Patch Tuesday turned security updates from chaotic events into a routine. Here's how we got here and where things might be heading.

On Oct. 9, 2003, Microsoft CEO Steve Ballmer announced that the company would issue security patches only once a month to "reduce the burden on IT administrators by adding a level of increased predictability and manageability."

Two decades later, Microsoft continues to issue its security updates on the second Tuesday of every month, with occasional exceptions for emergency situations. Many other companies, like Oracle and Adobe, follow similar rules.

Patch Tuesday turned risk management into a monthly appointment, but like many innovations it was founded from crisis. At the beginning of 2002, shortly after the world experienced two of its first cyber doomsdays, Code Red and Nimda, Microsoft decided to change its philosophy around security. The two worms, which infected hundreds of thousands of machines in a matter of hours, exploited vulnerabilities for which patches were available.

"The problem was not that we weren't building patches; the problem was that people weren't deploying them quickly enough," says Christopher Budd, who was with Microsoft from 2000 to 2010 and is now a senior manager for threat research at Sophos.

At that time, the trauma of 9/11 was palpable in North America, and there was a growing concern within Microsoft regarding security. On Jan. 15, 2002, Bill Gates sent his famous Trustworthy Computing memo, highlighting the importance of protecting customers and their systems.

One way to improve security was to change how patches were delivered. So instead of announcing them unpredictably, on a ship-when-ready basis, several times during a week, Microsoft began to stack them together to make it easier for customers to keep up.

At first, the idea was implemented as a "silent pilot project," Budd says. But as it showed promising results, it was soon made official. The first official Patch Tuesday report was published on Oct. 14, 2003, and it included seven vulnerabilities, five of which were seen as critical.

"Tuesday was the earliest day in the week that we felt we could sustainably offer these," says Budd, who helped build Patch Tuesday.

This fixed-schedule approach has become a standard industry practice. But the road was not always smooth.

**The Early Days of Patch Tuesday**

Throughout the years, Microsoft has evolved and refined its approach to security patches, adapting to changing threats. Notable worms that followed Code Red, such as Sasser and Blaster, helped Patch Tuesday to grow and eventually mature.

Budd and his colleagues in the Microsoft Security Response Center, who "suddenly became incredibly important" after the Trustworthy Computing memo, tried to make improvements around patch deployment and detection. One key achievement was to build tools that enabled admins to do a scan and identify the systems that needed security updates — an idea that, while simple, proved to be a game-changer.

The entire process of releasing patches required extensive work, particularly on the Monday before Patch Tuesday, when everything had to be checked. Security experts put in long hours, missed birthday parties, and even showered in Microsoft's headquarters because they didn't have the time to go home.

It is why the releases of the bulletins were celebrated with music blasting over loudspeakers. "When the bulletins were live, it was a big deal for us," says Dustin Childs, who was with Microsoft between 2008 to 2014 and is now the head of threat awareness at Trend Micro's Zero Day Initiative.

Typically, the music was picked by the release manager for that bulletin. "I remember one month it was Klingon music, but it was usually rock and roll," Childs says.

Occasionally, soon after the music stopped, chaos would ensue because some patches caused unintended consequences. One notable incident happened in February 2010, when thousands of customers reported blue screens almost immediately.

When security experts in Redmond heard about the issue, they tried to replicate it but were unsuccessful. For the lack of a better solution, Microsoft bought the computer of a customer who called a support center near Dallas to report the issue.

"And as soon as we got that computer, we found that it had a rootkit installed in it," Childs says.

The Alureon rootkit made modifications to Windows Kernel binaries, which caused the systems to be unstable. The company reissued the patch and fixed the problem.

"The really funny part, though, was that the people who made the rootkit figured it out faster than we did, and they had updated their rootkit to avoid the patch within 48 hours \[of the release\]," Childs says. "It took us a week to fix it!"

And it wasn't the only bizarre episode in Patch Tuesday's history. For instance, Childs remembers that an Internet Explorer patch crashed online banking in South Korea, while a Windows Media Player patch broke an entire country — twice.

"For some reason, on systems in Denmark, it blue-screened," he says. "So we had to recall that patch, fix it and re-release it. And then, the very next month, the same thing happened again. I don't know what was specific about the systems in Denmark."

Even today, some patches released by software companies in general, not just Microsoft, can cause issues, which can be frustrating for those installing them. Childs argues that if vendors improve the reliability of these fixes, customers might be more willing to apply them promptly, as opposed to waiting weeks or months to see if others experienced issues.

Taking the waiting approach can be risky, as it leaves their systems vulnerable to known vulnerabilities. It is why Childs recommends users apply patches as soon as possible. He also tells them to call attention to poor-quality patches.

