In this Threatpost podcast, sponsored by Egress, we sit down with Jack Chapman to discuss the steps and tactics that companies can take to stay one step ahead of their adversaries.

During our conversation, we discuss:

• Weaknesses that attackers look to exploit
• Evolution of toolkits
• Securing MFA and more

For this episode of the Threatpost podcast, I am joined by Derek Manky, , Chief Security Strategist & VP Global Threat Intelligence, Fortinet's FortiGuard Labs to discuss the threats facing CISOs along with more.

During the course of our discussion, we dive into:

• What an attack on all fronts looks like
• The current state of the threat landscape
• New techniques being leveraged be adversaries
• The automation of threats

We also lay out what CISOs need to consider when laying out and producing their threat action plan.

You've probably said this or heard this when it comes to friends and family. However, do you also know that secret keeping, or lack thereof is one of the biggest issues that businesses face?

According to the recent The State of the Secret Sprawl from GitGuardian further defines the breadth of business secrets.

"A secret can be any sensitive data that we want to keep private. When discussing secrets in the context of software development, secrets generally refer to digital authentication credentials that grant access to services, systems and data. These are most commonly API keys, usernames and passwords, or security certificates. Secrets are what tie together different building blocks of a single application by creating a secure connection between each component. Secrets grant access to the most sensitive systems."

In this podcast with Mackenzie Jackson, developer advocate at GitGuardian, we dive into the report and also the issues that corporations face with public leaks from groups like Lapsus and more, along with as ways that developers can keep their code safe.

For the full report, click here.

Alex Rice, CTO at HackerOne and Johnathan Hunt, VP of Security at GitLab, help development teams evolve their processes to build security directly into their workflows for smooth and safe cloud app rollouts. 

They dropped by the Threatpost podcast recently to share tips on DevSecOps, including:

• How to build a continual testing, monitoring, and feedback processes to drive down application risk.
• Developing a continuous approach to application security and DevOps security tools.
• Why collaboration and continual feedback is essential across development, cloud and security teams.

…as well as how to deal with the boatload of animosity between development and security teams. One tip: Assume positive intent!

n the company's annual Human Factor 2021 report assessing how the threat landscape morphed over the past year, Proofpoint researchers scratched their heads over the reasons for so many users succumbing to malicious email attachments.

Could be that threat actors jumped on our Pavlovian work-from-home security conditioning, as suggested by Proofpoint vice president and general manager of email fraud defense Rob Holmes. Check out the Threatpost podcast for his take on how the pandemic influenced the threat landscape.

Forcepoint's Nico Fischbach, global CTO and VPE of SASE, and Chase Cunningham, chief strategy officer at Ericom Software, on using SASE to make Zero Trust a reality.

Derek Manky, Chief of Security Insights & Global Threat Alliances at Fortinet's FortiGuard Labs, said that last week researchers with FortiGuard Labs saw activity double over two days for cybercriminals targeting the vulnerabilities. The attackers are using the flaws to deploy cryptominers, ransomware (such as the recently discovered DearCry ransomware) and other malicious campaigns, he said.

• A wave of ransomware attacks targeting a number of hospitals, sparking worries about healthcare security and the impact on patents during COVID-19
• "Zombie" vulnerabilities - including Zerologon and SMBGhost - that continued to haunt system admins this week
• Election security scares, from disinformation campaigns to cyberattacks hitting election infrastructure.

• Patch Tuesday insanity, with Microsoft and Adobe releasing fixes for severe vulnerabilities - including a critical, potentially wormable remote code execution Microsoft vulnerability
• Barnes and Noble being hacked - and why some readers are unhappy with how the book purveyor announced the cyberattack
• DDoS extortion email threats hitting various companies across the globe - including Travelex
• Zoom finally rolling out end-to-end encryption on the video conferencing platform - and why this is different than the video conferencing application's earlier "full encryption" claims

• IBM, the owner of the Weather Channel mobile app, has reached a settlement with the Los Angeles city attorney's office after a 2019 lawsuit alleged that the app was deceiving its users in how it was using their geolocation data.
• A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services (AWS) cloud and collecting credentials.
• Researchers are urging connected-device manufacturers to ensure they have applied patches addressing a flaw in a module used by millions of Internet-of-Things (IoT) devices.

