**SAN FRANCISCO****,** **Dec. 22, 2022** **/PRNewswire/ --** The global passwordless authentication market size is expected to reach USD 55.70 billion by 2030, growing at promising 18.2% CAGR, according to a new report by Grand View Research, Inc. Passwordless authentication is a security procedure that uses unique biological traits of a person to validate their authenticity.

**Key Industry Insights & Findings from the report:**

*   Growing investments in developed countries such as the U.S., Canada, Germany, France, and the U.K. for implementing passwordless authentication technology is a crucial factor driving the growth.
*   Fingerprint recognition and facial recognition provide various benefits. The increased security, accountability, convenience, and their non-transferable nature are crucial drivers for the growth.
*   The surge in e-commerce and internet banking, as well as legislations by various authorities such as central banks mandates large organizations to utilize robust authentication mechanisms to authenticate customers.
*   Multi-factor authentication protects clients from phishing attempts and fraudulent purchases and secures transactions.

Read 117-page market research report, "Passwordless Authentication Market Size, Share & Trends Analysis Report By Component, By Product Type (Facial Recognition, Fingerprint, Iris), By Authentication Type, By Portability, By End-user, By Region, And Segment Forecasts, 2022 - 2030", published by Grand View Research.

**Passwordless Authentication Market Growth & Trends**

The increasing adoption of smartphones and other electronic gadgets is a crucial element driving the biometric authentication market forward. According to a July 2022 Oxford Economics and Samsung study, up to 85% of small and midsize enterprises allow all or most of their staff to use mobile devices for work. Personal laptops and smartphones used by employees might expose a small firm to the dangers of unauthorized access to proprietary data, files, and systems. Such solutions remain the need of the hour and growing focus of many companies around the world.

For instance, in September 2022, AaDya Security, a cyber-security firm, announced the availability of passwordless authentication for Judy, the first all-in-one cybersecurity solution for SMEs. The new security feature protects how small business employees access company resources, mainly when they operate remotely and on mobile phones and personal laptops.

The growing requirement for an additional layer of protection beyond passwords fuels the growth of the passwordless authentication industry. To authenticate identities, fingerprint sensors and smartcards are utilized, and these security points allow for a seamless experience and data flow across locations. Most businesses are using voice biometric authentication in their workplaces for their personnel.

Reduced fraud exposure and lower authentication costs often drive organizations to implement voice biometric technology in their facilities. For instance, in July 2022, Turant Inc., a voice biometric AI firm, launched its cutting-edge AI solution in India. The company seeks to eliminate OTP-related fraud in transactions across use cases across business/industry domains, including e-commerce deliveries, by making it available in all Indian languages and roughly 20,000 dialects.

Furthermore, due to the increasing number of incidences of data theft around the world, passwordless authentication has gained popularity. Data theft issues in devices such as computers, cellphones, and tablets have increased the requirement for protection beyond passwords. fingerprint sensors and facial recognition are ways modern gadgets can be secured to prevent data theft.

For instance, in August 2022, ForgeRock, an international identity and access management software business, established strategic cooperation with Israeli software company Secret Double Octopus. ForgeRock will use SDO technology to provide employees, contractors, and vendors with a unified multi-factor secure experience. ForgeRock Enterprise Connect, the new solution, connects effortlessly with any ForgeRock deployment option, allowing organizations to gain increased security for databases, workstations, VPNs, and servers.

**Passwordless Authentication Market Segmentation**

Grand View Research has segmented the global passwordless authentication market based on component, product type, authentication type, portability, end-user, and region:

**Passwordless Authentication Market - Component Outlook (Revenue, USD Million, 2017 - 2030)**

*   Hardware
*   Software
*   Services

**Passwordless Authentication Market - Product Type Outlook (Revenue, USD Million, 2017 - 2030)**

*   Fingerprint Authentication
*   Palm Recognition
*   Iris Recognition
*   Face Recognition
*   Voice Recognition
*   Smart Card
*   Others

**Passwordless Authentication Market - Type Outlook (Revenue, USD Million, 2017 - 2030)**

*   Single-factor Authentication
*   Multi-factor Authentication

**Passwordless Authentication Market - Portability Outlook (Revenue, USD Million, 2017 - 2030)**

*   Fixed
*   Mobile

**Passwordless Authentication Market - End-user Outlook (Revenue, USD Million, 2017 - 2030)**

*   IT & Telecom
*   Retail
*   Transportation & Logistics
*   Aerospace & Defense
*   BFSI
*   Healthcare
*   Government
*   Others

**Passwordless Authentication Market - Regional Outlook (Revenue, USD Million, 2017 - 2030)**

*   North America

*   U.S.
*   Canada
*   Mexico

*   Europe

*   U.K.
*   Germany
*   France

*   Asia Pacific

*   China
*   India
*   Japan

*   Central & South America

*   Brazil

*   Middle East and Africa (MEA)

**List of Key Players in the Passwordless Authentication Market**

*   ASSA ABLOY
*   DERMALOG Identification Systems GmbH
*   East Shore Technology, LLC
*   Fujitsu
*   HID Global Corporation
*   M2SYS Technology
*   Microsoft
*   NEC Corporation
*   Safran
*   Thales.

