In IT environments, some secrets are managed well and some fly under the radar. Here’s a quick checklist of what kinds of secrets companies typically manage, including one type they should manage:

Passwords [x]
TLS certificates [x]
Accounts [x]
SSH keys ???

The secrets listed above are typically secured with privileged access management (PAM) solutions or similar. Yet, most traditional PAM

In IT environments, some secrets are managed well and some fly under the radar. Here's a quick checklist of what kinds of secrets companies typically manage, including one type they should manage:

*   Passwords \[x\]
*   TLS certificates \[x\]
*   Accounts \[x\]
*   SSH keys ???

The secrets listed above are typically secured with privileged access management (PAM) solutions or similar. Yet, most traditional PAM vendors hardly talk about SSH key management. The reason is simple: they don't have the technology to do it properly.

We can prove it. All our SSH key management customers have had a traditional PAM deployed, but they realized that they couldn't manage SSH keys with it. At best, traditional PAMs can discover, let alone manage, 20% of all keys.

****So, what's the fuss about SSH keys?****

SSH keys are access credentials in the Secure Shell (SSH) protocol. In many ways, they're just like passwords but functionally different. On top of that, keys tend to outnumber passwords, especially in long-standing IT environments, by the ratio of 10:1. While only some passwords are privileged, **_almost all SSH keys_** open doors to something valuable.

One key can also open doors to multiple servers, just like a skeleton key in old manors. A root key allows admin access to a single server or multiple ones. After conducting a risk assessment with us, one of our customers discovered a root key that allowed access to ALL their servers.

Another risk is that anyone can self-provision SSH keys. They aren't centrally managed, and it's by design. This is why key proliferation is a lingering problem in large-scale IT environments.

There's even more: Keys don't come with an identity by default, so sharing or duplicating them is very easy. Also, with third parties. By default, keys never expire.

On top of it all, there are interactive and automated connections, the latter of which are more prevalent. Millions of automated application-to-application, server-to-server, and machine-to-machine connections are being run using SSH every day, but not enough organizations (most of them our customers) have control over machine SSH credentials.

I'm sure you got the point: your IT environment might be littered with keys to your kingdom, but you don't know how many there are, who's using them, which ones are legit and which ones should be deleted, keys don't have a best-before date, and more can be created at will without proper oversight.

The key problem is your key problem.

****Why can't traditional PAMs handle SSH keys**?**

Because SSH keys are functionally different from passwords, traditional PAMs don't manage them very well. Legacy PAMs were built to vault passwords, and they try to do the same with keys. Without going into too much detail about key functionality (like public and private keys), vaulting private keys and handing them out at request simply doesn't work. Keys must be secured at the server side, otherwise keeping them under control is a futile effort.

Furthermore, your solution needs to discover keys first to manage them. Most PAMs can't. There are also key configuration files and other key(!) elements involved that traditional PAMs miss. Read more in the following document:

****Your PAM isn't complete without SSH key management****

Even if your organization manages 100% of your passwords, the chances are that you're still missing 80% of your critical credentials if you aren't managing SSH keys. As the inventors of the Secure Shell (SSH) protocol, we at SSH Communications Security are the original source of the access credential called the SSH key. We know the ins and outs of their management.

****Your PAM is not future-proof without credential-less access****

Let's come back to the topic of passwords. Even if you have them vaulted, you aren't managing them in the best possible way. Modern, dynamic environments - using in-house or hosted cloud servers, containers, or Kubernetes orchestration - don't work well with vaults or with PAMs that were built 20 years ago.

This is why we offer modern ephemeral access where the secrets needed to access a target are granted just-in-time for the session, and they automatically expire once the authentication is done. This leaves no passwords or keys to manage - at all. Our solution is also non-intrusive: implementing it requires minimal changes to your production environment.

How's that for reducing the attack surface, eliminating complexity, saving on costs, and minimizing risk? Read more here:

So, the best way to manage passwords AND keys is **_not to have to manage them at all_** and move to ephemeral secrets management instead. Like this:

****"I wish I was still rotating passwords and keys." Said no customer ever!****

Once you go credential-less, you don't go back. Take it from our customers who have rated our solution with an NPS score of 71 – which is astronomical in the cybersecurity field.

Traditional PAMs have worked well so far, but it's time to future-proof your environment with a modern solution that allows you to go passwordless and keyless. At a pace comfortable to you.

