Third annual report identifies top security gaps and challenges for organizations operating in the cloud.

**SANTA** **CLARA,** **Calif.****,** **March** **7,** **2023** **/PRNewswire/** **\--** Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today published its 2023 State of Cloud-Native Security Report. The report surveyed more than 2,500 C-level executives around the world to better understand their cloud adoption strategies, and how those strategies are working.

With organizations of all sizes moving more of their operations to the cloud, a majority are struggling to automate cloud security and mitigate risks. It's one reason why many companies are trying to improve security earlier in the development process, and looking for fewer vendors that can offer more security capabilities.

**Cloud Use Has Grown, Along With Security Concerns -** The expansion of hybrid work during the pandemic drove organizations to expand their use of clouds by more than 25%. As a result, DevOps teams are being pressed to deliver production code at warp speed — making application security more complex, and putting pressure on security organizations to keep pace.

**Most Organizations are Slow to Detect and Respond to Threats** \- 90% of organizations we surveyed said they cannot detect, contain and resolve cyber threats within an hour. Bad actors are working just as fast as developers to take advantage of organizations' vulnerabilities. What could go wrong often does go wrong and any cloud asset that is inadvertently exposed to the internet can be compromised within minutes. Detecting threats in real-time represents the new frontier of cloud security.

**Teams Don't Understand Their Security Responsibilities** - When asked about the challenges of moving to the cloud, respondents' top concerns remained unchanged from our 2020 report: struggles with comprehensive security, compliance, and technical complexity. A large majority (78%) of organizations said they have distributed responsibility for cloud security to individual teams, but almost half (47%) said a majority of their workforce does not understand their security responsibilities.

**A Greater Need for Code-to-Cloud Security -** As more applications are being built in the cloud using off-the-shelf software, there's a risk that any vulnerability in the development process could compromise an entire application later on. That's why more companies are encouraging a deeper level of engagement between application developers and security tools and teams — with 81% of respondents saying they have embedded security professionals inside their DevOps teams.

"With three out of four organizations deploying new or updated code to production weekly, and almost 40% committing new code daily, no one can afford to overlook the security of cloud workloads," said Ankur Shah, senior vice president, Prisma Cloud, Palo Alto Networks. "As cloud adoption and expansion continues, organizations need to adopt a platform approach that secures applications from code to cloud across multicloud environments."

**Moving Towards Consolidation** \- Three quarters of the leaders we surveyed say they struggle to identify which security tools are necessary to achieve their objectives. This has led many of them to implement numerous single point solutions — with the average organization using more than 30 security tools, including six to 10 dedicated to cloud security.

The sheer number of security tools makes it difficult for leaders to have in-depth visibility into their entire cloud portfolio. 76% of survey respondents reported that using multiple security tools creates blind spots that affect their ability to prioritize risk and prevent threats. And 80% said they would benefit from a centralized security solution that sits across all of their cloud accounts and services.

**A Clear Path Forward -** Despite the upheaval caused by the pandemic, organizations have mostly been able to succeed in their cloud expansions — and organizations that made cloud infrastructure a strategic focus across the business were generally more successful. This makes cloud security a clear enabler of business outcomes.

Of course better security does not guarantee success. But having security under control — consolidating tools and vendors and using proven DevSecOps and security automation strategies — lets development teams do their jobs better and gives organizations the tools they need to succeed.

**About the Survey**

This survey was administered online by Palo Alto Networks, and data was gathered from November 21, 2022, to December 14, 2022. Respondents were surveyed from across the globe, spanning the U.S., Australia, Germany, the UK, Singapore and Japan. Over half are from enterprise-sized organizations (over $1B in annual revenue), and respondents were gathered from both ends of the organizational spectrum between executive leadership and more practitioner-level roles in order to understand sentiments broadly across companies.

**Additional Resources**

*   Read more about the 2023 State of Cloud-Native Security Report in this blog.
*   Watch the State of Cloud-Native Security Report Webinar on demand.
*   Find out more about Prisma Cloud here.
*   Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021 and 2022), Comparably Best Companies for Diversity (2021), and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Prisma, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in_ the United States _and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

SOURCE Palo Alto Networks, Inc.

Palo Alto Survey Reveals 90% of Organizations Cannot Resolve Cyberthreats Within an Hour

Attackers use phishing emails that appear to come from reputable organizations, dropping the payload using public cloud servers and an old Windows UAC bypass technique.

A phishing campaign targeting organizations in Eastern Europe is leveraging an old Windows User Account Control (UAC) bypass technique to drop the Remcos remote access Trojan (RAT), to perform cyber espionage across the region, researchers have found.

The campaign uses emails that appear to come from legitimate and highly regarded institutions in the targeted country to lure victims, researchers from SentinelOne revealed in a recent blog post. If successful in getting users to click on a malicious link, attackers leverage the DBatLoader malware loader, which abuses a technique identified more than two years ago to set up mock trusted folders to bypass Windows UAC and drop the RAT, the researchers said.