**Check out more related studies published by Grand View Research:**

*   Facial Recognition Market **\-** The global facial recognition market size is expected to reach USD 12.11 billion by 2028 according to a new report by Grand View Research, Inc. The market is anticipated to expand at a CAGR of 15.4% from 2021 to 2028. Facial recognition is a contactless biometric solution that is a critical factor contributing the market growth.
*   Multi-factor Authentication Market \- The global multi-factor authentication (MFA) market size is expected to reach USD 17.76 billion by 2025, according to a new study by Grand View Research, Inc., experiencing a CAGR of 15.07% during the forecast period. Increasing implementation of BYOD and cloud-based services across enterprises, along with the growing security regulations and mandates, is benefiting market growth.
*   3D Secure Payment Authentication Market \- The global 3D secure payment authentication market size is expected to reach USD 2.76 billion by 2030, growing at a CAGR of 12.2% from 2022 to 2030, according to a new study conducted by Grand View Research, Inc. The rising demand for e-commerce has augmented the use of Card Not Present (CNP) transactions. As a result of such an increase in CNP transactions, the growth in CNP fraud transactions has been observed over the past few years.

**Browse through Grand View Research's** Next Generation Technologies Industry **Research Reports.**

**About Grand View Research**

Grand View Research, U.S.-based market research and consulting company, provides syndicated as well as customized research reports and consulting services. Registered in California and headquartered in San Francisco, the company comprises over 425 analysts and consultants, adding more than 1200 market research reports to its vast database each year. These reports offer in-depth analysis on 46 industries across 25 major countries worldwide. With the help of an interactive market intelligence platform, Grand View Research Helps Fortune 500 companies and renowned academic institutes understand the global and regional business environment and gauge the opportunities that lie ahead.

Passwordless Authentication Market to Be Worth $55.7 Billion by 2030: Grand View Research, Inc.

With a recession potentially coming, some companies are cutting security teams. But moving more infrastructure to the cloud and reducing the number of vendors through consolidation may be the best ways to prepare.

As economic forecasters and businesses raise expectations of a recession in 2023, information-security budgets will likely be pressured in the coming year, experts tell Dark Reading.

Because of latent demand, the call for cybersecurity workers is in flux. While some companies — Patreon, for example — have laid off their cybersecurity teams, other businesses are pausing hiring, as many have open requisitions for cybersecurity specialists. It would be difficult to fill positions anyway: There are currently only enough cybersecurity workers to fill 65% of positions, according to CyberSeek US.

Instead, security teams will have to make do with what they have going forward. The best way to do that is consolidating vendors to reduce costs, and find ways to bring in managed security service providers (MSSPs) to help with areas in which they lack expertise, says Mike Hamilton, chief information security officer at threat-detection and management firm Critical Insight.

"Enterprises have the ability to hire and maintain large teams, so they will continue to do that, but in the mid-market, IT has just got to suck it up and do more security as part of their job," he says. "That's pretty much they way it is everywhere."

While economists and business leaders do not have a great track record for forecasting recessions, current surveys of sentiment have set historical records for recessionary predictions. The Wall Street Journal's quarterly survey of economists found that 63% expect a recession in the next 12 months, the highest registered negative sentiment from economists in the nation outside of an ongoing recession.

Half of companies are already considering instituting IT technology austerity measures, a share that will likely increase if a recession takes hold. Yet, information security should not relax their defensive vigilance, says Merritt Maxim, vice president and research director at Forrester Research.

"Companies need to be as diligent as before," he says. "Hackers and others are not going to stop doing what they have been doing, because of a recession. That will actually spur more activity."

**Turning to the Cloud to Cut IT Security Costs**

Companies should consider moving more infrastructure to the cloud as an austerity measure, experts say. While US firms have moved less than half (45%) of current infrastructure to cloud services, they expect to have 58% of their applications in the cloud in two years, according to Forrester.

While cloud costs have risen and cloud-native application require a different set of skills to secure, they still cost less than equivalent on-premise technologies, Forrester stated in its "Planning Guide 2023: Security & Risk" report. Based on the costs for maintenance, licensing, upgrades, and other investments, on-premises technology consumes the largest percentage of security costs — 41% for companies spending 20% or less of their IT budget on security.

Other experts also recommended cloud infrastructure as being easier and less costly to secure.

"Budget pressure also poses an opportunity and added incentive to accelerate this transformation rather than continue to execute on previous templates," enterprise software firm SAP stated in its security recommendations for 2023. "The cloud poses new security challenges, but also capabilities to optimize and make use of economies of scale."

**Security Vendor Consolidation Reigns: But It May Not Be a Choice**

Managing the disparate security, compliance, and threat-intelligence systems necessary to have visibility and control in a corporate environment has ballooned in the past decade. The average large company has 75 security solutions, according to Microsoft. Over all businesses, the number is smaller but still large, with 13% of companies having more than 20 vendors, according to Cisco's 2020 CISO Benchmark Study.

No wonder, then, that consolidation has become a major strategy going into 2023, with three-quarters of businesses planning to reduce the number of security vendors on which they rely. And many vendors are leaning into that consolidation strategy, not surprisingly. Microsoft, for example, touts cost savings as one of the benefits of consolidating to a single vendor's products and services, claiming that unifying security, compliance, and identity solutions can save up to 60% in costs.