Because HTML smuggling is not necessarily a novel technique - it's been used by attackers for awhile - this campaign shows that bad actors continue to rely on older attack methods that are working. Learn more about this latest attack and how attackers are raising the bar during this week's Threatpost podcast.

Threatpost editors Tom Spring, Tara Seals and Lindsey O'Donnell-Welch break down the top sessions, keynotes, speakers and themes to look out for in this week's podcast.

Manky talks about the biggest lessons learned so far from 2020, including the most dire threats to date - from sophisticated social engineering lures, to Internet of Things (IoT) vulnerabilities to targeted ransomware attacks.

• Hackers accessed direct messages (DMs) for 36 of the 130 high-profile users whose accounts were hacked in an unprecedented account breach last week, Twitter confirmed Wednesday.
• Privacy commissioners worldwide urged video conferencing systems like Microsoft, Cisco and Zoom to adopt end-to-end encryption, two-factor authentication and other security measures.
• Apple's Security Research Device program is now open to select researchers – but some are irked by the program's vulnerability disclosure restrictions.

The group, called Cosmic Lynx, is the first reported Russian BEC cybercriminal ring, and it's bringing the once run-of-the-mill email scam attack vector to the next level. The group has been associated with more than 200 BEC campaigns targeting senior-level executives in 46 countries since last July. It uses clear, articulate emails -- with vocabulary like "accretive" and "synergistic" -- that purport to be related to an a "merger and acquisition," keeping with a sensitive theme that targeted employees likely won't discuss.

Mac expert Thomas Reed talks about how the newly discovered EvilQuest ransomware is ushering in a new class of Mac malware.

Threatpost talks to Paul Bischoff, consumer privacy expert with Comparitech, about recent research showcasing flaws in the accuracy of Amazon's facial recognition platform - and why concerns around racial bias and data privacy aren't going away anytime soon.

• Google removing 106 Chrome browser extensions from its Chrome Web Store in response to a report that they were being used to siphon sensitive user data.
• An internal investigation into the 2016 CIA breach condemning the agency's security measures, saying it "focused more on building up cyber tools than keeping them secure."
• How the insider threat landscape is changing due to work from home - a topic that Threatpost will continue to discuss in its webinar coming up next week (register here).

But behind the public health benefits of contact tracing are privacy worries, technology issues like interoperability, and other challenges.  Threatpost discusses the benefits - and the challenges - of contact tracing apps with Steve Moore, chief security strategist at Exabeam.

• Reports emerged earlier this week that the Minneapolis police department had been breached by hacktivist group Anonymous. Security expert Troy Hunt debunked the reports, however.
• Zoom sparked debate after announcing that it would offer end-to-end encryption to paying users only - explaining that it couldn't offer it to everyone as it needs to work with law enforcement to crack down on platform abuse.

• Recent ransomware attacks, including ones targeting healthcare giant Magellan, the IT office that supports Texas appellate courts and judicial agencies, and a popular law firm that works with several A-list celebrities, including Lady Gaga, Drake and Madonna.
• "Double extortion" methods being increasingly used by ransomware actors - and new research that found paying a ransom to unlock systems can actually cost companies more financially than recovering data themselves in the long run.
• The state of Utah announcing it has settled on a contact-tracing mobile app that collects detailed user location information to track the spread of COVID-19 among citizens – eschewing the API model proposed by Apple and Google in April.
• The roadmap for a COVID-19 contact-tracing app, to be rolled out by the UK's National Health Service (NHS), thrust into the spotlight thanks to sensitive documents being leaked via a public Google Drive link.

Threatpost host Cody Hackett talks to Chris Hertz, vice president of cloud security sales at DivvyCloud by Rapid7, about the top trends he's seeing around cloud security and how IaC is helping companies handle security and compliancy.

