Revised policy means security analysts won't be charged under the Computer Fraud and Abuse Act.

The US Department of Justice announced this week that it has revised a policy that explicitly states it will not charge security researchers with violations of the Computer Fraud and Abuse Act (CFAA).

The new guidance recognizes "good faith" security research done to promote safety and not carried out in a way that causes harm. The new policy, effective immediately, replaces the previous CFAA charging policy from 2014, the DOJ said. 

"Computer security research is a key driver of improved cybersecurity," said Deputy Attorney General Lisa O. Monaco in a statement about the new DOJ policy. "The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DoJ Won't Charge 'Good Faith' Security Researchers

Shadowserver Foundation researchers find 380,000 open Kubernetes API servers.

Researchers with Shadowserver Foundation have discovered more than 380,000 open Kubernetes API servers exposed on the Internet. That represents 84% of all global Kubernetes API instances observable online.

The research was conducted across IPv4 infrastructure using HTTP GET requests. The researchers didn’t do any intrusive checks to figure out exactly the level of exposure that the servers exhibited, but the findings suggest potential trouble across this landscape.

“While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended, and these instances are an unnecessarily exposed attack surface,” according to the Shadowserver report. “They also allow for information leakage on version and builds.”

The densest cluster of exposed API servers was found in the US, where some 201,348 of these open API instances were discovered. That accounts for 53% of the total open servers found.

This report is yet more evidence in a growing body of research around API security that shows many organizations are unprepared to protect against, respond to, or even have visibility into potential API attacks.

**Data Breaches via API Incidents  
**According to the recent "State of API Security 2022" report from Salt Security, approximately 34% of organizations have absolutely no API security strategy in place, and an additional 27% say that they have just a basic strategy that involves minimal scanning and manual reviews of API security status and no controls or management over them. Another study, from 451 Research on behalf of Noname Security, found that 41% of organizations had an API security incident in the last 12 months. Of those, 63% involved a data breach or data loss.

The scope of the potential API attack surface in modern application and cloud infrastructure is huge. According to the 451 Research study, large enterprises on average have more than 25,000 APIs connected to or operating within their infrastructure. The number is set to keep growing, and in a recent Gartner Predicts 2022 document, analysts say they believe that less than 50% of enterprise APIs will be managed three years from now “as explosive growth in APIs surpasses the capabilities of API management tools."

The Kubernetes exposure found by Shadowserver is evidence for a particularly acute problem in cloud security today. APIs are often one of the weakest links in cloud infrastructure management because they are usually at the heart of the control plane that handles configuration of cloud infrastructures and applications.

“All cloud breaches follow the same pattern: control plane compromise. The control plane is the API’s surface that configures and operates the cloud. APIs are the primary driver of cloud computing; think of them as 'software middlemen' that allow different applications to interact with each other,” explains Josh Stella, chief architect at Snyk and the founder of Fugue, which was recently acquired by Snyk. “The API control plane is the collection of APIs used to configure and operate the cloud. Unfortunately, the security industry remains a step behind the hackers because many vendor solutions do not protect their customers against attacks that target the cloud control plane.”

In the Predicts piece, Gartner analysts agree that newly created APIs that are churning into the scene are an integral part of the emerging cloud and application architectures that are at the heart of the modern continuous delivery model of application development.

“This situation resembles the early days of infrastructure as a service (IaaS) deployment, as ungoverned API usage is on the rise. As the architecture and operational technologies continue to mature, security controls try to apply old paradigms to new problems,” according to Gartner. “These controls can be a temporary solution, but it will take a long time for security controls and practices to catch up with the new architecture paradigm.”

Majority of Kubernetes API Servers Exposed to the Public Internet

CrowdStrike and CyberArk invest in Dig's seed round, which was led by Team8, alongside Merlin Ventures and chairs of MongoDB and Exabeam.

TEL AVIV, Israel, May 19, 2022 /PRNewswire/ -- Cloud data security company **Dig** emerged from stealth today, announcing $11M in seed funding for the first cloud Data Detection and Response (DDR) solution. The seed round was led by **Team8**, with cybersecurity firms **CrowdStrike**, through their Falcon Fund, and **CyberArk** joining as strategic investors alongside **Merlin Ventures**. Moving beyond posture solutions, Dig Security helps organizations discover, monitor, detect, protect and govern their cloud data in real time through a single unified policy engine.

Angel investors include Tom Killalea (Chairman of MongoDB), Jeff Fagnan (Carbon Black, Veracode), Nir Polak (Founder of Exabeam), Ori Fragman (CISO Europe of Ahold Delhaize) and Nitzan Shapira (Founder of Epsagon).\[1\]

Data is the ultimate target of most cyberattacks; it's the easiest way to profit from hacking. However, data in the cloud is fragmented across multiple clouds and services. A typical enterprise stores data on more than 20 types of service and thousands of instances. These organizations don't have visibility, context or control over their cloud data. Existing data security solutions weren't built to protect _cloud_ data and are often irrelevant.

