Plus: Google launches a new open-source vulnerability scanning tool
Hackers could have used a recently discovered security flaw in the Amazon Elastic Container Registry (ECR) Public Gallery to compromise users. Threat actors could have exploited the flaw to inject malicious code into public images remotely, among other actions.

More:
- The Amazon ECR Public Gallery is a public portal that lists all public repositories hosted on the Amazon ECR Public service. Companies and organizations such as NGINX, Ubuntu, Amazon Linux, and HashiCorp Consul publish their images on the platform.
- This vulnerability could potentially have led to denial of service, data exfiltration, lateral movement, privilege escalation, data destruction, and other multi-variate attack paths.
- In addition to injecting malicious code, attackers could have used the flaw to delete or modify all images.
- Using this vulnerability, an attacker could have infected popular images such as the CloudWatch agent, Datadog agent, EKS Distro, Amazon Linux, and Nginx.
- The vulnerability was reported to the AWS Security Outreach Team, which fixed it in less than 24 hours.
- The disclosure timeline is as follows:
  - Nov. 15, 2022: The vulnerability was reported to AWS Security.
  - Nov. 16, 2022: The fix was successfully deployed.
  - Dec. 13, 2022: Researchers coordinated disclosure with AWS.
Twitter has released a public statement confirming that customer data was leaked earlier in 2022. The flaw was fixed by Twitter in June 2021, but hackers managed to take advantage of it beforehand.

More:
- The vulnerability was reported through a bug bounty program organized by Twitter in 2021.
- Abusing the security flaw allowed hackers to see email addresses and phone numbers that had been uploaded to Twitter's systems, and which accounts that information belonged to.
- The social media company states that no passwords were exposed in this hacking campaign, but it still encourages users to enable two-factor authentication as a safety measure.
A message from SECURITY COMPASS

Security teams and developers may be aligned on what is needed, but the delivery of these requirements leaves room for improvement. This interactive report examines the maturity and approaches of application security training for software developers. It emphasizes the frustrations developers experience with current eLearning options and organizational views on its effectiveness. Key takeaways from the study include:
- 40% of respondents indicate their company provides interactive content, yet a lack of interactive content remains a top frustration.
- In total, 75% of respondents indicated they had to look up security-related topics regularly: once or twice a week (54%) or daily (21%).
- The best time to do secure development training was during code implementation.
- 37% of developers stated that implementing new code to satisfy security requirements was the most costly and time-consuming activity they perform.

To view the full "2022 DevSecOps Perspectives on AppSec Training" research report and learn more, click here.
Snyk has raised a $196.5M Series G funding round to help developers find vulnerabilities in their code. The company ends 2022 with 100% YoY revenue growth.

More:
- Snyk enables users to find and automatically fix vulnerabilities in their code, open-source dependencies, containers, and infrastructure as code.
- The company's products are differentiated by features such as continuous scanning, immediate code updates, post-update analysis tools, repository integration, and application monitoring.
- Snyk claims that its product reduces the chances of being exposed to a security risk by up to 62% and saves its customers, on average, 27 days of wasted time.
- Some of the company's customers are Salesforce, Comcast, AB InBev, Dun & Bradstreet, and Manulife.
- The round was led by the Qatar Investment Authority with participation from Evolution Equity Partners, G Squared, Irving Investors, boldstart ventures, Sands Capital, and Tiger Global.
- The Boston-based company has raised $1B in funding since being founded in 2015.
Google has launched a new open-source vulnerability scanning tool named OSV-Scanner. The tool will support 16 ecosystems.

More:
- OSV.dev is a repository of more than 38,000 advisories, up from 15,000 security alerts a year ago. Linux is the most represented OS, with 27.4%.
- Google has stated that it is working on adding support for C/C++ vulnerabilities, with precise commit-level metadata attached to CVEs.
- Written in Google's programming language, Go, OSV-Scanner can be accessed here.
SafeHouse has raised a $6M Pre-Series A funding round to expand its military-grade cybersecurity services in Europe and Southeast Asia. The startup is based in Tel Aviv, Israel.

More:
- SafeHouse offers several cybersecurity apps that provide different levels of security for smartphones.
- The company's main product is Bodyguard, an app that offers features such as:
  - Real-time internet traffic protection
  - Military-grade encryption
  - Fingerprint/password protection for apps
  - Device tracking
  - Control of data outflow to specific countries
- The company stated that it will use the funds to boost its R&D program and develop new products that will be released in 2023.
- SafeHouse is backed by companies such as Barclays, Techstars, and BAE Systems.
Quick Hits
- Customer trust is critical, but creating a continuous security process for your startup can be complex. Learn from Vanta how to enhance security without overextending your resources.*
- The NSA and Citrix have released a statement calling on companies and organizations to apply security updates for a zero-day vulnerability tracked as CVE-2022-27518. The flaw could allow an unauthenticated remote attacker to execute arbitrary code.
- The number of data breach cases in Australia increased by 489% in Q4 2022, making the country one of the most cyberattacked in the world.
- Cybersecurity company Picus has stated that ChatGPT could potentially give access to hacking tools to more people than ever before.
- HP-owned Apogee stated that its poll results show only 14% of hybrid-working companies consider security their priority.
- Recruiting tech ROI of 227%? Here's how Okta achieves its hiring goals using Greenhouse Recruiting and Greenhouse Onboarding.*

*This is sponsored content.
Arbër is an Inside writer who also has experience in entrepreneurship. He has experience covering Consumer Tech, Venture Capital, NFTs, Crypto, etc. Arbër holds a Bachelor's degree in Business from XAMK University in Finland. When he is not reading (and writing) business news, he chooses to watch sports or anime... and then read news about sports or anime.

Editor: Aaron Crutchfield is based in the high desert of California. Over the last two decades, he has spent time writing and editing at various local newspapers and defense contractors in California. When he's not working, he can often be found looking at the latest memes with his kids or working on his 1962 and 1972 Fords.

Security Compass delivers best-practice, role-based, accredited eLearning solutions.

767 Bryant St. #203, San Francisco, CA 94107. Copyright © 2022 Inside.com