"Let's hold vendors accountable," Childs says. "Let's make sure that they're producing good patches."

Aanchal Gupta, deputy CISO at Microsoft, says the company is doing "extensive testing" of patches.

"Before we issue any patch to our customers, it goes through rigorous testing not just within Microsoft. ... \[W\]e also have a set of beta testers, external companies, and they get the patches early on before these are actually made public," she says. "They can test in their environment and report back to us whether there is something unique in their environment which could make the patch not work."

**Patch Tuesday Today**

Patch Tuesday has come a long way since those early days when Klingon music blasted from the speakers. Over time, the releases have become quieter and even automated, becoming invisible to some users.

In the past decade, Microsoft has made several changes to streamline the process. In the mid-2010s, for instance, it announced cumulative updates so that a customer who missed, for instance, five patches only needed to apply the last one because the other ones were included in it. The company also launched machine-readable Security Update Guides, which meant that organizations with huge fleet deployments could rely on automation.

But not every change was welcomed by the community. When Microsoft decided to eliminate security bulletins and replace them with Security Update Guides, customers complained that the information they received was less intuitive. Something similar happened in the fall of 2020, when the tech giant removed executive summaries that included detailed information on vulnerabilities. Once again, many in the industry argued that they didn't receive enough information, which made their decision-making processes difficult.

That was "probably the most disruptive" decision Microsoft made, says security researcher Claire Tills. "I know some defenders also really had trouble with that."

More recently, in 2022 Microsoft took yet another step toward making Patch Tuesday a regular Tuesday, when it announced Autopatch, which promised to ease the process of addressing vulns for customers with Windows Enterprise E3 and E5 licenses. The move made organizations wonder whether Patch Tuesday as we know it might disappear — a rumor Microsoft denied.

The publicity around Patch Tuesday is getting smaller and the number of Patch Tuesday vulnerabilities may have peaked. In 2020, a particularly "aggressive year," Tills counted around 1,200 vulns, while in 2022, she saw 663.

"In terms of the types of vulnerabilities, it's consistently elevation of privilege and remote code execution," she says. "Every once in a while, we'll get peaks in information disclosures and security feature bypass — those two also pop up."

But despite the features meant to streamline the process of applying patches, this task can still be daunting for small businesses that can't afford a dedicated tech support team. It is why Gupta recommends these clients to move to the cloud.

"Then you can purely focus on your business and you don't have to worry about patching and managing systems," she says. "I also encourage people to not disable the default upgrades."

But as we transition toward automating the processes, is dedicating one day for updates obsolete?

**Is Patch Tuesday Becoming Obsolete?**

It is hard to fathom a world of cybersecurity without Patch Tuesday, which has been an integral part of the industry for two decades. As threats become more sophisticated and geopolitics becomes more volatile, however, the traditional model of Patch Tuesday may no longer be sufficient to keep systems secure.

Organizations operating in complex environments, such as in those competitive fields or based in hot areas like Ukraine, cannot afford to make mistakes when it comes to patch management. Threat actors often "targeted technical vulnerabilities rather than specific individuals or organizations," says Nazar Tymoshyk, founder and CEO of cybersecurity startup UnderDefense, which has protected several organizations during the ongoing war with Russia.

"The exploitation of unpatched vulnerabilities in technology stacks or outdated Web resources still accounts for 50% of \[Russia's\] success in cyber-intelligence operations," he says.

Tymoshyk believes that Patch Tuesday is still necessary and should not be retired. However, organizations should build on top of it, adopting additional patching routines depending on the size and complexity of their infrastructure or the types of software and systems they use.

Satnam Narang, senior staff research engineer at Tenable, also favors keeping Patch Tuesday alive because routines can help organizations foster a security-focused culture.

"Each week the folks come to pick up the trash from our street, and we know that that's happening every week on a specific day," he says. "The reason why Patch Tuesday is a valuable resource is that it happens every month on a specific day, so it allows organizations to carve out the time necessary to patch these vulnerabilities."

A chaotic patching system might not work, Narang says, because security teams are already overwhelmed. Aviv Grafi, CTO and founder at Votiro, agrees. "Time is of the essence, and we need to focus on leveraging technologies and software that give security teams more time back in their day," Grafi says.

Security researchers also add that continual patch cycles and automatic updates might not always be feasible at enterprise level in some cases. "In the event of a problem, large organizations need to be able to revert systems to a known state, and that requires planning," says David Farquhar, solutions architect at Nucleus.

Patch Tuesday is a crucial element in the routines of many organizations, but despite that, it can be unpredictable. The past years have shown that its structure can change without prior warnings. "Even though Patch Tuesday feels so foundational and so solid, it can change at the drop of a hat," Tills says. "The end of Patch Tuesday could feel disastrous for a lot of organizations."