"Managing multiple vendors can be burdensome for IT, while valuable security insights sit siloed in separate dashboards," Vasu Jakkal, corporate vice president for security, compliance, identity, and management at Microsoft, stated in a blog post. "And siloed solutions can result in fragmented visibility and can be exploited."

As part of the strategy, many vendors are buying up smaller firms and rivals — a mixed blessing for companies given that they may have fewer choices in the future. Companies may get more capabilities for less, but they may also find themselves paying for unwanted features, says Forrester's Maxim.

"Whether companies are planning to consolidate or not, I think a lot of consolidation is going to happen on its own, either through strategic M&A or fire-sale M&A, because of where we at in this economy," he says. "Private equity still has a huge amount of capital, and the operations benefits from reducing the number of vendors is significant."

Finally, organizations will find that there are some costly security and risk areas that they simply cannot jettison, such as compliance and governance costs, Critical Insight's Hamilton says. Publicly traded companies, in particular, have little leeway in cutting the costs associated with some regulations.

"You cannot neglect things like governance," he tells Dark Reading, "and you have to make sure your compliance is being met every year."

Security on a Shoestring? Cloud, Consolidation Best Bets for Businesses

A successful attacker could use the SSRF vulnerability to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.

A vulnerability in the Google Web Stories plug-in for WordPress could be exploited via a server-side request forgery (SSRF) vulnerability to steal Amazon Web Services (AWS) metadata from sites hosted on the AWS server. That metadata can include sensitive information such as the AccessKeyId, SecretAccessKey, and Token.

An SSRF vulnerability gives attackers a way to elevate privileges on a compromised system using a modified URL, thereby gaining access to internal resources.

The Web Stories plug-in is an open visual storytelling format for the Web, consisting of animations and other interactive graphics, which can be shared and embedded across sites and apps. There are more than 100,000 active installations of the plug-in.

A Wordfence research team discovered the plug-in was vulnerable to the SSRF bug (CVE-2022-3708) in versions through 1.24.0, due to insufficient validation of URLs supplied via the "url" parameter found via the /v1/hotlink/proxy REST API Endpoint.

"Exploiting this vulnerability, an authenticated user could make web requests to arbitrary locations originating from the web application," Wordfence Threat Intelligence team member Topher Tebow wrote in a Dec. 21 blog post.

He added that, in testing, the team was able to uncover specific metadata used to enable features like EC2 Instance Connect; stolen metadata could then be used to log in to the virtual server and run commands through the terminal.

The researcher noted that this is the tip of the iceberg: "There are many metadata categories provided by AWS that each have specific uses and varying degrees of severity if misused."

The team found the flaw in October, and by the end of November, two blocks of code were updated to fully patch the vulnerability in the plug-in.

"With the patch applied within version 1.25.0 and newer, attempts to obtain AWS metadata will fail," Tebow explained.

He added that the attack can succeed for users logged in with an account that has minimal permissions, such as a subscriber, so the issue particularly threatens sites with open registration.

"The authenticated user does not need high level privileges to exploit this vulnerability," Tebow continued.

**Using Zero Trust to Limit SSRF Vulnerabilities**

"Understanding the impact of vulnerabilities such as SSRF vulnerabilities is critical for developers," Tebow wrote. "Keeping code secure can be difficult to ensure during the development phase, which is why the code must be tested for vulnerabilities during and after it has been written."

Developers were advised to pay close to attention to their coding practices as they relate to the vulnerabilities inherent in each programming language, ensure any inputs are validated, and to adopt a posture of zero trust authentication.

"SSRF vulnerabilities are possible because the internal and external resources may be configured to assume that requests sent from an internal location are inherently trustworthy," Tebow noted. "By requiring validation and authorization for every action, this default trust is removed, and requests must be validated properly before being considered trusted."

Constant code reviews and updates of WordPress plug-ins and themes are among the other steps that developers can take to limit exploits of WordPress-built websites.

**WordPress Sites Face a Raft of Security Issues**

Malicious actors have been targeting WordPress sites at a rapid clip — mainly through vulnerable plug-ins — since the beginning of the year: In February, a report found tens of thousands of websites powered by WordPress were vulnerable to attack via a remote code execution (RCE) bug in a widely used plug-in called Essential Addons for Elementor.

In May, there was a widespread attack launched to exploit known RCE flaw in the Tatsu Builder WordPress plug-in, and two months later, researchers discovered a phishing kit that injects malware into legitimate WordPress sites and uses a fake PayPal-branded social engineering scam.

More recently, a threat group called SolarMarker exploited a vulnerable WordPress-run website to encourage victims to download fake Chrome browser updates, while another group of attackers were actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

Google WordPress Plug-in Bug Allows AWS Metadata Theft

Our growing interconnectedness poses almost as many challenges as it does benefits.

The number of cyberattacks around the world jumped 28% in the third quarter of 2022. Such a figure is not surprising because recent years have brought more and bigger attacks on almost every sector. The coming year will no doubt also be filled with attacks and risks, despite companies spending even more on solutions and both governments and the private sector taking further steps to prioritize security.

While many of the current trends will continue, there also will be significant changes and developments in the year ahead. The increasingly efficient and business-minded manner of both cybercriminals and state-backed attackers will drive many of these growing trends and new challenges.

