Researchers flag common misconfiguration errors and a template injection technique that could let an attacker take over the IT management network and connected systems.

Researchers have identified a template injection technique against the open source SaltStack IT configuration and orchestration platform, as well as common misconfiguration issues, which could allow attackers to gain over organization's network.

Salt is open source software for automating networking and security functions based on events and specific configurations, similar to Puppet or Ansible. Written in Python, it is widely used in network administration and security. However, common misconfigurations and security issues in SaltStack, an implementation of Salt, would allow an attacker to execute remote code, achieve presence on and control over a management network, and infiltrate other systems connected to the initially compromised system, Alex Hill, an offensive security specialist at boutique cybersecurity firm Skylight Cyber, wrote in a a blog post. The research team identified a series of three simple management configurations and a "bonus injection" method that allowed them to achieve command execution across the target environment to run arbitrary code and even pivot to customer environments.

"Misconfigured Salt implementations are a high-value target that, if compromised, are likely to lead pretty rapidly to a much broader worst case level of network compromise and should hardened commensurately," Hill tells Dark Reading.

**Template Injection for Customer Access**

At its core, Salt provides automated infrastructure management that's focused on applying and maintaining state on devices; if a device on the network has an active state misaligned to the configured state, the platform tries to reapply previously defined configuration settings. That could mean custom scripts to push up-to-date configuration files for triggering a build pipeline to bring up fresh containers, Hill wrote.

Salt also manages devices via software agents — known as "minions" — that report to centralized master-controller devices.

The researchers discovered a Jinja template injection vulnerability in Salt that — while not new in and of itself — is novel in terms of its potential for exploit in the IT management space, Hill tells Dark Reading. The flaw can result in command execution that allows for attackers to run arbitrary code not only on the master device and its minions but also on customer environments. The team was able to trick the salt-master into issuing instructions to another victim minion running as root, basically allowing them to do whatever they wanted to it and opening the door to a host of nefarious activity by a potential attacker.

**Common Salt Misconfigurations**

Hill identified three "dead simple misconfigurations" that can easily take down an environment: automatic minion enrollment, secrets stored in files, and exposure of the pillar system's secret files.

Salt has an automatic enrollment feature to automate and streamline the provisioning of new customer infrastructure — such as engineer laptops or servers for new sites — but it also can allow rogue devices onto the network, Hill says. An attacker could spin up a system, install a minion, and auto-enroll the system onto the master controller — at which point, the attacker could issue in-built commands, read local files, and even explore the template injection method.

Secrets are exposed with Salt because the framework expects minions to be able to pull down any required files from the file\_roots directories when it tries to reset the device's state. All secrets, including passwords to the master device are exposed because they are in cleartext on the salt-master in web\_user.sls.

An attacker that controls a minion in the environment can also access the password and thus compromise the entire system, the Skylight researchers said.

Relatedly, having the pillar directory inside an accessible directory means that all minions — even ones that were not legitimately enrolled by the administrator — are able to see the contents of the Salt secrets directory.

**How to Secure Salt**

Hill included in the blog post what he calls a "cheat sheet" for organizations when deploying Salt to ensure they don't fall prey to making the common misconfiguration errors or create an environment that allows attackers to exploit the Jinja template injection vulnerability.

"Enterprises using SaltStack internally should be looking at how their implementation is configured and whether they have any of the highlighted issues currently," he says.

Organizations should overall adopt a security attitude of "trust no one" — in this case, the "no one" meaning "no minions."

"Assume all minions are rogue" as well as "compromised and not to be trusted," Hill advised in his post.

Configuration Issues in SaltStack IT Tool Put Enterprises at Risk

Lawsuits say hospitals using Meta Pixel code violated patient privacy — sharing conditions, medications, and more with Facebook.

Two hospital networks in Louisiana are being hauled to court in a pair of class-action lawsuits that accuses the hospitals of deploying Meta Pixel ad-tracker code and sharing sensitive medical data with Facebook in violation of the US Health Insurance Portability and Accountability Act (HIPAA).

LCMC Health Systems and Willis-Knighton Health Systems are being accused of deploying the Meta Pixel code on their sites, which shared information with Facebook — including medical conditions, prescriptions, doctors' names, and prior appointment history — so patients could be targeted for advertising, according to the law firm behind the action, Herman Herman & Katz.