Check out our PrivX Zero Trust Suite to learn how to do access and secrets management in a comprehensive manner.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Passwordless AND Keyless: The Future of (Privileged) Access Management

An Iranian advanced persistent threat (APT) threat actor likely affiliated with the Ministry of Intelligence and Security (MOIS) is now acting as an initial access facilitator that provides remote access to target networks.
Google-owned Mandiant is tracking the activity cluster under the moniker UNC1860, which it said shares similarities with intrusion sets tracked by Microsoft, Cisco Talos, and

An Iranian advanced persistent threat (APT) threat actor likely affiliated with the Ministry of Intelligence and Security (MOIS) is now acting as an initial access facilitator that provides remote access to target networks.

Google-owned Mandiant is tracking the activity cluster under the moniker **UNC1860**, which it said shares similarities with intrusion sets tracked by Microsoft, Cisco Talos, and Check Point as Storm-0861 (formerly DEV-0861), ShroudedSnooper, and Scarred Manticore, respectively.

"A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that \[...\] supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East," the company said.

The group first came to light in July 2022 in connection with destructive cyber attacks targeting Albania with a ransomware strain called ROADSWEEP, the CHIMNEYSWEEP backdoor, and a ZEROCLEAR wiper variant (aka Cl Wiper), with subsequent intrusions in Albania and Israel leveraging new wipers dubbed No-Justice and BiBi (aka BABYWIPER).

Mandiant described UNC1860 as a "formidable threat actor" that maintains an arsenal of passive backdoors that are designed to obtain footholds into victim networks and set up long-term access without attracting attention.

Among the tools includes two GUI-operated malware controllers tracked as TEMPLEPLAY and VIROGREEN, which are said to provide other MOIS-associated threat actors with remote access to victim environments using remote desktop protocol (RDP).

Specifically, these controllers are designed to provide third-party operators an interface that offers instructions on the ways custom payloads could be deployed and post-exploitation activities such as internal scanning could be carried out within the target network.

Mandiant said it identified overlaps between UNC1860 and APT34 (aka Hazel Sandstorm, Helix Kitten, and OilRig) in that organizations compromised by the latter in 2019 and 2020 were previously infiltrated by UNC1860, and vice versa. Furthermore, both the clusters have been observed pivoting to Iraq-based targets, as recently highlighted by Check Point.

The attack chains involve leveraging initial access gained by opportunistic exploitation of vulnerable internet-facing servers to drop web shells and droppers like STAYSHANTE and SASHEYAWAY, with the latter leading to the execution of implants, such as TEMPLEDOOR, FACEFACE, and SPARKLOAD, that are embedded within it.

"VIROGREEN is a custom framework used to exploit vulnerable SharePoint servers with CVE-2019-0604," the researchers said, adding that it controls STAYSHANTE, along with a backdoor referred to as BASEWALK.

"The framework provides post-exploitation capabilities including \[...\] controlling post-exploitation payloads, backdoors (including the STAYSHANTE web shell and the BASEWALK backdoor) and tasking; controlling a compatible agent regardless of how the agent has been implanted; and executing commands and uploading/downloading files.

TEMPLEPLAY (internally named Client Http), for its part, serves as the .NET-based controller for TEMPLEDOOR. It supports backdoor instructions for executing commands via cmd.exe, upload/download files from and to the infected host, and proxy connection to a target server.

It's believed that the adversary has in its possession a diverse collection of passive tools and main-stage backdoors that align with its initial access, lateral movement, and information gathering goals.

Some of the other tools of note documented by Mandiant are listed below -

*   OATBOAT, a loader that loads and executes shellcode payloads
*   TOFUDRV, a malicious Windows driver that overlaps with WINTAPIX
*   TOFULOAD, a passive implant that employs undocumented Input/Output Control (IOCTL) commands for communication
*   TEMPLEDROP, a repurposed version of an Iranian antivirus software Windows file system filter driver named Sheed AV that's used to protect the files it deploys from modification
*   TEMPLELOCK, a .NET defense evasion utility that's capable of killing the Windows Event Log service
*   TUNNELBOI, a network controller capable of establishing a connection with a remote host and managing RDP connections

"As tensions continue to ebb and flow in the Middle East, we believe this actor's adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift," researchers Stav Shulman, Matan Mimran, Sarah Bock, and Mark Lechtik said.

The development comes as the U.S. government revealed Iranian threat actors' ongoing attempts to influence and undermine the upcoming U.S. elections by stealing non-public material from former President Donald Trump's campaign.

"Iranian malicious cyber actors in late June and early July sent unsolicited emails to individuals then associated with President Biden's campaign that contained an excerpt taken from stolen, non-public material from former President Trump's campaign as text in the emails," the government said.

"There is currently no information indicating those recipients replied. Furthermore, Iranian malicious cyber actors have continued their efforts since June to send stolen, non-public material associated with former President Trump's campaign to U.S. media organizations."

