More stories


    Google announces Scorecard V4 in partnership with GitHub and OpenSSF

    The Open Source Security Foundation (OpenSSF), GitHub, and Google announced on Wednesday the launch of Scorecards V4, which includes larger scaling, a new security check, and a new Scorecards GitHub Action for easier security automation.

    OpenSSF launched Scorecards in November 2020, creating an automated security tool that produces a “risk score” for open source projects and helps reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project’s supply chain.

    Since Google and OpenSSF’s July 2021 announcement of Scorecards V2, the Scorecards project has grown steadily to over 40 unique contributors and 18 implemented security checks.


    The Scorecards Action, released in partnership with GitHub, automates the process of judging whether changes to a project affected its security. Previously, tasks like this had to be done manually. The Action is available from GitHub’s Marketplace and is free to use. It can be installed on any public repository by following these directions.

    “Since our July announcement of Scorecards V2, the Scorecards project—an automated security tool to flag risky supply chain practices in open source projects—has grown steadily to over 40 unique contributors and 18 implemented security checks. Today we are proud to announce the V4 release of Scorecards, with larger scaling, a new security check, and a new Scorecards GitHub Action for easier security automation,” said Google Open Source Security Team members Laurent Simon and Azeem Shaikh.

    “The Scorecards Action is released in partnership with GitHub and is available from GitHub’s Marketplace. The Action makes using Scorecards easier than ever: it runs automatically on repository changes to alert developers about risky supply-chain practices. Maintainers can view the alerts on GitHub’s code scanning dashboard, which is available for free to public repositories on GitHub.com and via GitHub Advanced Security for private repositories.”

    The two added that they have scaled their weekly Scorecards scans to over one million GitHub repositories and partnered with the Open Source Insights website for easy user access to the data.
    The Open Source Security Foundation explained in a blog post that although the world runs on open-source software, many open source projects engage in at least one risky behavior — like not enabling branch protection, not pinning dependencies, or not enabling automatic dependency updates.

    “Scorecards makes it simple to evaluate a package before consuming it: a scan run with a single line of code returns individual scores from 0 to 10 rating each individual security practice (“checks”) for the project and an aggregate score for the project’s overall security. Today’s release of a Scorecards GitHub Action makes it easier than ever for developers to stay on top of their security posture,” the organization said. “The new Scorecards GitHub Action automates this process: once installed, the Action runs a Scorecards scan after any repository change. Maintainers can view security alerts in GitHub’s scanning dashboard and remediate any risky supply-chain practices introduced by the change.”

    All of the alerts now include the severity of the risk, the file and line where the problem occurs, and the remediation steps to fix the issue. The latest release also adds the License check, which detects the presence of a project license, and the Dangerous-Workflow check, which detects dangerous usage of the pull_request_target trigger and risks of script injection in GitHub workflows.

    A number of open-source projects have already adopted the Scorecards Action, including Envoy, distroless, cosign, rekor, and kaniko. “Scorecards provides us the ability to rapidly litmus test new dependencies in the Envoy project,” said Envoy’s Harvey Tuch. “We have found this a valuable step in vetting new dependencies for well-known attributes and we have integrated Scorecards into our dependency acceptance criteria. Machine checkable properties are an essential part of a sound security process.”


    1Password raises $620 million in latest funding round

    Password manager 1Password said it closed its latest funding round on Wednesday, raising $620 million and boosting its valuation to $6.8 billion.

    The Series C funding round included the participation of ICONIQ Growth, Tiger Global, Lightspeed Venture Partners, Backbone Angels, and Accel, which led the Canadian company’s Series A and B rounds. Celebrities like Ryan Reynolds, Scarlett Johansson, Robert Downey Jr., Matthew McConaughey, Chris Evans, Rita Wilson, Ashton Kutcher, Trevor Noah, Justin Timberlake, and Pharrell Williams also participated in the Series C round. Executives like Robert Iger and LinkedIn’s Jeff Weiner invested in the company as well.