"We are learning more and more about this shocking breach of trust as our investigation continues," Herman Herman & Katz partner Stephen Herman said in a statement about the data privacy lawsuits. "This was a gross invasion of privacy that went on for years."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Hospitals Sued for Using Meta's Ad-Tracking Code, Violating HIPAA

The goal: Ensure that data is always finely curated and accessible, and that security decisions get made with high-fidelity data.

In a tale seemingly as old as time, security teams have been continuously under siege. Be it novel attack paths, lethal adversaries, new technologies — such as public cloud, containerization, Kubernetes, and serverless computing — or stringent regulatory requirements, teams have faced quite the burden. To help shoulder the load, the industry has established frameworks and pushed out amazing tech, from SIEMs to CNAPPs and XDRs to CASBs. These processes and technologies have helped to keep attackers at bay and people protected, but have created a new problem of far too much data.

To face off against this data-driven world, CISOs and security teams will need to embrace the data and look outside of traditional security personas to adopt a new model of working: security data operations, or simply (and catchier) SecDataOps.

SecDataOps is a term used to describe the process of integrating data into the entire security life cycle, whether for risk management, incident response, or cyber-threat intelligence production. Quantitative data about your environment, assets, business domain, and adversaries must be used. This also means security teams have to adopt strong data analysis, engineering and science processes from data collection and storage to dissemination and archiving. The goal of SecDataOps is to ensure that data is always finely curated and accessible, and that security decisions are made with high-fidelity data.

**Joint Task Force**

SecDataOps need not be a formalized reporting structure all at once but instead can be a joint task force and an additional horizontal responsibility in a security program. Occasionally, SecDataOps may bleed into enterprise architecture, enterprise IT, and other teams as needed. Instead of forcing all your security engineers to become data engineers, consider first bringing in big data consultants and other experts to help take account of how data moves in the organizations, where it's stored, how much it costs, all the way down to schema and formats.

Once the governance and management of raw data available to a team directly from security tools or from environments (e.g., cloud APIs, configuration management databases, existing data lakes) is complete, metrics need to be defined. Service-level agreements (SLAs) are typically formalized agreements but are a great way to hold your burgeoning SecDataOps practices to high quality standards.

Strong SLAs define the purpose of setting the SLA (the why), the promise and specific metric (the what and how), and any specific requirements (the when), if applicable. Creating these SLAs from the start that align to both the overall SecDataOps program and for specific datasets, data feeds, or projects will be important to achieve cohesion and long-term SecDataOps success.

Only once a strong baseline is set can specialized projects or process overhauls can be carried out. This same contextual approach can be applied to cloud security posture management remediation or as enrichment for real-time investigatory requirements such as pulling in ownership and asset data into a security alert investigation.

The leadership decision of a SecDataOps team is an important choice and may need to change as the team matures. When existing as an additional responsibility or joint task force, it may make sense to have the CISO run the function no matter what their level of hands-on technical acumen is; this is to hold the cross-functional team together. The results of SecDataOps will have a strong business emphasis, as the goal is to rapidly detect, pinpoint, and address various risks.

Harnessing data and building generative adversarial networks and massive business-intelligence dashboards to quantify cyber-risk is the exciting part of SecDataOps. But large parts of the work will be formative and the outcome for protecting the business is still the primary goal. Do not fear bringing in outside talent to build out the data piece of the equation. Having a team that is ready to cross-train and learn from one another will be vastly more successful than throwing security engineers to the data wolves.

This security data problem is not going away. Starting off is simply an information gathering operation: meet with your teams, understand how they harness data, what data they wish they had, and start from there. Do not get lost dreaming of what cool machine-learning algorithms you can deploy when sometimes the best outcome is well-governed data. SecDataOps is the way we win this data war and defeat our adversaries.

Why SecDataOps Is the Future of Your Security Program

**CORK, Ireland--(****BUSINESS WIRE****)--** Vaultree, the Data-In-Use Encryption leader, today announced the appointment of Rinki Sethi to the company's board of directors.

Rinki Sethi is the current vice president and chief information security officer at BILL, where she leads global information technology functions. She is also responsible for leading efforts to protect BILL’s information and technology assets and advise the company’s continued innovations in the security space.

Sethi brings decades of security and technology leadership expertise, including her recent roles as VP and CISO at Twitter and Rubrik, Inc. She has been at the forefront of developing cutting edge online security infrastructure at several Fortune 500 companies such as IBM, Palo Alto Networks, Intuit, eBay, Walmart.com and PG&E. Sethi also serves on the board of ForgeRock, a global digital identity leader. She advises many other startups and VCs.