DBatLoader is known for using public cloud infrastructure to host its malware staging component, the SentinelOne researchers said. In the case of this campaign, they have observed download links to Microsoft OneDrive and Google Drive sites that have been used for this purpose, one of which was active for more than a month, they said.

"When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from a public cloud location," SentinelOne senior threat researcher Aleksandar Milenkoski wrote in the post.

The executable in this case is the Remcos RAT, a malware that threat actors with cybercriminal and espionage motivations widely use to take over computers and collect keystrokes, audio, video, screenshots, and system information as well as deliver other malware, the researchers noted.

Indeed, the campaign observed by SentinelOne is likely linked to reports by the Ukrainian CERT of "phishing campaigns targeting Ukrainian state institutions for espionage purposes using password-protected archives as email attachments," which also deliver the RAT, Milenkoski wrote.

**Reputation-Based Phishing Lures**

Rather than use socially engineered messages in the campaign, attackers rely solely on the reputations of the purported organizations from which the messages are sent to trick victims into taking the bait, the SentinelOne researchers said.

In fact, the messages generally contain no text at all but merely the malicious attachment, they said. In the cases that the messages do include text, it's written in the language of the target’s country, the researchers added. Further, attackers typically send the emails to the sales departments of the targets or publicly available contact email addresses for the organizations. The emails include attachments in the form of tar.lzarchives that typically masquerade as financial documents, such as invoices or tender documentation that appear to originate from institutions or business organizations related to the target. Some attachments purport to be Microsoft Office, LibreOffice, or PDF documents and use double extensions and/or application icons to fool victims.

"Many of the phishing emails we observed have been sent from email accounts with top-level domains of the same country as where the target is based," Milenkoski wrote.

"We observed emails sent from what seems to be compromised private email accounts and accounts from public email services that are also used by the targets and the legitimate institutions or organizations, which are supposedly sending the email," Milenkoski added.

**Abusing Windows UAC Bypass**

When a user decompresses the attachment and runs the executable within, DBatLoader downloads and executes an obfuscated second-stage payload data from an aforementioned public cloud location, which then creates and executes an initial Windows batch script in the %Public%\\Libraries directory, the researchers said.

This script abuses a previously identified method for bypassing Windows UAC that involves the creation of mock trusted directories, such as %SystemRoot%\\System32; this allows attackers to conduct activities with elevated privileges without alerting users, the researchers said. Security researcher Daniel Gebert discovered and subsequently revealed the UAC bypass in a July 2020 post on his security blog.

The bypass occurs through a combination of the mock trusted directories and DLL hijacking, which together cause Windows to automatically elevate the process without issuing an UAC prompt, Milenkoski wrote.

The resulting bypass allows DBatLoader to establish persistence across system reboots, by copying itself in the %Public%\\Libraries directory and creating an autorun registry key that points to an Internet Shortcut file, he explained in the post. This executes the DBatLoader executable in the mock directory, which in turn executes the Remcos RAT through process injection.

Researchers observed a wide variety of Remcos RAT configurations on victim systems, most of which were configured for keylogging and screenshot-theft capabilities, "as well as 'duckdns' dynamic DNS domains for command-and-control purposes," Milenkoski wrote.

**Reducing Cyber-Risk & Avoiding Compromise**

Researchers made a number of recommendations to security administrators to dodge the campaign, particularly given its use of DBatLoader coming through on the public cloud.

First and foremost, they advised vigilance against malicious network requests to public cloud instances, noting that attackers' use of public cloud infrastructure for hosting malware is an attempt to make network traffic for malware delivery look legitimate and thus harder for organizations to detect. "This tactic is popular amongst cybercriminals and espionage threat actors," Milenkoski observed.

Researchers also recommended that administrators monitor for suspicious file creation activities in the %Public%\\Library directory, and process-execution activities that involve filesystem paths with trailing spaces, especially \\Windows \\. "The latter is a reliable indicator of malware attempting to bypass Windows UAC by abusing mock trusted directories, such as %SystemRoot%\\System32," Milenkoski wrote.

Another tactic for avoiding compromise that administrators should consider is configuring Windows UAC to "always notify," which will always alert users when a program attempts to make changes to computers across a business network, he added.

Researchers also enforced general advice for avoiding phishing compromise in any form by ensuring that administrators and employees alike are aware of what malicious emails look like and how to avoid engaging with them.

Remcos RAT Spyware Scurries Into Machines via Cloud Servers

**REDWOOD CITY, Calif.****,** **March 7, 2023** **/PRNewswire/ --** Delinea, a leading provider of Privileged Access Management (PAM) solutions for seamless security, today announced new features for its Privilege Manager and DevOps Secrets Vault products. Updates to both products make it more seamless to implement the controls frequently required to secure or renew cyber insurance policies.

Enhancements to Privilege Manager, Delinea's solution for managing privileged access on workstations, focus on policies for Windows Store applications and updates for MacOS Ventura. The latest version of DevOps Secrets Vault, Delinea's high-speed vault for DevOps and DevSecOps teams, makes it easier for developers to install the Command Line Interface (CLI) in their favorite coding console while also providing their own encryption keys.