"I've spoken to more than a hundred CISOs and hear the same complaints over and over", said Dan Benjamin, CEO and co-founder of Dig. "Companies don't know what data they hold in the cloud, where it is, or — most importantly — how to protect it. They have tools to protect endpoints, networks, APIs… but nothing to actively secure their data in public clouds".

Dig gives organizations complete control over their cloud data, providing **real-time Data Detection and Response (DDR)**. Using one of the industry's most comprehensive threat models for cloud data attacks, Dig detects, analyzes and responds instantly to threats to cloud data, triggering alerts on suspicious or anomalous activity, stopping attacks, exfiltrations and employee data misuse.

The solution discovers all data assets across public clouds and brings context to how they are used. It also tracks whether each data source supports compliance like SOC2 and HIPAA.

Dig was founded by Dan Benjamin, Ido Azran and Gad Akuka, three veteran entrepreneurs who've previously founded successful companies that were acquired by major firms. They also gained experience at tech giants including Google and Microsoft. Since it was founded, Dig has grown extremely quickly; the company already has a large data security research team and paying customers.

"It's rare to meet a founding team who have both an insider view of cloud security challenges from within Microsoft and Google's cloud organizations, alongside the experience of founding successfully acquired security companies," said Liran Grinberg, Co-Founder & Managing Partner at Team8. "Dig's active approach, bringing detection and response to data in the cloud, is precisely what the market needs. Data security in the cloud is high on the priority list of most CISOs today and we're proud to invest in the company we believe will lead this category."

"Organizations that lack visibility across their infrastructure have data protection challenges," said Michael Sentonas, Chief Technology Officer at CrowdStrike. "Through our Falcon Fund, we look forward to supporting Dig in their journey to provide data transparency, improving cloud data security and protection."

\[1\] Angel investors in their personal capacities. Affiliations included for identification purposes only.

Dig Exits Stealth With $11M for Cloud Data Detection and Response Solution

Mobile attacks have been going on for many years, but the threat is rapidly evolving as more sophisticated malware families with novel features enter the scene.

Mobile platforms are increasingly under threat as criminal and nation-state actors look for new ways to install malicious implants with advanced capabilities on iPhone and Android devices.

Although mobile attacks have been an ongoing problem for many years, the threat is rapidly evolving as more sophisticated malware families with novel features enter the scene.

Attackers are now actively deploying malware with full remote access capabilities, modular design, and, in some cases, worm-like characteristics that can pose significant threats to users and the companies they work for. Many of these malware families are continually improving through regular development updates, and cybercriminals are getting better at beating the review process of official app stores. Meanwhile, both the US and EU are considering new antitrust regulations that could make "sideloading" apps a consumer right.

It is important for businesses to recognize that mobile attacks are a key focus area for sophisticated threat actors. These attacks will continue to evolve as new tools and tactics emerge, posing unique challenges to traditional corporate security.

Here are six mobile malware tactics that companies need to prepare for:

**1\. On-Device Fraud  
**One of the most concerning new mobile malware advancements is the ability to carry out fraudulent actions directly from the victim’s device. Known as on-device fraud (ODF), this advanced capability has been detected in recent mobile banking Trojans, most notably Octo, TeaBot, Vultur, and Escobar. In Octo's case, the malware exploited Android's MediaProjection service (to enable screen sharing) and Accessibility Service (to perform actions on the device remotely). This hands-on remote access feature has also been enabled through an implementation of VNC Viewer, as in the case of Escobar and Vultur.

ODF marks a significant turning point for mobile attacks, which have largely focused on overlay-based credential theft and other types of data exfiltration. Although most ODF Trojans are primarily focused on financial theft, these modules could be adapted to target other types of accounts and communications tools used by businesses, such as Slack, Teams, and Google Docs.

**2\. Phone Call Redirection  
**Another troubling capability is the interception of legitimate phone calls, which recently emerged in the Fakecalls banking Trojan.

In this attack, the malware can break the connection of a user-initiated call without the caller's knowledge and redirect the call to another number under the attacker's control. Since the call screen continues to show the legitimate phone number, the victim has no way of knowing they have been diverted to a fake call service. The malware achieves this by securing call handling permission during the app installation.

**3\. Notification Direct Reply Abuse  
**In February, FluBot spyware (Version 5.4) introduced the novel capability of abusing Android’s Notification Direct Reply feature, which allows the malware to intercept and directly reply to push notifications in the applications it targets. This feature has since been discovered in other mobile malware, including Medusa and Sharkbot.