**Expect More Disruptive Attacks**

Business disruption due to cyberattacks is on track to become a bigger problem. During the past 12 months, 93% of organizations have suffered a data-related business disruption, and 43% reported permanent data loss, according to a recent survey. This comes as attackers move away from ransomware attacks, which hold data hostage for money and have fallen by 8% in recent months, and carry out attacks simply to disrupt services and activities, sometimes by erasing data, rather than to raise money. 

Political motivations are often behind such purely disruptive attacks, including Russia-linked or Russia-backed hackers who have targeted businesses in Ukraine, or those that support Ukraine. The public nature of these disruptive attacks, including denial-of-service (DoS) attacks, is also an effective way for hacking groups to build up their brands. This public relations effort is important as more groups, including the infamous Conti group that shut down several government websites and services for months in Costa Rica, seek affiliates to work with on attacks.

**Signs Are Pointing to a Catastrophic Attack**

We will not likely get through the coming year without some sort of catastrophic attack on a very strategic and important network or service provider like Gmail, WhatsApp, or Microsoft. We have long known — and it became even more clear from Twitter whistleblower and former head of security Peiter Zatko, who exposed lax data security practices at the social media giant — that the biggest tech companies, with the biggest security budgets, still have severe challenges. 

If a global software provider or communication platform is attacked it could lead to significant disruption of business and communication, and put the personal data of billions at risk. It would be a worldwide event with lasting economic, social, and political consequences.

**Supply Chain Attacks Will Persist — and Grow**

Supply chain attacks, in which bad actors gain access to organizations through third parties, enabling one attack to include hundreds of victims, will continue to increase as hacking groups become more business-oriented and concerned with efficiency. These types of attacks have already increased by nearly eightfold over the past three years. Many of the largest and most threatening groups are no longer operating alone. In addition to working with affiliates, they are working with states. States are hiring them, funding them, or simply providing them a safe harbor from which to operate. With more at stake, including funding from government or affiliates, these groups are under pressure to accomplish more damage in shorter amounts of time, in the most efficient way possible.

These bad actors are evolving into a modern form of organized crime, and as long as efficiency and results remain important to them, they will pursue supply chain attacks. Such attacks put every sort of organization that uses any type of cloud software at risk, meaning every company must embrace intelligence and be prepared for attacks from sophisticated criminal gangs or state-backed attackers.

**Personalized Attacks Will Target Executives and Their Friends and Family**

We will see more personalization of attacks, including bad actors using tactics like demanding money or network access credentials in return for not releasing valuable or sensitive data they already have. A growing related tactic is "sextortion," or threatening to release embarrassing information, photos, or videos unless the victim gives over money, information, or network credentials. In other cases, attackers offer to pay money in return for passwords or other information that can help them carry out a future cyberattack. 

What all of these attacks have in common is that they are very personal in nature, especially those that rely on sextortion. They can affect business executives, public figures, and anyone else who has a public profile or access to confidential or valuable data and information. But in addition, these types of attacks also often involve friends or family members of their ultimate victims. For example, in one case my company dealt with, a teenager received emails threatening to reveal that he was gay — something his family did not know — unless he installed some files on his home network. Acting out of fear, he installed the files, and this eventually gave a cyberattacker potential access to his mother, an executive at a large company.

With attackers growing more sophisticated and more focused on efficiency, it is more important than ever for businesses to understand and improve their security posture. In the constantly evolving threatscape, no organization can consider itself immune to attacks by the biggest hacking groups, including those backed or sheltered by governments. We are entering a new era in which interconnectedness poses almost as many challenges as it does benefits.

'Sextortion,' Business Disruption, and a Massive Attack: What Could Be in Store for 2023

New technical chatbot capabilities raise the promise that their help in threat modeling could free humans for more interesting work.

There's been a flood of news about OpenAI's new GPT-3 Chatbot. For all the very real critiques, it does an astounding and interesting job of producing reasonable responses. What does it mean for threat modeling? There's real promise that it will transform threat modeling as we know it. 

For readability, I'll just call it "chatbot." The specific examples I use are from OpenAI's implementation, but we can think about this as a new type of technical capability that others will start to offer, and so I'll go beyond what we see today. 

Let's start with what it can do, ask what can go wrong, see if we can manage those issues, and then evaluate. 

**What Chatbots Can Do**

On the Open Web Application Security Project® (OWASP) Slack, @DS shared a screenshot where he asked it to "list all spoofing threats for a system which has back-end service to back-end service interaction in Kubernetes environment in a table format with columns — threats, description, and mitigations."

    

The output is fascinating. It starts "Here is a table listing some examples …" Note the switch from "all" to "some examples." But more to the point, the table isn't bad. As @DS says, it provided him with a base, saving hours of manual analysis work. Others have used it to explain what code is doing or to find vulnerabilities in that code. 

Chatbots (more specifically here Large Language Models, including GPT-3) don't really know anything. What they do under the hood is pick statistically likely next words to respond to a prompt. What that means is they'll parrot the threats that someone has written about in their training data. On top of that, they'll use symbol replacement for something that appears to our anthropomorphizing brains to be reasoning by analogy. 

When I created the Microsoft SDL Threat Modeling Tool, we saw people open the tool and be unsure what to do, so we put in a simple diagram that they could edit. We talked about it addressing "blank page syndrome." Many people run into that problem as they're learning threat modeling. 

**What Can Go Wrong?**

While chatbots can produce lists of threats, they're not really analyzing the system that you're working on. They're likely to miss unique threats, and they're likely to miss nuance that a skilled and focused person might see. 