Iran's ramping up of its cyber operations against its perceived rivals also comes at a time when the country has become increasingly active in the Middle East region.

Late last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that the Iranian APT Lemon Sandstorm (aka Fox Kitten) has carried out ransomware attacks by clandestinely partnering with NoEscape, RansomHouse, and BlackCat (aka ALPHV) groups.

Censys' analysis of the hacking group's attack infrastructure has since uncovered other, currently active hosts that are likely part of it based on commonalities based on geolocation, Autonomous System Numbers (ASNs), and identical patterns of ports and digital certificates.

"Despite attempts at obfuscation, diversion, and randomness, humans still must instantiate, operate, and decommission digital infrastructure," Censys' Matt Lembright said.

"Those humans, even if they rely upon technology to create randomization, almost always will follow some sort of pattern whether it be similar Autonomous Systems, geolocations, hosting providers, software, port distributions or certificate characteristics."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iranian APT UNC1860 Linked to MOIS Facilitates Cyber Intrusions in Middle East

Google on Thursday unveiled a Password Manager PIN to let Chrome web users sync their passkeys across Windows, macOS, Linux, ChromeOS, and Android devices.
"This PIN adds an additional layer of security to ensure your passkeys are end-to-end encrypted and can't be accessed by anyone, not even Google," Chrome product manager Chirag Desai said.
The PIN is a six-digit code by default, although it's

Encryption / Digital Security

Google on Thursday unveiled a Password Manager PIN to let Chrome web users sync their passkeys across Windows, macOS, Linux, ChromeOS, and Android devices.

"This PIN adds an additional layer of security to ensure your passkeys are end-to-end encrypted and can't be accessed by anyone, not even Google," Chrome product manager Chirag Desai said.

The PIN is a six-digit code by default, although it's also possible to create a longer alpha-numeric PIN by selecting "PIN options."

This marks a change from the previous status quo where users could only save passkeys to save passkeys to Google Password Manager on Android.

While the passkeys could be used on other platforms, it was necessary to scan a QR code using the device where they were generated.

The latest change removes that step, making it a lot easier for users to sign in to online services using passkeys by simply scanning their biometrics. Google noted that support for iOS is expected to arrive soon.

This, however, requires the users to know either the Password Manager PIN or the screen lock for their Android devices before using passkeys on a new device.

"These recovery factors will allow you to securely access your saved passkeys and sync new ones across your computers and Android devices," Desai said.

The development comes as the tech giant said passkeys are being used by more than 400 million Google accounts as of May 2024. Two months later, the phishing-resistant alternative was made available to high-risk users via its Advanced Protection Program (APP).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chrome Users Can Now Sync Passkeys Across Devices with New Google PIN Feature

Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild.
The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was "incidentally addressed" by the company as part of CSA 4.6 Patch 519 and CSA 5.0.
"Path Traversal in the Ivanti CSA before 4.6 Patch

Enterprise Security / Network Security

Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild.

The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was "incidentally addressed" by the company as part of CSA 4.6 Patch 519 and CSA 5.0.

"Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality," the company said in a Thursday bulletin.

It also noted that the flaw could be chained with CVE-2024-8190 (CVSS score: 7.2), permitting an attacker to bypass admin authentication and execute arbitrary commands on the appliance.

Ivanti has further warned that it's "aware of a limited number of customers who have been exploited by this vulnerability," days after it disclosed active exploitation attempts targeting CVE-2024-8190.

This indicates that the threat actors behind the activity are combining the twin flaws to achieve code execution on susceptible devices.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 10, 2024.

Users are highly recommended to upgrade to CSA version 5.0 as soon as possible, as version 4.6 is end-of-life and no longer supported.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks

How the Kimsuky nation-state group and other threat actors are exploiting poor email security — and what organizations can do to defend themselves.

Dr. Sean Costigan, Managing Director, Resilience Strategy, Red Sift

September 20, 2024

5 Min Read

Source: Brian Jackson via Alamy Stock Photo

COMMENTARY

With heightened geopolitical tensions, a surge in cyberattacks on US and allied organizations by a North Korean cyber-espionage group is hardly unexpected. What is disquieting, however, is that an advanced persistent threat (APT) group known as Kimsuky has seen remarkable success by turning a defensive strength into a weakness — exploiting poorly configured Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to carry out spear-phishing campaigns to secure advantage.