For the time being, though, it appears that Microsoft will keep the program running. "I wouldn't worry about Patch Tuesday going away anytime soon," Gupta says.

How Patch Tuesday Keeps the Beat After 20 Years

Convergence of two leading cybersecurity companies creates federal sector powerhouse.

**DENVER — March 14, 2023 —** Optiv, the cyber advisory and solutions leader, today announced it has acquired Maryland-based ClearShark LLC and ClearShark Services, Inc. (collectively ClearShark), a premier advisor and top value-added reseller of cybersecurity and modernization technology to the United States federal government. The transaction more-than doubles Optiv’s federal presence, while significantly deepening its bench of government expertise and expanding the breadth of its federal capabilities.

“ClearShark is now the cornerstone of a vibrant Optiv federal business where we will together bring a new level of world-class federal capabilities to the market at scale,” said Optiv CEO Kevin Lynch. “Between the uptick in cyberattacks, the recentBiden-Harris Administration’s National Cybersecurity Strategy and other security regulations, cybersecurity has never been more vital. Together with ClearShark, we are primed to better help federal agencies and contractors ensure a strong cybersecurity posture and build a lasting legacy in the public sector space.”

“Joining forces with the largest pure-play cybersecurity company in the world provides us, our clients and partners with a tremendous growth opportunity. We couldn’t be more excited about this partnership or more bullish on the future,” said Brian Strosser, ClearShark LLC president.

ClearShark Services President Marshall Bailey added, “Leveraging Optiv’s comprehensive suite of cybersecurity solutions and services, we can continue to expand our already dominate delivery capabilities and operate at scale while also providing employees with new career opportunities.” 

The acquisition brings together two leading cybersecurity companies to create a powerhouse partnership that will better serve current and new clients by providing:

*   An expanded federal presence with more direct connections to the public sector.
*   An even broader federal team that builds on the exceptional Optiv service and expertise clients and partners have come to depend on.
*   A vast and comprehensive portfolio of cybersecurity services and solutions, technical capabilities and federal resources.
*   Exceptional relationships with the industry’s leading security technology companies and product manufacturers.

The terms of the transaction are not being disclosed.Holland & Hart LLP provided counsel to Optiv during the transaction.IzenbergLaw PLLC,Fontana Law GroupandPilieroMazza PLLC provided counsel to ClearShark.

For the latest news and updates from Optiv, visit https://www.optiv.com/newsroom

**Follow Optiv**

Twitter: www.twitter.com/optiv

LinkedIn: www.linkedin.com/company/optiv-inc

Facebook: www.facebook.com/optivinc

YouTube: www.youtube.com/c/OptivInc

Blog: www.optiv.com/explore-optiv-insights/blog

**Optiv Security: Secure greatness.****®**

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

**ClearShark**

ClearShark is an IT solutions provider, comprised of ClearShark LLC (including FedBiz) and ClearShark Services, Inc., focusing on providing cybersecurity, datacenter and cloud infrastructure, AI and data analytics and DevSecOps solutions and services. Our first-class engineering team is made up of mission-focused, results-driven subject matter experts from the intelligence community, Department of Defense and Department of Energy. We are focused and innovative, making investments in technologies we believe in, and being free to pivot and find disruptive technologies. For more information, visit www.clearshark.com.

Optiv More Than Doubles Federal Presence With ClearShark Acquisition

**Brescia, Istanbul,** **Tel** **Aviv,** **March** **14th,** **2023** **—** Camozzi Group, a leading provider of Industrial Automation solutions, and Radiflow, part of Sabanci Holding and a global player in Industrial Cybersecurity and Operational Technology (OT), have announced a collaboration agreement to implement cybersecurity technologies across Camozzi's production sites.

The collaboration between Camozzi Group and Radiflow aims to strengthen the resilience and security of industrial infrastructures in any sector, recognizing cybersecurity as a core strategic business pillar. The risks of OT Cybersecurity attacks aimed at productive systems have become a fast-growing phenomenon in Italy and around the world. The collaboration seeks to identify vulnerabilities and sources of attacks while relying on high-performance risk management systems.

According to Exprivia's latest threat report, the total number of detected threats in Italy was 2,600 in 2022, which is double the number registered in 2021 and four times higher than those registered in 2020. Therefore, it is crucial for enterprises to understand the level of risk exposure and secure their technology systems by adopting advanced software and platforms, as well as through organizational and training models suitable for the new challenges of OT and IIOT (Industrial Internet of Things) security.

