More stories

  • Shutterfly reports ransomware incident

    Digital photography company Shutterfly reported a ransomware attack on Sunday. The incident was first reported by Bleeping Computer, which said a source told them the company was attacked by the Conti ransomware group. In a statement, the company said portions of the Lifetouch and BorrowLenses business were affected. They experienced interruptions with Groovebook, manufacturing offices, and some corporate systems as well. Law enforcement has been contacted and a cybersecurity company was also hired to help respond to the incident.

    “As part of our ongoing investigation, we are also assessing the full scope of any data that may have been affected. We do not store credit card, financial account information, or the Social Security numbers of our Shutterfly.com, Snapfish, Lifetouch, TinyPrints, BorrowLenses, or Spoonflower customers, and so none of that information was impacted in this incident,” Shutterfly explained. “However, understanding the nature of the data that may have been affected is a key priority and that investigation is ongoing. We will continue to provide updates as appropriate.”

    Conti began leaking information it stole to a leak site, according to Bleeping Computer, which added that the attack started about two weeks ago and involves a ransom demand in the millions. Last week, researchers with security firm Advanced Intelligence discovered the Conti ransomware group exploiting VMware vCenter Server instances through the Log4j vulnerabilities.

    In a report, the security company said it discovered multiple members of Conti discussing ways to take advantage of the Log4j issue, making them the first sophisticated ransomware group spotted trying to weaponize the vulnerability. AdvIntel said the current exploitation “led to multiple use cases through which the Conti group tested the possibilities of utilizing the Log4J2 exploit.” They noted that their research of ransomware logs shows Conti made over $150 million in the last six months.

    AdvIntel laid out a timeline of events for Conti’s interest in Log4j starting on November 1, when the group sought to find new attack vectors. Throughout November, Conti redesigned its infrastructure as it sought to expand, and by December 12, they identified Log4Shell as a possibility. By December 15, they began actively targeting vCenter networks for lateral movement.

    Both CISA and the FBI said in September that they have seen more than 400 attacks involving Conti’s ransomware targeting US organizations as well as international enterprises. The FBI has previously implicated Conti in attacks on at least 290 organizations in the US. Conti has made a name for itself by attacking hundreds of healthcare institutions — including a debilitating ransomware attack on Ireland’s Health Service Executive on May 14 — as well as schools like the University of Utah and other government organizations like the city government of Tulsa, Oklahoma and the Scottish Environment Protection Agency.

  • In 2022, security will be Linux and open-source developers’ job number one

    Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%.

    Open-source software is also growing by leaps and bounds. According to Gartner’s 2021 Hype Cycle for Open-Source Software (OSS): “Through 2025, more than 70% of enterprises will increase their IT spending on OSS, compared with their current IT spending. Plus, by 2025, software as a service (SaaS) will become the preferred consumption model for OSS due to its ability to deliver better operational simplicity, security, and scalability.”

    Thinking of databases, the beef and potatoes of enterprise software, Gartner predicts that over 70% of new in-house applications will be developed on an open-source database. Simultaneously, 50% of existing proprietary relational database instances will have been converted or are being converted to open-source DBMSs.

    I’ll buy those numbers. I’ve been following Linux and open-source software since day one. Everywhere I go and everyone I talk to acknowledges that the pair run the software universe.

    But with great power also comes great responsibility, as Spider-Man knows. And, as many developers recently found out when multiple security vulnerabilities with the Apache Java logging open-source library log4j2 were discovered, also comes great headaches. The log4j2 problems are as bad as bad can get. By the National Vulnerability Database (NVD) scale, it’s rated as 10.0 CVSSv3, which is perfectly awful.

    Its real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.

    That said, the real pain-in-the-rump with log4j is with how Java hides what libraries its source code and binaries use in numerous Java Archive (JAR) variations. The result? You may be using a vulnerable version of log4j and not know until it’s been exploited. As Josh Bressers, Anchore’s vice president of security, recently explained, “One of the challenges the log4j vulnerability poses is actually finding it. Java applications and dependencies are usually in some sort of packaging format that makes the distribution and running really easy, but it can make figuring out what’s inside of those software packages difficult.”

    Fortunately, there are log4j scanners that can help you spot defective log4j libraries in use. But, they’re not perfect.

    Behind the log4j mess is another problem. That’s “How do you know what open-source components your software is using?” For example, log4j2 has been in use since 2014. You can’t expect anyone to remember if they used that first version in some program you’re still using today. The answer is one that the open-source community started taking seriously in recent years: the creation of Software Bills of Materials (SBOM). An SBOM spells out exactly what software libraries, routines, and other code has been used in any program. Armed with this, you can examine what component versions are used in your program.

    As David A. Wheeler, the Linux Foundation’s Director of Open Source Supply Chain Security, has explained, by using SBOMs and verified reproducible builds, you can make sure you know what’s what in your programs. That way, if a security hole is found in a component, you can simply patch it rather than search like a maniac for any possible problem code before being able to fix it. “A reproducible build,” by the way, explains Wheeler, is one “that always produces the same outputs given the same inputs so that the build results can be verified. A verified reproducible build is a process where independent organizations produce a build from source code and verify that the built results come from the claimed source code.”

    To do this, you and your developers need to track your programs in an SBOM using the Linux Foundation’s Software Package Data Exchange (SPDX) format. Then, to further safeguard that your code is really what it claims to be, you need to notarize and verify your SBOM with services such as the Codenotary Community Attestation Service and Tidelift Catalogs.

    All this is easy to say. Doing it is hard. In 2022, pretty much all open-source developers are going to be spending a lot of time checking their code for problems and then building SPDX-based SBOMs. Users, worried over SolarWinds-type disasters and log4j security problems, will be demanding this.

    At the same time, Linux developers are working on further securing the operating system by making Rust Linux’s second language. Why? Because, unlike C, Linux’s primary language, Rust is much more secure. Specifically, Rust is much safer than C at handling memory errors. As Ryan Levick, a Microsoft principal cloud developer advocate, explained, “Rust is completely memory safe.” That’s a huge deal, since, as Linux kernel developers Alex Gaynor and Geoffrey Thomas pointed out at the 2019 Linux Security Summit, almost two-thirds of Linux kernel security holes come from memory safety issues. And where do those come from? Inherent problems with C and C++.

    Now, Linux isn’t going to be rewritten in Rust. At least not this decade, check with me again in the 2030s, but a lot of Linux drivers and other code will be written going forward in Rust. As Linus Torvalds told me, while he’s “in no way ‘pushing’ for Rust,” he’s “open to it considering the promised advantages and avoiding some safety pitfalls.” Still, he concluded, “I also know that sometimes promises don’t pan out.” We’ll see how it all works out. No matter how the specifics go, one thing I know for certain: we’re going to see securing code become the top issue for Linux and open-source developers in 2022. They’ve both become too important for it to go any other way.
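    Wheeler’s point about reading component versions out of an SBOM, as an added example that is not from the article or the Linux Foundation: a Python checker that reads an SPDX 2.2 JSON document (constructed here) and flags log4j-core packages in the ranges Apache published as affected by CVE-2021-44228 and CVE-2021-45046. Matching on the Maven purl, and the simplified version rules, are this example’s own assumptions.

```python
"""Check an SPDX 2.2 JSON SBOM for log4j-core versions affected by
CVE-2021-44228 and CVE-2021-45046.

Added example, not code from the article or the Linux Foundation; the SBOM
document below is constructed for the demonstration.
"""
import json
import re

# Affected ranges as published by Apache, simplified: CVE-2021-44228 is
# fixed from 2.15.0, CVE-2021-45046 from 2.16.0, and the Java 7/6 backports
# 2.12.2 and 2.3.1 fix both. 2.0-beta9 is the earliest affected release.
# Version tuples are (major, minor, patch, is_final, prerelease_number).
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0, 1, 0),
    "CVE-2021-45046": (2, 16, 0, 1, 0),
}
BACKPORT_FIXES = {(2, 12, 2, 1, 0), (2, 3, 1, 1, 0)}
FIRST_AFFECTED = (2, 0, 0, 0, 9)  # 2.0-beta9

LOG4J_CORE_PURL = "pkg:maven/org.apache.logging.log4j/log4j-core@"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1, 0); '2.0-beta9' -> (2, 0, 0, 0, 9).
    A pre-release sorts below the final release with the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable log4j version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    is_final = 0 if m.group(4) else 1
    pre_num = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, is_final, pre_num)


def affected_cves(version_text):
    """CVE ids (of the two above) that apply to this log4j-core version."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED or v in BACKPORT_FIXES:
        return []
    return [cve for cve, fixed in FIXED_IN.items() if v < fixed]


def log4j_core_packages(sbom):
    """Yield (SPDXID, version) for each package whose purl names log4j-core.
    Matching on the Maven purl avoids false hits on log4j-api or log4j 1.x."""
    for pkg in sbom.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            locator = ref.get("referenceLocator", "")
            if ref.get("referenceType") == "purl" and locator.startswith(LOG4J_CORE_PURL):
                purl_version = locator[len(LOG4J_CORE_PURL):].split("?", 1)[0]
                yield pkg["SPDXID"], pkg.get("versionInfo") or purl_version


def check_sbom(sbom):
    """Map SPDXID -> (version, [CVEs]) for every affected log4j-core package."""
    findings = {}
    for spdx_id, version in log4j_core_packages(sbom):
        cves = affected_cves(version)
        if cves:
            findings[spdx_id] = (version, cves)
    return findings


def _purl(artifact, version):
    return {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
            "referenceLocator": f"pkg:maven/org.apache.logging.log4j/{artifact}@{version}"}


# Constructed SBOM: one app with a direct log4j-core 2.14.1, a transitive
# log4j-core 2.12.2 (backport fix) and log4j-api 2.14.1 (not log4j-core).
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app-sbom",
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-Package-app", "versionInfo": "1.0.0",
         "downloadLocation": "NOASSERTION"},
        {"name": "log4j-core", "SPDXID": "SPDXRef-Package-log4j-core-2.14.1",
         "versionInfo": "2.14.1", "downloadLocation": "NOASSERTION",
         "externalRefs": [_purl("log4j-core", "2.14.1")]},
        {"name": "log4j-core", "SPDXID": "SPDXRef-Package-log4j-core-2.12.2",
         "versionInfo": "2.12.2", "downloadLocation": "NOASSERTION",
         "externalRefs": [_purl("log4j-core", "2.12.2")]},
        {"name": "log4j-api", "SPDXID": "SPDXRef-Package-log4j-api-2.14.1",
         "versionInfo": "2.14.1", "downloadLocation": "NOASSERTION",
         "externalRefs": [_purl("log4j-api", "2.14.1")]},
    ],
}


if __name__ == "__main__":
    # Round-trip through json to mirror reading an SBOM file from disk.
    for spdx_id, (version, cves) in check_sbom(json.loads(json.dumps(SAMPLE_SBOM))).items():
        print(f"{spdx_id}: log4j-core {version} affected by {', '.join(cves)}")
```

    Only the 2.14.1 package is reported; the 2.12.2 backport and log4j-api are left alone, which is the precision a name-only grep would not give you.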

  • Data assessment, user consent key to compliance with China law

    International businesses that process information from China should obtain user consent and establish a data map, so they do not run afoul of the country’s Personal Information Protection Law (PIPL). Specifically, they should look closely at cross-border data flow and residency, even as more clarity still is needed on some components in the new legislation. Organisations that already are set up to comply with Europe’s General Data Protection Regulation (GDPR), though, have a good foundation on which to work towards PIPL adherence.

    Passed in August, the Chinese legislation came into force last month, laying out ground rules around how data should be collected, used, and stored. It outlines data processing requirements for companies based outside of China, which include passing a security assessment conducted by state authorities. Multinational corporations (MNCs) that move personal information out of the country also will have to obtain certification on data protection from professional institutions. The Chinese government described the legislation as necessary to address the “chaos” created, in which online platforms had been excessively collecting personal data.

    Because it was modelled broadly after GDPR, enterprises that had readied themselves for the EU data protection legislation would be better placed to prepare for PIPL compliance. For instance, both bills spell out the need to get user consent and rules around data sovereignty, according to Xin Leo, a Shanghai-based senior associate with law firm Pinsent Masons.

    Like GDPR, companies would need to obtain consent before collecting and using data from customers under PIPL. The Chinese legislation also outlined standard clauses that should be included in service contracts or agreements between both parties – one that provided the data and the other that received it – that were similar to those detailed under GDPR.

    This ensured organisations that collected and processed data would provide similar levels of protection under PIPL as they would with GDPR, Xin said in an interview with ZDNet.

    Being GDPR-compliant put enterprises on the right path towards PIPL adherence as well as other associated Chinese legislation, specifically, the country’s 2017 cybersecurity and 2021 data security bills, said JoHannah Harrington, chief legal officer at Elements Global Services, which specialises in HR technology and compliance. The company works with local law firms in China, where it also has corporate secretariat partners.

    Harrington, too, pointed to the need for user consent before data can be processed or transferred out of China as a common component that PIPL and GDPR shared. In addition, both laws required organisations to meet certain requirements, such as clear and reasonable purpose, for processing data they collected and have processes in place to maintain data protection. These included deploying data security tools and conducting risk mitigation processes, such as firewalls and online privacy notices.

    Like GDPR, PIPL outlines the need to ensure user opt-in and the reclassification of data, said Sovan Bin, CEO of Odaseva. The data management vendor offers tools touted to ensure data is compliant, including with GDPR and PIPL, as it moves across an organisation’s global network.

    Consumers protected under both legislations also have the right to ask to be deleted or removed from an organisation’s database, Bin told ZDNet. Concerted efforts to define data ownership and return consent to consumers, regardless of where their data sat, began with GDPR, which was released in 2016. He said the EU legislation had put forward the concept of cross-border data transfers, so rules requiring organisations to obtain consent whenever they moved data outside the user’s home country were not unique to PIPL.

    Chinese regulators, though, had the benefit of time to assess the impact of such laws and adopt a modern approach, he noted. Data had become a key asset for every organisation over the years, while technologies also had evolved. Regulations established in the 1990s, for one, were no longer relevant with the emergence of cloud technologies, he said, adding that several countries were modernising their data regulations so these were more compatible with the cloud era.

    Questions remain about user consent, conflict with international laws

    But while PIPL shared several similarities with GDPR, there were some significant differences between both legislations that organisations should take note of. According to Harrington, PIPL does not include legitimate interests or purposes as a condition for data processing, while GDPR does. This, for instance, enables organisations to process their employees’ personal data, as it is deemed of legitimate reason. The exclusion of legitimate purposes could mean that MNCs would have to seek the consent of all employees in China, if they had not already done so, before their HR departments were permitted to process the employees’ personal information.

    Uncertainties over the concept of user consent, which was not well defined yet in PIPL, were one likely reason major technology companies had opted to leave the Chinese market, Harrington said. Clarity around consent was paramount because, under the Chinese legislation, it must be applied before data could be processed. She added that as the law was new and untested, clearer definitions in some areas still needed to be established.

    According to Xin, the legislation outlined three areas organisations should address with regards to cross-border data transfers. These included the need for a government security assessment, to gain approval, if the data processed exceeded a threshold specified by the legislation. Some requirements called for certain certifications to be established, under specific instances, between the data exporter and data receiver, but how such procedures should be carried out remained unclear, he said.

    Both parties also would need to agree to a model, or template, contract to be stipulated by the regulator. These contract terms, however, had yet to be released.

    There was further uncertainty over PIPL rules pertaining to data sovereignty, Xin said, under which personal data stored in China could not be provided to foreign jurisdictions or organisations without the Chinese government’s consent. While this policy is not new, as it already is stated in the country’s data security and international corporate criminal laws, there are questions about how this will play out alongside international laws. The US CLOUD (Clarifying Lawful Overseas Use of Data) Act, in particular, gives US law enforcement power to demand access to data stored by cloud providers, including data held outside the US. Doing so in China would be in breach of PIPL, Xin said, which could create a dilemma for MNCs operating in the country. He added that provisions, if any, and procedures organisations should follow under such circumstances currently were unclear.

    Bin noted that organisations were spending more effort, in particular, on ensuring compliance with specifications related to cross-border data and data residency. PIPL outlined certain thresholds under which organisations would have to adhere to guidelines on how to process cross-border data, he said. Businesses handling personal data of more than 1 million users, for instance, or that had to transfer personal data of more than 100,000 users would have to abide by specific policies. Additional policies regarding data residency also would apply to certain types of data, he said. For instance, companies processing data deemed to be more sensitive must pass a security assessment by the Cyberspace Administration of China (CAC). He advised businesses to exercise more care in handling such data across borders, to ensure compliance with PIPL.

    He further noted that, unlike GDPR, where there was a two-year grace period during which organisations could ready themselves before enforcement and fines were implemented, PIPL did not have a similar allowance. In addition, the Chinese legislation was passed and came into force in a shorter time period, giving enterprises less time to prepare for compliance.

    Seek local representative, consent as first steps

    While the legislation is new and some definitions remain unclear, there are some first steps organisations can take towards PIPL compliance. These include appointing a local representative and registering, where required, with the relevant authorities. Asking for user consent for all forms of data would be a good baseline from which to start, as well as ensuring there was a clear purpose for collecting user data, said Harrington. She also recommended organisations appoint local representatives to handle data-related processes in China and carry out security assessments of their data management.

    Xin advised companies to establish a data map, including determining the types of personal data they held, and perform a compliance review to identify gaps between their current data practices and PIPL requirements. They then would need to enhance their data policies as well as IT infrastructure and organisational structure accordingly to plug any gaps, he said. With different business units processing data differently, he stressed the need for organisations to ensure they had a comprehensive understanding of how all these departments collected and processed data. He also underscored the importance of training employees and beefing up overall awareness of data management policies. Businesses could consider appointing a representative for each business unit who was focused on data protection and reported to the company’s data privacy officer, he added.

    With regards to handling employees’ personal data, Xin also suggested organisations formulate their labour rules to incorporate data collection and protection practices. In accepting their employment with the organisation, employees then would have provided consent to the collection and management of personal data as stipulated under the company’s employment contract or handbook. This then would not require businesses to separately obtain employee consent for PIPL, he said. However, most MNCs that processed data of employees in China likely would need to do a separate privacy impact assessment, he noted. Any organisation that wished to transfer data out of China also would be required to carry out such assessments, he said, adding that those providing sensitive personal data to a third party would need to do likewise.

    According to PIPL, violators that fail to comply with orders to rectify the breach will face fines of up to 1 million yuan ($150,000), while the person responsible for ensuring compliance can be fined between 10,000 yuan ($1,500) and 100,000 yuan ($15,000). For “serious” cases, Chinese authorities also dish out fines of up to 50 million yuan ($7.5 million) or 5% of the company’s annual turnover for the previous fiscal year. In addition, its business operations may be suspended or business permits and licences revoked.

  • Multiple Log4j scanners released by CISA, CrowdStrike

    CISA released its own Log4J scanner this week alongside a host of other scanners published by cybersecurity companies and researchers. 


    The open-sourced Log4j scanner is derived from scanners created by other members of the open source community, and it is designed to help organizations identify potentially vulnerable web services affected by the Log4j vulnerabilities. CISA said it modified a Log4J scanner created by security company FullHunt and got help from other researchers like Philipp Klaus and Moritz Bechler. The repository provides a scanning solution for CVE-2021-44228 and CVE-2021-45046. CISA said it supports DNS callback for vulnerability discovery and validation while providing fuzzing for HTTP POST Data parameters, fuzzing for JSON data parameters, and support for lists of URLs. It also features WAF Bypass payloads and fuzzing for more than 60 HTTP request headers.

    CrowdStrike similarly released its own free Log4J scanner called the CrowdStrike Archive Scan Tool, or “CAST.” Yotam Perkal, vulnerability research lead at Rezilion, did a test of some of the Log4J scanners, finding that many were unable to find all instances of the vulnerability.

    “The biggest challenge lies in detecting Log4Shell within packaged software in production environments: Java files (such as Log4j) can be nested a few layers deep into other files – which means that a shallow search for the file won’t find it,” Perkal said. “Furthermore, they may be packaged in many different formats which creates a real challenge in digging them inside other Java packages.”

    Rezilion tested the nine scanners most commonly used by developers and IT teams against a dataset of packaged Java files where Log4j was nested and packaged in various formats. Perkal said that while some scanners did better than others, none were able to detect all formats. According to Perkal, the research illustrates “the limitations of static scanning in detecting Log4j instances.”

    “It also reminds us that detection abilities are only as good as your detection method. Scanners have blindspots,” Perkal explained. “Security leaders cannot blindly assume that various open source or even commercial-grade tools will be able to detect every edge case. And in the case of Log4j, there are a lot of edge instances in many places.”
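    The nesting problem Perkal describes, shown as an added example that is not Rezilion’s, CISA’s or CrowdStrike’s tool: a Python scanner that opens jar/war/ear archives recursively in memory and reports each log4j-core copy it finds, including a shaded copy that kept JndiLookup.class but lost its Maven metadata. The archives it scans are constructed inside the script; the marker paths and the depth limit are this example’s own choices.

```python
"""Locate log4j-core inside nested Java archives (ear -> war -> jar ...)
without extracting anything to disk.

Added example, not Rezilion's or CISA's scanner; the archives it scans are
constructed in memory below.
"""
import io
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata that a stock log4j-core jar carries, with its version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class that marks a log4j-core copy even when it was shaded/relocated and
# the Maven metadata was dropped (matched by suffix to allow relocation).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def scan_archive(data, label, depth=0, max_depth=8):
    """Return [(nested path, version or None)] for every log4j-core found in
    the archive bytes. Nested archives are opened from memory recursively, so
    a jar three layers down is still seen; max_depth bounds runaway nesting."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # an entry with an archive suffix that is not a zip
    with zf:
        names = sorted(zf.namelist())
        if POM_PROPERTIES in names:
            findings.append((label, _version_from_properties(zf.read(POM_PROPERTIES))))
        elif any(n.endswith(JNDI_LOOKUP_CLASS) for n in names):
            findings.append((label, None))  # present, version not recoverable here
        if depth < max_depth:
            for name in names:
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    findings.extend(scan_archive(zf.read(name), f"{label}!{name}",
                                                 depth + 1, max_depth))
    return findings


def _version_from_properties(raw):
    """Read 'version=...' from a Java .properties payload."""
    for line in raw.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def zip_bytes(entries):
    """Build a zip archive in memory from {name: bytes} (sample construction)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_ear():
    """Constructed fixture: an ear containing a war whose WEB-INF/lib holds a
    stock log4j-core 2.14.1 jar, plus a shaded utility jar that embeds a
    relocated JndiLookup class with no Maven metadata."""
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed
    log4j_jar = zip_bytes({
        POM_PROPERTIES: b"groupId=org.apache.logging.log4j\n"
                        b"artifactId=log4j-core\nversion=2.14.1\n",
        JNDI_LOOKUP_CLASS: fake_class,
    })
    shaded_jar = zip_bytes({
        "shaded/" + JNDI_LOOKUP_CLASS: fake_class,
        "com/example/Util.class": fake_class,
    })
    war = zip_bytes({
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/log4j-core-2.14.1.jar": log4j_jar,
    })
    return zip_bytes({"app.war": war, "lib/utils-all.jar": shaded_jar})


if __name__ == "__main__":
    for path, version in scan_archive(build_sample_ear(), "bundle.ear"):
        print(f"{path}: log4j-core {version or '(version unknown, JndiLookup present)'}")
```

    A search for a file named log4j-core*.jar at the top level would miss both hits here: one sits three layers down and the other has been renamed by shading.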

  • Microsoft informs customers of 'NotLegit' Azure bug

    Microsoft’s Security Response Center has released a blog explaining its response to the “NotLegit” bug in Azure that was discovered by cloud security company Wiz.io.

    Wiz.io said all PHP, Node, Ruby, and Python applications that were deployed using “Local Git” on a clean default application in Azure App Service since September 2017 are affected. They added that all PHP, Node, Ruby, and Python applications that were deployed in Azure App Service from September 2017 onward using any Git source, after a file was created or modified in the application container, were also affected.

    Microsoft clarified in their response that the issue affects App Service Linux customers who deployed applications using Local Git after files were created or modified in the content root directory. They explained that this happens “because the system attempts to preserve the currently deployed files as part of repository contents, and activates what is referred to as in-place deployments by deployment engine (Kudu).”

    “The images used for PHP runtime were configured to serve all static content in the content root folder. After this issue was brought to our attention, we updated all PHP images to disallow serving the .git folder as static content as a defense in depth measure,” Microsoft explained. “For these languages since the application code controls whether it serves static content, we recommend customers review the code to make sure that only the relevant code is served out.”

    They noted that not all users of Local Git were impacted by the vulnerability and that the Azure App Service Windows was not affected. Microsoft has notified the customers that are affected by the problem, including those that were impacted due to the activation of in-place deployment and those who had the .git folder uploaded to the content directory. They also updated their Security Recommendations document with an additional section on securing source code and updated the documentation for in-place deployments.

    The Wiz Research Team said on Tuesday that it first notified Microsoft of the issue on October 7 and worked with them through the month to address it. The fix was deployed in November and customers were notified by December. Wiz was paid a bug bounty of $7,500.

    Microsoft did not say if the vulnerability has been exploited but Wiz said “NotLegit” is “extremely easy, common, and is actively being exploited.”

    “To assess the chance of exposure with the issue we found, we deployed a vulnerable Azure App Service application, linked it to an unused domain, and waited patiently to see if anyone tried to reach the .git files. Within 4 days of deploying, we were not surprised to see multiple requests for the .git folder from unknown actors,” the researchers explained. “Small groups of customers are still potentially exposed and should take certain user actions to protect their applications, as detailed in several email alerts Microsoft issued between the 7th – 15th of December, 2021.”

    The Wiz Research Team noted that accidentally exposing the Git folder through user error is a security issue that has impacted organizations like the United Nations and a number of Indian government sites.

    Vectra CTO Oliver Tavakoli said the impact of the vulnerability will be highly variable. Accessing the source code underlying an application (and possibly other files which might have been left in the same directory) may provide information that could be leveraged for other attacks, Tavakoli said. “The fact that the researchers set up what amounts to a honeypot and saw the vulnerability exploited in the wild is of particular concern as it means that the vulnerability was not a well-kept secret,” Tavakoli explained.

    JupiterOne field security director Jasmine Henry told ZDNet that leaked source code puts an organization in an incredibly vulnerable position to threat actors who can instantly steal intellectual property or launch an exploit tailored to unique weaknesses in the source code. “The NotLegit vulnerability is especially eye-opening since it highlights the growing security risk caused by privileged accounts and services, even in the absence of developer error,” Henry said.

  • NSO spyware used to hack Polish politicians, Khashoggi's wife, others

    Spyware from Israeli tech company NSO Group has been implicated in the hack of a leading opposition politician in Poland and several others, according to University of Toronto nonprofit Citizen Lab. 

    In partnership with the Associated Press, Citizen Lab revealed on Thursday that Polish Senator Krzysztof Brejza was hacked using NSO Group’s Pegasus spyware 33 times between April 26, 2019 and October 23, 2019.

    Brejza helped run the opposition campaign against the right-wing government of Prime Minister Mateusz Morawiecki that is currently in power. Doctored photos from Brejza’s smartphone falsely implicated him in several scandals and were shared by government-backed news outlets. Morawiecki eventually won the election by a razor-thin margin. Brejza, who has gained popularity as a hardliner against corruption, was horrified to learn of the hack. Access to his phone would provide anyone with information about his campaign strategy as well as the corruption whistleblowers who put their trust in him.

    Earlier this week, Citizen Lab revealed that Pegasus was also used to hack into the phones of outspoken Polish prosecutor Ewa Wrzosek and Roman Giertych, a lawyer for Brejza’s party Civic Platform.

    While Morawiecki and the Polish government have denied any involvement in the hacking, EU member states have begun to speak out about the incident. “EU governments using spyware on political opponents and critics is unacceptable. EU Commission has to stop ducking the issue. Such practices have no place in the EU and must be banned,” Dutch EU parliamentarian Sophie in ‘t Veld tweeted on Wednesday.

    The news adds to disastrous stories about NSO Group. Citizen Lab provided the Washington Post with evidence showing the UAE used Pegasus to hack and track the phone of Hanan Elatr, wife of deceased Saudi journalist Jamal Khashoggi. Her phone was hacked months before her husband was assassinated by Saudi officials.

    NSO Group chief executive Shalev Hulio in July denied that Elatr and Khashoggi were ever targets of Pegasus customers. Even with the new forensic information, NSO Group continued to deny that Elatr was ever targeted. That story came after Citizen Lab provided information to The Guardian showing that UN war crimes investigator Kamel Jendoubi was hacked with Pegasus while he served as chairman of the Group of Eminent Experts in Yemen.

    NSO Group was blacklisted by the US government last month after it was revealed Pegasus was used to hack into the phones of several US State Department officials in Uganda. NSO Group is now facing significant trouble, including lawsuits from Apple and a potential default on more than $300 million in loans.

    Citizen Lab has worked with multiple news outlets throughout the year to reveal the scale of NSO Group’s work. In July, the “Pegasus Project” used information from Amnesty International, Citizen Lab, and Forbidden Stories to uncover that the NSO Group’s spyware was used to target at least 65 business executives, 85 human rights activists, 189 journalists, and at least 600 politicians. The Israeli government’s spy agency used the tool to hack the phones of six Palestinian human rights activists. The ruler of the UAE used Pegasus to spy on his ex-wife and her British lawyers. Targeted government officials included French President Emmanuel Macron, South African President Cyril Ramaphosa, and Iraqi President Barham Salih. Cabinet ministers from dozens of countries, including Egypt and Pakistan, were also targeted.

    John Scott-Railton, senior researcher at Citizen Lab, told ZDNet that the Polish victims of Pegasus were particularly notable because they suggest that Pegasus is being used for political purposes in a European democracy. The Khashoggi case reinforces the knowledge that there were Pegasus infections in the Washington Post reporter’s close circle prior to his murder, according to Scott-Railton. He added that the case further undermines NSO Group’s credibility because it directly contradicts multiple statements they have made.

    Overall, the stories revealed researchers’ worst fears: Pegasus was being used profusely to impact politics and human rights. “Pegasus is also being used to erode key international institutions and the people who work at them. Taken together, alongside NSO’s dismal recent economic news, the picture is of a company that behaves recklessly and ignored the tremendous harms it was causing,” Scott-Railton said, noting that NSO Group is not the only spyware company causing damage. He explained, “The problem extends far beyond NSO. NSO has just made itself the poster child for how bad the industry is.”

  • Beware of cryptominers when torrenting 'Spider-Man: No Way Home'

    Cybersecurity firm ReasonLabs is warning eager fans of "Spider-Man: No Way Home" to beware of cryptominers if they decide to torrent the film instead of heading to theaters for it. In a new report, the ReasonLabs research team says it found Monero miners attached to Russian torrent files of the new film, which has brought in more than $750 million worldwide since it debuted last week. The miner adds exclusions to Windows Defender, creates persistence, and spawns a watchdog process to maintain its activity, according to ReasonLabs. "The malware is not signed and written in .net, and as of this date, it is not present in Virus Total. The malware tries to stay away from examining eyes, by using 'legitimate' names for the files and processes that it creates. We recommend taking extra caution when downloading content of any kind from non-official sources, whether it's a document in an email from an unknown sender, a cracked program from a fishy download portal, or a file from a torrent download," the team explained. "One easy precaution you can take is to always check that the file extension matches the file you are expecting, e.g. in this case, a movie file should end with '.mp4', not '.exe'. Try to gather information about the file, and always think twice before double-clicking on it. To make sure you see the real file extension, open a folder, go to 'View' and check 'File name extensions.' This will make sure you see the full file type." The researchers added that although the malware does not compromise personal information, cryptominers cause other kinds of damage. The added electricity will cost victims of the malware, and the researchers noted that the miner runs for long periods, slowing down the device while demanding high CPU usage.

    When asked how they discovered the cryptominer, the ReasonLabs team told ZDNet that they have amassed a large malware database over the years that allows them to research samples' origins, flag them, and cross-check with other databases such as Virus Total. One of their users downloaded this "Spider-Man: No Way Home" file and it got flagged within their database as a new threat. They do not know how many times the file has been downloaded but noted that it has been around for some time. "The Spiderman malware is actually a new 'edition' of a previously known malware that was disguised as various popular apps in the past such as 'windows updater,' 'discord app,' and now the Spiderman movie. This suggests that it's been downloaded a lot. No one else has identified this 'edition' of the malware," the team said. BreachQuest CTO Jake Williams said threat actors used torrents as a distribution mechanism for malware long before cryptominers were a thing. "I remember seeing a wave of threat actors compromising victims with screen savers celebrating Whitney Houston's career in the wake of her passing. Given that cryptominers are the easiest way for threat actors to cash out, it's not surprising that threat actors will use these as their malware payload of choice," Williams explained. Digital Shadows' Sean Nikkel noted that there are likely lots of Gen Xers and Millennials who remember the days of downloading random files from strangers across Kazaa and Limewire in search of rare or free MP3 or video files and ending up with a Trojan or similar nastiness. The tactic, he said, carried into the torrent world. In addition to malware being attached to popular movies or shows, the same thing occurs with popular applications like those from Adobe, Microsoft, or specialized music programs like Ableton or Fruity Loops, which are themselves often pirated. "Sometimes the key generators themselves were malicious or the application's executable.
There have been plenty of office workers looking to cut corners or use programs they're familiar with on their work computer. These users run the risk of downloading 'free' versions or versions hosted on bad sites and end up getting burned," Nikkel said. Bugcrowd CTO Casey Ellis explained that, from the threat actor's perspective, using a delivery system where users are less likely to reach out for "technical support" if something seems off, or even to admit to peers or family that their computer might be acting strange, gives them an increased chance of their malware executing in the first place and, once it does, a lower risk of it being discovered and removed. ReasonLabs said it is still researching the origins of the miner but noted that it constantly sees miners deployed as common programs, files of interest, popular apps, current events, etc. "Miners got very popular in the past years because it's easy money and attackers are trying to gain as many victims as possible, by any way possible, including fooling users to download files that are not what they seem," ReasonLabs told ZDNet.
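The two behaviours the story calls out, a miner that adds its own Windows Defender exclusions and a payload whose real extension is hidden by Explorer, are both things a defender can audit on a Windows host. The script below is an added example, not code from ReasonLabs or ZDNet; it uses the built-in Defender cmdlet Get-MpPreference and the Explorer HideFileExt registry value, and assumes Windows 10/11 with Defender present and an elevated PowerShell session. The path patterns treated as "worth reviewing" and the Downloads folder as the scan target are assumptions for illustration.

```powershell
# Added example (not from the ReasonLabs report): audit a Windows host for
#   1. Defender exclusions (the miner described above adds its own so it is not scanned)
#   2. Explorer's "hide extensions" setting (makes "movie.mp4.exe" display as "movie.mp4")
#   3. Files in a download folder that look like media but carry an executable extension
# Assumes Windows 10/11 with the built-in Defender module; run from an elevated shell.

function Get-DefenderExclusionReport {
    $pref = Get-MpPreference
    foreach ($p in $pref.ExclusionPath)      { [pscustomobject]@{ Kind = 'Path';      Value = $p } }
    foreach ($p in $pref.ExclusionProcess)   { [pscustomobject]@{ Kind = 'Process';   Value = $p } }
    foreach ($e in $pref.ExclusionExtension) { [pscustomobject]@{ Kind = 'Extension'; Value = $e } }
}

# Heuristic (assumed, not from the article): exclusions covering a whole drive or a
# user-writable location deserve a look; legitimate ones usually name a specific
# application directory.
function Find-SuspiciousExclusions {
    Get-DefenderExclusionReport | Where-Object {
        $_.Kind -ne 'Extension' -and (
            $_.Value -match '^[A-Za-z]:\\$' -or
            $_.Value -match '\\Users\\[^\\]+\\(AppData|Downloads|Desktop)' -or
            $_.Value -match '\\(Temp|Public|ProgramData)\\'
        )
    }
}

# HideFileExt = 1 (the Windows default) means Explorer hides known extensions.
# Unchecking View > "File name extensions", as the article advises, sets it to 0.
function Test-ExtensionsHidden {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $v = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($null -eq $v) -or ($v -eq 1)
}

# Flag files whose base name ends in a media/document extension but whose real
# extension is executable, e.g. "Spider-Man.mp4.exe".
function Find-DisguisedExecutables {
    param([string]$Folder)
    $execExt = '.exe', '.scr', '.com', '.bat', '.cmd', '.ps1', '.vbs', '.js'
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue | Where-Object {
        $execExt -contains $_.Extension.ToLower() -and
        $_.BaseName -match '\.(mp4|mkv|avi|mov|mp3|pdf|docx?)$'
    }
}

Write-Host '== Defender exclusions =='
Get-DefenderExclusionReport | Format-Table -AutoSize
Write-Host '== Exclusions worth reviewing =='
Find-SuspiciousExclusions | Format-Table -AutoSize
Write-Host ('Explorer hides file extensions: {0}' -f (Test-ExtensionsHidden))
Write-Host '== Disguised executables in Downloads =='
Find-DisguisedExecutables -Folder (Join-Path $env:USERPROFILE 'Downloads') | Select-Object FullName
```

Any exclusion you did not create yourself is worth investigating before removing it; a miner that also installed a watchdog process, as the article describes, will typically re-create its exclusion and its persistence entry, so the exclusion list is a useful signal that something on the host needs a full investigation rather than a one-off cleanup.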

  • Train at your own pace to become an expert ethical hacker for only $43

    StackCommerce
    Cybercrimes are getting worse every day, so the demand for cybersecurity skills is through the roof. If you'd like to switch to a new well-paid career in 2022, you can start training now with the All-In-One 2022 Super-Sized Ethical Hacking Bundle. And it's on sale for just $42.99. Jump right in with an overview of the field with "All-in-One Hacking Guide: From Zero to Hero." Then "Bug Bounty: Web Hacking" teaches you how to hack big-name online apps. And you'll get a solid foundation from the comprehensive guides "Complete Ethical Hacking & Penetration Testing Course" and "Learn Network Attacks & Security." "Hack People, Systems & Mobile Devices: Advanced Social Engineering" teaches you in detail how hackers crack mobile devices. Python skills are always valuable, and two courses teach you how to hack using it: "Introduction to Python & Hacking with Python" and "Complete Python 3 Ethical Hacking Course: Zero to Mastery." Another two cover Burp: "Learn Burp Suite for Advanced Web Penetration Testing" and "Mastering Burp Suite Community Edition: Bug Hunters Perspective." You can build an arsenal of tools for different platforms. Crowd favorite "Learn Server Security with BitNinja" was rated 4.8 out of 5 stars. Instructor Gabriel Avramescu likes to challenge assumptions, strategies and techniques by emulating attackers. Then you can turbocharge your skills by advancing with "PenTesting with OWASP ZAP: Mastery Course," "Kali Linux Hacker Tools, Tricks & Techniques," "Master in Hacking with Metasploit" and "Complete NMAP: Learn Ethical Hacking with NMAP." You'll get lots of practice with "Hacking in Practice: Certified Ethical Hacking Mega Course," "Website Hacking In Practice: Hands-On Course 101" and "Hacking Wireless Networks: Theory & Practice." Then, get a certification that will make your resume shine with the "Ethical Hacker Certification Course." Any one of these courses will provide you with the skills needed to apply for well-paid ethical hacking positions.
It won’t be long before you’re rewarding yourself with some new gaming glasses, or something equally fun.

    Don't pass up this opportunity to become an ethical hacker with the All-In-One 2022 Super-Sized Ethical Hacking Bundle. Prices subject to change.