According to a recent Delinea survey, almost 80% of respondents indicate that they have already used their cyber insurance policies, and only 40% met PAM requirements when they applied for their policies. Credentials hard-coded in applications are a vulnerability that can be exploited, potentially leading to claims that may not be supported when less than 50% of survey respondents' policies cover data recovery. Furthermore, the survey revealed that ransomware attacks often start on workstations, and over 70% of policies will not cover ransomware payments.

**Stronger privilege controls on Windows and Macs**

The latest version of Privilege Manager allows administrators to build policies for applications installed from the Windows Store and other Universal Windows Platform applications, defining which applications are not allowed to run. Enhancements to the native MacOS agent ensure that users on MacOS Ventura have consistent application controls. Both updates make installing ransomware on Windows and Mac workstations more difficult, including those running the latest operating systems from Microsoft and Apple. Other updates include enhancements to the UI that highlight the number of workstations impacted by policy changes and management of certificate credentials.

**Streamlined credential management in the most popular coding consoles**

New CLI installers for DevOps Secrets Vault allow developers to run a native command in their environment to install and begin dynamically injecting credentials into their applications. CLI installers are supported for several of the most popular coding consoles – HomeBrew, PowerShell, Aqua, Curl, Snap, and Scoop. Enhancements to the Command Line Interface allow developers to configure and use their own encryption keys to provide even stronger security. Additional enhancements include new flags to the rest API and CLI for more easily searching objects, and an improved "break glass" security function.

"Our customers increasingly approach us with more stringent cyber insurance requirements, often necessitating more modern Privileged Access Management controls," said Phil Calvin, Chief Product Officer at Delinea. "We continuously focus on making it less complicated to implement privileged access policies, and these two product releases make PAM more seamless for both workstations and coded credentials."

Organizations can start a free trial of the latest versions of Privilege Manager at https://delinea.com/products/privilege-manager and DevOps Secrets Vault at https://delinea.com/products/devops-secrets-management-vault.

**About Delinea**

Delinea is a leading provider of privileged access management (PAM) solutions that make security seamless for the modern, hybrid enterprise. Our solutions empower organizations to secure critical data, devices, code, and cloud infrastructure to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter, and YouTube.

Delinea Adds New features for its Privilege Manager and DevOps Secrets Vault

The strategy document does nothing to change things on the ground in the near term; legislation, regulation, and follow-up executive action are all going to be key to moving forward the administration's agenda.

The Biden administration's plans to introduce minimum cybersecurity requirements for organizations in critical infrastructure sectors could face challenges in a divided Congress.

That said, many other proposals in the president's broad new National Cybersecurity Strategy, announced March 2, could be relatively easier to implement, even though some of them might have to be via executive fiat, several former government officials and security experts said.

**Much Needed Updating**

"President Biden's National Cybersecurity Strategy will drive a much-needed updating of the United States' cyber-social contract," a senior administration official tells Dark Reading. "That includes both immediate initiatives that build on the administration's executive actions to drive critical infrastructure cybersecurity, as well as an ambitious, long-term vision that will require legislative, regulatory, and technological innovations over the next several years."

The strategy represents a commitment by federal agencies to pursue those innovations and to collaborate with industry to meet objectives, the official says, and continues "our longtime, critical partnership with Congress in developing bipartisan cybersecurity policy."

The key focus areas for Biden's strategy for building US resilience in cyberspace are: critical infrastructure defense, disrupting threat actors, and using the government's purchasing clout and other mechanisms to influence better cybersecurity practices in the public and private sector. The plan also proposes new federal investment in cybersecurity research and development, building a digital identity ecosystem, and focusing on foundational Internet technologies such as the Domain Name System and IPv6.

Individual components of the strategy include mandatory minimum cybersecurity requirements for critical infrastructure, a proposal to make software vendors liable for the security of their products, and services and scaling existing public and private partnerships.

**What's Next for the National Cybersecurity Strategy?**

For the moment, at least, the strategy document does nothing to change things on the ground. Legislation, regulation, and follow-up executive action are all going to be key to moving forward the administration's agenda, says Jordan Burris, senior vice president and head of public sector strategy at Socure. 

"Specifically, we will see this play out in regulation for critical infrastructure sectors to set minimum requirements for cybersecurity," says Burris, former chief of staff at the White House Office of Management and Budget. Legislation will also play a role in ensuring that resources are available for some of the new requirements in the strategy for agencies and other stakeholders.

"Cybersecurity has always been viewed as a non-partisan issue in Washington, DC," Burris says. "However, it is critical that as the administration continues to roll out its plans, that it works with both sides of the aisle to make progress." 

This is going to be especially key when calling on Congress to invest in cybersecurity capabilities across agencies, he says, "Unfortunately, there are many proposals that administrations have advocated for that have obtained little to no traction in the halls of Congress."