• A "PhantomLance" espionage campaign discovered targeting specific Android victims, mainly in Southeast Asia — which could be the work of the OceanLotus APT.
• A highly targeted phishing campaign, uncovered this week, with a Microsoft file platform twist, that successfully siphoned the Office 365 credentials of more than 150 executives since mid-2019.
• A Microsoft vulnerability found in Microsoft Teams that could have allowed an inside attacker to weaponize a single GIF image and use it to pilfer data from targeted systems and take over all of an organization's Teams accounts.

• Apple zero days were disclosed in the iPhone iOS; researchers say they have been exploited for years, but Apple has pushed back and said there's no evidence to support such activity
• Nintendo confirming that over 160,000 accounts have been hacked, due to attackers abusing a legacy login system
• With the NFL's virtual draft kicking off this week, security researchers and teams have been sounding off on security issues leading to data theft or denial of service attacks

• The various cybercriminal activity - from malware, phishing and other scams - tapping into the coronavirus pandemic
• The security risks of businesses working from home due to the virus' spread
• Privacy concerns as more governments use facial recognition and mobile apps for tracking the virus  
• The results of Pwn2Own, which took place this week

Threatpost talks to Ryan Olson, vice president of Threat Intelligence for Unit 42 at Palo Alto Networks, and May Wang, senior distinguished engineer at Palo Alto Networks and former Zingbox CTO, about the top IoT threats.

• Recent phishing scams - including ones with a romance hook - continue to trick victims, showing that phishing tactics still work in stealing millions from individuals, corporations, and even government agencies.
• Emotet has a newly discovered feature that hacks nearby Wi-Fi networks, allowing the prolific malware to spread rapidly, like a worm.
• The operators behind the Robbinhood ransomware are using a new tactic called "bring your own bug," which researchers think will continue in future campaigns.
• Patch Tuesday craziness this week included 99 patches from Microsoft, as well as vulnerability fixes from Adobe, Intel and Mozilla Firefox.

However, as more programs are created, some companies are forgetting the real reason behind bug bounties. That is, instead of making their systems more secure, companies want to merely hunt bugs. Threatpost talked to Katie Moussouris, founder and CEO of Luta Security, to hear more about her thoughts about the challenges in developing – and launching – bug bounty programs.

Researchers say that the vulnerabilities, which they collectively dub CDPwn, can allow attackers to remotely take over millions of devices. The flaws specifically exist in the parsing of CDP packets, in the protocol implementation for various Cisco products, from its software to IP cameras. Cisco issued patches on Wednesday addressing the five flaws, and is urging users to update as soon as possible.

However, Vanunu told Threatpost at CPX 360, Check Point's annual security conference that takes place this week, WhatsApp is a prime example of how mobile devices are increasingly becoming targeted by nation state actors, in stark contrast to previous, less serious threats mobile devices have faced like adware.

• Various proof-of-concept exploits being released for serious vulnerabilities this week - including for the recently-patched crypto-spoofing vulnerability found by the National Security Agency and reported to Microsoft.
• Multiple cable modems used by ISPs to provide broadband into homes have a critical vulnerability in their underlying reference architecture, dubbed "Cable Haunt," that would allow an attacker full remote control of the device.
• Google's continual battle against attackers who are infiltrating Google Play with Android apps (more than 17,000 apps to date) distributing the Joker malware.
• Google setting an aggressive two-year deadline for dropping support for third-party tracking cookies in its Chrome web browser.

Microsoft's January Patch Tuesday security bulletin disclosed the "important"-severity vulnerability, which could allow an attacker to spoof a code-signing certificate, vital to validating executable programs in Windows, and make it appear as if an application was from a trusted source.

Threatpost talked to Pratik Savla, senior security engineer at Venafi, about the vulnerability, whether the hype around the flaw was warranted, and what the disclosure means for the NSA.

At a high level ,the CCPA mandates strict requirements for companies to notify users about how their user data will be used and monetized along with giving them straightforward tools for opting out.  However, one of the bigger challenges with the CCPA is the question of tracking the location of that user data, Terry Ray, SVP and fellow with Imperva, tells Threatpost.

Threatpost sat down with Jessica LaBouve, a pen tester with A-LIGN, to discuss the personal challenges she's faced in the cybersecurity industry and the opportunities in the space that she sees for improvement.