Sethi holds several recognized security certifications and has a B.S. in Computer Science Engineering from UC Davis and a M.S. in Information Security from Capella University.

“Bringing Rinki on board underscores our strong focus on innovation in the field. With Vaultree on the journey to solving major cryptographic problems around data security and encryption, it is incredibly important to us that we work with industry experts like Rinki to ensure we bring Data-In-Use Encryption to the forefront and enable businesses to significantly reduce the risks of plaintext data exposure,” said Ryan Lasmaili, CEO and co-founder of Vaultree. “Trust and confidence are other important pillars that Rinki will bring with her to support Vaultree in creating an encrypted future where plaintext data no longer exists, and Data-In-Use Encryption is the standard across all industries.”

In addition to its recent $12.8m Series A funding round, the appointment of Sethi will be instrumental in fulfilling Vaultree’s mission to protect the sensitive data of people and enterprises worldwide.

“I am joining Vaultree because I am very excited about their mission and how it will unleash the power of data by processing encrypted data. I am also very impressed by the team Vaultree has built and am looking forward to joining this journey with them,” said Rinki Sethi. “The idea is to democratize and demystify data privacy and encryption. As we move toward a world where every human will have ’privacy traces’ online, we are tackling a real-world issue. Data security is not only one of today's hot topics but also the topic of tomorrow.”

**About Vaultree**

Vaultree has developed the world’s first Fully Functional Data-in-Use Encryption solution that solves the industry’s fundamental security issue: persistent data encryption, even in the event of a leak. Vaultree enables enterprises, including those in the financial services and healthcare / pharmaceutical sectors, to mitigate the great financial, cyber, legal, reputational, and business risk of a data breach in plain text. With Vaultree, organizations process, search and compute ubiquitous data at scale, without ever having to surrender encryption keys or decrypt server-side. If a leak occurs, Vaultree’s data-in-use encryption persists, rendering the data unusable to bad actors. Integrating Vaultree into existing database technologies is seamless, requiring no technology or platform changes. Vaultree is a privately held company based in Ireland and the U.S. For more information, please visit www.vaultree.com.

Vaultree Appoints Technology Industry Veteran Rinki Sethi to Its Board of Directors

State of XIoT Security Report: 2H 2022 from Claroty's Team82 reveals positive impact by researchers on strengthening XIoT security and increased investment among XIoT vendors in securing their products.

**NEW YORK****,** **Feb. 14, 2023** **/PRNewswire/ --** Cyber-physical system vulnerabilities disclosed in the second half (2H) of 2022 have declined by 14% since hitting a peak during 2H 2021, while vulnerabilities found by internal research and product security teams have increased by 80% over the same time period, according to the State of XIoT Security Report: 2H 2022 released today by Claroty, the cyber-physical systems protection company. These findings indicate that security researchers are having a positive impact on strengthening the security of the Extended Internet of Things (XIoT), a vast network of cyber-physical systems across industrial, healthcare, and commercial environments, and that XIoT vendors are dedicating more resources to examining the security and safety of their products than ever before.

Compiled by Team82, Claroty's award-winning research team, the sixth biannual State of XIoT Security Report is a deep examination and analysis of vulnerabilities impacting the XIoT, including operational technology and industrial control systems (OT/ICS), Internet of Medical Things (IoMT), building management systems, and enterprise IoT. The data set comprises vulnerabilities publicly disclosed in 2H 2022 by Team82 and from trusted open sources including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), \[email protected\], MITRE, and industrial automation vendors Schneider Electric and Siemens.

"Cyber-physical systems power our way of life. The water we drink, the energy that heats our homes, the medical care we receive – all of these rely on computer code and have a direct link to real-world outcomes," said Amir Preminger, VP research at Claroty. "The purpose of Team82's research and compiling this report is to give decision makers in these critical sectors the information they need to  properly assess, prioritize, and address risks to their connected environments, so it is very heartening that we are beginning to see the fruits of vendors' and researchers' labor in the steadily growing number of disclosures sourced by internal teams. This shows that vendors are embracing the need to secure cyber-physical systems by dedicating time, people, and money to not only patching software and firmware vulnerabilities, but also to product security teams overall."