A May 2 advisory from the FBI, the National Security Agency (NSA), and the US State Department stated that Kimsuky, acting as an arm of North Korea's Reconnaissance General Bureau (RGB), has been sending spoofed emails to individuals in high-profile think tanks, media outlets, nonprofits, academia, and other organizations. The emails are part of an intelligence campaign to troll for information on geopolitics and foreign policy plans, particularly related to nuclear policies, sanctions, and other sensitive concerns involving the Korean peninsula.    

With sanctions biting, North Korea has developed a formidable cybercrime capability to generate liquidity for the regime. However, in this case, we see Kimsuky threat actors alter their focus to intelligence operations, targeting troves of information held by trusted parties and prominent organizations. Although the ongoing campaign has complex geopolitical implications, effectively defending against these attacks fundamentally relies on robust, actionable, and properly executed cyber-hygiene practices.

Related:Singapore Arrests 6 Suspected Members of African Cybercrime Group

**DMARC Misconfigurations Are Too Common**

Kimsuky is using trusted networks with improperly configured or missing DMARC to spoof legitimate domains and impersonate trusted personalities and organizations. The DMARC protocol was created to stop the compromise of user accounts and hinder the very types of social engineering at work here.

This is how it's supposed to work: DMARC allows email recipients to verify an email's origin through the Domain Name System (DNS), ensuring that threat actors cannot spoof legitimate domains. DMARC checks the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records for an incoming email and, if it does not appear to be legitimate, tells the receiving email server what to do next.

But as Kimsuky's attacks have shown, that only works if DMARC services are properly configured. As the IC3 advisories detail, misconfigurations are far too common or policies are poorly defined by the domain owners. For some organizations, self-managing DMARC may seem cost-effective, but it can also lead to significant oversights, including increasing vulnerabilities, failing to pay heed to evolving threats, missing sound compliance reporting, and creating a false sense of security.  

Related:Indian Army Propaganda Spread by 1.4K AI-Powered Social Media Accounts

**What North Korea's Attack Looks Like**

Kimsuky's spear-phishing campaigns may begin with an innocuous email from a seemingly credible source, building trust before sending a subsequent email with a malicious link or attachment. The group then uses successful compromises to escalate attacks with more credible spear-phishing emails aimed at higher-value targets.

The group focuses its intelligence-gathering activities against South Korea, Japan, and the United States, targeting individuals identified as experts in various fields. According to a subsequent advisory from the Cybersecurity and Infrastructure Security Agency (CISA), think tanks and South Korean government entities have also been targeted.  

One real-world example from the FBI-NSA advisory had a subject line reading: "\[Invitation\] US Policy Toward North Korea Conference." The message, seemingly from a known university, begins: "I hope you and your family are enjoying a lovely holiday and a restful season. It is my privilege to invite you to provide a keynote address for a private workshop, hosted by the \[legitimate think tank\] to discuss the U.S. policy toward North Korea." As further inducement, the email also offers a $500 speaker's fee.

Related:Chinese Threat Actors Use MSI Files to Bypass Windows, VT Detection

Another email had the subject line "Questions about N. Korea," with the writer posing as a journalist from a legitimate media outlet and requesting an interview, followed by a broad outline of North Korea's nuclear activities.

In the university example, the email received a "pass" from SPF and DKIM checks, suggesting the attacker gained access to the university's legitimate email client. And although DMARC returned a "fail" because the sender's email domain differed from SPF and DKIM records for the legitimate source, the organization's DMARC policy was not set to take filtering action, so the message was delivered. In the second case, no DMARC policy was present, allowing the attacker to spoof the journalist's name and the news organization's email domain.

**Why DMARC Matters**

The US government's advisories offer compelling reasons for organizations to secure their digital estates. Kimsuky is not alone among APTs nor, more broadly, cybercriminals who work for profit: Lessons are shared and all are becoming increasingly savvy at targeting misconfigurations and weaknesses.

Securing and properly configuring DMARC is key since it improves organizational cyber hygiene and broadly protects against ubiquitous threats like business email compromise and ransomware email attacks.

Notably, industry or regulatory requirements may already make DMARC a requirement for your organization. As of February 2024, Google and Yahoo have required DMARC for organizations sending large volumes of email, and Microsoft is reportedly planning to follow suit. Additionally, the PCI DSS 4.0 requires implementation of DMARC. According to BIMI Radar, since the FBI's May 2 advisory, DMARC adoption globally has grown from 3.74 million organizations to 5.71 million organizations, as of June 17. 

There's a business imperative at work as well. Organizations must prioritize cyber hygiene to safeguard their digital assets, prevent data breaches, and protect against evolving cybersecurity threats. DMARC should be part of your organization's cyber posture. When properly managed, not only does it ensure better deliverability, provide protection against phishing and business email compromise (BEC), and enable the deployment of Brand Indicators for Message Identification (BIMI), but it can help close doors against nation-state espionage and cybercrime.