    “Our mission has always been to ease the tension between security and convenience, and the opportunity to deliver on this has never been bigger for 1Password. We create products and solutions that improve upon and easily layer into a company’s existing security infrastructure, nurturing better habits for employees while strengthening a company’s security posture from within,” said Jeff Shiner, CEO of 1Password. “That way, we can tackle the biggest security threats facing the modern workforce and deliver on the promise of providing a safer life online for families and businesses around the world,” Shiner continued.

    1Password told ZDNet it would use the money to scale the platform and expand its offerings. Over the last year, the company increased its B2B business footprint, adding more than 100,000 companies as customers over the last 24 months. The company has also grown to 570 employees and launched several new products, including a password sharing tool.

    Will Griffith, a founding partner at ICONIQ Growth, said more than one hundred CISOs, CIOs, CTOs, developers, and IT leaders were impressed by “1Password’s ability to balance strict security standards with a profound understanding of how humans behave.” “By making safe online behavior second nature, 1Password is not only protecting individuals but also the enterprises where they work,” Griffith said.



    Bugcrowd reports increase in critical vulnerabilities found in 2021

    A new Bugcrowd report has revealed significant increases in the number of critical vulnerabilities reported in 2021. The company’s 2022 Priority One report covers a variety of security trends over the last year. The report said the platform experienced a 185% increase in the last 12 months in Priority One (P1) submissions for financial services companies. Bugcrowd said P1 submissions involve vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, and more. Overall, P1 vulnerabilities increased 186% in 2021.

    Bugcrowd founder Casey Ellis added that the global shift to remote work prompted organizations to put more assets online. That led to more investment in ethical hackers, and Bugcrowd saw that 24% of all valid submissions for the year involved P1 and P2 threats. P2 threats are vulnerabilities that affect the security of software and impact the processes it supports.

    Ellis noted that nation-state hackers have also become far more brazen and less concerned about stealth, using attacks on known vulnerabilities far more frequently in 2021. “Significantly, we’ve seen a democratization of such threats due to an emerging ransomware economy and a continued blurring of lines between state actors and e-Crime organizations,” Ellis said. “All of which, combined with growing and more lucrative attack surfaces, have made for a highly combustible environment. In 2022, we expect more of the same.”

    Even P3 submissions, which involve vulnerabilities that affect multiple users and require little or no user interaction to trigger, saw year-over-year increases in 2021. Submissions were up 82% overall, while payouts for those submissions were up 106%. The software sector saw total payouts increase by 73% as well. Submissions for the government sector were up 1000% in 2021 through Q3 compared to 2020.

    Bugcrowd also found that cross-site scripting was the most commonly identified vulnerability type and sensitive data exposure moved up to #3 from #9 on the Top 10 list. “There was some change at the top in 2021, where Cross-Site Scripting overtook Broken Access Control as the most commonly identified vulnerability type, reverting to the 2019 top two and reflecting the rapid deployment of home-grown web applications throughout 2020 and 2021,” Bugcrowd explained. “In third place, Sensitive Data Exposure involving Internal Assets leapt six places from ninth last year, brought on by an increased emphasis on scanning as a means of uncovering vulnerabilities. This was a direct consequence of the expansion and increased complexity of attack surfaces during pandemic-induced digital transformation, as well as the speed at which this transformation took place. The changes in the top 10 most commonly identified vulnerability types demonstrate the natural life cycle of vulnerability categories and the “cat and mouse” nature of the interaction between builders and breakers: the Crowd is incentivized to find new, prevalent vulnerability types, those vulnerabilities are eventually addressed by automated tools (causing incentives to fall), and then new vulnerability types emerge that the Crowd is highly incentivized to find.”


    Biden signs cybersecurity memorandum for Defense Department, intelligence agencies

    US President Joe Biden signed a memorandum on Tuesday concerning the cybersecurity of the Defense Department and the country’s intelligence agencies, sketching out exactly how an executive order he signed in May 2021 will be implemented. 


    “This NSM requires that, at minimum, National Security Systems employ the same network cybersecurity measures as those required of federal civilian networks in Executive Order 14028. The NSM builds on the Biden Administration’s work to protect our Nation from sophisticated malicious cyber activity, from both nation-state actors and cybercriminals,” the White House said.