This unique capability allows the malware to sign fraudulent financial transactions, intercept two-factor authentication codes, and modify push notifications. However, this feature can also be used to spread the malware in a worm-like manner to the victim's contacts by sending automated malicious responses to social application notifications (such as WhatsApp and Facebook Messenger), a tactic known as "push message phishing."

**4\. Domain Generation Algorithm  
**The Sharkbot banking Trojan is also notable for another feature: domain generation algorithm (DGA), which it uses to avoid detection. As with other conventional malware with DGA, the mobile malware constantly creates new domain names and IP addresses for its command-and-control (C2) servers, which makes it difficult for security teams to detect and block the malware.

**5\. Bypassing App Store Detection  
**The app review process has always been a cat-and-mouse game with malware developers, but recent cybercriminal tactics are worth noting. The CryptoRom criminal campaign, for example, abused Apple’s TestFlight beta testing platform and Web Clips feature to deliver malware to iPhone users by bypassing the App Store altogether. Google Play's security process was bypassed by one criminal actor that paid developers to use its malicious SDK in their apps, which then stole personal data from users.

While droppers have become increasingly common for mobile malware distribution, researchers have recently noticed an uptick in activity in the underground market for these services, along with other distribution actors. .

**6\. More Refined Development Practices  
**While modular malware design isn't new, Android banking Trojans are now being developed with sophisticated update capabilities, such as the recently discovered Xenomorph malware. Xenomorph combines a modular design, accessibility engine, infrastructure and C2 protocol to allow for significant update capabilities that could enable it to become a far more advanced Trojan down the line, including the automatic transfer system (ATS) feature. Going forward, more mobile malware families will incorporate better update processes to enable enhanced features and entirely new functionality on compromised devices.

**Fight Back by Boosting Corporate Defenses  
**To fight back against these new mobile malware tactics, businesses need to make sure their cybersecurity programs include robust defenses. These include mobile device management solutions, multifactor authentication, and strong employee access controls. And, since mobile malware infections typically begin with social engineering, companies should provide security awareness training and consider technology that monitors communication channels for these attacks.

6 Scary Tactics Used in Mobile App Attacks

For the first time in a year, security incidents involving email compromises surpassed ransomware incidents, a new analysis shows.

Threat actors doubled down on their use of phishing emails as an initial attack vector during the first quarter of 2022 — and in many cases then used that access to drop ransomware or to extort  organizations in other ways. 

Researchers from Kroll recently analyzed data gathered from security incidents they responded to in the first three months of this year. The analysis showed a 54% increase in incidents of phishing for initial access compared with the same period last year.

For the first time since Microsoft disclosed the so-called ProxyLogon set of vulnerabilities in Exchange Server in the first quarter of 2021, incidents tied to email compromises surpassed those related to ransomware. Kroll described the sharp increase in phishing activity as likely the result of a surge in activity tied to Emotet and IceID malware — threat actors have been using both to drop other malware.

**Multiple Attack Vectors  
**Kroll's analysis shows that attackers leveraged the initial foothold gained via phishing in multiple ways, including to drop ransomware and malware, and to extort without any ransomware or encryption. 

In one incident that Kroll investigated during the first quarter, adversaries acquired an organization's global admin credentials after an IT employee at the company clicked on a phishing email they had sent. The adversaries used the credentials to take over multiple email accounts belonging to other members of the IT team as well as the C-suite, which in turn they used to download sensitive enterprise data. The attackers followed up with a demand seeking a ransom in exchange for the attack to stop.

In other instances, Kroll's researchers identified attackers breaking into a network by exploiting a vulnerability and then using that access to launch convincing-looking phishing campaigns. In one incident, the attackers exploited the ProxyShell vulnerability in Exchange Server to access the target network. Once inside, the attackers attempted to phish employees by attaching a malicious .zip file to a reply to a legacy internal email thread. The .zip file was disguised as an invoice, and appeared to be from a trusted internal source: Several users opened it and unknowingly downloaded IcedID on their systems. That organization was subsequently hit with the QuantumLocker ransomware two weeks later, Kroll said.

Phishing was not the only tactic that attackers used to try and gain initial access on a target system or network. In several incidents that Kroll investigated, threat actors exploited widely publicized vulnerabilities such as ProxyLogon and Log4Shell to gain a foothold from which to drop ransomware such as Conti, AvosLocker, and QuantumLocker on target networks. 

**Inadequate Defenses  
**Patrick Harr, CEO at SlashNext, a provider of anti-phishing services, says current organizations defenses are not fully designed to protect against attacks that appear to originate from inside the organization. "You can’t stop phishing that comes from legitimate services with employee awareness training," he says. "As phishing continues to grow as a vector for ransomware attacks, zero-hour, real-time threat prevention solutions are critical to prevent these threats." 