**About the Author**

Managing Director, Resilience Strategy, Red Sift

Sean Costigan is an expert in emerging security challenges and a highly sought-after speaker on technology and national security. He is the lead for NATO’s cybersecurity curriculum and is widely published on national security matters relating to information security and hybrid threats. He is also a Professor at the George C. Marshall Center, where he educates on global cybersecurity, hybrid warfare, crime, and national security.

North Korean APT Bypasses DMARC Email Policies in Cyber-Espionage Attacks

Mastercard's $2.65 billion deal to acquire the threat intelligence provider will boost the credit-card company's AI-based cybersecurity protection capabilities.

Source: SOPA Images Limited via Alamy Stock Photo

The largest credit-card providers have made sizeable investments in advanced cybersecurity capabilities in recent years, but Mastercard is upping the ante with last week's agreement to buy Recorded Future from Insight Partners for $2.65 billion.

The deal, scheduled to close in the first quarter of 2025, would mark the second-largest acquisition in Mastercard's 58-year history. The price tag also nearly equals the $3 billion Mastercard is estimated to have previously spent on nine cybersecurity-related companies since launching its cybersecurity business unit in 2017, Strategy of Security analyst Cole Grolmus wrote on LinkedIn.

Recorded Future says it has 1,900 customers worldwide, including governments and half of the Fortune 100. According to a recent Frost & Sullivan report, the Recorded Future Intelligence Cloud hosts one of the largest threat repositories in the world. Recorded Future's Collective Insights integrates broadly with governance, risk, and compliance; third-party risk management; attack surface management; and other analytics tools, a May 2024 Forrester Research report noted.

"Combining Recorded Future's threat intelligence capabilities with Mastercard's extensive insight and knowledge of and partnership with merchants and financial institutions should provide greater protection to digital payment transactions," says Forrester principal research analyst Brian Wrozek. "This also gives Mastercard more direct control over a critical cybersecurity capability: threat intelligence."

Last year, Recorded Future added OpenAI's GPT model to the threat intelligence platform to enhance its real-time analytics capabilities. Using the pretrained transformer model, Recorded Future AI includes 10 years of threat analysis from its Insikt Group threat research subsidiary, which is integrated with the Recorded Future Intelligence Graph.

**Expanding Threat Intelligence Capabilities**

Mastercard has been investing in threat and risk intelligence capabilities for over a decade. In 2014, Mastercard launched SafetyNet, a tool to detect risks based on activity throughout its network. SafetyNet thwarted $20 billion in fraud attempts directed at its network in 2023, says Johan Gerber, Mastercard's EVP of security solutions.

"It's our AI-enabled Decision Intelligence \[solution\] that provides a score to banks, helping them identify and stop fraudulent transactions," he says.

Last year, Mastercard added AI-based risk management capabilities by acquiring Baffin Bay Networks, a threat protection provider based in Sweden. Mastercard integrated Baffin Bay's automated threat protection service to prevent attackers from penetrating or disabling cybersecurity systems through ransomware and distributed denial-of-service (DDoS) attacks.

Mastercard is not alone in its focus on threat and risk intelligence. Visa has invested more than $9 billion in cybersecurity over the past few years in new tools and services to help address fraud and account security in its payment services. The credit card company has embedded AI and analytics in more than 60 different services to stop and block payment fraud. The Visa Account Attack Intelligence (VAAI) offering uses generative AI components to identify and score enumeration attacks. The VAAI Score tool assigns each transaction with a risk score in real time to detect and prevent enumeration attacks in card-not-present transactions.

**Building on Mastercard's AI Capabilities**

Gerber says Recorded Future promises to build on Mastercard's AI-enabled Decision Intelligence capability, which gives scores to its member banks.

"Recorded Future has pioneered the use of AI in analyzing and reporting cyber threat intelligence," he says. "The ability to draw these trends from a wide range of sources will allow our customers to quickly access relevant insights and safeguard their critical operations and infrastructure. It allows us to quantify risk more accurately and simulate attacks based on the latest trends."

Gerber also sees the potential for adding Recorded Future's AI capabilities to RiskRecon, the third-party threat scanning and rating provider Mastercard acquired in 2020 that provides enterprise security monitoring and measures third-party and supply chain risk. Similarly, Recorded Future can boost two Mastercard service offerings launched in 2022: Cyber Front, which provides a threat simulation, and Cyber Quant, a service that identifies and prioritizes risks.

"The insights allow us to quantify risk more accurately," Gerber says. "Our customers will see benefits from the real-time threat insights that Recorded Future brings to the table."