Ideally, Biden's plans should receive bipartisan applause and action for his proposals, says Theresa Payton, CEO at Fortalice Solutions and a former CIO at the Executive Office of the President at the White House. "But I've been around long enough to understand the political atmosphere in Washington right now is just short of toxic," she says. "So, finding common ground on these critically important issues is going to be difficult," she adds.

Like Burris, Payton notes that for now, the new strategy provides a road map for the administration's cybersecurity priorities more than anything else. Essentially, the strategy acknowledges the federal government's significant role in cybersecurity while also demanding a whole lot more from the private sector.

**The Biggest Congressional Sign-Off Challenges**

Garnering the support in Congress is going to be especially difficult when it comes to the regulatory component in Biden's strategy document, Payton says. While it is notable the administration is willing to wade into an area that other administrations have stayed away from, the regulatory question will be a tough sell on the Hill, given the pro-business/anti-regulation climate amongst the House majority. Even so, "I think in the aftermath of the SolarWinds breach and the Colonial Pipeline attack, it's an important and probably overdue dialogue that all public and private sector partners need to have," Payton says.

And the Biden administration's proposal to shift liability for software away from users to software vendors and publishers is almost certainly going to be another hard sell. There have been similar proposals in the past that have gone nowhere, and there's little to suggest the new plans will fare any differently.

One initial stumbling block is that software is still not a tangible product under the Uniform Commercial Code (UCC) in the US, explains John Pescatore, a former National Security Agency (NSA) analyst and current director of emerging security trends at the SANS Institute. Before discussions around legislative support for the liability-shifting proposal in Biden's new strategy can even begin, that issue needs resolution, Pescatore tells Dark Reading. 

"The UCC says software is not a tangible good and without that you cannot assign liability," he says. The lobbying power that tech giants have in Washington is only going to exacerbate the challenge, he notes.

Even so, the White House can also take unilateral action in many cases, according to Payton. "Nearly all areas of the strategy can be actionable whether if implemented as an executive order or as a law passed by Congress," Payton adds. "Given the divided nature of Congress, I would expect to see a series of executive orders coming from the White House in the weeks and months ahead."

**There Are Some Actionable Strategy Components**

While the biggest pieces of the plan remain unactionable for now, not all of the proposals in Biden's strategy are dependent on legislation and regulatory action. Perhaps the most important among this group, according to security experts, is the plan to use the federal government's purchasing power to get software vendors and others doing business with the government to follow cybersecurity best practices. 

A Biden May 2021 executive order already requires all federal contractors to produce a software bill of materials (SBOM) and other artifacts of secure software development practices to their federal agency customers. Last week's strategy seeks to scale up and build on those kinds of efforts and doing so will require no legislative support. The strategy document's proposal to bolster public-private information sharing and for dismantling threat actor infrastructure are two other areas that are also not dependent on Congress to move on.

And indeed, Burris perceives that the administration can also move things forward on that front by getting Sector Risk Management Agencies (SRMAs) to better coordinate with entities such as information sharing and analysis centers (ISACs), the US Cybersecurity and Infrastructure Agency (CISA), and bodies such as the Joint Cyber Defense Collaborative.

"Some of the strategy can be enacted by the executive branch under the direction of the White House," says Curtis Franklin, an analyst with Omdia. "These pieces are quite likely to be actionable and, once in place, binding and long-lasting." As examples, he points to proposals in the new strategy to integrate federal cybersecurity centers, to update the federal incident response plan and processes, and integrating federal disruption activities. 

"There's a lot in the document that is an extension of existing strategic items and those will have the easiest time moving forward," Franklin says. Nonetheless, he agrees that it's important to be realistic: "The pieces that would require legal or regulatory action are much more challenging, and some will never happen."

Key Proposals in Biden's Cybersecurity Strategy Face Congressional Challenges

The health, manufacturing, and energy sectors are the most vulnerable to ransomware.

National defense and security experts long predicted that future warfare would not be waged by firearms but with code designed to disable services people depend on for daily life.

In May 2021, security experts' worst fears came true, when a ransomware attack struck the Colonial Pipeline. Gas delivery to most of the US Northeast halted almost overnight. Although systems were eventually restored, the event still lives in infamy today and reminds us of the destructive potential cyberattacks can have when levied against critical infrastructure. Since then, similar infrastructure attacks have dominated headlines across most of the world and are increasingly carried out by non-state-sponsored actors.

In our "Q2/Q3 Ransomware Index Update," Securin (formerly Cyber Security Works) researchers mapped out the impact of ransomware on industrial control systems (ICS) deployed in critical infrastructure establishments. They identified the three most at-risk sectors: healthcare, energy, and manufacturing. Our researchers also examined 16 ransomware vulnerabilities and the bad actors who exploit them, such as Ryuk, Conti, WannaCry, and Petya. We have included a table at the end of the article with the full list of vulnerabilities and impacted vendors.