The broader adoption of work-from-home models over the past two years has also made it easier for attackers to target employees in phishing campaigns — and get away with it. "Remote work certainly created more opportunities for threat actors to execute \[business email compromise\] and other phishing attacks," says Hank Schless, senior manager of security solutions at Lookout. "Without being able to walk over to another person’s desk in the office, employees have a much harder time validating unknown texts or emails."

The increased reliance on smartphones and tablets for internal communications has created several issues, he adds. Spear-phishing attacks on mobile devices, for instance, are much harder to catch than on a desktop. Users also cannot preview link destinations or verify the sender's identity. So, a lot of the things that employees are trained to recognize as part of their phishing awareness training are hard or almost impossible to spot on a mobile device, Schless says.

**Temporary Ransomware Drop-off  
**Kroll's analysis showed that ransomware attacks — as a proportion of all attacks — dropped 20% between the fourth quarter of 2021 and the first quarter of 2022 and 30% between the third quarter of 2021 and the first quarter of 2022. At least some of the drop-off in attacks appears to have resulted from law enforcement's disruption of malicious activity by groups such as REvil, Kroll said. Another factor that likely contributed to the slowdown in ransomware attacks was the voluntary exit from the scene made by groups such as BlackMatter, Kroll added.

However, early data from the second quarter of 2022 suggests that ransomware actors are regrouping and preparing to resume their usual level of activity soon, according to Kroll.

An earlier report from Digital Shadows noted a similar drop-off in ransomware incidents in the first quarter of 2022 but pointed to emerging trends in the space that could have implications for enterprise organizations. One example is the growing trend by ransomware groups to align themselves for or against Russia in that country's war against Ukraine.

Like Kroll, researchers from Digital Shadows also observed incidents involving extortion, where no ransomware was deployed. One example cited by both companies was the attacks by a group identified as Lapsus$ (aka DEV-0537) that targeted several technology and security firms in the first quarter of 2022. In some of the incidents, the attackers defaced the websites of target organizations and claimed they had suffered a ransomware attack. In other instance, the group used stolen credentials to exfiltrate data and then threatened victims that it would release the data publicly unless paid a ransom.

Phishing Attacks for Initial Access Surged 54% in Q1

System of Trust includes data-driven metrics for evaluating the integrity of software, services, and suppliers.

Supply chain security has been all the buzz in the wake of high-profile attacks like SolarWinds and Log4j, but to date there is no single, agreed-on way to define or measure it. To that end, MITRE has built a prototype framework for information and communications technology (ICT) that defines and quantifies risks and security concerns over supply chain - including software.

MITRE's so-called System of Trust (SoT) prototype framework is, in essence, a standard methodology for evaluating suppliers, supplies, and service providers. It can be used not just by cybersecurity teams but across an organization for assessing a supplier or product. 

"An accountant, a lawyer, \[or\] an operations manager could understand this structure at the top level," says Robert Martin, senior software and supply chain assurance principal engineer at MITRE Labs. "The System of Trust is about organizing and amalgamating existing capabilities that just don't get connected right now" to ensure full vetting of software as well as service provider offerings, for example.

The SoT will make its official public debut next month at the RSA Conference (RSAC) in San Francisco, where Martin will present the framework as a first step in gathering security community support and insight for the project. So far, he says, the initial feedback has been "very positive."

MITRE is best known in the cybersecurity sector for heading up the Common Vulnerabilities and Exposures (CVE) system that identifies known software vulnerabilities and, most recently, for the ATT&CK framework that maps the common steps threat groups use to infiltrate networks and breach systems.

Martin says he'll demonstrate the SoT framework and provide more details on the project during his RSAC presentation. The framework currently includes 12 top-level risk areas - everything from financial stability to cybersecurity practices - that organizations should evaluate during their acquisition process. More than 400 specific questions cover issues in detail, such as whether the supplier is properly and thoroughly tracking the software components and their integrity and security.

Each risk is scored using data measurements that are applied to a scoring algorithm. The resulting data scores identify the strengths and weaknesses of a supplier, for example, against the specific risk categories. An enterprise could then more quantitatively analyze a software supplier's "trustworthiness."

**SBOM Symmetry  
**Martin says that with software supply chain security, the SoT also goes hand in hand with software bill of materials (SBOM) programs. "SBOMs can give you deeper reason into understanding why you should trust," for example, a software component. Among several risk factors in the SoT, SBOMs can actually mitigate those risks or, at the least, provide better insight into the software and any risks. 

"If the SBOM has pedigree information, that information would allow for assessment of the tools and techniques used to build the software - whether reproducible builds were used to build the software, memory protection methods \[were\] invoked during the build" and other details, he notes.