Recorded Future will enhance the intelligence and security of all its products, he adds.

"It will help us create smarter models and anticipate emerging threats before cyberattacks can take place — in payments and beyond," Gerber notes.

Forrester's Wrozek says that Recorded Future promises to give Mastercard more direct control over critical threat intelligence, now a critical cybersecurity capability.

"This aligns perfectly with Mastercard's journey towards leading the defense of the global digital economy," he says.

Citing a 2024 Forrester survey, Wrozek notes that improving threat intelligence capabilities is consistently a top tactical security priority for companies, which typically purchase, on average, over half a dozen threat intelligence feeds.

"Companies need more threat intelligence to improve decision-making, expedite incident remediation, and shift from a reactive to a more proactive security posture," he says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Mastercard's Recorded Future Deal Furthers Its AI Security Goals

PRESS RELEASE

AUSTIN, Texas and Fal.Con 2024, Las Vegas – September 16, 2024 — CrowdStrike (NASDAQ: CRWD) today announced the launch of its second annual Cybersecurity Startup Accelerator with Amazon Web Services (AWS). NVIDIA also joins in supporting the Accelerator program, powering the next generation of artificial intelligence (AI) and cloud security startups. Targeting cybersecurity’s next market-defining disruptors across the U.S. and EMEA, AWS and CrowdStrike with NVIDIA through its Inception program, will provide mentorship, technical expertise, funding and go-to-market opportunities.  
Applications for the AWS and CrowdStrike Cybersecurity Startup Accelerator with NVIDIA are open from September 16, 2024 to January 10, 2025. Selected startups will be enrolled in a free eight-week program developed by AWS, CrowdStrike and NVIDIA that offers mentorship and guidance from industry experts and executives. Startups will also have access to top-tier global cybersecurity investors, enablement sessions, and up to $25,000 in AWS Activate credits, among other exclusive benefits.

At the end of the program, participants can present their innovations at an in-person Demo Day at the AWS Startup Loft in San Francisco, which will take place during the RSA Conference in April 2025. Winning presentations may be eligible to receive funding from the CrowdStrike Falcon® Fund. 

“CrowdStrike and AWS created the Cybersecurity Startup Accelerator as a formative, value creation experience for innovative startups to learn, create and grow. Since participating in the Accelerator, last year’s cohort participants raised over $150 million from leading global VCs,” said Daniel Bernard, chief business officer, CrowdStrike. “We’re proud to welcome NVIDIA as a supporter of the Accelerator program – bringing together market-leading cybersecurity, cloud and AI expertise to cultivate tomorrow’s great innovators.”

“For startups seeking to tackle the most pressing security challenges, the Cybersecurity Startup Accelerator provides the AI technologies, accelerated computing resources and technical expertise they need,” said Bartley Richardson, director of cybersecurity engineering at NVIDIA.

To apply, visit this website. Startups are encouraged to review the terms and conditions here.

You May Also Like

CrowdStrike Expands Cybersecurity Startup Accelerator With AWS and NVIDIA

PRESS RELEASE

SAN FRANCISCO, Sept. 18, 2024 /PRNewswire/ -- Abstract Security, building the future of AI-enabled security operations, today announced it has added support for deployments within Google Cloud Platform (GCP).

The support for GCP follows Abstract Security's existing support for AWS and Azure. Abstract enables multi-cloud deployments of its SOC platform, deploying multiple instances of Abstract Security around the world to support data localization requirements and eliminate data transfer costs. Additionally, Abstract supports transactions through both AWS and Azure marketplaces with GCP coming soon.

"Abstract's ability to offer customers a true multi-cloud offering with three different cloud platforms in AWS, Azure and now GCP is something we're very proud of for this growing startup," said Colby DeRodeff, co-founder and CEO of Abstract Security. "Because we deploy directly into our customers' cloud environment, we enable those customers to truly own their own data, which separates us from most of our competitors."

Abstract Security's SOC platform offers:

*   Seamless integration with local GCP services - Ensuring strong security coverage and visibility into GCP services.
    
*   Abstract Intel Gallery - As part of Abstract's data fabric, organizations can leverage no-code ETL to enrich events with real-time threat intelligence, enhancing detection accuracy and relevancy.
    
*   Real-time streaming threat detection - Security analytics are powered by AI, enabling enterprises to stay ahead of rapidly evolving cyber threats.
    
*   Compliance and data sovereignty - Providing a single search and reporting view across regional deployments, enabling compliance with data localization requirements.
    