The collaboration with Radiflow will enable Camozzi Group to maximize security and stability further. Already characterized by an elevated level of technology reliability, this collaboration reinforces Camozzi Group's commitment to its customers' security and stability.

The partnership between Camozzi Group and Radiflow will undoubtedly lead to strengthened cybersecurity for industrial systems, making Camozzi Group a safer and more secure provider of Industrial Automation solutions.

**About Camozzi Group**

Founded in 1964, Camozzi Automation proposes a product range including components, systems and technologies for the Industrial Automation field, the control of fluids - both liquids and gases - and applications dedicated to the Transportation and Life Science industries.

Camozzi Automation’s offering includes ever more IIoT products and solutions. We work on both the digitalisation of production processes and the creation of real cyber-physical systems, to enable the integration of mechanical, electronic and digital elements, constantly improving process performance and the management of the data chain.

**About Radiflow**

Radiflow is an OT Cyber Security company that has unique tools to protect and manage digital OT assets for the long term. Radiflow works directly with Managed Security Service Providers to oversee the discovery and management of all relevant data security points. Radiflow’s unique pinpoint approach brings the businesses’ team into the fold, trading the industry’s one-size-fits-all approach for a calculated, focused, and secured system without inhibiting communication or productivity. With offices in Europe and the US, Radiflow’s solution is installed in over 6000 sites around the globe.

Camozzi Group and Radiflow Announce Collaboration on Industrial Systems Cybersecurity

Security vendors urge organizations to fix the actively exploited bugs, in Microsoft Outlook and the Mark of the Web feature, immediately.

IT teams should prioritize the patching of two zero-day vulnerabilities, one in Microsoft Outlook's authentication mechanism and another that's a Mark of the Web bypass, security experts said today. The two are part of a cache of 74 security bugs that Microsoft disclosed in its March Patch Tuesday security update.

In a blog post, researchers from Automox recommended that organizations patch both vulnerabilities within 24 hours since attackers are exploiting them in the wild. 

In addition, several of the critical flaws in the March update enable remote code execution (RCE), making them a high priority for patching as well. 

Vendors had slightly different takes on the total number of new critical vulnerabilities in Microsoft's March update — likely because of differences in what they included in the count. Trend Micro's Zero-Day Initiative (ZDI), for instance, identified six of the vulnerabilities in Microsoft's March update as critical, while Tenable and Action1 pegged the number at nine.

**Privilege Escalation Zero-Day**

One of the zero-days is a critical privilege escalation vulnerability in Microsoft Outlook tracked as CVE-2023-23397, which allows an attacker to access the victim's Net-NTLMv2 challenge-response authentication hash and then impersonate the user. 

What makes the bug dangerous is that an attacker could trigger it simply by sending a specially crafted email that Outlook retrieves and processes before the user even views it in the Preview Pane.

"This is because the vulnerability is triggered on the email server side, meaning exploitation would occur before a victim views the malicious email," said Satnam Narang, senior staff research engineer at Tenable in an emailed comment. An attacker could use the victim's Net-NLMv2 hash to conduct an attack that exploits the NTLM challenge-response mechanism and allows the adversary to authenticate as the user.

That makes the bug more of an authentication bypass vulnerability than an privilege escalation issue, added ZDI researcher Dustin Childs, in a blog post that summarized the most important flaws in Microsoft's March Patch Tuesday update. Disabling the Preview Pane option will not mitigate the threat because the bug gets triggered even before that, he wrote.

Microsoft attributed the bug's discovery to researchers from Ukraine's Computer Emergency Response Team (CERT) as well as one of its own researchers.

Organizations that cannot patch CVE-2023-23397 immediately should consider implementing Microsoft's mitigation for the flaw, which prevents the use of NTLM as an authentication mechanism, Automox said.

**Actively Exploited Security Feature Bypass Flaw**

Microsoft identified the second zero-day bug as CVE-2023-24880, a Windows SmartScreen security feature bypass issue than at attacker could use to bypass the Mark of the Web designation that Microsoft uses to identify files that a user might download from the Internet. 

The feature is designed to warn users about potentially unsafe content. CVE-2023-24880 affects all desktop systems running Windows 10 and above and systems running Windows Server 2016, 2019, and 2022.

Chris Goettl, vice president of security products at Ivanti, cautioned administrators not to be lulled into a sense of false security by Microsoft's relatively low severity rating for the flaw. 

"The CVSSv3.1 score is only 5.4, which may avoid notice by many organizations," Goettl said in a statement. On its own, the CVE may not be all that threatening, "but it was likely used in an attack chain with additional exploits," he warned.

**Other Security Bugs at High Patching Priority**

One of the RCE flaws to make a special note of is CVE-2023-23415, which exists in the Internet Control Message Protocol (ICMP) that network devices use to diagnose communications issues. 