    The memorandum goes into detail about how the executive order applies to national security systems and provides timelines for implementing things like multifactor authentication, encryption, cloud technologies, and endpoint detection services. Within two months of the memorandum, the head of each executive department or agency that owns or operates an NSS is required to update agency plans concerning cloud technology, and within 180 days, agencies need to implement multifactor authentication and encryption for NSS data-at-rest and data-in-transit. It also requires agencies to “identify their national security systems and report cyber-incidents that occur on them to the National Security Agency.”

    The memorandum gives the National Security Agency broad powers to issue binding directives that force agencies to “take specific actions against known or suspected cybersecurity threats and vulnerabilities.” The White House noted that this directive was modeled after the Department of Homeland Security’s Binding Operational Directive authority for civilian government networks. The NSA and DHS will work together on certain directives and share information about requirements and threats.

    Additionally, the memorandum forces agencies to be aware of and secure cross-domain tools that allow agencies to transfer data between classified and unclassified systems. “Adversaries can seek to leverage these tools to get access to our classified networks, and the NSM directs decisive action to mitigate this threat. The NSM requires agencies to inventory their cross-domain solutions and directs NSA to establish security standards and testing requirements to better protect these critical systems,” the White House said. The memorandum includes a range of other deadlines and orders for agencies working with sensitive information.

    It comes on the heels of multiple warnings released by the Cybersecurity and Infrastructure Security Agency (CISA) about potential threats coming from Russia. CISA sent out a warning about potential Russian attacks on critical infrastructure and, this week, warned businesses working with Ukrainian organizations about potential cybersecurity issues. The country is still recovering from the SolarWinds scandal, which saw Russian hackers invade multiple US agencies and spend months inside the country’s most sensitive information systems. Nine government agencies were hacked, including the Department of State, the Department of Homeland Security, the National Institutes of Health, the Pentagon, the Department of the Treasury, the Department of Commerce, and the Department of Energy.


    Deloitte launches new SaaS cyber threat detection and response platform

    Deloitte has launched a new threat detection and response platform for enterprise clients. 

    On Wednesday, the professional services giant said that the latest solution added to the Deloitte cybersecurity portfolio is called Managed Extended Detection and Response (MXDR), a Software-as-a-Service (SaaS) platform for “flexible, technology-enabled, human-powered security operations.”

    The MXDR SaaS solution aims to provide an “integrated, unified, composable and modular managed detection and response” suite to clients, including threat detection, response, and remediation capabilities. Cloud security workloads, zero trust identity management systems, insider threats, attack surface and vulnerability management, as well as log and analytics management are included in the suite. Security operation centers in the US and in FedRAMP-authorized centers worldwide manage the service 24/7, 365 days a year.

    According to Deloitte, MXDR was initially operationalized by AWS, CrowdStrike, Exabeam, Google Cloud Chronicle, ServiceNow, Splunk, and Zscaler. More vendors will contribute to MXDR as the product line evolves.

    “As threats become more frequent, sophisticated and impactful, leading organizations are considering creative, divergent approaches that meet attackers where they are, while simultaneously fortifying the defenses around their most important assets. But, the cost and complexity of consolidating, building and maintaining such cybersecurity infrastructure in-house can be high,” commented Curt Aubley, MXDR by Deloitte leader. “We designed Managed Extended Detection and Response by Deloitte to offer our clients access to a broad suite of industry-leading capabilities that align with their current and future cyber needs.”



    Interpol and Nigerian police bust cybercrime BEC ring

    Interpol and the Nigerian Police Force (NPF) arrested 11 people allegedly involved in a “prolific” cybercrime ring known for running Business Email Compromise (BEC) scams that targeted thousands of companies around the world. 


    In a statement, the law enforcement agencies said the NPF and Interpol’s National Central Bureau in Nigeria coordinated to conduct the raids in Lagos and Asaba between December 13 and December 22. Some of those arrested are allegedly members of a cybercrime network called ‘SilverTerrier.’

