Stop Pushing Code Like It’s 1999: A Modern Take on Secure CI/CD

Look, we’ve all been there. It’s Friday afternoon, you’re racing to meet a deadline, and you’re about to push that code straight to production. “I’ll run security tests next time,” you tell yourself. But deep down, you know that “next time” rarely comes. Let’s talk about why integrating security testing into your CI/CD pipeline isn’t just another corporate checkbox—it’s your ticket to actually enjoying your weekends.

Table of Contents

  1. The Real Cost of “We’ll Fix It Later”
  2. Why Your Pipeline Needs Security Testing (And Why You’ll Thank Yourself Later)
  3. Making It Work in the Real World
  4. Measuring Success (Without Drowning in Metrics)
  5. The Bottom Line

The Real Cost of “We’ll Fix It Later”

Remember that time when a tiny security vulnerability turned into a full-blown crisis? You’re not alone. I’ve seen teams spend entire weeks fixing security issues that could have been caught in minutes with proper testing. It’s like trying to find your keys after leaving the house—much harder than checking your pockets before you leave.

The truth is, fixing security issues late in the game is like trying to change your car’s engine while driving on the highway. It’s possible, but it’s stressful, dangerous, and way more expensive than it needs to be. Plus, let’s be honest: none of us want to be that developer who has to explain to the CEO why customer data is trending on Twitter.

Why Your Pipeline Needs Security Testing (And Why You’ll Thank Yourself Later)

Catch Problems While They’re Still Tiny

Think of security testing in your pipeline as having a spell-checker for your code. Sure, you could wait until after you’ve written the entire novel to check your spelling, but wouldn’t you rather know about typos as you write? The same goes for security vulnerabilities. When you catch them early, they’re usually just a quick fix away. Wait too long, and suddenly you’re rewriting entire chapters of your application.

Keep Your Development Mojo Flowing

“But won’t security testing slow us down?” I hear this all the time, and I get it. However, here’s the reality: Nothing kills development momentum faster than having to drop everything to fix a security issue in production. It’s like having to stop your car every few miles to check if the wheels are still attached. With continuous security testing, you can drive smoothly, knowing your car isn’t going to fall apart.

Consistency That Makes Life Easier

Let’s face it: humans are terrible at doing repetitive tasks consistently. We get distracted, we forget things, we take shortcuts. That’s why we need automation. When security testing is part of your pipeline, it’s like having a very diligent, never-tired security expert reviewing your code 24/7. And unlike your human security expert, it doesn’t need coffee breaks.

Making It Work in the Real World

Start Small, Think Big

You don’t need to transform your pipeline overnight. Start with the basics—maybe just SAST for critical components. It’s like going to the gym; you don’t start with the heaviest weights on day one. Begin with what you can manage, and gradually increase your security testing routine as you get stronger.

Choose Tools That Don’t Drive You Crazy

Your security tools should feel like helpful assistants, not annoying backseat drivers. Pick tools that integrate well with your existing workflow and provide clear, actionable feedback. If you find yourself constantly fighting with your security tools, something’s wrong—and it’s probably not you.

Build a Security-Aware Culture (Without the Fear)

Security shouldn’t be about pointing fingers or instilling fear. Create an environment where developers feel comfortable discussing security issues and sharing solutions. Think of it as creating a “security book club” where everyone learns and improves together.

Measuring Success (Without Drowning in Metrics)

Keep it simple. Track things that actually matter:

  • How quickly can you find and fix vulnerabilities?
  • How many issues are caught before they reach production?
  • Are your developers sleeping better at night?

The Bottom Line

Security testing in CI/CD isn’t just about protecting your application—it’s about protecting your sanity. It’s about being able to deploy with confidence, knowing that you’ve got solid security checks watching your back. It’s about spending your time building cool features instead of firefighting security issues.

Remember: Future You will either thank Present You for implementing security testing, or curse Past You for skipping it. The choice is yours.

So, what’s it going to be? Are you ready to give your CI/CD pipeline the security love it deserves? Your code (and your future self) will thank you for it.

P.S. If you’re reading this on a Friday afternoon, considering skipping security testing for your next deployment—take it from someone who’s learned the hard way: don’t do it. Monday You will not be impressed.

Bright Introduces Bright STAR: The Future of Application Security Testing

In the ever-evolving landscape of application security, Bright is excited to introduce Bright’s STAR (Security Testing & Automated Remediation) platform. STAR is a revolutionary approach that disrupts traditional AST (Application Security Testing) concepts and ushers in a new era of Application and API Security solutions. Bright has been deploying developer-centric DAST (Dynamic Application Security Testing) solutions to some of the world’s largest enterprises for the past 5 years. The new STAR platform incorporates many of the capabilities our customers and other organizations we speak with need in order to take a modern approach to Application and API Security: automation, testing early in the SDLC, and automated remediation. With this new solution, Bright is breaking down the barriers between SAST (Static Application Security Testing), DAST, and IAST (Interactive Application Security Testing), offering a truly revolutionary solution that doesn’t only test, but also helps enterprises auto-remediate vulnerabilities.

Table of Contents

  1. The Power of STAR: Redefining Application Security
  2. Broad Language Support for Maximum Adoption
  3. Dynamic Security Testing at the Code Level
  4. A New Era in Application Security

The Power of STAR: Redefining Application Security

STAR reimagines Application and API security by leveraging Bright’s advanced Dynamic engine and seamlessly integrating AI capabilities with Bright’s SecTester security unit testing library. This powerful combination enables STAR to:

  • Automatically generate security unit test coverage (SecTester) for a given codebase.
  • Run security unit tests so that developers identify vulnerabilities dynamically, early in the SDLC.
  • Automatically generate fixes for discovered vulnerabilities using AI-driven insights.
  • Validate those fixes in real time using the same SecTester unit tests, ensuring remediation is both effective and seamless. Because it is built on our dynamic platform, Bright is uniquely positioned to provide real validation.

Broad Language Support for Maximum Adoption

Bright’s STAR platform is designed with developers in mind, supporting multiple programming languages, including Go, JavaScript, TypeScript, .NET, and others. This broad compatibility allows organizations across the globe to integrate STAR into their development workflows effortlessly, ensuring security is embedded early in the development lifecycle. Because of our dynamic approach, we can rapidly add support for additional languages without the full language integration that SAST solutions require.

Dynamic Security Testing at the Code Level

Yes, you read that correctly!

Unlike traditional SAST solutions that rely on static analysis and approximations, STAR brings dynamic security testing directly to the unit-testing and code level. This eliminates guesswork and false positives while avoiding the complexities of DAST, such as authentication challenges and full application discovery processes. By merging dynamic testing with unit testing, STAR delivers an unprecedented level of accuracy and efficiency in security validation.

A New Era in Application Security

With STAR, Bright is redefining the standards of Application Security by offering a developer-friendly, automated, and AI-powered security testing solution. This next-generation approach empowers development teams to detect and remediate vulnerabilities faster, with minimal friction, ultimately leading to more secure applications and APIs and a stronger security posture for organizations worldwide.

Bright’s STAR is not just an evolution, it’s a revolution in application security! Stay ahead of the curve with Bright and experience the future of AppSec today.

DORA: Exploring The Path to Financial Institutions’ Resilience

DORA (Digital Operational Resilience Act) is the latest addition to the EU regulatory arsenal: a framework designed to bolster the cyber resilience of financial entities operating within the EU. But let’s face it: there’s no lack of regulations issued by the European Union legislature, and they’re not exactly known for keeping things light and easy. The last decade has seen a veritable barrage of highly stringent regulations that had companies worldwide scrambling to implement the required sets of measures and avoid pretty hefty fines. The financial sector was no exception. While DORA aims to fortify the financial sector against digital threats, it also presents a formidable challenge for organizations to adapt and comply.

This post delves into what DORA means for your organization’s security posture, explores the intricacies of this regulation, and discusses the processes and tools you can implement to address its requirements. Specifically, why does DAST have such a significant impact on achieving DORA compliance?

Table of Contents

  1. What is DORA, and who does it affect?
  2. DORA’s impact on your organization’s security posture
  3. Navigating DORA compliance: Processes and tools
  4. Unleash Bright DAST and accelerate DORA compliance

What is DORA, and who does it affect?

DORA is a comprehensive regulatory framework that aims to ensure the operational resilience of financial institutions in the face of digital disruptions, such as cyberattacks, IT failures, and natural disasters. It’s not just about preventing these incidents but also about ensuring that organizations recover swiftly and effectively. DORA casts a wide net, affecting a broad spectrum of financial entities operating within the EU, including:

  1. Credit institutions
  2. Payment institutions
  3. Investment firms
  4. Insurance companies
  5. Crypto-asset service providers

Essentially, if your organization plays a role in the EU’s financial ecosystem, DORA is knocking on your door – this time not to explore but to regulate.

DORA’s impact on your organization’s security posture

While any new regulation seems like yet another chore imposed by the burgeoning bureaucracy, DORA is actually not just another regulatory checkbox. It’s a paradigm shift in how financial institutions approach operational resilience in more ways than one:

  1. DORA sets a high bar for security measures, requiring organizations to implement robust cybersecurity controls, conduct regular risk assessments, and establish incident management and reporting procedures.
  2. The regulation emphasizes the ability to withstand and recover from disruptions. This means having contingency plans, backup systems, and disaster recovery strategies in place.
  3. DORA extends its reach to third-party service providers, requiring organizations to assess and manage the risks associated with outsourcing critical functions.
  4. DORA empowers regulators to enforce compliance rigorously, with the potential for hefty fines for non-compliance.

In essence, DORA compels organizations to adopt a proactive and holistic approach to security, ensuring that it’s an integral part of their operational DNA.

Navigating DORA compliance: Processes and tools

Complying with DORA is not a walk in the park. Unless you’re in a seedy part of town, it’s midnight, there’s an all-out gang war, and the park is rumored to be haunted. Then, it might be like a walk in the park. Jokes aside, though, complying with DORA is an achievable goal with the right processes and tools. As with almost any implementation, there’s no one-size-fits-all approach – requirements are comprehensive and diverse, and they will require an in-depth analysis and approach. To help out, we have assembled a series of steps that can assist you in creating your own to-do list:

  1. Start by conducting a thorough risk assessment to identify vulnerabilities and potential threats to your operations. This will serve as the foundation for your DORA compliance strategy.
  2. Implement a comprehensive cybersecurity framework that aligns with DORA’s requirements. This includes measures like access controls, encryption, intrusion detection, and incident response protocols.
  3. Continuous testing is crucial to identify and address security weaknesses before they can be exploited. Employ vulnerability scanning tools and conduct penetration testing to assess your defenses.
  4. Establish clear procedures for incident management and reporting. This includes defining roles and responsibilities, communication channels, and escalation paths.
  5. Evaluate the security practices of your third-party service providers and ensure they meet DORA’s standards.
  6. Educate your employees about DORA’s requirements and the importance of cybersecurity. Regular training sessions can contribute to a security-conscious culture within your organization.

Unleash Bright DAST and accelerate DORA compliance

While the above steps provide a general overview of achieving DORA compliance, leveraging the right tools can significantly streamline the process. Bright Security’s Dynamic Application Security Testing (DAST) solution is one such tool.

Bright DAST is a scanning solution designed to fortify your web applications and APIs against vulnerabilities. By proactively identifying and addressing security risks, Bright DAST empowers you to take swift corrective action, reducing the likelihood of shipping known vulnerabilities to production by an impressive 42%. How does it accomplish that?

  • Authenticated scanning – Bright DAST doesn’t just scratch the surface; it dives deep, simulating real-world attack scenarios to uncover hidden vulnerabilities that malicious actors could exploit.
  • Business logic vulnerability detection – Bright DAST excels at identifying vulnerabilities in your application’s business logic, ensuring that even the most intricate workflows are secure.
  • Seamless integration into the SDLC – Bright DAST integrates into the early stages of your existing software development lifecycle (SDLC), allowing you to catch vulnerabilities sooner in the development process when they are easier and less costly to fix.

Where discovering vulnerabilities is a requirement, Bright DAST plays a crucial role in strengthening operational resilience. Financial institutions handle vast amounts of sensitive data and transactions, making them attractive targets for criminals seeking financial gain or aiming to disrupt economic activity. Bright DAST helps mitigate these risks by identifying security weaknesses and helping to remediate them, enhancing your ability to withstand and recover from cyberattacks and other disruptions. This is how we achieve it:

  • Bright DAST continuously scans your applications, providing real-time visibility into your security posture and enabling you to respond quickly to emerging threats.
  • Bright DAST covers a wide range of vulnerabilities, including those listed in the OWASP Top 10, ensuring your applications are protected against the most common and critical security risks.
  • Bright DAST provides detailed reports pinpointing vulnerabilities and offering actionable remediation guidance, making it easier for your development teams to address security issues effectively.

Bright DAST not only strengthens your security posture but also streamlines your compliance journey. Aligning with key articles of the DORA framework, such as Article 24 (Operational Resilience Program), Article 25 (Vulnerability Testing and Automated Scans), and Article 33 (Cyber Threat and Vulnerability Information Sharing), Bright DAST enables you to demonstrate your commitment to regulatory requirements effectively. This alignment is further strengthened by:

  • Clear Audit Trails – Bright DAST maintains clear audit trails, documenting all scanning activities and remediation efforts, making it easier to demonstrate compliance to regulators.
  • Integration with Existing Security Tools – Bright DAST integrates seamlessly with your existing security tools and workflows (e.g., SAST tools like Snyk), minimizing disruption and maximizing efficiency.
  • Expert Support – Bright’s security experts can provide guidance and support in implementing our solution.

Moreover, Bright DAST’s impact extends beyond compliance. Financial institutions leveraging Bright’s DAST experience a remarkable 1,000% improvement in vulnerability detection and resolution early in the software development lifecycle (SDLC). This early intervention significantly reduces the risk of vulnerabilities reaching production environments. Additionally, Bright DAST contributes to a 46% improvement in the resolution velocity of production vulnerabilities, ensuring that any issues that arise are addressed swiftly and efficiently.

Bright DAST is more than just a tool; it’s a strategic investment in your organization’s security and resilience. With its verified track record in regulated environments and alignment with industry standards like OWASP Top 10, Bright DAST empowers you to navigate your development cycle confidently. It is built for enterprise-grade scale and security, catering to organizations with high-scale concurrent scanning needs without compromising on security and standards. Features like SSO, RBAC, and audit logs are available on demand, ensuring that your security operations are both robust and efficient.

And just like with Bright, there is an equally important thing to remember about DORA – it is not just about compliance. It’s about building a resilient and secure future for your organization. It may be wrapped in red tape, but then again, so are many genuine gifts. Therefore, gear up, fire up those Bright engines, and let DORA be the catalyst for your stronger security posture.

Analyzing the Limitations of OWASP JuiceShop as a Benchmarking Target for DAST Tools

Table of Contents

  1. Introduction
  2. The Purpose of Benchmarking
  3. Approaching DAST Testing
  4. Why does JuiceShop fall short
  5. Conclusion

Introduction

OWASP JuiceShop is a widely used Capture The Flag (CTF) application for penetration testing (PT) teams. It offers a gamified experience with logical puzzles. While it serves its intended purpose, it is not a suitable benchmarking target for Dynamic Application Security Testing (DAST). We will explain why in this post. Before we dive into the concerns of using JuiceShop as a DAST benchmarking target, let us first define why and how we should approach DAST benchmarking.

The Purpose of Benchmarking

In the realm of DAST, benchmarking involves comparing the performance, capabilities, and efficacy of various tools in identifying and mitigating security vulnerabilities. The primary goal is to select a DAST solution that aligns with the unique requirements and objectives of an organization’s security strategy. As such, we should also make sure the benchmarking target resembles the organization’s real target applications as closely as possible. This is a key reason why selecting very old benchmarking targets with obsolete technologies, like DVWA or bWAPP, or targets which do not behave like real-world applications, does not align with the end goal of finding the best tool for the job, the job being testing the organization’s real-world applications.

Approaching DAST Testing

To extract maximum value from DAST benchmarking, it’s crucial to adopt a comprehensive testing approach. Consider the following key aspects:

a. Ability to Test Modern Technologies: Ensure that the DAST tool supports and effectively tests applications built on modern technologies. Compatibility with diverse tech stacks is vital for addressing the ever-evolving nature of web applications.

Examples of technologies we should ensure are present in a modern benchmark:

  1. Modern backend languages such as NodeJS, Go, Elixir, etc.
  2. Modern frontend frameworks such as React, Angular, and Vue.js.
  3. Modern architectures: SPA, backend/frontend API communicating over REST/GraphQL.
  4. Dynamic application behavior: JS events, complicated DOM, frontend logic.
  5. Modern stack: PostgreSQL, NoSQL, modern web server, etc.

b. Modern Vulnerabilities: Evaluate the tool’s proficiency in detecting modern vulnerabilities. The benchmarking process should include testing for threats beyond traditional issues, such as those related to cloud services, microservices, and serverless architectures.

Examples of modern vulnerabilities we should ensure are present in a modern benchmark:

  1. Cloud resources: AWS S3 issues, Google Storage, Azure Blobs, API key leaks and secrets.
  2. API Security: GraphQL misconfiguration, OWASP API top 10, business constraint issues, business logic issues.
  3. Authorization: JWT Token issues, privilege elevation issues, Access Control misconfiguration.

c. Authentication Scenarios: Assess the DAST tool’s capability to handle various authentication mechanisms. Robust testing should encompass scenarios involving single sign-on (SSO), multi-factor authentication (MFA), and other authentication protocols to provide a holistic security assessment.

d. Crawling and Discovery: The tool’s ability to thoroughly crawl and discover the application’s attack surface is critical. Effective crawling ensures comprehensive coverage of the application, uncovering hidden vulnerabilities that may escape less sophisticated tools.

e. API and Backend Testing: With the rise of API-centric architectures, a robust DAST tool should extend its testing capabilities to APIs and backend services. Evaluate how well the tool can identify vulnerabilities in API endpoints, across different API technologies like REST, GraphQL and others. We should also make sure the DAST tool supports multiple ways to map and identify all of the different API endpoints (loading schemas, handling introspection, allowing editing or manual setup of specific API endpoints).

Now that we agree on the requirements for an effective benchmark, we need to ensure the target of our benchmark lets us exercise all of these points. This keeps us as true as possible to the actual targets we will test for the organization: the benchmark should encompass multiple modern vulnerabilities and behave, and be architected, in a way that resembles real-world applications as much as possible.

Why does JuiceShop fall short

Gamified Approach and Logical Puzzles:

OWASP Juice Shop’s design heavily emphasizes a play-like approach, incorporating logical puzzles that may not align with real-world application security challenges.

One prominent example is the scenario where a user is prompted to “Reset the password of Bjoern’s OWASP account via the Forgot Password mechanism with the truthful answer to his security question.” To solve this scenario one needs to either watch Bjoern’s OWASP lecture from 2018 to see his playthrough of JuiceShop, or go to his Twitter and scroll until a post talking about his favorite cat “Zaya” happens to come into view.

Another good example is the “Receive a coupon code from the support chatbot” challenge. To win this one, a user needs to “bully” the chatbot, asking again and again for a coupon code until the bot gives up and supplies the user with a coupon.

Many similar “vulnerabilities” have been programmed into JuiceShop. While this makes the application a very fun PT puzzle platform, these issues are hardly in the realm of real-world vulnerabilities, or of issues that a DAST tool is expected to find.

Limited Automated Vulnerability Detection:

Certain vulnerabilities within Juice Shop cannot be efficiently detected through automated means. An illustrative example involves extracting security question answers from external sources like YouTube videos. This kind of manual intervention and information retrieval, as demonstrated by Bjoern Kimminich himself in a conference talk, highlights the inherent limitations of automated vulnerability detection in Juice Shop.

Non-Conformity to HTTP Standards:

A major drawback of Juice Shop lies in its non-conformity to HTTP standards. Every page, regardless of existence, returns a 200 OK status, creating potential confusion for DAST tools relying on standard status codes for interpretation.

As the application uses only relative links, every such non-existent URL has the potential to endlessly increase the sitemap if the tool is not configured to handle such situations.

Furthermore, the application employs unconventional HTTP response status messages, such as using a 500 Internal Error for unauthorized access, a departure from the industry-standard 401 or 403 status.
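To show what “configured to handle such situations” means for a crawler, here is an added example (not from the original post and not Bright’s code): a tiny breadth-first crawler that probes random paths to fingerprint the site’s always-200 “not found” page, drops later responses that match it, resolves relative links against the page they came from, and keeps error statuses for review instead of discarding them. The site it crawls is a constructed stand-in that imitates the behaviour described above.

```python
"""Soft-404 fingerprinting for a DAST crawler (added example, not from the post).

A site that answers 200 OK for every path and emits relative links makes a
status-code-trusting crawler append URLs forever. This crawler instead learns
the fingerprint of the "not found" page and treats matches as dead ends.
"""
import hashlib
import re
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin


@dataclass
class Response:
    status: int
    body: str


# Constructed stand-in for an HTTP client. Unknown paths get the SPA shell with
# 200 OK, and the shell itself carries a relative link, so every phantom page
# spawns another phantom page one directory deeper.
SPA_SHELL = (
    '<html><body><app-root></app-root>'
    '<img src="x" alt="logo"><a href="assets/logo.png">logo</a>'
    '<script src="main.js"></script></body></html>'
)
FAKE_SITE = {
    "/": Response(200, SPA_SHELL + '<a href="about">About</a>'
                  '<a href="rest/products">Products</a><a href="rest/admin">Admin</a>'),
    "/about": Response(200, SPA_SHELL + "<p>About us</p>"),
    "/rest/products": Response(200, '{"data": [{"id": 1, "name": "Apple Juice"}]}'),
    # unauthorised access answered with 500 instead of 401/403, as the post describes
    "/rest/admin": Response(500, '{"error": "Internal Server Error"}'),
}


def fake_fetch(path: str) -> Response:
    """Return the canned response; anything unknown is a 200 OK soft-404."""
    return FAKE_SITE.get(path, Response(200, SPA_SHELL))


def fingerprint(resp: Response) -> str:
    """Hash status plus whitespace-normalised body so template pages compare equal."""
    body = re.sub(r"\s+", " ", resp.body).strip()
    return hashlib.sha256(f"{resp.status}|{body}".encode()).hexdigest()


def learn_soft_404(fetch: Callable[[str], Response], probes: int = 3) -> Optional[str]:
    """Fetch several random paths that cannot exist.

    If they all come back identical, that fingerprint is the site's "not found"
    page regardless of the status code it carries.
    """
    prints = {fingerprint(fetch("/" + secrets.token_hex(8))) for _ in range(probes)}
    return prints.pop() if len(prints) == 1 else None


LINK_RE = re.compile(r'href="([^"#]+)"')


def crawl(fetch: Callable[[str], Response], start: str = "/",
          max_pages: int = 50, detect_soft_404: bool = True) -> Tuple[List[str], List[str]]:
    """Breadth-first crawl returning (sitemap, paths_with_error_status).

    With detect_soft_404=False the crawl behaves like a status-code-trusting
    tool and only the max_pages budget stops it.
    """
    soft404 = learn_soft_404(fetch) if detect_soft_404 else None
    seen, queue, sitemap, errors = set(), [start], [], []
    while queue and len(seen) < max_pages:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        resp = fetch(path)
        if soft404 and fingerprint(resp) == soft404:
            continue  # same page the site serves for anything unknown: dead end
        sitemap.append(path)
        if resp.status >= 400:
            errors.append(path)  # keep for review; may be an auth wall, not a crash
        for href in LINK_RE.findall(resp.body):
            queue.append(urljoin(path, href))  # resolve relative links against the page
    return sitemap, errors


if __name__ == "__main__":
    print("naive  :", len(crawl(fake_fetch, detect_soft_404=False)[0]), "pages")
    print("robust :", crawl(fake_fetch))
```

Running it, the naive crawl exhausts its 50-page budget on `/assets/assets/.../logo.png` phantoms, while the fingerprinting crawl stops at the four real paths and flags `/rest/admin` for review.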

Moreover, much has been invested in making the application behave in ways that make an automated scanner’s job harder, so that PT players cannot “cheat” the game using automated tools. This also includes complicated scenarios such as forms which are not really forms: JS events attached to images, and fields which do not open, or are not editable, until an icon is clicked.

One good example can be seen when looking at the image sources on the main page:

Multiple event listeners are attached to the image, each one producing a different behavior.

Another good example is the “search” bar which hides a DOM XSS:

The search bar does not exist until a click or touch event fires; only then does the DOM render the search bar:

Another example is “Directory Listing”. Usually this issue refers to a server-level misconfiguration that enables browsing directories from the browser, and it looks like this:

In JuiceShop, instead, the behavior is an in-app directory browsing library that allows you to go through the files in a specific folder. This is not what we would classify as “Directory Listing”; it is more of an application feature inside JuiceShop:

There are other examples of behavior that is very human-centric in order to make sure automated tools have a hard time parsing the targets and managing to run scans.

Conclusion

In conclusion, while OWASP Juice Shop provides an engaging platform for PT teams and serves its intended purpose as a gamified CTF application, it falls short as an ideal benchmarking target for DAST tools. Its unique design choices, non-standard HTTP practices, and deliberate anti-automation features pose challenges that diverge from the realistic security scenarios encountered in actual applications. To ensure comprehensive security testing and benchmarking, it is crucial to consider applications that more closely emulate real-world conditions. As the cybersecurity landscape evolves, the need for reliable and realistic benchmarks becomes increasingly vital in fortifying applications against emerging threats.

This is why we should consider proper modern benchmarks like the following:

  1. BrokenCrystals (sources at GitHub: NeuraLegion/brokencrystals – A Broken Application – Very Vulnerable!)
  2. DVGA (GitHub: dolevf/Damn-Vulnerable-GraphQL-Application) – Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook’s GraphQL technology, to learn and practice GraphQL Security.
  3. vAPI (GitHub: roottusk/vapi) – vAPI is Vulnerable Adversely Programmed Interface, a self-hostable API that mimics OWASP API Top 10 scenarios through exercises.
  4. crAPI (GitHub: OWASP/crAPI) – completely ridiculous API (crAPI)

Exploring Maze and Lockbit Ransomware Gangs

Part 2 of 2

In the previous segment of our blog series, we looked at the operations of Ryuk/Conti, also known as “Wizard Spider,” shedding light on their tactics and impact. In this section, we turn our attention to Maze and Lockbit, two formidable players in the cyber threat landscape, exploring their collaborative dynamics, unique characteristics, and the evolving strategies that define their ransomware campaigns.

Table of Contents

  1. Maze: Collaborations and Shifting Dynamics 
  2. Lockbit: Connections and Apologies 
  3. How Bright can Help
  4. Conclusion

Maze: Collaborations and Shifting Dynamics 

Maze, known for its use of RDP brute force, strategically avoids former Soviet countries and swiftly exits systems that use the Russian language. This group poses a significant threat to the UK, particularly targeting hospitals during the COVID-19 pandemic. Of course, this sounds similar to a previous gang we discussed, known as Conti.

While Conti is a formidable force, Maze surpasses them in strength and collaboration. Distinguishing itself from Conti, Maze employs ransomware with the ChaCha algorithm and offers ransomware as a service – a novel development in the cybercrime era. The ChaCha algorithm operates on the principles of symmetric key cryptography, where the same key is used for both encryption and decryption. Ransomware as a Service (RaaS) is a cybercriminal business model in which individuals or groups develop and distribute ransomware, making it available for others to use in exchange for a share of the ransom payment. This collaboration amplifies the impact of ransomware attacks, presenting a multifaceted challenge for cybersecurity professionals. The emergence of ransomware as a service further commodifies cyber threats, enabling even less sophisticated actors to participate in malicious activities.  

Unique Characteristics

Maze introduced a distinctive practice: if the target refuses to pay the ransom, they publicly release the unencrypted data. This approach has since been adopted by other ransomware gangs, including Lockbit. Intriguingly, Maze declared collaboration with other groups after shutting down, viewing them as friends rather than competitors. The use of QakBot, malware shared with Egregor, raises speculation about potential connections between the two operations. QakBot, also known as Qbot, is a sophisticated banking trojan and malware strain that primarily targets Windows-based systems. Egregor is a notorious ransomware strain that emerged in September 2020. It gained prominence for its advanced tactics, techniques, and procedures (TTPs), as well as its aggressive and highly effective approach to extortion. Shared malware suggests a level of collaboration or knowledge exchange between the groups, leading cybersecurity experts to investigate whether there is a more significant relationship or affiliation. The ever-evolving nature of these ransomware groups is evident as Egregor took over Maze’s operations following its shutdown, emphasizing the need for continuous vigilance.

Hospital Targeting and Impact

While Maze purportedly refrained from targeting hospitals in 2020 due to the impact of COVID-19, incidents like the attack on a German hospital that resulted in a tragic death expose the grim reality. Despite claims by various ransomware groups that they do not target healthcare facilities, attacks on these institutions persist, underscoring the severity of the issue. The intersection of cyber threats and healthcare vulnerabilities becomes even more apparent, as these attacks not only jeopardize sensitive patient data but also directly impact medical services and, tragically, even patient outcomes.

Lockbit: Connections and Apologies 

Lockbit follows a trajectory similar to Conti, utilizing its own ransomware encryptor. Recent reports suggest Lockbit's adoption of the Lockbit Green encryption method, based on Conti Green ransomware. Here, the ransomware encrypts the victim's data and appends a random extension to the filenames of all encrypted files. The encryption process is automatic and targets devices across Windows domains. Connections between Lockbit and Conti emerge as both groups attempt to recruit developers while facing challenges of their own. The dynamics of Lockbit's attacks have shifted, as evident in their actions towards German hospitals, where apologies have been replaced with unapologetic targeting.

While this article was being written, Lockbit once again launched an attack in the final days of January. Their target this time was Saint Anthony Hospital, a facility dedicated to providing care for children. The ransom demanded by the attackers amounted to $900,000. Shockingly, Lockbit neither provided a decryption key nor expressed any remorse for its malicious actions. They imposed a two-day negotiation period on the hospital, warning that failure to comply would result in the public release of all the data they had acquired from the institution.

Hospital Attacks and Lessons Learned

The Lockbit attack on SickKids Hospital in Canada was marked by an unusual event in the world of ransomware attacks – Lockbit issued an apology and provided a decryptor. This departure from the typical adversarial behavior of ransomware groups hinted at a potential sense of remorse or a strategic decision to present a more benevolent image. Offering a decryptor alongside an apology was uncommon in an ecosystem where threat actors are often known for their ruthless tactics and indifference to the consequences faced by their victims. 

However, this apparent display of empathy in the SickKids Hospital incident sharply contrasts with Lockbit’s subsequent actions in Germany, signaling a significant shift in their approach. In the German attacks, Lockbit abandoned the apologetic stance seen in Canada and embraced a more aggressive and unapologetic strategy. This change in behavior could be attributed to various factors, including shifts in the group’s leadership, modifications to their ransomware-as-a-service model, or a strategic decision to project a different image in response to evolving cybersecurity landscapes and law enforcement activities.

The intersection of cybersecurity and healthcare becomes apparent as hospitals become lucrative targets for ransomware attacks. The evolving landscape prompts reflection on past attacks by various ransomware groups and the indifference they display even in the face of condemnation. It underscores the critical need for heightened cybersecurity measures within the healthcare sector and beyond.

How Bright can Help

Minimizing cybersecurity risks is paramount for businesses in today’s threat landscape. Thankfully, Bright’s Dev-centric DAST proves invaluable in this endeavor by effectively identifying vulnerabilities and offering robust mitigation processes. Its advanced capabilities include the detection of critical CVEs using sophisticated payloads and the reduction of false positives through AI. 

The constant emergence of new CVEs poses an ongoing threat to digital infrastructures, with attackers actively exploiting unpatched or outdated systems. A notable example is the Cl0p group, which used CVE-2023-34362, a SQL injection vulnerability, to deploy ransomware. Another avenue for attackers involves leveraging XSS to spread ransomware and tarnish an organization's reputation. In a landscape filled with numerous vulnerabilities, Bright plays a crucial role during threat mapping activities.
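Since the paragraph names SQL injection as the vector behind a ransomware campaign, here is an added example (not code from the article, from Bright, or from the vulnerable product) showing the defect class in its simplest form: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The table, usernames and roles are made up for the demo; the point is that the concatenated version lets input change the query's meaning while the parameterized version treats it strictly as data.

```python
"""Added illustration: SQL injection via string concatenation versus a
parameterized query, demonstrated on a constructed in-memory database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three accounts, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Unsafe: the caller's input is spliced into the SQL text, so quote
    characters in the input become part of the statement."""
    query = f"SELECT username, role FROM accounts WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Safe: the driver binds the value separately from the statement, so the
    input can never be parsed as SQL regardless of its content."""
    return conn.execute(
        "SELECT username, role FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def compare(username: str) -> dict:
    """Run both lookups on the same input and return their row sets."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "parameterized": lookup_parameterized(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal username behaves identically in both versions.
    print(compare("bob"))
    # The textbook tautology input widens the WHERE clause in the vulnerable
    # version only; the parameterized query simply finds no such username.
    print(compare("' OR '1'='1"))
```

The fix is not input filtering but keeping code and data separate at the driver level; the parameterized form is also the one a DAST scanner will fail to coax into returning extra rows, which is how a tool such as the one described here distinguishes a real finding from noise.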

Upon identifying vulnerabilities related to web infrastructure, the SOC team can seamlessly implement prevention measures. This proactive cycle begins with discovery, followed by manual scanning and investigation, significantly reducing the time required for resolution. While some CVEs or vulnerabilities may take days to address, Bright's tool proves instrumental in minimizing this timeframe, ensuring thorough detection without false positives and thus optimizing the use of time and resources.

Conclusion

As we unravel the operations of Maze and Lockbit, the intricate dance between ransomware groups and cybersecurity professionals continues. Understanding their tactics, collaborations, and impact is pivotal in fortifying defenses against the evolving threats. As the landscape continues to evolve, proactive measures informed by a deep understanding of the adversaries become crucial for a robust security posture in 2024. 

Exploring Ryuk and Conti Ransomware Gangs

Table of Content

  1. Ryuk: A Threat to Healthcare 
  2. Conti: Ryuk Restructured
  3. Conclusion

Part 1 of 2

In the dynamic landscape of cyber threats, the battle between ethical and malicious actors has escalated to unprecedented levels. The shift in motivations, from mere amusement to the pursuit of financial gains, has given rise to ransomware gangs that pose a substantial threat to diverse sectors. The implications of this transformation are worrisome for organizations globally, emphasizing the critical need for vigilance and awareness. In this evolving digital battleground, staying informed becomes not only a proactive strategy but a formidable defense mechanism for safeguarding against the menace of ransomware attacks. 

Part 1 of our ransomware gangs series sheds light on the notorious group Ryuk, also known as Conti or “Wizard Spider”. This exploration aims to uncover the tactics, evolution, and impact of these malicious entities on critical industries.

Ryuk: A Threat to Healthcare 

Ryuk, named after a fictional death spirit from Japanese popular culture, has become a notorious player in the realm of cybercrime. Specializing in high-stakes ransomware attacks, this group has honed its focus on the healthcare sector, presenting a threat to medical institutions across the United States.

Ryuk has established itself as a formidable adversary, particularly targeting hospitals in the United States. Between 2018 and 2021, the group executed a staggering 235 confirmed attacks, raking in over $100 million through their relentless ransom demands in 2020 alone. Employing hostile diplomatic relations with their targets, Ryuk often resorts to intimidation when payment is refused. This targeted approach has not only financial implications but also raises concerns about the safety and well-being of those relying on critical healthcare services. 

Tactics Evolution

The ransomware gang has not remained stagnant in their approach. Ryuk continually modifies its malware types and techniques, transitioning from the infamous Trickbot and Emotet to more sophisticated tools like BazarLoader and BazarBackdoor. These advanced tools come at a higher cost but prove to be more effective, eluding detection by many endpoint security systems. Ryuk’s ability to adapt and evolve highlights the dynamic nature of cyber threats, requiring organizations to stay one step ahead in their defense strategies. 

Deceptive Phishing Tactics 

Ryuk employs a sophisticated and diverse range of phishing tactics to infiltrate its targets. These maneuvers include posing as legal professionals or other individuals, initiating discussions on specific topics, or even claiming local affiliations, thereby introducing an additional layer of intricacy to their operations. Operating as a service, Ryuk consistently dispatches these deceptive emails on a daily basis. This relentless approach has proven highly effective, evident in instances where multiple hospitals across the USA fell victim to the same threat actors in a single day. The repercussions of their attacks on healthcare institutions are alarming, as the group strategically targets vulnerable systems, resulting in substantial disruptions to emergency care services.

Impact on healthcare

The recovery process for hospitals can span weeks, leading to disruptions in essential services. A distressing example from Manchester highlights the consequences of such attacks, where a hospital was unable to take immediate action because essential medical files, including X-rays and CT scans, had been encrypted. Research has also shown that ransomware attacks have resulted in fatalities. In Germany, for instance, Dusseldorf Hospital had to redirect an emergency case involving an elderly woman with an aneurysm to another hospital in Wuppertal, 20 miles away. Tragically, a baby born with a brain injury in Alabama lost their life because the attackers had ransomed the hospital, rendering all computers offline. The collateral damage extends beyond financial loss, affecting patient care and endangering lives.

Conti: Ryuk Restructured

Ryuk reorganized as Conti to employ a diverse array of tactics designed to infiltrate and compromise targeted systems. One distinctive characteristic of Conti’s operations is its collaboration with another gang known as Maze, utilizing RDP (Remote Desktop Protocol) brute force attacks to gain unauthorized access. In an RDP brute force attack, the attacker typically uses automated tools or scripts to repeatedly try different username and password combinations until they find the correct credentials that grant access to the targeted system. 
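From the defender's side, the RDP brute-force pattern described above is one of the easier intrusion precursors to detect, because every failed attempt leaves a Windows Security event (4625, failed logon) and the eventual success leaves a 4624. Here is an added example (not code from the article or from any product) of detection logic run over a few constructed log lines: it counts RDP-type failures (logon type 10) per source address within a sliding window, raises one alert when the count crosses a threshold, and raises a second, higher-priority alert if a successful logon from that same source follows the burst. The line format, threshold and window are assumptions for the demo; real collectors emit the same fields in their own layout.

```python
"""Added illustration: sliding-window detection of RDP brute force and of
"success after brute force" over constructed Windows logon events."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). 203.0.113.7 hammers the
# administrator account and then logs in; 198.51.100.5 is a user with one typo;
# the LogonType=3 line is a network logon and is ignored by an RDP rule.
SAMPLE_EVENTS = """\
2024-01-15T10:00:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-01-15T10:00:04Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-01-15T10:00:05Z EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=192.0.2.10
2024-01-15T10:00:07Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2024-01-15T10:00:09Z EventID=4625 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.5
2024-01-15T10:00:10Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-01-15T10:00:13Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-01-15T10:00:15Z EventID=4624 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.5
2024-01-15T10:00:16Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-01-15T10:00:20Z EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)
RDP_LOGON_TYPE = 10  # RemoteInteractive: Terminal Services / RDP


def parse_events(text: str):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        }


def detect_rdp_bruteforce(text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Return alerts as tuples. Assumed thresholds: 5 failures in 60 s."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # source ip -> timestamps of recent 4625s
    alerted = set()
    alerts = []
    for ev in parse_events(text):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = failures[ev["ip"]]
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["event_id"] == 4625:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in alerted:
                alerted.add(ev["ip"])
                alerts.append(("rdp_bruteforce", ev["ip"], len(q)))
        elif ev["event_id"] == 4624 and len(q) >= threshold:
            # Success following a burst of failures: treat as likely compromise.
            alerts.append(("success_after_bruteforce", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures alone may be a misconfigured client, but a success right after it is the moment the intrusion becomes real. In production the same rule usually keys on account as well as source address, and the mitigation that removes the whole class is not exposing RDP to the internet at all (gateway plus MFA), which this detection complements rather than replaces.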

Unlike its predecessor, Conti strategically avoids targeting former Soviet countries and promptly exits systems configured with the Russian language, showcasing a level of sophistication and strategic selectiveness.

Unique Tactics

Conti's approach extends to its exploitation of vulnerabilities during the COVID-19 pandemic. Notably, the group poses a substantial threat to the United Kingdom by actively targeting hospitals. Unlike traditional ransomware, Conti utilizes various strains that combine the RSA and AES algorithms, enhancing the complexity of their attacks and making decryption more challenging.

Examples of Conti's impact on organizations are particularly distressing. The group not only encrypts essential data but also engages in the extortion of sensitive information. In a significant departure from conventional ransom practices, Conti sells the victim's data on the dark web even after the ransom has been paid. This dual-threat approach intensifies the consequences for organizations, as they face not only the immediate aftermath of a ransomware attack but also the potential exposure and exploitation of confidential information.

Threat Dynamics

The collaboration between Conti and other threat actors, coupled with its ability to adapt and innovate in its tactics, presents an ongoing challenge for cybersecurity professionals. The United States government, recognizing the severity of the threat, has imposed fines for disclosing information about the criminal organization. Despite these measures, Conti’s impact is far-reaching, emphasizing the urgent need for advanced cybersecurity strategies, threat intelligence sharing, and international cooperation to mitigate the evolving risks posed by such sophisticated ransomware groups. 

Conclusion

As ransomware gangs continue to wreak havoc, it is imperative for organizations, especially in critical sectors like healthcare, to bolster their cybersecurity defenses. By understanding their threats and strategies, we’ve provided a foundation for organizations to strengthen their security posture. Identifying these harmful forces is the first step in securing your organization against the continually changing landscape of cyber threats. In part two of this series, we’ll explore Maze and Lockbit, offering insights to help you navigate the intricate world of ransomware threats. Stay tuned for a detailed examination of their approaches and impacts as we continue to enhance cybersecurity awareness. 

You can read part 2 of the series here.

Navigating the Landscape: Understanding New Regulations Around AI

Table of Content

  1. Evolving Regulatory Landscape: A Closer Look
  2. Building a Responsible AI Future

In the fast-paced realm of AI, the transformative impact on various industries is undeniable. From content creation to marketing strategies, data analysis to strategic planning, AI has become an indispensable tool for businesses seeking efficiency and innovation. Surveys reveal that over half of the US workforce is already incorporating AI into their daily tasks, with a substantial 56% utilizing generative AI, according to a recent study by The Conference Board. Astonishingly, nearly one in ten workers engages with this technology on a daily basis.

The benefits are not just anecdotal: studies, such as the one conducted by MIT, underscore the tangible advantages of AI integration. Worker productivity sees a remarkable boost of 14%, signaling a significant stride toward more effective and streamlined operations. The message is clear: adapt or risk being left behind. Those who embrace AI are not only staying ahead of the curve but are positioned to replace those slow to adopt.

However, the rise of AI is not without its challenges. A study by Deloitte reveals a paradoxical landscape where executives recognize the immense benefits of generative AI but acknowledge the substantial risks it poses. A staggering 57% of respondents highlighted the potential ethical concerns associated with these tools. The pivotal ethical principles deemed most important by leaders include responsibility (21%), safety and security (19%), and accountability (11%) when navigating emerging technologies. 

So, what does this mean for the AI landscape? How can we strike a balance between harnessing the benefits of this transformative technology and mitigating the inherent ethical and security risks? In the following sections, we’ll delve into the evolving regulatory landscape surrounding AI, exploring the standards being set to ensure responsible and secure implementation. 

Evolving Regulatory Landscape: A Closer Look

In response to the ethical and security challenges posed by AI, regulatory bodies around the world are beginning to take action, recognizing the need to shape the trajectory of AI use. Governments and industry organizations are working to set standards that govern AI use, from conception to deployment. This multifaceted approach involves addressing not only the technical aspects of AI but also its broader societal impact. Below, we explore some of the notable developments in the regulatory landscape.

European Union’s AI Act

The European Union (EU) has taken a bold step by proposing the AI Act, a comprehensive regulatory framework aimed at governing AI systems. The act classifies AI applications into high, medium, and low-risk categories, each subject to varying degrees of regulatory scrutiny. High-risk applications, such as critical infrastructure and biometric identification, face stringent requirements to ensure safety and transparency. The proposed regulations also include provisions for fines of up to 6% of a company’s global turnover for non-compliance. 

United States Federal Initiatives 

In the United States, federal agencies are actively considering measures to regulate AI. The National Institute of Standards and Technology (NIST) has released guidelines outlining the ethical principles that organizations should consider when developing and deploying AI systems. Additionally, discussions around the establishment of a dedicated regulatory body for AI are gaining traction. 

Collaboration Through International Standards

Recognizing the global nature of AI development and deployment, international collaboration is emerging as a key aspect of regulation. Organizations like the International Organization for Standardization (ISO) are working on developing international standards for AI to ensure consistency and coherence across borders. 

Striking a Balance: Responsible AI Implementation

As regulations take shape, organizations must proactively address the ethical considerations associated with AI. Striking a balance between technological progress and ethical responsibility involves several key steps: 

Ethical Frameworks and Guidelines 

Developing and adhering to comprehensive ethical frameworks and guidelines is crucial. This involves defining the principles that govern the use of AI within an organization, addressing concerns related to bias, transparency, and accountability. A well-established ethical framework not only ensures responsible AI implementation but also fosters trust among stakeholders. Regular updates and continuous evaluation of these guidelines are essential to adapt to evolving technological landscapes and emerging ethical challenges in the field of artificial intelligence. 

Continuous Monitoring and Auditing 

Implementing mechanisms for continuous monitoring and auditing of AI systems is essential. Regular assessments can help identify and rectify ethical issues as they arise, ensuring that AI systems align with established ethical standards. A robust continuous monitoring and auditing process provides organizations with the opportunity to track the performance and impact of AI systems over time. This iterative approach not only enhances the responsiveness to ethical concerns but also facilitates the refinement of algorithms, contributing to the ongoing improvement of ethical practices in AI. 

Transparency in AI Decision-Making 

Ensuring transparency in AI decision-making processes is a cornerstone of responsible implementation. Users and stakeholders should have a clear understanding of how AI systems arrive at their conclusions, promoting trust and accountability. Additionally, transparent AI decision-making not only empowers users to make informed choices but also facilitates the identification and mitigation of biases within the algorithms. By providing visibility into the decision processes, organizations can foster a greater sense of accountability and ethical responsibility. 

Inclusive Development Practices

Promoting inclusive development practices involves diverse and representative teams working on AI projects. This helps mitigate biases and ensures that AI systems are designed to serve a broad spectrum of users without inadvertently discriminating against certain groups. Embracing inclusive development practices fosters innovation by bringing varied perspectives to the table, ultimately leading to more robust and effective AI solutions. By prioritizing diversity in teams, organizations can better address the nuanced needs and preferences of a diverse user base, enhancing the overall inclusivity and impact of AI applications. 

Building a Responsible AI Future

As AI continues its unprecedented integration into our professional and personal lives, navigating the landscape of regulations becomes imperative. The ethical considerations surrounding AI demand a delicate balance between progress and responsibility. With evolving regulatory frameworks and proactive organizational strategies, we can pave the way for a future where AI serves as a force for good, driving innovation without compromising ethical standards. As businesses and governments collaborate on setting the right standards, the roadmap to a responsible AI future becomes clearer, ensuring that the benefits of AI are harnessed while safeguarding against potential risks. It’s not just about embracing AI; it’s about embracing it responsibly for a better and more ethical future. 

Europe Takes a Historic Leap in AI Regulation with the Landmark AI Act

On December 8, 2023, the European Union took a bold step in the realm of technology regulation by agreeing on a groundbreaking new law, called the AI Act, to regulate artificial intelligence. This move marks one of the world’s first comprehensive legislative efforts to put checks on the use of a technology that’s rapidly reshaping society and the economy.

Understanding the AI Act

The AI Act, which is not yet available, sets a new global benchmark for managing the potential benefits and risks associated with artificial intelligence. This legislation is not just about leveraging AI’s potential in driving innovation but also about mitigating its risks – from job automation to the proliferation of misinformation and threats to national security.

Focus on High-Risk Applications

EU policymakers have zeroed in on AI’s riskiest applications, particularly those employed by companies and governments in crucial sectors like law enforcement and essential services like water and energy. General-purpose AI systems, which power tools like the ChatGPT chatbot, will now be subjected to stringent transparency requirements. The legislation mandates clear disclosure when chatbots and software generating deepfakes are involved, ensuring users are aware of AI’s involvement.

Regulating Facial Recognition and Other AI Tools

In a significant move, the use of facial recognition software by police and governments will be tightly regulated, with exceptions only for specific safety and national security scenarios. Violating these regulations could lead to hefty fines, up to 7% of global sales.

Challenges and Effectiveness of the AI Act

While the AI Act is a regulatory breakthrough, its effectiveness remains a question. The implementation of many policy aspects will take 12 to 24 months – a considerable timeframe given the rapid pace of AI development. Moreover, the final language of the policy and its balancing act between fostering innovation and ensuring safety was a contentious issue until the last stages of negotiation.

The Road to Agreement

The agreement, reached after intense negotiations in Brussels, is not yet public as technical details are still being finalized. The AI Act now awaits votes in the European Parliament and the European Council. This exhaustive legislative process reflects the high stakes and complexities involved in regulating a technology as influential and pervasive as AI.

Global Context and Urgency

The urgency to regulate AI gained momentum with the advent of technologies like ChatGPT, which highlighted AI’s advancing capabilities. This global phenomenon has prompted actions beyond Europe, with the U.S. administration focusing on AI’s national security implications. Meanwhile, other countries like Britain, Japan, and China have adopted varied stances on AI regulation.

Europe’s Pioneering Role in AI Regulation

The EU has been at the forefront of AI regulation, having initiated discussions around what would become the AI Act as early as 2018. The region’s approach to tech regulation mirrors that of the healthcare or banking industries, with comprehensive laws on data privacy, competition, and content moderation already in place.

Evolving Legislation in the Face of Technological Advances

Originally drafted in 2021, the AI Act had to be continually updated to keep pace with technological breakthroughs, especially regarding general-purpose AI models like those behind ChatGPT. The final agreement adopts a “risk-based approach” to AI regulation, focusing on applications with the greatest potential for societal and individual harm.

Impact on AI Development and Usage

This legislation will profoundly impact not just major AI developers like Google, Meta, Microsoft, and OpenAI, but also myriad businesses and governmental functions that integrate AI into their operations. The focus will be on ensuring that AI tools, especially in sensitive areas like hiring, education, and healthcare, are developed and deployed with due diligence, ensuring they do not perpetuate biases or cause unintended harm.

Enforcement Challenges and Global Implications

Enforcing the AI Act across 27 nations will be a colossal task, requiring significant expertise and resources. The act’s implementation will likely see legal challenges, testing its robustness and effectiveness. This legislation will be closely observed worldwide, setting a precedent for how AI is regulated globally.

Conclusion

The AI Act marks a pivotal moment in the journey of AI from an unregulated frontier to a technology governed by principles of safety, transparency, and accountability. As AI continues to permeate every aspect of our lives, the balance between innovation and regulation will be crucial. The EU, with its AI Act, sets a path for the rest of the world to follow, initiating a new era of tech governance where human welfare and technological advancement go hand in hand.

Bright Security Featured in G2 Winter Report’s Dynamic Application Security Testing Category

We are thrilled to share the exciting news that Bright Security has been prominently featured in the G2 Winter Report, a testament to our commitment to delivering top-notch cybersecurity solutions. This prestigious recognition comes from G2, the world’s most extensive and trusted tech marketplace, where users explore, evaluate, and manage software solutions through genuine and timely reviews. Bright’s recognition in the G2 Winter Report reflects our unwavering commitment to customer satisfaction. 

Bright Security has been listed in the following three sections of the Winter 2024 report:

  • Relationship Index for Dynamic Application Security Testing (DAST) 
  • Grid® Report for Dynamic Application Security Testing (DAST) 
  • Americas Regional Grid® Report for Dynamic Application Security Testing

G2 Winter Report Spotlight

Bright Security has achieved a noteworthy position in the Dynamic Application Security Testing (DAST) category, securing its place among the high performers. The G2 Winter Report ranks companies based on authentic user feedback, providing valuable insights into the latest market trends in technology and software. This acknowledgement underscores Bright’s dedication to delivering a trusted solution, as reflected in our high customer satisfaction scores.

In the company of industry leaders such as Intruder, NowSecure, Contrast Security, StackHawk, APPCHECK, SOOS SCA + DAST, DerScanner, Indusface WAS, Astra Pentest, Pentest-Tools.com, and Beagle Security, Bright reaffirms its commitment to excellence and innovation in the realm of cybersecurity. This recognition highlights our dedication to providing cutting-edge solutions that meet the evolving needs of the industry. 

Relationship Index and Customer Satisfaction

Bright has also achieved an impressive score of 8.42 on the relationship index. This score highlights our dedication to building strong relationships with our clients. Factors contributing to this index include the ease of doing business with us, the quality of support we provide, and the likelihood of our users recommending our services. 

Our Mission

Legacy DAST solutions often fall short in keeping up with the speed required for modern business operations. Recognizing this gap, Bright is taking a developer-centric approach to DAST to enable organizations to ship secure applications and APIs at the speed of business. 

Bright empowers developers by putting DAST in their hands. Our solution enables quick and iterative scans, identifying true and critical security vulnerabilities without compromising on quality or software delivery speed. This approach allows AppSec teams to provide governance for security in APIs and web apps while enabling developers to take ownership of security testing and remediation work early in the Software Development Life Cycle (SDLC).

At Bright, we believe in a holistic approach to cybersecurity that doesn’t sacrifice speed for security. Our solution is designed to seamlessly integrate with the development process, ensuring that security is an integral part of every stage. By enabling developers to actively participate in the security testing and remediation process, we ensure a balance between quality and speed.

Bright's G2 Profile

In the quest to make informed decisions about a product or service, the opinions of others carry significant weight. At Bright, we recognize the importance of customer feedback in guiding potential users toward the right solution. We take pride in the fact that our customers have given us an overall rating of 4.8 out of 5 stars in their reviews. As a snapshot of the collective sentiment in 2023, here are a few testimonials that showcase the satisfaction and trust our customers have in our product:

If you are interested in reading more, check out our full profile here. 

Book a Demo and Elevate Your Organization’s Security Posture

Are you ready to take your Dynamic Application Security Testing to the next level? Book a call with our sales team to discover how our solution can leverage your organization’s security posture. We are dedicated to providing cutting-edge cybersecurity solutions that empower your team, enhance security, and accelerate your business.