"An attacker can remotely exploit this vulnerability through the use of a low-level protocol error containing a fragmented IP packet in its header that is sent to the target machine," Microsoft said. The vulnerability affects multiple Microsoft products, including Windows 10, Windows 11, Windows Server 2008, 2012, 2016, 2019, and 2022.

ZDI, Automox, and Action1 also all identified a RCE vulnerability with a near maximum severity of 9.8 on the CVSS scale in the HTTP Protocol Stack as another issue that organizations might want to prioritize. 

The vulnerability (CVE-2023-23392) allows an unauthenticated attacker to send a specially crafted packet to a server that uses the HTTP Protocol Stack leading to RCE. "The vulnerability affects Windows Server 2022 and Windows 11, and has a low-complexity attack vector that requires no privileges or user interaction," Action1 warned. Because of this, Microsoft has assessed the vulnerability as one that threat actors are more likely to exploit than other flaws.

Automox also recommended that organizations address CVE-2023-23416, a RCE bug in the Windows Cryptographic Services protocol, within 72 hours. That's because, among other things, it affects all versions of desktops Windows 10 and above, and all Windows server editions from Server 2012 on.

In addition to patches for new vulnerabilities, Microsoft also issued updates for four older flaws — all from 2022 — in its March patch cycle. The update expands the number of Microsoft software and applications affected by the vulnerabilities and provides a patch for them, Ivanti said. The security vendor identified the four updated patches as CVE-2022-43552, CVE-2022-23257, CVE-2022-23825, and CVE-2022-23816.

Microsoft Zero-Day Bugs Allow Security Feature Bypass

Financing will help support increasing customer demand while continuing to transform incident response for cloud and SaaS environments

**NEW YORK, March 14, 2023 –** Mitiga, the cloud and SaaS incident response leader, today announced the completion of its $45 million Series A Round, bringing total funding to $45 million, led by ClearSky Security, with participation from Samsung Next and existing investors Blackstone, Atlantic Bridge and DNX. This news comes on the heels of Mandiant’s former President/COO, John Watters, joining Mitiga as an independent board member.

"When we founded Mitiga, we had one goal in mind — to help organizations accelerate their responses to the rising tide of cloud and SaaS attacks," stated Tal Mozes, co-founder and CEO, Mitiga. "We knew we could do it better than traditional incident response (IR) solutions because they’re reactive by nature, and tremendously time-consuming. Our proactive and automated approach enables organizations that experience cloud and SaaS breaches to respond immediately and recover faster than any other solution on the market. We are thrilled to include Samsung Next as one of our investors and look forward to our next growth phase in 2023 and beyond."

Mitiga will use the investment to accelerate its growth, helping to meet the high demand for cloud incident response services from the overwhelming number of organizations that now rely on cloud and SaaS environments—because today's harsh reality is that cloud attacks are inevitable. Mitiga’s modern approach offers cloud-driven companies a new level of cyber and organizational resilience. By enabling ongoing readiness and compressing the investigation time from weeks or months to hours, Migita's solution reduces incident-related damage and gets customers back to business fast.

"As more and more companies are advancing their cloud journeys, they're beginning to understand that growing their cyber resiliency is a vital part of that transformation" stated Tal Achituv, CTO, Samsung Next. "Mitiga's modern incident response solution combined with the team’s deep cloud forensics expertise enables companies to prepare for cloud breaches before they happen — so they get back to business immediately. It's an important capability and we're happy to be supporting Mitiga to enable it."

To learn more about Mitiga, please visit www.migita.io, or if attending the 2023 RSA Conference, stop by Moscone North Expo, Booth 5624. 

**About Mitiga**

Mitiga is the cloud and SaaS incident response leader. In a world filled with cloud risks, we help organizations return to business as usual 90% faster than traditional incident response. Our IR2 solution provides instant answers to the most burning breach-related questions, enabling teams to speed investigations, minimize impact, and enhance cyber resilience against future attacks. Mitiga’s approach leverages automated insights from our leading-edge SaaS platform and combines them with support from Mitiga's world-leading cloud incident responders. The result not only accelerates and improves incident response, but it also minimizes enterprises' breach-related costs through a subscription-based model that makes cloud and SaaS IR expenditures more predictable.

Samsung Next Invests in Mitiga, Brings Total Funding to $45M

The ransomware group sent a message directly to Elon Musk: Pay or the confidential SpaceX information goes up for grabs on the Dark Web.

The LockBit ransomware group is reportedly threating to release stolen SpaceX schematics unless Elon Musk pays to keep them under wraps.