**Key Findings**

*   **Affected Devices:** 62% of published OT vulnerabilities affect devices at Level 3 of the Purdue Model for ICS. These devices manage production workflows and can be key crossover points between IT and OT networks, thus very attractive to threat actors aiming to disrupt industrial operations.
*   **Severity:** 71% of vulnerabilities were assessed a CVSS v3 score of "critical" (9.0-10) or "high" (7.0-8.9), reflecting security researchers' tendency to focus on identifying vulnerabilities with the greatest potential impact in order to maximize harm reduction. Additionally, four of the top five Common Weakness Enumerations (CWEs) in the dataset are also in the top five of MITRE's 2022 CWE Top 25 Most Dangerous Software Weaknesses, which can be relatively simple to exploit and enable adversaries to disrupt system availability and service delivery.
*   **Attack Vector:** 63% of vulnerabilities are remotely exploitable over the network, meaning a threat actor does not require local, adjacent, or physical access to the affected device in order to exploit the vulnerability.
*   **Impacts:** The leading potential impact is unauthorized remote code or command execution (prevalent in 54% of vulnerabilities), followed by denial-of-service conditions (crash, exit, or restart) at 43%.
*   **Mitigations:** The top mitigation step is network segmentation (recommended in 29% of vulnerability disclosures), followed by secure remote access (26%) and ransomware, phishing, and spam protection (22%).
*   **Team82 Contributions:** Team82 has maintained a prolific, years-long leadership position in OT vulnerability research with 65 vulnerability disclosures in 2H 2022, 30 of which were assessed a CVSS v3 score of 9.5 or higher, and over 400 vulnerabilities to date.

To access Team82's complete set of findings, in-depth analysis, and recommended security measures in response to vulnerability trends, download the full State of XIoT Security Report: 2H 2022 report.

Cyber-Physical Systems Vulnerability Disclosures Reach Peak, While Disclosures by Internal Teams Increase 80% Over 18 Months

**DENVER****,** **Feb. 14, 2023** **/PRNewswire/ --** Ping Identity, the intelligent identity solution for the enterprise, has formed a new strategic alliance with Deloitte, a leader in global security consulting services, to help the organizations' shared clients improve advanced Identity Access Management (IAM) Solutions selection and onboarding. Through the alliance, Ping and Deloitte's shared clients will be able to streamline digital identity management and effectively authorize which employees, customers, vendors, and suppliers can access sensitive corporate resources.

Deloitte brings to the alliance its significant experience in identity and access management across strategy, implementation and operations-managed services for both workforce and customer IAM solutions in a global customer ecosystem. Ping Identity brings its strength in single sign-on (SSO) and multi-factor authentication (MFA) technologies as well as advanced capabilities like identity authorization, risk and fraud mitigation, and overall IAM orchestration. Deloitte and Ping's shared clients will have access to intelligent identity solutions able to scale enterprise-wide and to offer customers a secure and frictionless experience. 

"We're moving into an experience-first world where identity is paramount to enable security and frictionless interactions," said Andre Durand, CEO and founder of Ping Identity. "Our IAM solutions align well with Deloitte's deep knowledge of connected customer journeys and trusted customer experiences. This alliance will help more organizations reduce risk and accelerate time-to-value as they look to modernize their identity strategies."

As part of the alliance, Deloitte will receive Ping Identity's dedicated sales training, certifications, product roadmap updates, and marketing resources that strengthen and secure access to the cloud, mobile, SaaS, and on-premises applications across the hybrid enterprise.

"As the digitization of businesses continues to increase, providing a trusted employee and customer experience is imperative for organizations," said Nakul Sharma, a Deloitte Risk & Financial Advisory managing director, Deloitte & Touche LLP. "Offering visibility and transparency around how data is used is important to building trust throughout the enterprise as well as with consumers. Our alliance with Ping is an important step in our ecosystem growth to offer Deloitte clients enhanced identity management solutions to help secure identities and data across digital engagement channels."

As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

**About Ping Identity**

At Ping Identity, we believe in making digital experiences both secure and seamless for all users, without compromise. That's digital freedom. We let enterprises combine our best-in-class identity solutions with third-party services they already use to remove passwords, prevent fraud, support Zero Trust, or anything in between. This can be accomplished through a simple drag-and-drop canvas. That's why more than half of the Fortune 100 choose Ping Identity to protect digital interactions from their users while making experiences frictionless. Learn more at www.pingidentity.com.

Ping Identity and Deloitte Forge Alliance to Give Organizations Advanced Identity and Access Solutions

**ARLINGTON, Va.****,** **Feb. 14, 2023** **/PRNewswire/ --** ThreatConnect, maker of leading threat intelligence operations (TI Ops) and risk quantification solutions, announced today the company's accelerated growth through 2022 and market leading position heading into 2023.