Chatbots will get good enough, and that "mostly good enough" is enough to lull people into relaxing and not paying close attention. And that seems really bad.  

To help us evaluate it, let's step way back, and think about why we threat model. 

**What Is Threat Modeling? What Is Security Engineering?**

We threat model to help us anticipate and address problems, to deliver more secure systems. Engineers threat model to illuminate security issues as they make design trade\-offs. And in that context, having an infinite supply of inexpensive possibilities seems far more exciting than I expected when I started this essay.

I've described threat modeling as a form of reasoning by analogy, and pointed out that many flaws exist simply because no one knew to look for them. Once we look in the right place, with the right knowledge, the flaws can be pretty obvious. (That's so important that making that easier is the key goal of my new book.) 

Many of us aspire to do great threat modeling, the kind where we discover an exciting issue, something that'll get us a nice paper or blog post, and if you just nodded along there … it's a trap. 

Much of software development is boring management of a seemingly unending set of details, such as iterating over lists to put things into new lists, then sending them to the next stage in a pipeline. Threat modeling, like test development, can be useful because it gives us confidence in our engineering work.

**When Do We Step Back?** 

Software is hard because it's so easy. The apparent malleability of code makes it easy to create, and it's hard to know how often or how deeply to step back. A great deal of our energy in managing large software projects (including both bespoke and general-use software) goes to assessing what we're doing, and getting alignment on priorities — all these other tasks are done occasionally, slowly, rarely, because they're expensive. 

It's not what the chatbots do today, but I could see similar software being tuned to report how much any given input changes its models. Looking across software commits, discussions in email and Slack, tickets, and helping us assess its similarity to other work could profoundly change the energy needed to keep projects (big or small) on track. And that, too, contributes to threat modeling. 

All of this frees up human cycles for more interesting work.

Threat Modeling in the Age of OpenAI's Chatbot

Threat actors continue to evolve the malicious botnet, which has also added a list of new vulnerabilities it can use to target devices.

A recently discovered botnet that attacks organizations through Internet of things (IoT) vulnerabilities has added brute-forcing and distributed denial-of-service (DDoS) attack vectors, as well as the ability to exploit new flaws to its growing arsenal, Microsoft security analysts have found. 

The updates to Zerobot, a malware first observed earlier this month by Fortinet researchers, pave the way for more advanced attacks as the threat continues to evolve, according to the Microsoft Security Threat Intelligence Center (MSTIC).

MSTIC revealed in a blog post on Dec. 21 that the threat actors have updated Zerobot to version 1.1, which can now target resources through DDoS and make them inaccessible, widening the possibilities for attack and further compromise.

"Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations," the researchers wrote in the post. "In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target."

**Brute-Forcing and Other Tactics**

Fortinet researchers already had tracked two previous versions of Zerobot — one that was quite basic and another that was more advanced. The botnet's principal mode of attack originally was to target various IoT devices — including products from D-Link, Huawei, RealTek, TOTOLink, Zyxel, and more — through flaws found in those devices, and then spread to other assets connected on the network that way to propagate the malware and grow the botnet.

Microsoft researchers now have observed the botnet getting more aggressive in its attacks on devices, using a new brute-force vector to compromise weakly secured IoT devices rather than just trying to leverage a known vulnerability, the researchers revealed.

"IoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors," they wrote in the post. "Zerobot is capable of propagating through brute-force attacks on vulnerable devices with insecure configurations that use default or weak credentials."

The malware attempts to to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices, the researchers wrote. In their observations alone, the MSTIC team identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.

**An Expanded Security Vulnerability Exploit List**

Zerobot hasn't abandoned its original way to access devices, however, and has even expanded this practice. Prior to its new version, Zerobot already could exploit more than 20 flaws in assorted devices, including routers, webcams, network-attached storage, firewalls, and other products from a host of well-known manufacturers.

The botnet has now added seven new exploits for flaws to its quiver, found in Apache, Roxy-WI, Grandstream, and other platforms, the researchers found.

MSTIC also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers, they added.

**Zerobot's Post-Compromise Behavior**

Researchers also observed more about Zerobot's behavior once it gains device access. For one, it immediately injects a malicious payload — which may be a generic script called "zero.sh" that downloads and attempts to execute the bot, or a script that downloads the Zerobot binary of a specific architecture, they said.

"The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds," the researchers wrote.

Once Zerobot achieves persistence, it scans for other devices exposed to the Internet that it can infect, by randomly generating a number between 0 and 255 and scanning all IPs starting with this value.

"Using a function called _new\_botnet\_selfRepo\_isHoneypot_, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources," the Microsoft researchers wrote. "This function includes 61 IP subnets, preventing scanning of these IPs."

Zerobot 1.1 uses scripts targeting various architectures, including ARM64, MIPS, and x86\_64. The researchers also have observed samples of the botnet on Windows and Linux devices, exhibiting different persistence methods based on the OS.

**Protecting the Enterprise**

Fortinet researchers already had stressed the importance of organizations immediately updating to the latest versions of any devices affected by Zerobot. Given that businesses are losing up to $250 million a year on unwanted botnet attacks, according to a report published last year from Netacea, the danger is real.