Abstract has seen growing demand since emerging from stealth and announcing its Seed funding in March 2024. In April, Abstract announced the opening of its first Middle East office. In May, the company announced the addition of Christopher Key to its Board of Directors and was selected as a "Pioneering Cybersecurity Startup" winner, as part of the 2024 Global Infosec Awards.

About Abstract Security

Abstract Security, founded in 2023, has built a revolutionary platform equipped with an AI-powered assistant to better centralize the management of security analytics. Crafted by category creators and industry veterans known for redefining the cybersecurity landscape, Abstract transcends next-gen SIEM solutions by correlating data in real time between data streams. As a result, compliance and security data can be leveraged separately to increase detection effectiveness and lower costs – an approach that does not currently exist in the market.

The leadership team of Colby DeRodeff, Ryan Clough, Aaron Shelmire, Chris Camacho, and Stefan Zier bring a unique set of experiences and backgrounds in product development and company-building expertise, at companies such as ArcSight (acq. by HP), Mandiant (acq. by Google), Palo Alto Networks and Sumo Logic. For more information about the company, please visit https://www.abstract.security/ and follow the journey @Get\_Abstracted.

You May Also Like

Abstract Security Expands Multi-Cloud Security Operations

Company urges organizations using self-hosting GitLab instances to apply updates for CVE-2024-45409 as soon as possible.

Source: T. Schneider via Shutterstock

Organizations with self-hosted GitLab instances configured for SAML-based authentication might want to update immediately to new versions of the DevOps platform that the company released this week.

The update addresses a maximum severity bug in GitLab Community Edition (CE) and Enterprise Edition (EE) that allows an attacker to bypass authentication checks and log in as an arbitrary user in an affected system. Depending on the level of access, an attacker could then steal leak or modify source code, inject malicious code into production systems, steal secrets and sensitive data, and execute a variety of other malicious actions.

**Maximum Severity Threat**

The bug, identified as CVE-2024-45409, has a severity score of 10.0, which is as critical as it gets on the CVSS rating scale. The bug has garnered the rating because of its high impact and also because exploiting it involves low-attack complexity, no special privileges, and no user interaction.

CVE-2024-45409 affects both GitLab Dedicated, the fully managed cloud-hosted version, and also self-managed instances of GitLab. The company already has updated all instances of GitLab Dedicated and says that customers of the managed version are already protected against the vulnerability. However, those running self-managed GitLab installations must patch now, the vendor advised. "We strongly recommend that all installations running a version affected by the issues … are upgraded to the latest version as soon as possible."

GitLab has recommended that organizations enable two-factor authentication for all user accounts for self-managed GitLab installations to mitigate against exploits targeting CVE-2024-45409. "Enabling identity provider multifactor authentication does not mitigate this vulnerability," GitLab cautioned. The company also recommends that organizations not allow the SAML two-factor bypass option in GitLab. In addition, GitLab's advisory provides detailed guidance on how to hunt for and detect signs of exploit activity tied to the flaw.

CVE-2024-45409 is present in versions 12.2 and older and versions 1.13.0 to 1.16.0 of Ruby SAML, a library which is a part of GitLab's SAML-based authentication feature. Ruby SAML is what allows organizations to authenticate users to GitLab via external identity providers.

**Improper Signature Verification**

The National Vulnerability Database's description of the flaw shows that affected Ruby SAML versions either aren't verifying or are incorrectly verifying the cryptographic signature in a SAML response. This allows an attacker with access to any signed SAML document from an identity provider to forge a SAML response. "This would allow the attacker to log in as \[an\] arbitrary user within the vulnerable system," the NVD said.

In its advisory, GitLab said that in order to craft a successful exploit for the flaw, an attacker would need to find a way to craft SAML assertions that are identical to those from an organization's legitimate identity provider. This would involve having the information needed to accurately replicate key fields like username, role, identity, and privileges.

"When crafting an exploit, there are many SAML assertions an attacker would need to craft to perfectly replicate a legitimate login," GitLab said. "These include both the key and value fields that you specify at your \[identity provider\] and may be unknown to unauthorized individuals — especially if you have customized these attributes."

**Particularly Troubling on Dev Platforms**

Researchers consider vulnerabilities in DevOps platforms like GitHub to be particularly troublesome because of the opportunities they provide attackers to compromise application development environments in multiple ways.

"The ability to bypass authentication checks is a huge threat, as it gives attackers the window of opportunity to easily enter development environments and cause tremendous damage — all without triggering any alerts," says Katie Teitler-Santullo, cybersecurity strategist at OX Security. "Presumably, and hopefully, organizations are using strong authentication — MFA least privilege, and zero-trust principles — to ensure that all access is fully authorized."