"With a tumultuous year marked by geopolitical and economic uncertainty that increased pressure on CISOs and their teams to improve security effectiveness and efficiency, ThreatConnect had a tremendous year in both new customer acquisition and product innovation," said Balaji Yelamanchili, CEO of ThreatConnect. "As we enter 2023, we're positioned to continue delivering market leading product innovation that enables our customers and partners to manage efficient TI Ops with quantifiable risk mitigation strategies."

**Customer & Revenue Growth** 

*   Substantial double-digit growth in new logo and expansion business, including some of the world's largest technology, financial services, healthcare, governmental, and cyber security organizations choosing ThreatConnect for their TI Ops and risk quantification initiatives.
*   Expanded risk quantification and TI Ops deployments with three of the top five software companies in the world, 12 global financial services organizations, and 33 other large enterprise customers.
*   Now serving nearly 200 global customers, including five of the top 10 software companies in the world, three of the top five airlines, three of the top five pharmaceutical companies, two of the top five insurance providers, and more than 10 defense and federal agencies.

**Threat Intelligence Operations Innovation**

The company's product and engineering teams delivered a variety of new features that enable cyber threat intelligence (CTI) teams to more efficiently investigate and create intelligence, and work with security operations (SecOps) teams to consume and operationalize threat intelligence.  These new features are designed to deliver better security outcomes in terms of mean time to detect (MTTD) and mean time to resolve (MTTR) potential threats and incidents, and drive efficiencies across teams and tools.

**Specific Innovations:** 

ThreatConnect made many useful product enhancements, including:

*   ThreatConnect's Collective Analytics Layer (CAL™), powered by Big Data and Machine Learning, increased its volume of data by 25% versus prior year to over 176 billion points of data used for scoring potential indicators of compromise (IOCs), providing insights for investigations, and categorizing relationships between indicators, threat actors, malware, and campaigns. By merging anonymized insights from ThreatConnect users with this massive data set creates the ability to have better confidence scoring and enrichment on potential IOCs that very few other players in the market can claim.
*   Natural Language Processing (NLP) capabilities to recognize MITRE ATT&CK® techniques by extracting insights from open source blogs, research, and other sources. This enables customers to get faster insights on relevant threats they are investigating.
*   Highly intuitive graph investigation capability that incorporates the customer's threat intelligence and internal case & investigation data, with insights from CAL's Automated Threat Library, including threat actors, campaigns, and ATT&CK techniques, and a growing number of third-party intelligence and enrichment sources.
*   A new reporting engine that makes it easy to create and disseminate threat intelligence reports with graphs, tables, images, and narrative descriptions.
*   New Enrich Anywhere capability automates the addition of context to indicators of compromise, allowing users to easily identify false positives and pinpoint actionable intelligence.  
*   Streamline the work of the SOC by infusing relevant threat intelligence directly into every step of their case workflow, and allowing for relevant artifacts and findings to be promoted for validation as threat intelligence by the CTI team.
*   Measure the work being done by the team with case and analyst efficiency metrics.
*   Stronger multi-tenant management of clients for MSSP and multi-tiered organizations with the introduction of Super Admin Users who can answer RFI's or work alongside analysts in other organizations without leaving their ThreatConnect instance.

**Risk Quantification Break Out Year**

*   Significant double digit annual sales growth, including new customers in healthcare, finance and manufacturing.
*   Launched technology alliance and go-to-market partnership with SecurityScorecard, resulting in 14 net new customers.
*   New go-to-market partnership with 3 of the top global software vendors.

**Industry recognition**

Winner of multiple industry accolades, including the Global Infosec Awards, Cybersecurity Excellence Award, and the top 100 most Innovative Cybersecurity companies by Expert Insights.

**Experienced Leadership and Board Advisors**

In 2022, the company added seasoned cybersecurity operators to its executive ranks with cybersecurity veterans. Balaji Yelamanchili, previously EVP and General Manager of Symantec's Enterprise Security business, joined the company as Chief Executive Officer.  Burney Barker, a veteran of Forescout, Gigamon, and Dell EMC, joined the company as Chief Revenue Officer.  In the Chief Marketing Officer role, Charles Gold joined the company, bringing more than 25 years of executive experience at category leaders including Sonatype, Virtru, and FireMon.