So how does the SoT framework differ from risk management models? Traditional risk management employs probabilities, Martin says. With SoT, there's a list of risks that can be evaluated and scored to determine whether there is risk in specific areas and, if so, just how bad it really is.

"We want to help provide a consistent way of doing assessments ... and we would like to encourage data-driven decisions wherever we can" in supply chain evaluations, he says.

The next steps: introducing the concept of the SoT and offering the live taxonomy for public comment and scrutiny. "Then we can see what parts can be automated and where," and ensure that it can be integrated into the acquisition process. Vendors, too, could use SoT terminology in their product materials.

"'Supply chain' has a lot of different meanings," Martin explains. "We're not talking microelectronics in the US versus overseas. We're not trying to solve port issues. We're trying to get a culture of organizational risk management that includes supply chain concerns as a normal part of that. We want to bring some consistencies, automation, and data-driven evidence so there's more understanding of supply chain risks."

MITRE Creates Framework for Supply Chain Security

Last month attackers quickly reverse-engineered VMware patches to launch RCE attacks. CISA warns it's going to happen again.

The Cybersecurity and Infrastructure Agency (CISA) has issued an emergency directive requiring federal civilian executive branch agencies to update their VMware products impacted by a pair of new vulnerabilities or remove them from their networks.

The VMware bugs – CVE-2022-22972 and CVE-2022-22973 – expose several VMware products to remote code-execution (RCE) attacks. 

CISA said that last month, within just 48 hours of VMware patching its VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager, advanced persistent threat (APT) actors were able to reverse-engineer the updates to launch attacks. 

"These vulnerabilities pose an unacceptable risk to federal network security," CISA director said Jen Easterly in a statement. "CISA has issued this emergency directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the federal government's lead and take similar steps to safeguard their networks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA to Federal Agencies: Patch VMware Products Now or Take Them Offline

From a scrappy contest where hackers tried to win laptops, Pwn2Own has grown into a premier event that has helped normalize bug hunting.

In April 2007, when Apple's “I'm a Mac” ads were telling people that Macs can't get hacked, security researcher Dragos Ruiu decided to put the idea to the test – in front of a room full of security researchers, no less. He bought two MacBook Pros and put them on the floor of the CanSecWest conference in Vancouver, which he organized. The challenge had a catchy name, Pwn2Own: If you pwn a computer, you own it.

To Ruiu, it was more than a game. He wanted to make a “political point” that the commercials were misleading and Apple should take security seriously.

“Apple has had an on-again, off-again relationship with researchers. Sometimes they love hackers, sometimes they want to pretend hackers don't exist,” Ruiu tells Dark Reading. “This is one of those times when their marketing department used to run their security team.”

Back then, most companies also treated security researchers poorly. If someone found a flaw and reported it, they would often be threatened with lawyers. Part of Pwn2Own's merit is that it helped change that, “normalizing the concept of reporting bugs,” says Dustin Childs, communications manager for Trend Micro's Zero Day Initiative program, who now runs the event.

Throughout the years, the Pwn2Own competition has attracted high-profile researchers, including Dino Dai Zovi, Charlie Miller, George Hotz, Vincenzo Iozzo, Dion Blazakis, Ralf-Philipp Weinmann, and Jung Hoon Lee (aka Lokihardt). They’ve poked at everything, from Macs to phones, to IoT devices, industrial control systems, and even cars.

“It's a demonstration of some of the most advanced exploitation techniques that exist in the industry, at any given point in time,” says Brian Gorenc, senior director of vulnerability research at Trend Micro Gorenc. Demonstrations like these actually change how the industry looks at security.

Researchers’ efforts are well rewarded, too. Last year alone, cash prizes at Pwn2Own –

one of the highest-paying hacking competitions in the world – exceeded $2.5 million in total during multiple events.

This year’s contest, which starts today, marks its 15th anniversary and includes six categories: virtualization, Web browser, enterprise applications, server, local escalation of privilege, enterprise communications, and automotive. Whoever earns the most points will be crowned Master of Pwn, which will guarantee them “a killer trophy and a pretty snazzy jacket to boot.”

**Early Pwn2Own Wins  
**But let’s start with a recap of the first day of the 2007 CanSecWest conference, when two MacBook Pros with the latest security updates were in the spotlight, waiting to be hacked. A few researchers tried their luck, but the computers survived.

Then, security expert Shane Macaulay, who was in attendance, called former co-worker Dino Dai Zovi, based in New York, and asked him if he wanted to participate.

“I said, OK, cool, let me sit down and take a look and see what I can find,” Dai Zovi said in an interview a week after the conference. It took him five hours to detect a bug and another four to write the exploit. At 3 a.m., he called Macaulay, telling him they might actually win.