With each successful attack, ransomware groups grow bolder and target industries that can cause the most pain to exploit the crises for maximum extortion. Understanding the threat actors and their methods is the key to protecting critical industries and maintaining smooth operations.

    

Ransomware CVEs affecting ICS products yet to be included in the CISA KEVs (as on date of publishing the report).

**Healthcare**

Cybersecurity and Infrastructure Security Agency (CISA) advisories to healthcare providers come in the aftermath of ongoing attacks by ransomware groups such as Black Basta, Quantum, and MountLocker. The impact of unpatched critical vulnerabilities in this sector could be potentially life threatening.

Public health and healthcare systems are affected by the majority of vulnerabilities — nine out of the 16 identified — because they are dependent on other sectors for the continuity of their service delivery and operations. Philips Healthcare, a technology-based company that develops advanced visualization software for crucial imaging equipment, is the most affected vendor, clocking in eight vulnerabilities found in its IntelliSpace Portal 9.0. Vulnerabilities CVE-2017-0144 and CVE-2017-0147 should be patched immediately for their high ransomware family associations used in real-world attacks.

**Energy**

An attack on an energy provider can result in grid failure or inconsistent energy output to homes, commercial buildings, or other critical service providers. The energy sector is plagued by six vulnerabilities that organizations must watch, particularly those found in Schneider Electric's products.

CVE-2017-6032 and CVE-2017-6034 affect Schneider Electric's Modicon Modbus Protocol, an open communications standard that is used across critical infrastructure, which can lead to chain reaction attacks. However, vulnerabilities CVE-2019-18935 and CVE-2020-10713 found in Hitachi ABB Power Grid systems and Hitachi Energy Transformer Asset Performance Management (APM) Edge, respectively, pose just as much risk. They should be treated as serious by network security administrators.

**Manufacturing**

The critical manufacturing sector can be divided into four core subindustries: transportation equipment; machinery manufacturing; electrical equipment, appliance and component manufacturing; and primary metals manufacturing.

A quarter of the vulnerabilities included in our analysis affect vendors in the manufacturing sector, including Exacq Technologies, Sensormatic Electronics, and Schneider Electric.

**How to Stay Protected**

We encourage organizations to stay aware of vendor advisories of the products they utilize and take steps to organize vulnerability enumeration according to severity. Most of the vulnerabilities in this article take advantage of legacy setups comprising out-of-date software and, sometimes, unsupported end-of-life components. Here are key insights to keep your system and industry safe:

*   **Improper input validation** is the most prevalent weakness powering ICS ransomware CVEs. Proper input screening can prevent bad actors from infiltrating databases and locking admins out of the system.
*   **Six vulnerabilities** are missing from the CISA Known Exploited Vulnerability (KEV) catalog and should be patched: CVE-2018-5391, CVE-2018-10115, CVE-2017-6034, CVE-2017-6032, CVE-2017-7494, and CVE-2020-10713.
*   **Performing simulated** **penetration tests** of your systems can identify hidden entry points that criminals would otherwise use. Finding where you are most exposed can help set patch priorities and build defenses before attackers can leverage them.

The US economy depends on an interconnected infrastructure of energy, health, and manufacturing. Hospitals need the energy to function and render life-saving services, and oil and natural gas refineries deliver necessary fuel to power domestic manufacturing — it's a marvelous system to appreciate, but a rather precious one as well, and we should take steps to protect it.

CVE ID

Impacted Vendors

CVSS v3 Score

Action

CVE-2021-44228

Exacq Technologies, a subsidiary of Johnson Controls, Inc.; Sensormatic Electronics, LLC, a subsidiary of Johnson Controls Inc.

10

Vendor patch

CVE-2020-10713

Hitachi Energy

8.2

Vendor patch

CVE-2019-18935

Hitachi ABB Power Grids

9.8

Vendor patch

CVE-2019-0708

Spacelabs

9.8

Vendor patch

CVE-2018-5391

Siemens

7.5

Vendor patch

CVE-2018-10115

Philips

7.8

Update to latest version

CVE-2017-7494

Schneider Electric

9.8

Vendor advisory

CVE-2017-6034

Schneider Electric

9.8

ICS advisory

CVE-2017-6032

Schneider Electric

5.3

ICS advisory

CVE-2017-0199

Philips

7.8

Vendor patch

CVE-2017-0148

Philips

8.1

Vendor patch

CVE-2017-0147

Philips

5.9

Vendor patch

CVE-2017-0146

Philips

8.1

Vendor patch

CVE-2017-0145

Philips

8.1

Vendor patch

CVE-2017-0144

Philips

8.1

Vendor patch

CVE-2017-0143

Baxter, Philips

8.1

Vendor patch

Ransomware's Favorite Target: Critical Infrastructure and Its Industrial Control Systems

**DENVER****,** **March 7, 2023** **/PRNewswire/ --** Digitization and the heavy adoption of connected devices are enabling organizations to reach new heights and, at the same time, have intensified the threat landscape and extended the attack surface. As organizations work to reap the benefits of the IT, OT and industrial control system (ICS) convergence, Optiv, the cyber advisory and solutions leader, is helping businesses secure their critical hardware, systems and processes with a full suite of OT security advisory, deployment and management services.