To help identify if an organization is vulnerable, Microsoft researchers included an updated list of CVEs that Zerobot can exploit in their post. The MSTIC team also recommended that organizations use security solutions with cross-domain visibility and detection capabilities to detect Zerobot malware variants and malicious behavior related to the threat.

Enterprises should also adopt a comprehensive IoT security solution that allows for visibility and monitoring of all IoT and operational technology (OT) devices, threat detection and response, and integration with SIEM/SOAR and extended detection and response (XDR) platforms, according to Microsoft.

As part of this strategy, they should ensure secure configurations for devices by changing default passwords to strong ones and blocking SSH from external access, as well as use least-privileges access including VPN service for remote access, the researchers said.

Another way to avoid compromise by Zerobot is to harden endpoints with a comprehensive security solution that manages the apps that employees can use and provides application control for unmanaged solutions, they said. This solution also should perform timely cleanup of unused and stale executables sitting on an organization's devices.

Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal

Security leaders must maintain an effective cybersecurity strategy to help filter some of the noise on new vulnerabilities.

The security industry collectively loses its mind when new vulnerabilities are discovered in software. OpenSSL is no exception, and two new vulnerabilities overwhelmed news feeds in late October and early November 2022. Discovery and disclosure are only the beginnings of this never-ending vulnerability cycle. Affected organizations are faced with remediation, which is especially painful for those on the front lines of IT. Security leaders must maintain an effective cybersecurity strategy to help filter some of the noise on new vulnerabilities, recognize impacts to supply chains, and secure their assets accordingly.

**Supply Chain Attacks Aren't Going Away**

In roughly a year's time, we've suffered through severe vulnerabilities in componentry including Log4j, Spring Framework, and OpenSSL. Exploitation of older vulnerabilities also never ceases from implementations that are misconfigured or that use known vulnerable dependencies. In November 2022, the public learned of an attack campaign against the Federal Civilian Executive Branch (FCEB), attributable to a state-sponsored Iranian threat. This US federal entity was running VMware Horizon infrastructure that contained the Log4Shell vulnerability, which served as the initial attack vector. FCEB was hit with a complex attack chain that included lateral movement, credential compromise, system compromise, network persistence, endpoint protection bypass, and cryptojacking.

Organizations may ask "why consume OSS at all?" after security incidents from vulnerable packages like OpenSSL or Log4j. Supply chain attacks continue trending upward because componentry reuse makes “good business sense” for partners and suppliers. We engineer systems by repurposing existing code rather than building from scratch. This is to reduce engineering effort, scale operationally, and deliver quickly. Open source software (OSS) is generally considered trustworthy by virtue of the public scrutiny it receives. However, software is ever-changing, and issues arise through coding mistakes or linked dependencies. New issues are also uncovered through evolution of testing and exploitation techniques.

**Tackling Supply Chain Vulnerabilities**

Organizations need appropriate tooling and process to secure modern designs. Traditional approaches such as vulnerability management or point-in-time assessments alone can't keep up. Regulations may still allow for these approaches, which perpetuates the divide between "secure" and "compliant." Most organizations aspire to obtain some level of DevOps maturity. "Continuous" and "automated" are common traits of DevOps practices. Security processes shouldn't differ. Security leaders must maintain focus throughout build, delivery, and runtime phases as part of their security strategy:

*   **Continuously scan in CI/CD:** Aim to secure build pipelines (i.e., shift-left) but acknowledge that you won't be able to scan all code and nested code. Success with shift-left approaches is limited by scanner efficacy, correlation of scanner output, automation of release decisions, and scanner completion within release windows. Tooling should help prioritize risk of findings. Not all findings are actionable, and vulnerabilities may not be exploitable in your architecture.

*   **Continuously scan during delivery:** Component compromise and environment drift happen. Applications, infrastructure, and workloads should be scanned while being delivered in case something was compromised in the digital supply chain when being sourced from registries or repositories and bootstrapped.

*   **Continuously scan in runtime:** Runtime security is the starting point of many security programs, and security monitoring underpins most cybersecurity efforts. You need mechanisms that can collect and correlate telemetry in all types of environments, though, including cloud, container, and Kubernetes environments. Insights gathered in runtime should feed back to earlier build and delivery stages. Identity and service interactions

*   **Prioritize vulnerabilities exposed in runtime:** All organizations struggle with having enough time and resources to scan and fix everything. Risk-based prioritization is fundamental to security program work. Internet exposure is just one factor. Another is vulnerability severity, and organizations often focus on high and critical severity issues since they're deemed to have the most impact. This approach can still waste cycles of engineering and security teams because they may be chasing vulnerabilities that never get loaded at runtime and that aren't exploitable. Use runtime intelligence to verify what packages actually get loaded in running applications and infrastructure to know the actual security risk to your organization.

We've created product-specific guidance to steer customers through the recent OpenSSL madness.

The latest OpenSSL vulnerability and Log4Shell remind us of the need for cybersecurity preparedness and effective security strategy. We must remember that CVE-IDs are just those known issues in public software or hardware. Many vulnerabilities go unreported, particularly weaknesses in homegrown code or environmental misconfigurations. Your cybersecurity strategy must account for distributed and diverse technology of modern designs. You need a modernized vulnerability management program that uses runtime insights to prioritize remediation work for engineering teams. You also need threat detection and response capabilities that correlate signals across environments to avoid surprises.