Musk has until March 20 to make an extortion payment, according to a recent LockBit post shared on Twitter by cybersecurity analyst Dominic Alvieri. The confidential drawings were reportedly lifted not from SpaceX itself, but from a third-party vendor: Maximum Industries, which produces parts for SpaceX projects.

"Elon Musk we will help you sell your drawings to mother manufacturers — build the ship faster and fly away," the LockBit ransomware demand read.

“When people hear of extortion, their mind immediately goes to ransomware. However, ransomware is just one tool in an attackers arsenal," says Javvad Malik, lead awareness advocate at KnowBe4,. "The data is the actual gold dust that the criminals are after. If they can exfiltrate it, then they have immense leverage over the victim."

He adds, "This raises the important questions of how criminals get into organizations, how they spend so long undetected, and how can sensitive data be exfiltrated without being blocked. The answers to these extend beyond simply looking at point products, but is really about looking at the overall security culture in an organization and how it can be strengthened in a positive manner to reduce the overall risk.”

Ransomware accounted for about $34 million in adjusted losses reported to the FBI last year, according to the FBI's Internet Crime Report (PDF).

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

LockBit Threatens to Leak Stolen SpaceX Schematics

An agency team will identify vulnerabilities being exploited by ransomware groups and alert organizations ahead of attacks, CISA says.

An anti-ransomware project launched by the Cybersecurity and Infrastructure Security Agency (CISA) will proactively track common vulnerabilities being exploited by ransomware gangs, and alert exposed organizations to the risks to help them mitigate the threat before a cyberattack occurs.

The Ransomware Vulnerability Warning Pilot (RVWP) program started out by alerting 93 organizations open to the recent Microsoft Exchange Service "ProxyNotShell" vulnerability, which was under open attack by ransomware operators in the wild, the CISA announcement explained. The intention is for the RVWP to replicate the model on a larger scale and help critical infrastructure organizations stave off future ransomware attacks.

"Ransomware attacks continue to cause untenable levels of harm to organizations across the country, including target rich, resource poor entities like many school districts and hospitals," Eric Goldstein, executive assistant director for cybersecurity at CISA, said about the program in CISA's announcement. “The RVWP will allow CISA to provide timely and actionable information that will directly reduce the prevalence of damaging ransomware incidents affecting American organizations."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA Trials Ransomware Warning System for Critical Infrastructure Orgs

One researcher thinks trust is broken in AD. Microsoft disagrees that there's a security vulnerability. But enterprise IT environments should be aware of an authentication gap either way.

An access control gap in Microsoft's Active Directory (AD) service may allow users within Windows environments to access domains beyond those for which they are authenticated, all while IT admins are none the wiser.

AD, Microsoft's catchall identity management service for authenticating computers, printers, users, or really anything participating in an IT environment, is built into most Windows domain-type networks. Tens of thousands of organizations use the service, including 90% of Global Fortune 1000 companies, according to Frost & Sullivan.

Network administrators use AD to manage authentication across a domain, ensuring that intended users — _only_ intended users — can access the resources they're allotted — _only_ those they're allotted.

In a report published March 14, however, Charlie Clark, security researcher at Semperis, detailed how a user can escape the guardrails within AD, and access domains for which they were not explicitly granted permission.

"It massively increases the attack surface for an attacker," he explains, "and obviously, the larger the attack surface, the more likely it is that an attacker can find an exploitable bug."

**MSFT AD's "Transitive Trust" Problem**

According to the transitive property of mathematics, if a = b and b = c, then a = c.

In AD, if domain A connects to domain B, and domain B connects to domain C, domains A and C may or may not be able to access one another, depending on whether they share a "transitive trust." As stated in Microsoft's documentation, "transitivity determines whether a trust can be extended outside of the two domains with which it was formed."

Two domains belonging to two different organizations might bear an "external trust" — a form of trust that's set up manually in AD, which is nontransitive. However, herein lies the issue that Clark found: that external trust can be used by one company to access sister domains within the same group (what Microsoft calls a "forest") as the second, for which no official external trust has been established, Clark says.

"If what we thought about non-transitive trusts were true," Clark explains, an authenticated user from one domain would "only be able to target the specific domain they've got a trust with. They wouldn't be able to move around the forest to other domains."

Instead, "any account within the trusted domain will be able to authenticate against any domain within the entire forest in which the trusting domain resides," he wrote in his analysis.

A malicious user who figures out how to burrow around a forest at will can access resources, reach accounts, and find data they otherwise should not.

"It allows an attacker to have a much larger attack surface from any low-privileged account on a trusted domain," Clark reasons, because "if you manage to take over a single domain within a forest, it's very easy to take over the whole forest."