Organizations need a path to mature their OT while also protecting what is most important to the business: safety, uptime and resiliency.

Optiv's OT cyber advisors hold nearly 130 combined years of on-the-ground ICS experience. They provide the foundation for identifying and quantifying risk with assessments, threat modeling, roadmapping, network validation, site walks and policy building.

"We're seeing organizations manage their production environment more effectively while improving their security posture. This has resulted in reduced downtime and increased output," said Sean Tufts, Optiv's OT security services leader. "New endpoints and data sources also create hidden vulnerabilities. Traditional network security struggles to map cyber risk, which puts an OT-driven facility's entire state of being on shaky ground. An impact to OT is an impact to the bottom line."

Optiv provides the necessary tools and services for organizations to gain control over protecting their crucial functions, SCADA systems and both company- and vendor-owned devices. Experts work closely with finely vetted technology partners on OT technology racking, stacking, tuning and integration.

In addition, OT/ICS clients can lift the operational burden from their in-house security teams, with Optiv customizing managed security services to their unique business needs. These might include real-time threat detection and response, platform patching, device maintenance and continuous technology configuration and optimization in OT alert triaging, technology management and Optiv's OT SOC and Advanced Fusion Center.

Whether it is mastering the fundamentals or building advanced capabilities, Optiv's OT cyber services are designed to help identify business-specific OT risks for an integrated approach that spans an organization's entire ecosystem.

Learn more about Optiv's OT Security Services with these resources:

*   Advise – Service Brief
*   Deploy – Service Brief
*   Operate – Service Brief

For the latest news and updates from Optiv, visit https://www.optiv.com/newsroom/. 

**Optiv Security: Secure greatness.®**

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

Optiv Launches Full Suite of Operational Technology Services

Securin Inc. will provide tech-enabled security solutions, vulnerability
intelligence and deep domain expertise.

**ALBUQUERQUE, N.M., March 7, 2023 /PRNewswire-PRWeb/ --** Cyber Security Works Inc., a leading security company, today announced that it is rebranding as  
Securin Inc. due to the evolution of its service capabilities and offerings.  
Under the new identity, it will provide tech-enabled security solutions to  
continuously improve customers' security posture and help them gain resilience  
against evolving threats.

CSW offers flagship services such as vulnerability management and penetration  
testing to customers around the globe. In 2020, CSW became a CVE Numbering  
Authority (CNA) to help the Department of Homeland Security (DHS) and MITRE  
validate newly discovered zero-day vulnerabilities.  

In 2022, CSW acquired Securin, an automated platform with solutions such as  
attack surface management (ASM) and vulnerability intelligence (VI). Since its  
launch, Securin ASM has been providing many leading tech companies with an  
outside-in view of their expanding attack surface from an adversary's  
perspective and helping them to prioritize and remediate their most dangerous  
exposures. Securin VI offers an entire spectrum of vulnerability intelligence  
powered by 700+ authentic intelligence feeds that continuously measure a  
vulnerability's risk. Through its artificial intelligence (AI) & machine  
learning (ML) models, Securin's VI platform warns its customers about  
vulnerabilities that will likely be exploited soon, enabling them to prioritize  
and patch proactively.  

After this rebrand, Securin will combine its offerings to provide customers with  
a comprehensive suite of security solutions such as ASM, VI, Vulnerability  
Management, and Penetration Testing to level up their security. Securin has  
grown to 250+ employees globally and will continue to operate from its offices  
in Albuquerque, New Mexico and Chennai, India.  

Ram Movva, Co-Founder and Chairman of Securin, said, "In the past few years, we  
have added many new capabilities to our offerings. With the shifting  
cybersecurity landscape and evolving threats, it is critical to implement tools  
and solutions that can provide actionable and timely intelligence to prevent  
cybersecurity breaches before they happen. As we forge ahead, we want to become a tech-enabled solution organization focused on increasing the security posture of our customers through our suite of offerings. We believe Securin, as our  
overall brand name, embodies our vision to secure organizations to build  
resilience against emerging threats."  

Expanding on Movva's comments, Aaron Sandeen, CEO of Securin, said, "We are very excited to rebrand as Securin. CSW has seen amazing growth in the past two years and evolved beyond recognition. We have been providing our customers with a full suite of capabilities, such as vulnerability management and penetration testing, bundled with ASM & VI. Rebranding into Securin is the next step in our business evolution, which will enable us to focus on our vision to improve security posture and reduce the attack surface of our customers."  