**About the Author**

    

Michael Isbitski, Director of Cybersecurity Strategy at Sysdig, has researched and advised on cybersecurity for over five years. He's versed in cloud security, container security, Kubernetes security, API security, security testing, mobile security, application protection, and secure continuous delivery. He's guided countless organizations globally in their security initiatives and supporting their business.

Prior to his research and advisory experience, Mike learned many hard lessons on the front lines of IT with over 20 years of practitioner and leadership experience focused on application security, vulnerability management, enterprise architecture, and systems engineering.

Supply Chain Risks Got You Down? Keep Calm and Get Strategic!

The Play ransomware group was spotted exploiting another little-known SSRF bug to trigger RCE on affected Exchange servers.

The operators of a ransomware strain called Play have developed a new exploit chain for a critical remote code execution (RCE) vulnerability in Exchange Server that Microsoft patched in November.

The new method bypasses mitigations that Microsoft had provided for the exploit chain, meaning organizations that have only implemented those but have not yet applied the patch for it need to do so immediately.

The RCE vulnerability at issue (CVE-2022-41082) is one of two so-called "ProxyNotShell" flaws in Exchange Server versions 2013, 2016, and 2019 that Vietnamese security company GTSC publicly disclosed in November after observing a threat actor exploiting them. The other ProxyNotShell flaw, tracked as CVE-2022-41040, is a server-side request forgery (SSRF) bug that gives attackers a way to elevate privileges on a compromised system.

In the attack that GTSC reported, the threat actor utilized the CVE-2022-41040 SSRF vulnerability to access the Remote PowerShell service and used it to trigger the RCE flaw on affected systems. In response, Microsoft recommended that organizations apply a blocking rule to prevent attackers from accessing the PowerShell remote service through the Autodiscover endpoint on affected systems. The company claimed — and security researchers agreed — that the blocking rule would help prevent known exploit patterns against the ProxyNotShell vulnerabilities.

**Novel New Exploit Chain**

This week, however, researchers at CrowdStrike said they had observed the threat actors behind Play ransomware use a new method to exploit CVE-2022-41082 that bypasses Microsoft's mitigation measure for ProxyNotShell.

The method involves the attacker exploiting another — and little-known — SSRF bug in Exchange server tracked as CVE-2022-41080 to access the PowerShell remote service via the Outlook Web Access (OWA) front end, instead of the Autodiscover endpoint. Microsoft has assigned the bug the same severity rating (8.8) as it has for the SSRF bug in the original ProxyNotShell exploit chain.

CVE-2020-41080 allows attackers to access the PowerShell remote service and use it to exploit CVE-2022-41082 in exactly the same way as they could when using CVE-2022-41040, CrowdStrike said. The security vendor described the Play ransomware group's new exploit chain as a "previously undocumented way to reach the PowerShell remoting service through the OWA frontend endpoint, instead of leveraging the Autodiscover endpoint."

Because Microsoft's ProxyNotShell mitigation only blocks requests made to the Autodiscover endpoint on Microsoft Exchange server, requests to access the PowerShell remote service via the OWA front end will not be blocked, the security vendor explained. 

CrowdStrike has christened the new exploit chain involving CVE-2022-41080 and CVE-2022-41082 as "OWASSRF."

**Patch Now or Disable OWA**

"Organizations should apply the Nov. 8, 2022, patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method," CrowdStrike warned. "If you cannot apply the KB5019758 patch immediately, you should disable OWA until the patch can be applied."

Microsoft did not respond immediately to a request for comment.

CrowdStrike said it discovered the new exploit chain when investigating several recent Play ransomware intrusions where the initial access vector was via a Microsoft Exchange Server vulnerability. The researchers quickly found that Play ransomware attackers had exploited the ProxyNotShell RCE vulnerability (CVE-2022-41082) to drop legitimate payloads for maintaining access and performing anti-forensics techniques on compromised Microsoft Exchange Servers. 

However, there was no sign that they had used CVE-2022-41040 as part of the exploit chain. CrowdStrike's further investigation showed that the attackers had used CVE-2022-41080 instead.

The security vendor's recommendations to organizations for reducing their exposure to the new threat includes disabling remote PowerShell for nonadministrative users where possible and using EDR tools to detect Web services spawning PowerShell processes. The company has also provided a script that administrators can use to monitor Exchange servers for signs of exploitation.

Ransomware Attackers Bypass Microsoft's ProxyNotShell Mitigations With Fresh Exploit

**CHICAGO****,** **Dec. 21, 2022** **/PRNewswire/ --** Heartland Alliance ("Heartland"), a social justice and human rights organization headquartered in Chicago, Illinois, has experienced a data security incident that may have involved personal and protected health information belonging to employees, directors, independent contractors, and certain individuals who sought health care or participated in other Heartland programs.

Heartland is not aware of misuse of any information impacted by this incident. Nevertheless, out of an abundance of caution, beginning on December 15, 2022, Heartland provided notice of the incident to potentially affected individuals, including information about steps they can take to protect their personal and protected health information.

For context, on or around January 26, 2022, Heartland discovered a potential data security incident impacting certain systems. Upon discovering the incident, Heartland immediately secured its network and engaged cybersecurity experts to investigate. The investigation revealed that certain personal information may have been accessed without authorization. The potentially affected personal and protected health information included names, dates of birth, Social Security numbers, driver's license numbers, bank account numbers, and some pieces of medical or health information. Different information on this list may have been accessed for different people.