    After the raids, police found one suspect with a laptop containing more than 800,000 potential victim domain credentials, and in total, the group was connected to BEC criminal schemes targeting more than 50,000 organizations. According to Interpol, one suspect was spying on conversations between 16 different companies and their clients, planning to eventually divert funds when transactions were about to be made. Interpol found other evidence implicating another person in a range of BEC crimes across Gambia, Ghana and Nigeria.

    More than six countries were involved in the effort, according to Interpol. Assistant Inspector General of Police Garba Baba Umar, head of NCB Abuja and Interpol Vice President for Africa, said Interpol’s alerts and technology helped them break up the cybercrime ring. “The outstanding results of Operation Falcon II have served to disrupt this dangerous cyber gang and protect Nigerian citizens from further attack. I encourage fellow African countries to also work with Interpol in ridding our continent of cybercrime to make the cyber world a safer place,” Umar said. Craig Jones, Interpol director of cybercrime, said the investigation into SilverTerrier has helped them build a “very clear picture of how such groups function and corrupt for financial gain.”

    “Thanks to Operation Falcon II, we know where and whom to target next,” Jones said.

    Palo Alto Networks’ Unit 42 and Group-IB’s APAC Cyber Investigations Team assisted Interpol and the NPF in the investigation, providing detailed examinations of the group’s activities. Palo Alto Networks released a blog about the investigation with information about some members of SilverTerrier. They noted that global losses from BEC scams grew to $1.8 billion in 2020, according to FBI statistics. “This recent operation was novel in its approach in that it didn’t target the easily identifiable money mules or flashy Instagram influencers who are typically seen benefiting from these schemes. Instead, it focused predominantly on the technical backbone of BEC operations by targeting the actors who possess the skills and knowledge to build and deploy the malware and domain infrastructure used in these schemes,” Palo Alto Networks explained. The company named six of those involved in SilverTerrier, tying each to a range of different BEC scams and malware used during attacks like LokiBot, PredatorPain, ISRStealer, Pony, NanoCore, AzoRult, ISpySoftware, Agent Tesla and Keybase. Many of those identified had thousands of domains registered to their names or aliases, supporting other BEC actors. A number of those involved had been working on BEC scams since 2014 or 2015.


    Singapore pushed to introduce security measures amidst online banking scams

    Banks and financial institutions in Singapore will have to implement new security measures mandated following a series of phishing SMS scams that wiped out the life savings of several victims. These measures include the removal of hyperlinks from email or SMS messages sent to consumers and a 12-hour delay in activating mobile software tokens. The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) said in a statement Wednesday that the additional measures aimed to strengthen the security of digital banking, in light of the recent scams targeting bank customers.

    The SMS-phishing scams involved at least 469 customers of OCBC Bank and resulted in losses of more than S$8.5 million, with S$2.7 million alone lost over the recent three-day Christmas weekend. Several of the victims reportedly lost their life savings, including a 43-year-old man whose account was wiped of S$500,000, a 38-year-old software engineer who lost S$250,000, and a 33-year-old finance executive who had her account emptied of S$68,000.

    In these cases, scammers manipulated SMS Sender ID details to send messages that appeared to be from OCBC. These SMS messages prompted the victims to resolve issues with their accounts, redirecting them to phishing websites and instructing them to key in their bank login details, including username, PIN, and One-Time Password (OTP). Because OCBC’s legitimate Sender ID was cloned and spoofed, these messages appeared in the same thread as previous alerts or notifications from the bank, leading victims to believe they were legitimate. Affected OCBC customers also expressed frustration over how they were put on hold in their efforts to contact the bank’s hotline and have their accounts locked, after they received notifications of payment transfers and requests to increase their transaction limits, which they never made.

    “MAS expects all financial institutions to have in place robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam,” the regulator said in its statement. “The growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months.”

    Local banks, in consultation with MAS, would work to implement more stringent measures within the next two weeks. These would include setting the default threshold of funds transfer transaction notifications at S$100 or lower and triggering a notification to the existing mobile number or email registered with the bank whenever a request is made to change a customer’s mobile number or email address.