Dai Zovi found a bug in a QuickTime library loadable through a Java applet. An attacker could exploit it through any browser on Mac OS X that supports Java applets, such as Safari and Firefox. He sent his exploit to Macaulay, who put it on a website and emailed its URL to the organizers of the challenge. Once they loaded the malicious Web page, Macauley obtained a remote shell that granted him control of the laptop. The duo pwned the machine, earning them a 15-inch MacBook (which Macaulay kept since Dai Zovi had recently bought himself a laptop) and a $10,000 cash prize, courtesy of the Zero Day Initiative.

Dai Zovi says winning the first Pwn2Own event changed his life. “It was a massive benefit to my career and really put it on a different and better trajectory,” he says. “At the time, I had been writing exploits quietly as a personal hobby for almost a decade but was not at all known for it.”

The reputation he gained led him to consulting projects on iOS security and writing a book with another Pwn2Own rockstar, Charlie Miller, “The Mac Hacker's Handbook,” followed by “iOS Hacker's Handbook.”

Miller found himself in the spotlight the following year when he wrote an exploit for Safari with colleagues Jake Honoroff and Mark Daniel. “It might be because I'm biased about the things I'm good at, but \[Safari is\] the easiest browser \[to hack\],” Miller said in an interview after the competition.

**Beyond Apple  
**But Pwn2Own wasn’t only about Apple products. During the 2008 event, a Fujitsu U810 laptop running Vista was also attacked with an exploit for Adobe Flash written by Shane Macaulay, Alexander Sotirov, and Derek Callaway.

“In the very beginning, Pwn2Own was very much a browser-focused contest, and over the years, we've expanded the attack surfaces,” Gorenc says. “We've raised the prizes to make it more attractive for people to come in.”

Indeed, by 2015 the total cash prices exceeded $500,000. This month’s event, held in a hybrid format, has up to $600,000 waiting for the hacking of the Tesla Model 3, the largest target in Pwn2Own history.

But it is not only about money. “Pwn2Own was the first competition that focused on demonstrating real, working zero-day exploits against real-world software, whereas before most security competitions were capture-the-flag competitions that focused on “mock” targets and vulnerabilities,” Dai Zovi says. “It really put the focus on what was possible against the software that millions, if not billions, of people use to put a spotlight on how much we needed to improve security.”

**When ‘Wow’ Is an Understatement  
**The Pwn2Own competition has expanded to include software like MS Office, Adobe Reader, and Zoom. It has also tested the security of iPhones and BlackBerrys, and featured attacks targeting SCADA systems and IoT devices.

Some of the hacks were just mind-blowing and “times when 'wow' just isn't enough,” according to an HP Security Research blog post published during the 2015 event. That was when Jung Hoon Lee from South Korea hacked three browsers: Internet Explorer 11 (he found a time-of-check to time-of-use vulnerability), both the stable and beta version of Chrome (he exploited a buffer overflow race condition in the browser), and Safari (he exploited an uninitialized stack pointer in the browser).

  
Another exciting hack happened in 2017, when a team of researchers from Chinese Internet security company Qihoo 360 broke into VMWare's virtual machine sandbox.

“They fired up a virtual client, a fully patched Windows box. They pulled a fully patched browser and browsed to a Web page. They took their hands off the keyboard and let everything run,” Trend Micro's Childs says. “They combined enough bugs to break out of that \[sandbox\] and execute code on the underlying hypervisor on VMware Server underneath. And it was astonishing.”

  
Hacks like these made vendors feel edgy before the competition, and sometimes they would even push updates before an event.

“One year we got to Vancouver only to find out that the version of the BlackBerry deployed in Canada actually patched our bug, so we had to not sleep for two nights straight to fix the exploit,” says security expert Iozzo.

But, he adds, things like that were part of Pwn2Own's cachet. Many hackers who attended these events say they were both intense and fun. In March 2019, team Fluoroacetate, which took its name from a highly toxic substance that can kill bugs, found a severe memory randomization bug in Tesla's Model 3's infotainment system. Team members Richard Zhu and Amat Cama were crowned Masters of Pwn, earning $375,000 and the car.

  
Humor and jokes complement the stress associated with hacking.

“Last year also, we had someone hack a printer and play AC/DC through the speaker, which was pretty inventive,” Childs says. “We're dealing with a serious subject matter; the impact of these bugs can be tremendous. But at the same time, we try to keep the attitude light for the competitors so that we don't take ourselves too seriously.”

**Pwn2Own's Contributions to Bug Hunting  
**When the first edition of the Pwn2Own competition took place, the concept of hunting bugs was pretty exotic. Most companies were reluctant to talk to security researchers who reported issues, and even vendors who attended Pwn2Own events had mixed feelings about it.