In addition to the notice sent to potentially affected individuals, Heartland is offering complimentary credit monitoring and identity protection services, as well as providing a toll-free call center to answer questions about the incident and address related concerns. Representatives are available Monday through Friday from 8:00 AM to 8:00 PM Central Timeat (833) 896-6542.

The privacy and security of personal and protected health information are very important to Heartland. Immediately after we learned of this incident, we enhanced our IT security by adding new threat detection software, monitoring, and sign-in protocols. We deeply regret any inconvenience or concern this incident may have caused.

SOURCE Heartland Alliance

Heartland Alliance Provides Notice of Data Security Incident

Organizations can start by integrating functions like detection, prioritization, and remediation on to a single platform.

Cloud transformation often occurs simultaneously across siloed organizational units and groups, each potentially using a different cloud for their applications and workloads. However, taking inventory of all their cloud resources and building a compliant, secure, simple, and unified strategy has become a common challenge.

It wouldn’t be surprising to see an organization with most of its workloads in AWS using Microsoft 365 and Azure Active Directory while also heavily using Google Cloud GKE and Big Query. On top of that, Oracle Cloud may also be in the mix with some autonomous database offerings. As cloud adoption matures in an organization, and as smaller cloud providers gain traction, the mix of services and cloud platforms becomes incredibly diverse and complex. In light of these challenges, organizations must still find ways to govern and secure their entire cloud infrastructure.

The answer? A framework that works across all clouds to unify detection, prioritization, and remediation of the most impactful risks facing the organization.

****Identities and Authentication Keys****

Diving into a use case around cloud identity authentication keys for access, let’s see how you can protect your organization’s crown jewels in your multicloud environment. In the cloud world, identity is perhaps the most critical cloud object to govern, monitor, detect, and remediate. Compromising a cloud identity has the largest blast radius since, frankly, the public cloud is just a bunch of public APIs that respond to authenticated requests.

Authentication keys are cryptographic entities attached to an identity that allow you to issue authenticated API requests from the Internet. Hence, these keys call for the undivided attention of any governance and security strategy. However, each cloud provider defines identity in a different way, with a completely new set of capabilities and risks.

    

The idea here is to think of an organization that wants to enforce the following policy: “Authentication keys should be rotated every 90 days, and every 30 days if they enable personally identifying information access.” This seemingly simple policy would need to take four different implementations, depending on which cloud it’s using. Additionally, the security admin would need to tailor specific policies, such as limiting the number of concurrent keys (not relevant to AWS) or enforcing expiration dates upon key creation (not relevant for secrets).

The same concept applies when an organization tries to enforce “do not allow public access to storage objects” or “only build workloads from images that are up to date.”

****Building, Securing, and Governing the Cloud****

While each cloud is unique, foundationally, they are not so different. They all have a concept of a computer instance, object and file storage, and both human and nonhuman identities, each of which can be assigned permissions. As a result, the multicloud infrastructure calls for unification between building, securing, and governing the cloud.

When building cloud deployments, organizations rely on infrastructure as code (IaC) languages like HashiCorp’s Terraform to create a unified approach to address cloud objects. Think of IaC as a higher-level language over the lower-level cloud-specific API calls.

The parallel higher-level language for securing and governing the cloud is the cloud-native application protection platform (CNAPP). CNAPP converges tools like cloud security posture management, cloud infrastructure entitlement management, cloud workload protection platform, configuration management database, and others, providing complete security for your cloud, spanning the cloud development lifecycle from build time to run time. CNAPP provides a single pane of glass for all your cloud environments.

These solutions provide a complete inventory of your cloud assets, as well as visibility into potential security gaps and risks, correlating across a broad range of signals including misconfigurations, vulnerabilities, Internet exposure, excessive permissions, and more.

Through a CNAPP, teams can enable unified detection, investigation, and enforcement of common cloud objects, as well as pitfalls such as exposed storage, unpatched compute instances, and more. Ideally, a single UI workflow allows you to enforce multicloud organization policies such as “block public access for cloud storage” or “isolate compute instances that accept traffic from the Internet and expose a service with critical vulnerabilities.”

Here are additional best practices and recommendations for securing your cloud footprint:

*   Decide whether to measure against a security framework like NIST or CIS, or your own internally developed policies. Implement these policies across the development lifecycle, with explicit definition of where to enforce action-blocking guardrails. A CNAPP can help you accomplish this.
*   Ensure your security team is diversified in terms of multicloud knowledge, e.g., AWS, Azure, and GCP.
*   Implement identity best practices, such as single sign-on and multifactor authentication, via your organization’s existing IAM provider, whenever possible. Avoid the use of cloud-specific local identities to access the cloud from the Internet.
*   Define the unified view as a prerequisite for procurement of cloud security tools. Ideally, choose tools that enable a unified approach of enforcing organizational policies across clouds.

Cloud transformation has become a vital initiative for many organizations. As you go through the cloud transformation journey, remember that your approach to security (and the tools you use) must transform as well. Whether you’re unifying siloed tools, security and DevOps teams, different cloud vendors, management, or policies and languages, bringing tools together and enforcing commonalities will benefit your organization in the long run.

Read more _Partner Perspectives_ from Zscaler.

Source

DARKReading