How a pentester’s attempt to be ‘as realistic as possible’ alarmed cybersecurity firms

Over the past few weeks, researchers at several security companies have been scratching their heads trying to figure out who was targeting German companies with what appeared to be a supply chain attack.

On Wednesday, they got their answer: an intern at a threat intelligence company simulating “realistic threat actors” for its customers.

Security research teams at JFrog, ReversingLabs and Snyk released reports in recent weeks after detecting several malicious JavaScript packages in the widely used npm registry. The code targeted a German media conglomerate and other German companies.

But on Wednesday, employees of Germany-based Code White GmbH came forward to admit that the malicious packages were part of a test they were running.

In several Twitter replies to the companies and in messages to The Record, the company said the purpose of the test was to resemble the kind of real-world hacking attempts that security teams have to fight.

Code White said the malicious actor identified by the companies was actually an intern “in charge of investigating dependency confusion as part of our ongoing customer attack simulations.”

“We are trying to mimic realistic threat actors for dedicated customers as part of our security intelligence service and brought our ‘own’ package manager that supports yarn and npm,” Code White said.

In a message to JFrog, the company said the “attack” was a “simulated but realistic one on our part for some of our clients hired with their consent.”

David Elze, CEO of Code White, confirmed that it was part of a set of attack simulations for customers.

“We are doing this to really improve our customers’ level of security resistance using the latest and most likely attack techniques, such as dependency confusion in this case, so that some of them show impact, raise awareness and prepare organizations even more for the real threat actors,” Elze said.

But some researchers did not take the revelation kindly. Shachar Menashe, senior director of security research at JFrog, said the payload used in this penetration test “is quite irresponsible.”

Menashe said that throughout his long career he had never seen a situation like this, “both in terms of the sophistication of an npm/PyPI payload and in terms of the aggressiveness of a pentesting payload.”

“Because the code had absolutely no indication, either in the source code or in its metadata (for example, the npm package description), this could have put the company’s threat response team on high alert, wasting customer resources on nothing,” Menashe said.

“Adding a simple string ‘for security testing purposes’ to the npm package description or even the source code could have avoided this while still proving the point, as presented in previous attacks with great success.”

Menashe explained that in such dependency confusion attacks, package metadata is not manually inspected before the attack takes effect, so a marker of this kind would not have impaired the viability of the attack.
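The two points above, that a test marker in the package description would not weaken the attack and that a responder could nonetheless find it afterwards, can be shown with a small resolver simulation. The following is an added example written for this page; it is not code from Code White, JFrog or any of the researchers quoted. It models a client whose package manager consults both a private registry and the public one and keeps the highest version that satisfies the range, which is the behaviour dependency confusion abuses. The package names, registry URLs, versions and descriptions are all constructed, and the semver handling is deliberately minimal (`*`, caret ranges and exact pins only).

```python
"""Added illustration of why a 'security testing' marker in npm metadata neither
helps nor hinders a dependency-confusion attack, and how a responder can still
find it after the fact. All registries, packages and descriptions are constructed."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PackageVersion:
    name: str
    version: str
    registry: str          # where this version was published
    description: str = ""  # npm 'description' field; resolution never looks at it


def parse_version(version: str) -> tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2). Pre-release tags are out of scope for this example."""
    return tuple(int(part) for part in version.split("."))


def satisfies(version: str, spec: str) -> bool:
    """Minimal range check: '*' matches anything, '^X.Y.Z' matches the same major
    at or above X.Y.Z, anything else is treated as an exact pin."""
    if spec == "*":
        return True
    if spec.startswith("^"):
        base = parse_version(spec[1:])
        actual = parse_version(version)
        return actual[0] == base[0] and actual >= base
    return parse_version(version) == parse_version(spec)


def resolve(name: str, spec: str,
            registries: dict[str, list[PackageVersion]]) -> PackageVersion | None:
    """Pick the highest version of `name` satisfying `spec` across every registry the
    client consults. Origin and description play no part in the choice, which is
    exactly why a higher-versioned public package beats the genuine internal one."""
    candidates = [
        pkg
        for versions in registries.values()
        for pkg in versions
        if pkg.name == name and satisfies(pkg.version, spec)
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda pkg: parse_version(pkg.version))


def resolve_all(dependencies: dict[str, str],
                registries: dict[str, list[PackageVersion]]) -> dict[str, PackageVersion]:
    """Resolve a package.json-style dependency map; unresolvable names are skipped."""
    return {name: pkg for name, spec in dependencies.items()
            if (pkg := resolve(name, spec, registries)) is not None}


def find_test_markers(resolved: dict[str, PackageVersion],
                      markers: tuple[str, ...] = ("security testing",)) -> list[str]:
    """Responder-side check run after an install: which resolved packages carry a
    test marker in their metadata? Case-insensitive substring match on description."""
    hits = []
    for name, pkg in resolved.items():
        text = pkg.description.lower()
        if any(marker.lower() in text for marker in markers):
            hits.append(name)
    return hits


# Constructed registries. The private registry hosts the genuine internal package; the
# public one holds a higher-versioned package of the same name that openly says it is
# a test. The hypothetical package names and URLs are for this example only.
PRIVATE = "https://npm.internal.example/"
PUBLIC = "https://registry.npmjs.org/"
REGISTRIES = {
    PRIVATE: [PackageVersion("acme-internal-utils", "1.2.0", PRIVATE, "ACME shared helpers")],
    PUBLIC: [
        PackageVersion("acme-internal-utils", "1.99.0", PUBLIC, "for security testing purposes"),
        PackageVersion("lodash", "4.17.21", PUBLIC, "Lodash modular utilities."),
    ],
}

# Constructed package.json dependency section.
DEPENDENCIES = {"acme-internal-utils": "^1.2.0", "lodash": "^4.17.0"}


def demo() -> dict[str, PackageVersion]:
    resolved = resolve_all(DEPENDENCIES, REGISTRIES)
    for name, pkg in resolved.items():
        print(f"{name}@{pkg.version} from {pkg.registry}")
    print("flagged by metadata scan:", find_test_markers(resolved))
    return resolved


if __name__ == "__main__":
    demo()
```

Running it shows `acme-internal-utils@1.99.0` pulled from the public registry despite the description, and the same description then lets `find_test_markers` flag it. The mitigation side is outside this example: pinning the internal name to the private registry (an `.npmrc` scope or a registry that does not fall through to upstream) removes the public candidate from `resolve` entirely.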

Menashe also criticized the idea of Code White using a full backdoor as a payload, calling it “unwarranted.”

“If the backdoor contained any bugs, or if a malicious actor could take control of the C2 server, the client’s infected machines would be at the mercy of a real threat actor and not the pentesting company,” Menashe told The Record.

“These are scenarios that have happened many times before (for example, a hacker taking control of another hacker’s botnet). The payload could have been a simple ‘information leak’ payload without backdoor capability, and the pentesting company would still have shown that the customer is vulnerable.”

In response to Menashe’s comments, a Code White representative said that the key difference between a typical penetration test and a realistic red team scenario is that the threat response team wants to deal with convincing threats for training and preparation.

“Naturally we are in direct communication and close collaboration with our clients’ defense teams. So being as realistic as possible but without inflicting any real harm is our focus in supporting our clients and helping them prepare their defenses,” the spokesperson said.

“The tool, C2, payload, communication channel … everything was developed explicitly for this specific scenario and was not compromised in any way (we were recording and monitoring each request and session).”

The representative reiterated that the company is not only doing compliance-based pentesting “to prove a point”, but is also trying to simulate real threat actors to prepare its customers.

“That means they are really invested in real cybersecurity, which is a big advantage we believe,” the representative said.

Jonathan has worked worldwide as a journalist since 2014. Before returning to New York City, he worked for the media in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.