But as the competition gained attention and brought everyone good publicity, companies started to open up. Looking back, security researcher Ruiu says that Pwn2Own partially assumed the role of negotiator, helping hackers get decent pay for their work.

“The manufacturers would love to just say: Have a T-shirt here,” Ruiu says. “But we became advocates for the security developers.”

As security experts and vendors met in the disclosure room to talk about hacks, the mood became less adversarial and more cooperative. The result: Bugs were fixed promptly before being exploited by a malicious entity.

Pwn2Own showed “it was OK for responsible organizations to compensate individual researchers for the hours of work put into their findings,” and led many large software companies to support bug-bounty programs, says Terri Forslof, a threat analyst at Microsoft.

Ruiu agrees, saying that Pwn2Own has helped pave the way for bug-bounty platforms like HackerOne and Bugcrowd, which work as intermediaries between researchers and tech companies. In 2021, HackerOne paid nearly $37 million for more than 66,500 valid bugs; the median earning for a critical bug was about $3,000. Also last year, Google offered bug hunters $8.7 million, while Zoom paid out $1.8 million.

Ruiu's initial goal of getting Apple to take security seriously has also been achieved, at least in part. The Cupertino, Calif., giant is currently offering up to $1 million to security experts for an exploit that results in a zero-click kernel code execution with persistence and kernel PAC bypass.

But although the role bug bounties play is undeniable, related issues remain. They still need to be formalized, says Childs, adding that such projects are not for everyone. “They're not a one-size-fits-all thing,” he says.

Many companies start bug-bounty programs without having a mature response process in place to be able to handle the reports they receive. As Childs puts it, “They get all these bugs, and they don't know what to do with them.” Organizations should have an efficient triage and specific procedures process in place to roll updates to customers, he points out.

“Until you have that basic, fundamental process available, offering a bug-bounty program is actually going to be more harmful than good because you're going to be getting bugs, and you're going to be overwhelmed by that,” Childs says. “And then you begin to have an adversarial relationship with the people who are reporting, even though you ask them to report.”

Hackers also complain. Some say they are underpaid for the bugs they discover, while others argue that their efforts are not always acknowledged in full.

During this week’s Pwn2Own, both Ruiu and ZDI hope to make one more small step in the right direction. “It still continues to change; it evolves continuously,” Ruiu says. “One of our goals is to improve the relationship between vendors and independent researchers.”

How Pwn2Own Made Bug Hunting a Real Sport

Polygraph Data Platform adds Kubernetes audit log monitoring, integration with Kubernetes admission controller, and Infrastructure as Code (IaC) security to help seamlessly integrate security into developer workflows.

SAN JOSE, Calif., May 18, 2022 /PRNewswire/ -- Lacework, the data-driven cloud security company, today announced new features added to the Polygraph® Data Platform which provide enhanced visibility and protection in Kubernetes environments. Through Kubernetes audit log monitoring, integration with the Kubernetes admission controller, and Infrastructure as Code (IaC) security, Lacework customers can now further minimize risks in build time and automate discovery of unusual behavior that could signify cloud account or container compromise. With these new features, Lacework is the only company which can offer automated anomaly detection that provides consistent visibility, context, and security across the entirety of a customer's multi-cloud environment from a single security platform.

According to Gartner® (1), "by 2026, more than 90% of global organizations will be running containerized applications in production, which is a significant increase from less than 40% today."

As more organizations leverage container-based application deployment to scale their businesses, they are rapidly adopting Kubernetes to manage containerized workloads. While easier to manage overall, the complexity and sheer size of Kubernetes environments makes it difficult for companies to detect threats, ensure compliance, and efficiently capture relevant security events. Existing security tools and manual procedures aren't built to secure the Kubernetes attack surface, which slows down agile development and defeats the purpose of using containers. This forces customers to employ additional Kubernetes-specific tools, further slowing down understaffed security teams with additional tool sprawl and alert fatigue. In fact, Red Hat found in its 2021 State of Kubernetes Security Report that more than half of respondents delayed deploying Kubernetes applications into production due to security concerns. Developers need more automated practices to quickly resolve issues and focus on delivering revenue-driving initiatives.

Lacework eliminates this challenge by integrating container security into the Polygraph Data Platform, providing end-to-end, integrated monitoring that enables customers to secure their cloud and Kubernetes environments from build to runtime. By consolidating disparate tools into a single platform, Lacework provides a highly automated solution that empowers organizations to seamlessly integrate security into developer workflows. The new features announced today provide comprehensive visibility, threat detection and alerts, configuration and compliance checks, and vulnerability scans:

Kubernetes Audit Logs Monitoring: A typical Kubernetes environment could include thousands of pods and containers with components constantly being created, shut down, or moved, and generating millions of events daily. This feature enables customers to monitor Kubernetes audit logs and all user and system actions to detect unknown and known threats.