Jeff Williams, founder and CTO at Contrast Security, stresses the importance of addressing authentication bypass flaws. "In this case, a forged SAML assertion can be created to log on as any user and take any actions that a user can do," he says. "This might include tampering with pipelines, embedding malicious code in software products, stealing intellectual property, installing malware, or just about any other bad thing you can imagine."

CVE-2024-45409 is the most critical among 18 vulnerabilities that GitHub disclosed this month as part of its regular security updates. GitHub assessed one of the other 17 vulnerabilities as critical. The flaw (CVE-2024-6678), with a CVSS severity score of 9.9, affects multiple GitLab CE and EE versions. It is one of several in recent months that allows an unauthenticated, remote attacker to run a pipeline in the context of any user within a GitLab environment.

The vulnerability is similar to flaws that GitLab disclosed in May, June, and July and suggests a pattern of not taking security seriously, Williams says. "Critical vulns month after month. Maybe they're doing better testing? Good. Or maybe they aren't being proactive. We need transparency."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

GitLab Warns of Max Severity Authentication Bypass Bug

PRESS RELEASE

SAN FRANCISCO, Calif., September 16, 2024 – c/side, a cybersecurity company with tools for monitoring, optimizing, and securing vulnerable browser-side third-party scripts, today announced $6 million in seed funding. The round is led by Uncork Capital, with participation from Mantis VC, Scribble Ventures, Roar Ventures, and PrimeSet. c/side’s total funding is now $7.7 million, following a pre-seed round announced earlier this year. Scribble and Roar also participated in the pre-seed, along with strategic angel investors.

  
As headlines have continued to show since the infamous British Airways breach, the third-party code scripts that businesses add into their websites are often poorly monitored and undersecured. While these scripts are necessary for critical site functions such as analytics, chatbots, and error handling, the scripts change frequently without a business’ knowledge—posing significant risks. Malicious actors exploit vulnerabilities within the scripts to redirect website visitors, steal sensitive information, or manipulate website content. As a result of increased security awareness on the infrastructure and open source supply chain, malicious actors increasingly seek to weaponize the browser as the place of execution—yet most sites have nothing in place to monitor client-side behavior.

  
With an advanced proxy service and an AI-driven detection engine, c/side offers a comprehensive toolkit to identify and neutralize malicious scripts in real-time. The innovative solution not only bolsters website security, but also significantly enhances website performance. Beyond safeguarding organizations from cyberattacks, c/side’s technology also simplifies compliance with stringent industry regulations like PCI DSS 4.0, making it a critical and particularly timely tool for businesses accepting digital payments via their sites.

  
“Even in the few short months since we launched, major browser supply chain attacks like polyfill\[.\]io and regulatory breach incidents like the one at Kaiser Permanente have underscored just how significant and rapidly-escalating this attack vector has become,” said Simon Wijckmans, CEO and founder, c/side. “Security and IT teams cannot take a ‘set it and forget it’ approach to the third-party web scripts that run through their organization’s website. We understand what’s required to ensure ongoing visibility and protection, and offer an end-to-end solution that’s simple to deploy. We’re thrilled to bring on new investors with our seed funding, and look forward to our next stage.”

  
“c/side is addressing client-side app security, one of the most challenging threats to digital organizations and a problem that has been largely overlooked until now,” said Andy McLoughlin, Managing Partner at Uncork Capital. “Their AI-driven solution not only identifies these threats but acts swiftly to neutralize them, ensuring robust client-side web security. We’re thrilled to lead this round and support the c/side team as they develop solutions to protect businesses from costly and damaging browser-executed attacks."

  
“We’re impressed by c/side’s AI-driven approach and its potential to revolutionize client-side security at scale,” said Alex Pall, General Partner, Mantis VC. “This team has the expertise and vision to make a significant and lasting impact across the cybersecurity landscape, making web security more accessible to all. Whether you’re an early-stage grinding entrepreneur or a large established brand, c/side will grow to have your back. Simon and the team will make things rock!”

  
The seed funding will enable c/side to accelerate the development of its flagship product, the powerful proxy solution for securing third-party web scripts. The company will also deepen its vulnerability detection engine’s capabilities and grow its team to support customer service, sales, partnership, and marketing functions.

  
c/side’s free tier is now fully operational and available — anyone can sign up and begin securing their site in minutes. Business, Enterprise, and Partner tiers are in development; those interested can contact c/side here. 

  
About c/side  
c/side is a forward-thinking cybersecurity startup focused on browser-side detection and protection. Led by industry expert Simon Wijckmans, c/side is pioneering technologies to shield against sophisticated cyber threats, ensuring unparalleled security standards for users across the web.

Latest News