Clark first reported his findings to Microsoft on May 4, 2022. On Sept. 29, Microsoft wrote in an email that "we have determined that this submission does not meet the definition of a security vulnerability for servicing. This report does not appear to identify a weakness in a Microsoft product or service that would enable an attacker to compromise the integrity, availability, or confidentiality of a Microsoft offering." With that, the company closed the case.

“We provide many mechanisms for limiting resource access when using external trusts in a forest trust environment," a Microsoft spokesperson explained. "For example, by applying an authentication policy to resources at any granularity to allow or deny authentication based on any security descriptor. Customers can also set a deny-by-default posture which only allows those users to authenticate to accounts where the user has the allowed-to-authenticate right. We are continuously researching ways to improve security for future releases. More information is available in our authentication policy documentation.”

**Why Trust Matters**

Clark worked as a systems administrator for over 15 years, and a pen tester for six. "Every medium to large business or infrastructure that I've worked with has had external trusts," he claims. By that logic, most of AD's clients are likely at risk right now, he alleges, if additional protections haven't been put in place.

Microsoft's recommendations aside, to protect against this form of access control abuse, Clark recommends that admins remove all external trusts. If this is not possible, then monitoring which users are accessing what is the next best thing.

The most important thing, in the end, is awareness. Otherwise, admins may fall prey to a false sense of security. They "can see that a trusted domain is a higher risk. So they may apply greater security to that domain," Clark explains, but "they might not apply the same level of security to the rest of the domains within the forest," despite the similar risk.

"I think the main thing is to make system admins aware that this is possible," Clark concludes. By knowing this, "they can harden the rest of the domain sufficiently."

Access Control Gap in Microsoft Active Directory Widens Enterprise Attack Surface

Organizations need to take steps now to strengthen their cyber defenses.

Anxiety over an artificial intelligence tool called ChatGPT is spreading across a wide range of sectors, from education to business to cybersecurity circles. Numerous articles have shown ChatGPT's efficiency in creating phishing emails, as well as passing medical and business school tests. Its ability to write, speak, and answer queries across a wide range of subjects as competently as many humans do, as well as its ability to find vulnerabilities in computer systems, has raised legitimate concerns over how it may be used to create effective phishing campaigns on a large scale.

While today it's a toy, a parlor trick that people take out to show how much AI has improved, businesses and government institutions should be worried about what's going to happen in two to five years, as AI models continue to improve and bad actors take advantage of what it can do. Organizations need to take steps now to strengthen their cyber defenses, against both current threats and what's lurking around the corner.

**AI's Versatility Creates Risks**

ChatGPT, created by OpenAI, has been available for queries since November 2022, in an open-ended beta testing period. OpenAI, a research and deployment company that pursues innovations in AI, says it created the chatbot to interact in a conversational way, study user feedback, and learn its own strengths and weaknesses. It's been used to explore scientific subjects, help write a poem or a song, and even apply for a job. ChatGPT does make mistakes. The coding platform StackOverflow temporarily banned ChatGPT because its answers to questions were often incorrect, deciding that posting those answers would be "substantially harmful" to StackOverflow users. But it is learning and improving.

**The Next Stage of AI Threats**

The most immediate cybersecurity concerns over ChatGPT are that it can give neophyte cyberattackers the ability to write phishing emails, exploit buffer overflows, and carry out other basic cyberattacks. But in a few years, these threats will become much more serious.

AI tools will make it easier for malicious insiders or cybercriminals who gained brokered access to engineer and manipulate intracompany dialogue, sending precisely targeted phishing emails that look like legitimate requests from a person inside the company.

**What Businesses Can Do to Protect Themselves**

There are several steps businesses can take to adopt a security-first culture and protect themselves from the kind of threats AI poses, now and in the future:

1.  **Make sure the business leans toward skepticism.** People at every level of a company should question what they see in email or any other communication channels. Phishing is so pervasive because it has so often worked, accounting for 73% of social engineering attacks in North America, according to Verizon's "2022 Data Breach Investigations Report." Employees should be trained to look at any email, Slack invitation, or other communication with a critical eye. They need to be aware of the signs that it's fraudulent.
2.  **Deliver continuous, real-time cybersecurity training.** Almost every organization has a cybersecurity training program that their employees must take annually. Given the number of breaches we've seen based on phishing attacks, it's clear this is not enough. Organizations need to help employees identify phishing attacks in real-time, pointing out as it happens when employees click on fraudulent links or download privileged information onto a thumb drive. For the sake of productivity, employees try to find workarounds, and cybersecurity training needs to happen in the moment to remind employees why protocols are there in the first place.
3.  **Establish some Internet borders to reduce unnecessary use.** Workplaces already do this to some extent, such as by blocking offensive websites or forbidding Internet use that could put company data in jeopardy. If they have not done it already, businesses can establish a written policy detailing acceptable and forbidden Internet use. Programs are available that will limit Internet use to approved websites, and routers can be used to block sites. Tracking and logging Internet use also can act as a deterrent.
4.  **Improve corporate security policies and actually enforce them.** Security transformation does not happen in days. It happens over months and years, requiring a cultural change in how everyone in the organization thinks about cybersecurity. The best practices in security today can be effective, but only if fully implemented and followed. As with other security steps, businesses should communicate consistently about security, reminding staff of what's expected from them.
5.  **Question current standard practices.** One of the most common explanations used in IT has always been, "We've always done it that way." This is the worst explanation possible for any security practice. An essential component of a security-minded culture is a willingness to change processes and implement new tools to keep up with the ever-changing cyber threat landscape. Be ready to consider more secure and efficient modes of cybersecurity protocol.

**Building a Culture Around Security**

Many organizations begin to see greater success against advanced AI threats when they empower their workforce, which begins with strengthening communication between IT, HR, security teams, and employees about anything and everything concerning risk, data privacy, Internet use, and more. In today's threat environment, security is everyone's responsibility.

How Businesses Can Get Ready for AI-Powered Security Threats

Organizations must educate themselves and their users on how to detect, disrupt, and defend against the increasing volume of online disinformation.

More and more, nation-states are leveraging sophisticated cyber influence campaigns and digital propaganda to sway public opinion. Their goal? To decrease trust, increase polarization, and undermine democracies around the world.

In particular, synthetic media is becoming more commonplace thanks to an increase in tools that easily create and disseminate realistic artificial images, videos, and audio. This technology is advancing so quickly that soon anyone will be able to create a synthetic video of anyone saying or doing anything the creator wants. According to Sentinel, there was a 900% year-over-year increase in the proliferation of deepfakes in 2020.

It's up to organizations to protect against these cyber influence operations. But strategies are available for organizations to detect, disrupt, deter, and defend against online propaganda. Read on to learn more.

**Building a Cyber Influence Campaign**

Cyber influence operations have three main stages. They begin with prepositioning, which is when nation-state actors first introduce their propaganda or false narratives to the general public — whether using the Internet or through making it part of breaking world news. These false Internet narratives are especially harmful because they can lend credence to subsequent references.

Next is the launch phase. This involves foreign entities creating a coordinated campaign to spread their narrative through government-influenced media outlets and social channels. Then comes the amplification phase in which nation-state-controlled media and proxies amplify false narratives to targeted audiences.

The corruption doesn't end there. Cyber influence campaigns can lead to market manipulation, payment fraud, vishing, impersonations, brand damage, and botnets, to name a few. But the greater threat is to our collective sense of trust and authenticity. The growing use of artificial media means that any compromising or undesirable image, audio, or video of a public or private figure can be dismissed as fake — even when it's legitimate.

**How Organizations Can Protect Themselves**

As technology advances, tools that have traditionally been used in cyberattacks are now being applied to cyber influence operations. Nation-states have also begun collaborating to amplify each other's fake content.

These trends point to a need for greater consumer education on how to accurately identify foreign influence operations and avoid engaging with them. We believe the best way to promote this education is to increase collaboration between the federal government, the private sector, and end users in business and personal contexts.

There are four key ways to ensure the effectiveness of such training and education. First, we must be able to detect foreign cyber influence operations. No individual organization will be able to do this on its own. Instead, we will need the support of academic institutions, nonprofit organizations, and other entities to better analyze and report on cyber influence operations.

Next, defenses must be strengthened to account for the challenges and opportunities that technology has created for the world's democracies — especially when it comes to the disruption of independent journalism, local news, and information accuracy.

Another element in combating this widespread deception is radical transparency. We recommend increasing both the volume and dissemination of geopolitical analysis, reporting, and threat intelligence to better inform effective responses and protection.

Finally, there have to be consequences when nation-states violate international rules. While it often falls on state, local, and federal governments to enforce these penalties, multistakeholder action can be leveraged to strengthen and extend international norms. For example, Microsoft recently signed onto the European Commission's Code of Practice on Disinformation along with more than 30 online businesses to collectively tackle this growing challenge. Governments can build on these norms and laws to advance accountability.

Ultimately, threat actors are only going to continue getting better at evading detection and influencing public opinion. The latest nation-state threats and emerging trends show that threat actors will keep evolving their tactics. However, there are things organizations can do to improve their defenses. We just need to create holistic policies that public and private entities alike can use to combat digital propaganda and protect our collective operations against false narratives.

Source

DARKReading