Kubernetes Admission Controller: Through this integration, the Polygraph Data Platform can scan containers for misconfigurations or vulnerabilities prior to deployment on Kubernetes. Customers can use pre-built or customer policies to define the criteria, threshold, and response for a violation.

IaC Security: Using capabilities available following the acquisition of Soluble, Lacework customers can now review Infrastructure as Code prior to deployment to identify and optionally block insecure Kubernetes-related configurations.

"Containerized workloads are already difficult for many security solutions to keep up with because of their ephemeral and constantly changing nature. At scale, it's impossible for often understaffed security teams to effectively secure these environments," said Frank Dickson, Group Vice President, Security & Trust research practice, IDC. "Any benefit organizations get from deploying Kubernetes environments is negated by security approaches which don't provide security teams with the same automation Kubernetes provides to developers."

"We chose Lacework because it provides a fully integrated platform for cloud security. Before Lacework, we lacked the granularity and depth we needed to assess vulnerabilities due to numerous disparate tools," said Michael Lyborg, Senior Vice President, Global Information Security & Enterprise IT at Swimlane. "By integrating Lacework and the Swimlane low-code automation platform we automated our container image scans. This has resulted in time savings, better prioritization of work, faster iteration and validation of builds. The integration gave us the ability to retroactively and continuously scan published images so we have a continuous real-time view of risk across our dynamic cloud environment."

"While so much innovation has focused on helping developers work more efficiently to create revenue-driving initiatives, very little has been applied to the security tools that keep businesses safe, reducing the gains of development teams and ultimately putting organizations at risk," said Adam Leftik, VP of Product, Lacework. "Security teams are as important as developers in driving revenue for businesses, and these Kubernetes features for the Polygraph Data Platform ensure they can help teams across the business innovate securely and with confidence."

The Lacework Polygraph Data Platform is the only solution that extends automated anomaly detection across AWS, Google Cloud and now Microsoft Azure and Kubernetes EKS environments. Using accurate, machine learning-based threat detection at scale, the Polygraph Data Platform empowers customers to innovate with confidence.

Kubernetes audit logs monitoring is now available to Lacework customers on AWS EKS in limited availability. The Kubernetes admission controller integration is generally available. Integration with IaC security is available to all Lacework customers.

**Additional Resources:**

Visit our team at KubeCon EMEA at booth S47 on the show floor.

Check out the Lacework blog to learn more about Kubernetes audit log monitoring, our integration with the Kubernetes admission controller, and IaC security.

Become an expert on security fundamentals and learn more from your security and developer peers through Lacework Academy and the Lacework Community.

Read what Lacework customers have to say about the Lacework Polygraph Data Platform.

For more information about how to join the Lacework team, visit our careers page.

(1) Gartner, "Compute Evolution: VMs, Containers, Serverless — Which to Use When?",  
Refreshed 22 March 2022, Arun Chandrasekaran, Published 1 June 2021,  
https://www.gartner.com/document/4002112?ref=TypeAheadSearch

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

**About Lacework**

Lacework is the data-driven security company for the cloud. The Lacework Polygraph® Data Platform automates cloud security at scale so our customers can innovate with speed and safety. Only Lacework can collect, analyze, and accurately correlate data across an organization's AWS, Microsoft Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Customers all over the globe depend on Lacework to drive revenue, bring products to market faster and safer, and consolidate point security solutions into a single platform. Founded in 2015 and headquartered in San Jose, Calif., Lacework is backed by leading investors like Sutter Hill Ventures, Altimeter Capital, D1 Capital Partners, Tiger Global Management, Counterpoint Global (Morgan Stanley), Franklin Templeton, Durable Capital, GV, General Catalyst, XN, Coatue, Dragoneer, Liberty Global Ventures, and Snowflake Ventures, among others. Get started at www.lacework.com.

SOURCE Lacework

Lacework Integrates Kubernetes Features to Enhance Security Across Multi-Cloud Environments

Publicly released proof-of-concept exploits are supercharging attacks against unpatched systems, CISA warns.

The Cybersecurity Infrastructure and Security Agency (CISA) has issued a warning about active exploits against unpatched F5 Network's BIG-IP systems. 

A patch for the vulnerability (CVE-2022-1388) was issued on May 4; since then, working proof-of-concept exploits have circulated among cybercriminals, making it easier for even less-skilled attackers to take advantage, CISA explains. 

Along with CISA, the F5 BIG-IP vulnerability alert was issued by the Multi-State Information and Analysis Center (MS-ISAC). Both organizations "strongly urge" administrators to upgrade F5's BIG-IP systems to a patched version. 

"According to public reporting, there is active exploitation of this vulnerability, and CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks," the alert states. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading