers can Overcome Air-Gapped Systems to Steal Data


What are air-gapped systems?

An air gap is a security measure that isolates a computer or network and prevents it from connecting to the outside world. An air-gapped computer is physically isolated and cannot communicate wirelessly or by cable with any other computer or network component.

Data must first be copied on a removable media device, like a USB drive, and then physically transported to the air-gapped system from the computer or network. Only a select group of trusted users should be able to access the air-gapped system in situations where security is of the utmost importance.

New Technique 

Researchers at Ben-Gurion University of the Negev's Department of Software and Information Systems Engineering have developed a novel method for breaching air-gapped systems that takes advantage of the computer's low-frequency electromagnetic radiation.

According to Mordechai Guri, director of research and development at the Cyber Security Research Center at Ben Gurion University, "the attack is very evasive because it executes from a regular user-level process, does not require root capabilities, and is successful even within a Virtual Machine."

The COVID-bit technique makes use of on-device malware to produce electromagnetic radiation in the 0–60 kHz frequency region, which is then transmitted and detected by a covert receiving device in close vicinity.

After SATAn, GAIROSCOPE, and ETHERLED, which are intended to hop across air-gaps and extract private data, COVID-bit is the most recent method developed by Dr. Guri this year.

COVID-bit, one of these covert channels, transmits information by using electromagnetic emissions from the computer's switched-mode power supply (SMPS) and encoding the binary data with a technique known as frequency-shift keying (FSK).

The research article advises employing antivirus software that can recognize strange CPU patterns in addition to limiting the frequencies that some CPUs can use in order to protect air-gapped computers from this kind of attack.

Hackers can Hijack Antivirus Software to Erase Data

 


In a report released this week, a top cybersecurity researcher revealed that many popular antivirus programs, including those from Microsoft, SentinelOne, TrendMicro, Avast, and AVG, can be exploited for their ability to erase data.

Yair Or, a consultant for the cybersecurity firm SafeBreach who researches time-of-check to time-of-use vulnerabilities, explained how the exploit works in a proof-of-concept document titled "Aikido" that outlines the method for exploiting this vulnerability.

One of the most renowned martial arts forms is Aikido. It is one of the Japanese arts that use the movement and force of the opponent against the practitioner to achieve an advantage. 

What does this process entail? 


According to Yair, it is possible to exploit this vulnerability to facilitate cyberattacks known as "Wipers," commonly used to commit offensive war crimes. 

A wiper, also known as an eraser, is a type of malware designed to delete all the data and programs on the hard drive of the computer it infects, preventing it from functioning properly.

As stated in the slide deck, the exploit redirects the "superpower" of endpoint detection software into the capability to "delete any file regardless of its permission levels". 

This entire process was achieved by creating a malicious file in the directory "C:\temp\Windows\System32\drivers\ndis.sys". 

Subsequently, the file's handle is held open so that the "AV/EDR should ask to delay deleting the feature until after the next reboot by holding its handle".

Following that, the "C:/temp directory" is deleted, a junction is created between C:/temp and C:/, and the computer is restarted once this is done.

It has been confirmed that only some of the most popular antivirus brands have been affected, approximately 50% of them. 

According to a slide deck prepared by the researcher, Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus were among the products affected by this vulnerability.

Meanwhile, some products survived the attack intact. These include Palo Alto XDR, Cylance, CrowdStrike, McAfee, and BitDefender.

This TikTok Thirst Trap Dupes Users Into Downloading Malware

 

In a new malware attack, digital thieves are exploiting horny TikTok viewers' desire for nude images. The attack, revealed by Checkmarx researchers, entices users by offering to remove a filter used by TikTokers participating in the "Invisible Challenge." 

Users who participate in the challenge upload nude or mostly nude images of themselves to TikTok and then use an invisibility filter to remove their bodies from the video, leaving only a ghostly blurry image in their wake. Preying on viewers' curiosity, the attackers offer "unfilter" software that claims to be able to remove the filter. In reality, that "unfilter" download contains malware capable of stealing passwords, credit card information, and other private details.

The Checkmarx report cites attackers who posted their own TikTok videos promoting software that they claim can discard the invisible filter. These videos contained links to a Discord server where users could download the files. That server, dubbed "Space Unfilter," contains nude images uploaded by the attackers as proof that the unfilter tools work.

Users who download the software expecting to see boobs inadvertently install "WASP Stealer" malware hidden in a Python package. That malware is said to be capable of stealing a wide range of personal information, from credit card numbers and cryptocurrency wallets to Discord account information. Checkmarx estimates that over 30,000 people joined the Discord server before it was shut down.

“The high number of users tempted to join this Discord server and potentially install this malware is concerning,” Checkmarx Software Engineer Guy Nachshon said in a blog post. “These attacks demonstrate again that cyber attackers have started to focus their attention on the open-source package ecosystem; We believe this trend will only accelerate in 2023.”

The Invisible Challenge, which depends on a filter that acts as a type of green screen by matching a user's skin tone to their background, has been around for a while but has recently gained traction. The #invisiblefilter tag had over 27 million views at the time of writing. With all of the attention, the challenge becomes a breeding ground for attackers looking to catch pervy users with their pants down.

“By offering a potential tool that could ‘unfilter’ the effect, threat actors prey on people’s curiosity, fear, and even their malicious side to download it,” Cybersmart CEO and co-founder Jamie Akhtar​​ said in an interview with Forbes. “Of course, by then, they’ll learn the attackers’ claims are false and malware is installed.”

Report: Tax Preparation Software Returned Personal Consumer Data to Meta and Google


According to The Markup, popular tax preparation software including TaxAct, TaxSlayer, and H&R Block sent sensitive financial information to Facebook's parent company Meta via its widely used tracking code, known as a pixel, which lets site owners track user activity on their sites.

According to a report published on Tuesday by The Verge, Meta pixel trackers in the software sent information such as names, email addresses, income figures, and refund amounts to Meta, in violation of Meta's own policies. The Markup also discovered that TaxAct sent similar financial data to Google via its analytics tool, though that data did not include names.

According to CNBC, the Meta pixel is a tiny piece of code that publishers and businesses embed on their websites. When you visit, it sends a message back to Facebook. It also lets businesses target advertisements to people based on websites they have previously visited.

Based on the report, Facebook could use data from tax websites to power its advertising algorithms even if the person using the tax service does not have a Facebook account. It's yet another example of how Facebook's tools can be utilized to track people across the internet, even if users are unaware of it. According to some statements provided to The Markup, it could have been a mistake.

Ramsey Solutions, a financial advice and software company that uses TaxSlayer, told The Markup that it "did NOT KNOW and was never alerted that personal tax information was being gathered by Facebook from the Pixel," and that it had told TaxSlayer to deactivate the Pixel tracking from SmartTax.

An H&R Block spokesperson said the company takes “protecting our clients’ privacy very seriously, and we are taking steps to mitigate the sharing of client information via pixels.” 

H&R Block further stated in a statement on Wednesday that it had "removed the pixels from its DIY online product to stop any client tax information from being collected."

The Markup discovered the data trail earlier this year while working with Mozilla Rally on a project called "Pixel Hunt," in which participants installed a browser extension that sent the group a copy of data shared with Meta via its pixel.

“Advertisers should not send sensitive information about people through our Business Tools,” a Meta spokesperson told CNBC in a statement. “Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Meta considers potentially sensitive data to include information about income, loan amounts, and debt status.

“Any data in Google Analytics is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user,” a Google spokesperson told CNBC. “Additionally, Google has strict policies against advertising to people based on sensitive information.”

A TaxAct spokesperson said in a statement, “The privacy of our customers is very important to all of us at TaxAct, and we continue to comply with all laws and IRS regulations. Data provided to Facebook is used at an aggregate level, not the individual level, by TaxAct to analyze our advertising effectiveness. TaxAct is not using the information provided by its customers and referenced in the report issued by The Markup to target advertising with Facebook.”

A TaxSlayer representative did not immediately respond to CNBC's request for comment.
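The leak described above comes down to which form fields a site hands to a third-party pixel. As an added example (not code from The Markup's investigation, Meta, or any of the tax vendors named), here is a site-side filter that drops sensitive fields before they reach a tracker, plus an audit check over a captured pixel request; it assumes the `cd[field]` query encoding that pixel calls use for custom data, and every field name and URL is constructed.

```python
"""Added example (not code from The Markup, Meta, or the tax vendors named
above): a site-side filter that drops sensitive fields before they are
handed to a third-party tracking pixel, plus an audit check over a captured
pixel request. The cd[field] query encoding is assumed from how pixel calls
carry custom data; every field name and URL below is constructed."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlparse

# Fields a tax-preparation site must never forward to an ad/analytics pixel.
# Meta's own policy lists income, loan amounts and debt status as sensitive;
# the remaining patterns cover the identifiers The Markup saw leaking.
SENSITIVE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"income", r"refund", r"\bssn\b|social", r"loan", r"debt",
              r"email", r"^name$|first_?name|last_?name", r"^dob$|birth")
]


def is_sensitive_field(name: str) -> bool:
    """True when a custom-data field name matches a sensitive pattern."""
    return any(p.search(name) for p in SENSITIVE_PATTERNS)


def scrub_custom_data(custom_data: Dict) -> Tuple[Dict, List[str]]:
    """Return (cleaned copy, dropped field names).

    Run this before the tracker call, so sensitive values never reach the
    third party.  The dropped list exists to be logged and reviewed.
    """
    clean, dropped = {}, []
    for key, value in custom_data.items():
        if is_sensitive_field(key):
            dropped.append(key)
        else:
            clean[key] = value
    return clean, dropped


def audit_pixel_request(url: str) -> List[str]:
    """Given a captured tracker request URL, list custom-data fields that
    look sensitive.  This is the check a "Pixel Hunt"-style extension or a
    proxy log review would perform on outbound requests."""
    query = parse_qsl(urlparse(url).query, keep_blank_values=True)
    findings = []
    for param, _ in query:
        m = re.fullmatch(r"cd\[(.+)\]", param)
        if m and is_sensitive_field(m.group(1)):
            findings.append(m.group(1))
    return findings


# Constructed sample request, shaped like a pixel call carrying custom data.
SAMPLE_REQUEST = (
    "https://www.facebook.com/tr?id=123&ev=PageView"
    "&cd[income]=85000&cd[refund_amount]=1200&cd[page_type]=summary"
)

if __name__ == "__main__":
    print("leaking fields:", audit_pixel_request(SAMPLE_REQUEST))
    print(scrub_custom_data({"income": 85000, "page_type": "summary"}))
```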

Understand BatLoader Malware and its Working


BatLoader's operators follow the common practice among cybercriminals of targeting large organizations, companies, or firms rather than individuals, because the payoff from attacking a firm is far larger than the payoff from attacking individuals.

Researchers at VMware Carbon Black stated that BatLoader's operators use a dropper to deliver a variety of malware tools, including a banking Trojan, an information stealer, and the Cobalt Strike post-exploitation toolkit, onto the target's system.

The researchers at VMware also stated that “the threat actors utilize search engine optimization (SEO) poisoning to lure users to downloading the malware from compromised websites.” 

The research highlighted similarities between BatLoader and Conti ransomware: the VMware team found that some attributes of BatLoader's attack chain matched past Conti incidents.

Mandiant, a subsidiary of Google, has also pointed out similarities in the techniques employed by BatLoader and Conti. However, the VMware team clearly stated that there is no established link between BatLoader's origins and Conti.

VMware's Carbon Black MDR team disclosed 43 successful BatLoader attacks in the past 90 days. There were also unsuccessful cases in which the operators delivered the initial payload but the victim never executed it, so no harm resulted. The team also broke down the affected organizations by sector: five companies in manufacturing, seven in financial services, and nine in business services, with numerous further attempts in the education, IT, healthcare, and retail sectors.

BatLoader’s process of infecting the target’s system 

BatLoader reaches the target's system by being embedded in Windows MSI installers for software such as TeamViewer, LogMeIn, and AnyDesk.

The criminals then buy adverts that direct victims to look-alike websites such as logmein-cloud.com. These paid adverts appear at the top of the results page when users search for software such as Zoom or AnyDesk.

When victims follow the adverts, download the software, and run it, their systems are opened up to the threat actors.

BatLoader is particularly capable of harming businesses because it is semi-automated: it is steered by a person or group of people rather than by additional code alone, and it relies on "living off the land" commands to distribute further malware.

"Living off the land" means that once malicious actors control a system, they can use software already present on it, such as Windows PowerShell and other scripting tools, to run their commands without installing any additional malware.

The researchers concluded that BatLoader is especially dangerous because, once a link carrying BatLoader has been followed and the payload executed, it also downloads and installs banking malware and an information stealer. BatLoader can additionally discover whether the host is connected to other networks, and it installs remote monitoring and management software to reach all connected systems.
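The infection chain above, a trojanised MSI installer that goes on to launch PowerShell, leaves a recognisable parent-child trace in process-creation telemetry. As an added example, not VMware Carbon Black's detection logic, the following walks a constructed set of process events and flags any scripting host whose ancestry includes msiexec, naming the lure product when the installer's command line reveals it.

```python
"""Added example (not VMware Carbon Black's detection logic): a process-tree
check for the BatLoader pattern described above, where an MSI installer for
a remote-access tool goes on to launch PowerShell.  The events are
constructed and use a generic process-creation schema rather than any
particular EDR's field names."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


@dataclass(frozen=True)
class Alert:
    lotl_pid: int            # the scripting host that was spawned
    installer_pid: int       # the msiexec ancestor that spawned it
    lure: Optional[str]      # which legitimate product the installer imitated


# Installer host and the "living off the land" binaries of interest.
INSTALLER_IMAGES = {"msiexec.exe"}
LOTL_IMAGES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Products whose installers the article says BatLoader hides inside.
LURE_PRODUCTS = ("teamviewer", "logmein", "anydesk", "zoom")

# Constructed events: a user runs a fake AnyDesk MSI, which launches the
# real installer and, separately, a PowerShell script; pid 300 is a benign
# PowerShell started from the user's shell, included for comparison.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\u\Downloads\AnyDesk-setup.msi"'),
    ProcEvent(201, 200, r"C:\Program Files\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
    ProcEvent(202, 200,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -File setup.ps1"),
    ProcEvent(300, 100,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, index: Dict[int, ProcEvent], max_depth: int = 4):
    """Walk up the parent chain, nearest parent first, up to max_depth hops."""
    chain: List[ProcEvent] = []
    ev = index.get(pid)
    while ev is not None and len(chain) < max_depth:
        ev = index.get(ev.ppid)
        if ev is not None:
            chain.append(ev)
    return chain


def find_installer_spawned_lotl(events: List[ProcEvent]) -> List[Alert]:
    """Alert on scripting hosts that descend from an MSI installer."""
    index = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if image_name(ev.image) not in LOTL_IMAGES:
            continue
        for anc in ancestors(ev.pid, index):
            if image_name(anc.image) in INSTALLER_IMAGES:
                cmd = anc.cmdline.lower()
                lure = next((p for p in LURE_PRODUCTS if p in cmd), None)
                alerts.append(Alert(ev.pid, anc.pid, lure))
                break
    return alerts


if __name__ == "__main__":
    for alert in find_installer_spawned_lotl(SAMPLE_EVENTS):
        print(alert)
```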

Even as cybersecurity technology advances, BatLoader and similar threats show a clear need for better tools and knowledge to detect the source of such threats and block their spread. With new threat vectors emerging regularly, the threat landscape keeps shifting and demands updated ways of fighting these attacks; taking an online cybersecurity course is one practical way to reduce the chance of losses from them.

Chrome Extensions That Record Keystrokes and Steal Personal Data Should be Avoided



Researchers at Zimperium's zLabs research department have discovered a malicious browser extension, dubbed Cloud9, designed to steal private and sensitive user information and to take over the victim's computer completely.

Cloud9 is especially unnerving because it steals data directly from your computer by monitoring your keystrokes (keylogging). Web browsers are an attractive place for cybercriminals to spy, because it is while browsing the web that you are most likely to enter highly sought-after credentials such as bank passwords and other sensitive information.

In terms of Cloud9, what information do we have? 

As its name suggests, Cloud9 is a botnet, and by its method of operation it functions as a remote access trojan (RAT). Researchers encountered two versions of Cloud9: the original and an improved one. The report focuses on the latter because it "contains all of the functionalities of both variants."

• Keylogging: records your keystrokes to steal credit card details, bank passwords, and more.

• Clipboard theft: steals data you have copied and pasted.

• Cookie theft: steals your cookies and uses them to hijack your session.

• Cryptomining: mines cryptocurrency using your browser's and computer's resources.

• Code injection: injects malicious code into your device to take full control of it.

• DDoS: uses your PC to launch DDoS attacks against other websites.

• Ad injection: injects pop-ups or advertisements into pages.

The Zimperium zLabs team notes that Cloud9, although a malicious browser plugin, is not found in any official extension repository (such as the Chrome Web Store), despite being known malware. The researchers found that Cloud9 most often masquerades as an Adobe Flash Player update on malicious websites.

What is the history of Cloud9 and where did it come from? 

Investigators traced Cloud9's origin to a malware group called Keksec, which Zimperium zLabs researchers say has been behind many attacks associated with mining-related malware.

The Cloud9 botnet is currently being sold for a few hundred dollars, or given away for free, on several hacker forums around the world. The company's report warned that this malware does not target a specific group: to extract as much valuable information as possible, the cybercriminals target all users in order to maximize their profits.

Zimperium's report notes that browsers are susceptible because traditional endpoint security solutions do not monitor this attack vector. Cloud9 should remain a distant threat, however, as long as you do not side-load extensions into your browser from malicious websites or run fraudulent executables that originate from such sites.

Vulnerabilities in Software Supply Chains Must be Re-valuated



2021 was ending in fine style for many IT teams when, just before the holiday season, they were caught off guard by an unpleasant surprise.

Hundreds of servers around the globe were susceptible to the Log4Shell vulnerability, which required urgent remediation. The experts cancelled their leave and returned to work to see where the band-aid needed to go.

In the wake of this vulnerability, many organizations are still working to regain peace of mind. They want to be sure that this vulnerability, which affects so many segments of today's modern IT infrastructure, is not lurking somewhere in their systems.

This is because it affects Java enterprise applications, which are often used in small and medium-sized companies. Another surprise related to this vulnerability may be just around the corner this holiday season.

Among the challenges is finding the right place to apply a patch or close the loophole. By one estimate, more than 35,000 Java packages, or 8% of all Java packages in the Maven Central repository, may have been affected by Log4Shell.

With the sheer volume of third-party code that modern IT systems rely upon, even outside Java, it is easy to imagine the headaches IT teams face. The problem is that there is too much to sort through, and if you cannot see the problem, you cannot fix it.

It is estimated that roughly 40% to 80% of the lines of code in today's software come from third parties, in the form of libraries, components, and software development kits (SDKs). Gartner's research projects that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a threefold increase over 2021, according to Gartner.

The Need for More Automation and Visibility Must be Addressed 


An industry has now been built around cyberattacks, with numerous specialists waiting on the Dark Web who can each play a specific role in a ransomware attack, from crafting the phishing message to collecting the ransom.

In a world where malicious actors have developed such intricate supply chains of their own and weaponized malware as a criminal tool, businesses must step up their game if they want to keep their software supply chains secure and stay competitive.

They need tooling that improves automation within their IT systems and gives them visibility into those systems while they keep delivering their current level of service. In practice, that means finding vulnerabilities in the software supply chain automatically rather than searching for them by hand.

A software supply chain has so many parts that it can be intimidating. Narrowing it down to Java software specifically, here are some features to look for:

• Application-level visibility: continuous application-level vulnerability assessment without needing the source code, comparing the running code against a Java-specific CVE database.

• Accuracy: monitoring the code actually executed by the Java runtime (JVM), to avoid false positives and to produce accurate results that traditional tools miss.

• Performance transparency: adding agents to a production system brings overhead that degrades performance, so there should be a way to run the solution without agents.

• Complete coverage: thorough checks that work across every version of Java installed on users' machines, so that no loophole is missed.

• Traceability history: a record of the components and code used, so that forensic efforts can concentrate on the vulnerable code that led to an exploit.
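The Maven Central estimate earlier in this post and the inventory features listed above both come down to one question: which deployed artifacts carry a vulnerable log4j-core? As an added example, not any vendor's scanner, here is a check over constructed `mvn dependency:list` output that parses the group:artifact:type:version:scope coordinates and flags log4j-core below a threshold version; 2.17.0 is used as an assumed local policy threshold, not as a claim about which Log4Shell-family fix shipped in which release.

```python
"""Added example (not any vendor's scanner): a dependency-inventory check of
the kind the bullet list above calls for, run over constructed
`mvn dependency:list` output, which prints each artifact as
group:artifact:type:version:scope.  It flags log4j-core below a threshold
version; 2.17.0 is used here as an assumed local policy threshold, not as a
claim about which Log4Shell-family fix shipped in which release."""
import re
from typing import List, Tuple

# Constructed output lines, including a pre-release version and a test-scope
# dependency that a source-only review would easily overlook.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.0-beta9:runtime
[INFO]    com.example:payments-lib:jar:1.4.0:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:test
"""

COORD_RE = re.compile(
    r"^\[INFO\]\s+([^:\s]+):([^:\s]+):([^:\s]+):([^:\s]+):(\w+)")


def parse_version(version: str) -> tuple:
    """Map '2.14.1' or '2.0-beta9' to a tuple that sorts like Maven does
    for simple cases: numeric parts first, and a pre-release suffix sorts
    before the bare release it precedes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+\d*))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))       # treat 2.0 as 2.0.0
    suffix = m.group(2)
    return nums + ((0, suffix) if suffix else (1, ""))


def parse_dependency_list(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (group, artifact, version, scope) for every resolved artifact."""
    deps = []
    for line in text.splitlines():
        m = COORD_RE.match(line)
        if m:
            group, artifact, _type, version, scope = m.groups()
            deps.append((group, artifact, version, scope))
    return deps


def find_vulnerable_log4j(text: str, fixed_version: str = "2.17.0"):
    """List (version, scope) of log4j-core artifacts older than fixed_version."""
    threshold = parse_version(fixed_version)
    hits = []
    for group, artifact, version, scope in parse_dependency_list(text):
        if group == "org.apache.logging.log4j" and artifact == "log4j-core":
            if parse_version(version) < threshold:
                hits.append((version, scope))
    return hits


if __name__ == "__main__":
    for version, scope in find_vulnerable_log4j(SAMPLE_DEPENDENCY_LIST):
        print(f"log4j-core {version} ({scope}) needs upgrading")
```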

Adapting to an uncertain environment 


As IT environments grow more complex, businesses need to observe more of what is going on and automate wherever required; manual review will not scale. Software running in production needs to be closely monitored from day to day. As the software supply chain grows more complex, malicious actors increasingly dig deeper into it to find a way into victims' systems.

Cyberattackers have found new ways to penetrate software supply chains, not only through Log4Shell, which the United States Department of Homeland Security classified as one of the most serious software vulnerabilities in history, but also through various other creative approaches. Their attacks have also become more brazen, both in how they are mounted and in what they do.

Users of MiMi, a Chinese messaging app, were served a fake version of it laced with malicious code earlier this year. Depending on how the software was configured, this could allow an attacker to remotely control the program, letting the spies see what users were chatting about.

One of the most remarkable things about this attack was that the attackers somehow gained control over the servers from which the app was delivered to users. They added code to the app, removed the original version, and tricked victims into downloading and installing the tampered one without their knowledge.

This was not a Java-based issue, but it demonstrates how dangerous software supply chain vulnerabilities have become in the past few years, and just how hard it is to stem the tide of such attacks.

The issue of trust is also one that needs to be taken into account. The majority of digital services today rely on several third parties to provide them with services, ranging from open-source repositories, where attackers can plant malicious code, to packaged apps that are installed by enterprises on their devices. 

Against this background, businesses have to adopt a smarter approach if they want their digital communications efforts not to go astray, while taking care not to burden themselves with security measures so onerous that they add nothing to the customer's experience.

To become more agile, companies must look for streamlined solutions that can detect threats automatically as it will enable them to maintain the competitiveness they need.

All of your Wi-Fi Passwords are Stored on Computer Somewhere. Here's How to Locate Them


After configuring all of the devices, you're likely to forget your home Wi-Fi password. That is until a friend or family member arrives and requests access to your network. What was the password, again? Is it the ridiculously long number on the back of your router? Even if you don't have the Wi-Fi password saved anywhere or memorized it, there is a way to find all of your Wi-Fi passwords in one place. Simply check your computer. 

The Wi-Fi password is permanently stored in your settings as long as your Windows or Mac computer has previously connected to the network. It may take some digging on your part, but all of the passwords are available.

Here's how to find the passwords for all Wi-Fi networks you've ever connected to on MacOS and Windows.

How to Find Wi-Fi Passwords in MacOS 

Every password you enter and save on a Mac is saved in Keychain Access, MacOS' password management system. This includes passwords for Wi-Fi networks.

To begin, open the Keychain Access app using the search feature and do the following:
1. Click on System under System Keychains in the sidebar.
2. Next, click on Passwords at the top of the window.
3. Find the Wi-Fi network you want the password for and double-click on it.
4. Finally, check the box next to Show password and enter your password when prompted.

The password field then displays your password to connect to that Wi-Fi network. If necessary, double-click in the password field to select the password and copy it to your clipboard.

How to Look for Wi-Fi Passwords in Windows

On Windows, finding the password to the Wi-Fi network you're currently connected to is simple, but getting your hands on all stored Wi-Fi passwords requires some effort, so we'll go over both methods below.

1. Click the Start button and then go to Control Panel > Network and Internet > Network and Sharing Center (Windows 11) or Settings > Network & Internet > Status > Network and Sharing Center (Windows 10).
2. Next to Connections, click your Wi-Fi network name highlighted in blue.
3. In the Wi-Fi Status page that opens, click Wireless Properties and then on the Security tab.
4. Finally, check the box next to Show characters to display your Wi-Fi network password above it.

This is not, however, the only way to find your Wi-Fi network passwords. The method described above only allows you to view the password for the Wi-Fi network to which you are currently connected, but there is a way to find the passwords for all Wi-Fi networks to which you have ever connected on your Windows computer. 

To find all your Wi-Fi network passwords on Windows:

1. Right-click on the Windows icon in the taskbar on your desktop.
2. Click Windows Terminal (Admin).
3. Type in netsh wlan show profile and hit Enter on your keyboard to view every Wi-Fi network you've connected to.
4. Once you find the Wi-Fi network you want the password for, type in netsh wlan show profile "(Wi-Fi network name)" key=clear (for example, netsh wlan show profile "Netgear667" key=clear), and then hit the Enter key.

The output is divided into Profile information, Connectivity settings, Security settings, and Cost settings; the Wi-Fi network password is displayed next to Key Content under Security settings. In addition to Windows Terminal, you can enter the commands above in the Command Prompt application to find your Wi-Fi passwords.

The RCE Vulnerability in ConnectWise Has Been Resolved



ConnectWise has released security updates addressing a critical vulnerability in its ConnectWise Recover and R1Soft Server Backup Manager (SBM) secure backup products.

In an advisory published today, the company describes the flaw as an injection vulnerability, which occurs when special elements in output are not adequately neutralized before being passed to a downstream component.

The affected versions are ConnectWise Recover (earlier releases of the product) and R1Soft SBM versions 6.16.3 and earlier.

Several security researchers have reported that this critical vulnerability could expose confidential information or allow attackers to execute code remotely.

ConnectWise categorized it as a high-priority issue, meaning it may be exploited in attacks or is at high risk of being targeted in the wild if it is not addressed immediately.

Huntress Labs security researchers discovered, rediscovered, and expanded on the vulnerability originally found by Code White security researcher Florian Hauser. According to Huntress Labs CEO Kyle Hanslovan, the vulnerability could be exploited to spread ransomware to thousands of R1Soft servers exposed to the Internet.

According to a Shodan scan, approximately 4,800 Internet-exposed R1Soft servers may be vulnerable to this RCE bug, and they may still be unpatched even though ConnectWise has released fixes.

ConnectWise announced that automatic updates have been applied to the affected ConnectWise Recover SBMs (v2.9.9).

It should be noted that Cryptree users are being advised to upgrade their R1Soft backup manager to the latest release, SBM v6.16.4, released on October 28, 2022, by following the steps detailed in the R1Soft upgrade wiki.

As part of the company's recommendation, all R1Soft backup servers that are impacted should be patched as soon as possible. 

Although cybersecurity professionals always strongly encourage patching critical vulnerabilities, they do not consider a Friday evening a wise time to release one, as the timing can be disastrous.

Malicious actors move to compromise Internet-exposed servers, websites included, as soon as they discover a vulnerability.

Hackers also tend to be especially active on weekends, when most IT and security teams are away from their desks.

An end-of-week release also makes it harder to patch vulnerable servers before the weekend, potentially leaving more systems exposed to attack for several days, especially when the release coincides with a holiday weekend.

Because the R1Soft SBM backup solution is popular among managed service providers and cloud hosting providers, there is concern that failing to patch it quickly could lead to a significant security incident.

UK Issued New Cybersecurity Guidelines on Emerging Supply Chain Attacks

A surge in the number of incidents has prompted cyber security experts to issue a fresh warning about the danger of supply chain attacks. The UK's cybersecurity agency, the National Cyber Security Centre (NCSC), has advised businesses to take additional precautions against supply chain attacks, producing fresh guidance for enterprises in response to what it describes as a recent increase in supply chain threats.

Although the advice applies to businesses in all industries, it was released in collaboration with the Cross-Market Operational Resilience Group (CMORG), which promotes the operational resilience of the financial sector. The advice, intended for medium-sized and larger enterprises, helps them evaluate the cyber risks of working with suppliers and gain assurance that mitigations are in place for the vulnerabilities that come with doing business with suppliers.

The 2020 hack of SolarWinds' software build system, the 2021 ransomware attack on Kaseya clients, and the 2017 NotPetya attack delivered via a Ukrainian accounting program are a few notable recent incidents. US President Joe Biden issued an executive order to improve cybersecurity in response to SolarWinds.

In a document titled 'Defending the Pipeline', published in February, the NCSC recommended that businesses and programmers use continuous integration and delivery (CI/CD) to automate software development. Last October the NCSC's CEO ranked ransomware as the top cyber danger, while warning that supply chain concerns will persist for years.

The new guidance is intended to assist medium and larger enterprises in "evaluating the cyber risks of collaborating with suppliers and gaining assurance that mitigations are in place," the NCSC said in an announcement.

According to the UK government's report on security breaches in 2022, more than half of companies, big and small, contract out their IT and cybersecurity needs to outside companies. However,  s evaluated the dangers posed by immediate suppliers. These respondents claimed that the importance of cybersecurity in procurement was low.

According to Ian McCormack, NCSC deputy director for government cyber resilience, supply chain attacks represent a significant cyber danger to organizations, and incidents can have a significant, ongoing effect on companies and customers.

The advice is broken down into five stages that address why businesses should care about supply chain cybersecurity, how to identify and protect one's private data when developing an approach, how to apply the approach to new suppliers, how to apply it to contracts with current suppliers, and continuous improvement.

The US intelligence agency, NSA, released its software supply chain recommendations last month with a focus on developers. New standards for the purchase of software were also released in the same month by the US Office of Management and Budget.

Mainframes are Still Used in 9 Out of 10 Banks, Google Cloud Wishes to Mitigate




Google Cloud has announced a simpler, more risk-averse way for enterprises to migrate their legacy mainframe estates to the cloud. The newly launched service, Dual Run, is based on technology originally developed by Banco Santander and aims to simplify planning and execution.

As a result, customers can perform real-time testing before they transition to Google Cloud Platform as their primary system to ensure their cloud workloads are performing as expected, running securely, and meeting regulatory compliance requirements – without stopping their application or negatively impacting user experience.

"This is a simple concept, but it is difficult to implement - hasn't been done yet," Nirav Mehta, Google Cloud's senior director of product management for cloud infrastructure solutions and growth, told Protocol in an interview on Tuesday. "As compared to moving mainframe applications to the cloud, this solution will substantially reduce the risk associated with doing so."

Dual Run creates a parallel instance of the mainframe workloads on virtual machines in Google Cloud Platform (GCP). As Mehta describes it, a launcher/splitter sits at each interface that drives incoming requests or triggers scheduled workloads, and it can handle both: it duplicates the activity to both systems and returns the "primary" system's response.

A dashboard with real-time monitoring shows the differences in transaction responses between the mainframe and GCP deployments. A single output hub also ensures there is one point of contact during the roll-out period for all batch information that needs to be sent out and collected.

Once the customers are comfortable with the use of their mainframes as backups, they can retire their mainframes or use them as storage.

As long as your mainframe is the primary system handling customer requests, it should remain the system of choice for quite some time to come, and the cloud instance is nothing more than a secondary system that runs the same requests as the regular system, Mehta explained. As part of your monitoring, you keep a record of the responses coming back from both the mainframe and Google Cloud to determine whether the Google Cloud instance is working as well as the mainframe. Then, at some point, you switch over to Google Cloud as your primary source of data and the mainframe as your secondary source.
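The launcher/splitter and diff dashboard described above are simple to sketch in code. As an added example, not Google Cloud's or Banco Santander's Dual Run implementation, here is a splitter that sends each request to both backends, returns the primary's answer, records field-level disagreements and a per-request mismatch rate, and supports the eventual cut-over; the two backends, the account data and the drift between them are constructed.

```python
"""Added example (not Google Cloud's or Banco Santander's Dual Run code): a
launcher/splitter in the shape the article describes.  Each request goes to
both backends, the caller gets the primary's answer, and any disagreement
is recorded for the monitoring dashboard.  The two backends, the account
data and the drift between them are constructed."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Backend = Callable[[Dict[str, Any]], Dict[str, Any]]


@dataclass
class Mismatch:
    request_id: str
    field: str
    primary: Any
    secondary: Any


class DualRunSplitter:
    """Duplicates every request to primary and secondary, returns the
    primary response, and keeps the diff log the dashboard would show."""

    def __init__(self, primary: Backend, secondary: Backend,
                 ignore_fields=("timestamp",)):
        self.primary = primary
        self.secondary = secondary
        self.ignore = set(ignore_fields)   # fields expected to differ
        self.total = 0
        self.mismatches: List[Mismatch] = []

    def handle(self, request: Dict[str, Any]) -> Dict[str, Any]:
        self.total += 1
        primary_resp = self.primary(request)
        try:
            secondary_resp = self.secondary(request)
        except Exception as exc:   # a secondary failure must never reach callers
            self.mismatches.append(
                Mismatch(request["id"], "<exception>", None, repr(exc)))
            return primary_resp
        self._compare(request["id"], primary_resp, secondary_resp)
        return primary_resp

    def _compare(self, rid: str, p: Dict[str, Any], s: Dict[str, Any]) -> None:
        for key in sorted(set(p) | set(s)):
            if key not in self.ignore and p.get(key) != s.get(key):
                self.mismatches.append(Mismatch(rid, key, p.get(key), s.get(key)))

    def mismatch_rate(self) -> float:
        """Fraction of requests with at least one disagreeing field."""
        bad = {m.request_id for m in self.mismatches}
        return len(bad) / self.total if self.total else 0.0

    def promote_secondary(self) -> None:
        """Cut-over: the cloud instance becomes primary, the mainframe secondary."""
        self.primary, self.secondary = self.secondary, self.primary


# Constructed backends standing in for the mainframe and the GCP instance.
BALANCES = {"ACC-1": 1250.00, "ACC-2": 980.50, "ACC-3": 42.00, "ACC-4": 0.00}


def mainframe_balance(req: Dict[str, Any]) -> Dict[str, Any]:
    return {"account": req["account"], "balance": BALANCES[req["account"]],
            "timestamp": "mf"}


def cloud_balance(req: Dict[str, Any]) -> Dict[str, Any]:
    bal = BALANCES[req["account"]]
    if req["account"] == "ACC-2":   # constructed rounding drift in the port
        bal = round(bal + 0.01, 2)
    return {"account": req["account"], "balance": bal, "timestamp": "gcp"}


def run_sample() -> DualRunSplitter:
    """Replay one balance enquiry per constructed account through the splitter."""
    splitter = DualRunSplitter(mainframe_balance, cloud_balance)
    for i, acct in enumerate(BALANCES, start=1):
        splitter.handle({"id": f"req-{i}", "account": acct})
    return splitter


if __name__ == "__main__":
    s = run_sample()
    print(f"mismatch rate {s.mismatch_rate():.0%}", s.mismatches)
```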

Dual Run, which is currently in preview, was developed for a wide range of industries, including financial services, health care, manufacturing, retail, and the public sector. Approximately 90% of North America's biggest banks still use mainframes, according to Mehta, as do 23 of the 25 largest U.S. retailers.

"All of these companies are looking to modernize their old mainframe applications and take them to the cloud to maximize security, scalability, and cost efficiency," he said. "However, because these systems are so mission-critical - and mainframes are especially unique in this regard since they've been around for so long and contain so much legacy technology - they perceive a lot of risks, so they do not bring them to the cloud."

In May, Banco Santander, a Google Cloud customer, reported on the progress it has made in digitizing its core banking platform, saying that 80% of its IT infrastructure had been moved to the cloud using in-house software called Gravity to automate the process. Google Cloud has acquired an exclusive license to the technology, and its engineers have worked with Santander over the past six months to adapt it for end-to-end mainframe migrations for customers across a wide variety of industries.

Santander had only a very limited use case for the software, Mehta explained, and the changes Google Cloud has made have substantially elevated the solution's relevance to any mainframe customer. He called it a huge deal for anyone running mainframes because it allows them to access data remotely.