Sandeen added, "By combining our services - vulnerability management and  
penetration testing with products like Securin ASM and Securin VI, we will be  
offering customers a powerful suite of solutions that will manage and shrink  
their expanding attack surface and also keep them a step ahead of the bad guys."  
After the rebrand, Securin will continue to act as a CVE Numbering Authority  
(CNA) and help MITRE validate zero days and expedite their entry in the National  
Vulnerability Database (NVD).  
To learn more, visit http://www.securin.io.**About Securin**  
Securin is a leading provider of tech-enabled cybersecurity services, helping  
hundreds of customers worldwide gain resilience against emerging threats.  
Powered by accurate vulnerability intelligence, human expertise, and automation,  
its products and services have enabled enterprises to make critical security  
decisions to manage their expanding attack surface.

Cyber Security Works to Rebrand As Securin Inc.

The third iteration of the Exploit Prediction Scoring System (EPSS) performs 82% better than previous versions, giving companies a better tool for evaluating vulnerabilities and prioritizing patching.

A public effort to create a way of predicting the exploitation of vulnerabilities announced a new machine learning model that improves its prediction capabilities by 82%, a significant boost, according to the team of researchers behind the project. Organizations can access the model, which will go live on Mar. 7, via an API to identify the highest scoring software flaws at any moment in time.

The third version of the Exploit Prediction Scoring System (EPSS) uses more than 1,400 features — such as the age of the vulnerability, whether it is remotely exploitable, and whether a specific vendor is affected — to successfully predict which software issues will be exploited in the next 30 days. Security teams that prioritize vulnerability remediation based on the scoring system could reduce their remediation workload to an eighth of the effort by using the latest version of the Common Vulnerability Scoring System (CVSS), according to a paper on EPSS version 3 published to arXiv last week.

EPSS can be used as a tool to reduce workloads on security teams, while enabling companies to remediate the vulnerabilities that represent the most risk, says Jay Jacobs, chief data scientist at Cyentia Institute and first author on the paper.

"Companies can look at the top end of the list of scores and start to work their way down — factoring in ... asset importance, criticality, location, compensating controls — and remediate what they can," he says. "If it's really high, maybe they do want to bump it into critical — let's fix it in the next five days."

The EPSS is designed to address two problems that security teams face on a daily basis: keeping up with the increasing number of software vulnerabilities disclosed every year, and determining which vulnerabilities represent the most risk. In 2022, for example, more than 25,000 vulnerabilities were reported into the Common Vulnerabilities and Exposure (CVE) database maintained by MITRE, according to the National Vulnerability Database.

    

EPSS version 3 (red line) performs much better than previous versions. Source: Jacobs, Jay et al., "Enhancing Vulnerability Prioritization."

Work on EPSS started at Cyentia, but now a group of about 170 security practitioners has formed a Special Interest Group (SIG) as part of the Forum of Incident Response and Security Teams (FIRST) to continue to develop the model. Other research teams have developed alternative machine learning models, such as Expected Exploitability.

Previous measures of the risk represented by a particular vulnerability — typically, the Common Vulnerability Scoring System (CVSS) — do not work well, says Sasha Romanosky, a senior policy researcher at the RAND Corporation, a public-policy think tank and co-chair of the EPSS Special Interest Group.

"While CVSS is useful for capturing the impact \[or\] severity of a vuln, it's not a useful measure of threat — we've fundamentally lacked that capability as an industry, and this is the gap that EPSS seeks to fill," he says. "The good news is that as we integrate more exploit data from more vendors, our scores will get better and better."

**Connecting Disparate Data**

The Exploit Prediction Scoring System connects a variety of data from third parties, including information from software maintainers, code from exploit databases, and exploit events submitted by security firms. By connecting all of these events through a common identifier for each vulnerability — the CVE — a machine learning model can learn the factors that could indicate whether the flaw will be exploited. For example, whether the vulnerability allows code execution, whether instructions on how to exploit the vulnerability have been published to any of three major exploit databases, and how many references are mentioned in the CVE are all factors that can be used to predict whether a vulnerability will be exploited.

The model behind the EPSS has grown more complex over time. The first iteration only had 16 variables and reduced the effort by 44%, compared to 58%, if vulnerabilities were evaluated with the Common Vulnerability Scoring System (CVSS) and considered critical (7 or higher on the 10-point scale). EPSS version 2 greatly expanded the number of variables to more than 1,100. The latest version added about 300 more.

The prediction model carries tradeoffs — for example, between how many exploitable vulnerabilities it catches and the rate of false positives — but overall is pretty efficient, says Rand's Romanosky.

"While no solution is perfectly able to tell you which vulnerability will be exploited next, I’d like to think that EPSS is a step in the right direction," he says.

**Significant Improvement**

Overall, by adding features and improving the machine learning model, the researchers improved the performance of the scoring system by 82%, as measured by the area under curve (AUC) plotting precision versus recall — also known as coverage versus efficiency. The model currently accounts for a 0.779 AUC, which is 82% better than the second EPSS version, which had a 0.429 AUC. An AUC of 1.0 would be a perfect prediction model.

Using the latest version of the EPSS, a company that wanted to catch more than 82% of exploited vulnerabilities would only have to mitigate about 7.3% of all vulnerabilities assigned a Common Vulnerabilities and Exposures (CVE) identifier, much less than the 58% of the CVEs that would have to be remediated using the CVSS.

The model is available through an API on the FIRST site, allowing companies to get the score of a particular vulnerability or to retrieve the highest scoring software flaws at any moment in time. Yet companies will need more information to determine the best priority for their remediation efforts, says Cyentia's Jacobs.

"The data is free, so you can go get the EPSS scores, and you can go grab daily dumps of that, but the challenge is when you put it into practice," he says. "Exploitability is only one factor of everything that you need to consider, and the other things, we can't measure."

Machine Learning Improves Prediction of Exploited Vulnerabilities

The Android app unnecessarily accessed clipboard device contents, which often includes passwords and other sensitive data.

A version of the Shein shopping application in the Google Play store with more than 100 million downloads was unnecessarily accessing Android-device clipboard contents, creating a potential security threat, according to Microsoft.

The software giant said in a blog post from Microsoft Threat Intelligence that it asked Shein to remove the feature from its Android app that accessed user clipboards, and the company complied. However, users need to update their apps to be free from danger. 

From passwords to account numbers, and auto-fill information of all kinds, device clipboards can contain a treasure trove of sensitive data.

"Microsoft discovered that an old version of the Shein Android application periodically read the contents of the Android device clipboard and, if a particular pattern was present, sent the contents of the clipboard to a remote server," the Microsoft blog post said. "While we are not specifically aware of any malicious intent behind the behavior, we assessed that this behavior was not necessary for users to perform their tasks on the app."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Shein Shopping App Glitch Copies Android Clipboard Contents

This is the latest in a line of law-enforcement actions busting up the ransomware scene.

On Feb. 28, multiple police forces carried out a coordinated action against two suspected members of the cybercrime gang behind the DoppelPaymer ransomware.

These latest raids, revealed on March 6 by Europol, follow a series of other law enforcement campaigns against prominent ransomware groups in recent years. "We've seen an increase in the velocity of law enforcement and government action against actors that are involved in ransomware or in the supporting ecosystem," Jeremy Kennelly, lead analyst in financial crime analysis for Mandiant, tells Dark Reading. "And that does, in aggregate, seem to be causing a bit of a chilling effect."

**Police Chip Away at DoppelPaymer**

DoppelPaymer is a 4-year-old ransomware derived from the BitPaymer ransomware and Dridex banking Trojan. Cybercriminals have used it to freeze corporations like Compal and Kia, sometimes demanding multimillion-dollar ransoms in the process. It has also been used in attacks against government agencies and critical infrastructure.

In September 2020, for example, DoppelPaymer cut off communications between emergency personnel and a Dusseldorf hospital. "At least one individual requiring emergency services was re-routed to a hospital 20 miles away," the FBI explained in a notice to the private sector. "This individual later died," though police "felt the individual’s health was poor and the patient likely would have died even if they had not been re-routed."

In a press release published March 6, Europol revealed that officers of the North Rhine-Westphalia Police raided the home of a German citizen "who is believed to have played a major role" in the group behind DoppelPaymer. At the same time, the agency noted that "despite the current extremely difficult security situation that Ukraine is currently facing due to the invasion by Russia," Ukrainian National Police officers interrogated a second suspected core member of the group, and searched two associated locations — one in Kiev and the other in Kharkiv.

In both cases, officers seized electronic equipment, which is currently under forensic examination. These coordinated actions were aided by Europol, the Dutch National Police Corps, and the FBI.

**Is Law Enforcement Having an Impact?**

Some of the darkest days in cybercrime history occurred in 2020 when, capitalizing on the COVID-19 pandemic, financially motivated cybercriminals ramped up their ransomware activity to never-before-seen levels. It "was hugely lucrative," Kennelly explains. "They just kept pressing that button, and money kept coming out of it." Worst of all, though, "their actions weren't getting disrupted, and people weren't getting arrested."

Eventually, the rampant attacks against hospitals, in particular, put an unignorable spotlight on the scourge of ransomware. Law enforcement responded, cracking down on some of the world's most prominent ransomware groups. For example, Hive has been thoroughly disrupted by a months-long campaign by the US Department of Justice, and REvil — once the scariest name in the game — was almost completely dismantled following coordinated arrests in Russia.

"Any one action won't completely stem the tide," Kennelly says, but "it's the aggregate result of pressure from all sides" that has caused a noticeable effect on the underground cybercrime economy.

"A lot of cyber-threat activity is still being monetized via ransomware," Kennelly explains, "but based on our own observations, and data from other data from public sources, it appears as though there has been an overall decline in the amount of ransomware activity globally."

By taking down infrastructure, removing key members of these groups, and intimidating those that remain, law enforcement is beginning to make a real impact on ransomware. But even these many good news stories only address a small fraction of the ecosystem at large. "It's still very prevalent," Kennelly warns. "So to say that ransomware is going away or that the criminal ecosystem is shifting away from it isn't reasonable."

Source

DARKReading