    Banks also would have to set up dedicated and “well-resourced” customer assistance teams to deal with customer feedback on potential fraud cases, MAS said. The regulator added that further safeguards, such as enforcing a cooling-off period before requests for key account changes, including a customer’s contact details, should be implemented.

    In addition, banks would work closely with MAS, local law enforcement, and the Infocomm Media Development Authority (IMDA) to deal with the current “scourge of scams”. This would include working on more permanent measures to combat SMS spoofing, including the adoption of an SMS Sender ID registry by all relevant stakeholders, MAS said. “MAS is also intensifying its scrutiny of major financial institutions’ fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams,” it added.

    MAS’ managing director Ravi Menon said: “The threat of scams will not go away, but we can reduce our vulnerabilities. This requires a multi-pronged response across the ecosystem. MAS, together with the Police, IMDA, and other relevant government agencies, is working closely with the financial industry, the telco industry, consumer groups, and other stakeholders to strengthen our collective resilience against scam attacks. We will ensure that digital banking remains secure, efficient, and trusted.”

    OCBC on Wednesday said all customers affected by the SMS phishing scam would receive “full goodwill payouts” comprising the amount they lost. This came after its previous statement on Monday that it had begun to make “goodwill payouts” since January 8, but did not specify if these covered the entire amount customers lost. The bank acknowledged its customer service and response “fell short” of customers’ expectations.


    This new ransomware comes with a small but dangerous payload

    A new form of ransomware that uses discreet techniques to avoid detection before encrypting files and demanding payment in exchange for the decryption key could be linked to a notorious financial crime group. White Rabbit ransomware emerged in December 2021 with an attack against a US bank and has since been examined by cybersecurity researchers, who say that the ransomware appears to be connected to FIN8, a financially motivated cyber-criminal gang. 


    FIN8 was first identified in 2016 and typically targets point-of-sale (POS) systems with malware attacks designed to steal credit card information. Now it appears that FIN8 could be following the money and shifting towards ransomware campaigns.

    According to cybersecurity researchers at Trend Micro, White Rabbit uses tactics that have been seen before, most notably by Egregor, in that its payload binary requires a specific command-line password before it goes ahead with the ransomware and encryption routine – a technique that allows the payload to remain undetected until it’s executed. The payload is also hard to detect because the file is small, only 100KB, and appears to show no signs of activity. It contains strings for logging – something that could give away the malicious intent – but these can only be accessed with the correct password. In the sample analysed by Trend Micro, the password was ‘KissMe’ – although the password could be different for each campaign.

    Like many other ransomware groups, White Rabbit uses double extortion, threatening the victim of the attack with publishing or selling data stolen from the compromised network if a ransom payment isn’t received. They also threaten to leak the data if the victim contacts the FBI about the attack.

    It’s not detailed how the cyber criminals behind White Rabbit initially compromise networks, but researchers note the use of Cobalt Strike, a penetration-testing tool, to gather information and move around affected systems. But something that has been detailed by researchers at cybersecurity company Lodestone is what appears to be a connection between White Rabbit and FIN8. They note that a malicious URL connected to the attack has previously been connected with FIN8 activity.

    In addition to this, Lodestone has identified White Rabbit being used alongside a never-before-seen version of Badhatch, a form of malware designed to create backdoors into compromised networks and that is associated with previous FIN8 campaigns targeting point-of-sale systems. “Currently, we are still determining if FIN8 and White Rabbit are indeed related or if they share the same creator. Given that FIN8 is known mostly for its infiltration and reconnaissance tools, the connection could be an indication of how the group is expanding its arsenal to include ransomware,” Trend Micro wrote in a blog post.

    For financially motivated cyber criminals, a shift towards ransomware could be seen as desirable because of the amount of money that can be made from encrypting networks, which can reach millions of dollars. It isn’t without precedent – cybersecurity researchers have previously detailed how FIN11, an established financial crime group that previously focused on phishing and malware campaigns, changed tactics and switched to ransomware attacks.