The company also added an elite group of enterprise cybersecurity leaders as Board Advisors.  This esteemed group includes Colin Anderson, current CISO at Ceridian and former CISO at Safeway and Levi Straus, Myrna Soto former CISO at MGM and Comcast and current Board member at Spirit Airlines and Trinet, and Patrick Joyce, CISO at Medtronic.  They will advise the company's Board and executive team on strategic product and go-to-market matters.

"Enterprises are transforming  their approach to security operations to support their move to the cloud and the digital economy while at the same time addressing a growing threat landscape and emerging threats like ransomware,"  said Yelamanchili.   "Our TI Ops and risk quantification solutions are critical to these initiatives and, given our momentum in 2022 and near term product roadmap, I couldn't be more excited about this coming year."

**About ThreatConnect**

ThreatConnect enables threat intelligence operations, security operations, and cyber risk management teams to work together for more effective, efficient, and collaborative cyber defense and protection. With ThreatConnect, organizations can infuse ML and AI-powered threat intel and cyber risk quantification into their work, allowing them to orchestrate and automate processes to get the necessary insights, and respond faster and more confidently than ever before. More than 200 enterprises and thousands of security operations professionals rely on ThreatConnect every day to protect their organizations' most critical assets.

ThreatConnect Closes 2022 with Accelerated Growth in Threat Intelligence Operations (TI Ops)

**CHANDLER, Ariz.****,** **Feb. 14, 2023** **/PRNewswire/ --** SynSaber, an ICS/OT cybersecurity monitoring company, today announced the launch of its OT PCAP Analyzer tool. The free tool allows users to view a high-level breakdown of the device and protocol information contained within a packet capture (PCAP) file.

The OT PCAP Analyzer is available for early access during the S4x23 ICS Security event. Attendees will be the first to have the opportunity to see live demos of the OT PCAP Analyzer at SynSaber's booth.

SynSaber's OT PCAP Analyzer (affectionately dubbed "OPA!" by internal team members) provides quick visibility into a snapshot of your network segment. The tool works entirely in memory, allowing for detailed offline analysis of industrial PCAP files. The OT PCAP Analyzer is designed with the operational technology (OT) security community in mind, from operators and plant managers to compliance managers and other cybersecurity-minded individuals.

Users upload a PCAP file and receive a visual breakdown of the network traffic and a complete list of the devices communicating within that snapshot of the network. With the OT PCAP Analyzer, users can:

*   View device metadata, including IP addresses, vendor name, class (IT/OT), and subclass type (workstation, PLC, virtualization, etc.)
*   Identify protocols, protocol communications, and the directions of these communications
*   View a map of which devices are communicating with each other
*   Filter device view by time, protocol, CIDR, or manufacturer

_"We created the OT PCAP Analyzer to simplify the network analysis process and give operators the ability to visualize their environment like never before,"_ says Benji Vesterby, Principal Engineer at SynSaber. _"The tool empowers analysts, auditors, and anyone tasked with maintaining industrial security to visually read and understand PCAP files without digging through raw network data for relevant information._"

To learn more about the OT PCAP Analyzer and get early access, visit https://synsaber.com/product/ot-pcap-analyzer.

**About SynSaber**

SynSaber is the simple, flexible, and scalable industrial asset and network monitoring solution that provides continuous insight into the status, vulnerabilities, and threats across every point in the industrial ecosystem, empowering operators to observe, detect and defend OT/IT systems and protect critical infrastructure. SynSaber is privately held with funding from SYN Ventures, Rally Ventures, and Cyber Mentor Fund. Learn more at SynSaber.com.

SOURCE SynSaber

SynSaber Launches a Free OT PCAP Analyzer Tool for the Industrial Security Community

Industry standards must evolve as digital transformation makes all companies software companies. Security testing boosts development speed and software quality.

You've probably heard this phrase more than a few times by now: _Every company today is a software company._ On the surface, it's easy to connect a few dots and understand why this phrase rings true. The digital transformation is, quite literally, changing every aspect of our world so that it is in some way digitally connected. For instance, instead of going to a bank to cash a check, your bank now has an app on your phone to accomplish this.

Regardless of industry, every organization today truly must be a software company. On the customer-facing front, this usually means an easy-to-use, high-quality, accessible application. But what does it mean for organizations themselves? The automotive industry is offering some surprising and helpful lessons on the depths to which every sector and company are embracing software as part of everyday business, and why cybersecurity is directly linked to this.

**The Automotive Industry's Software Evolution**

Like every other industry, the automotive industry has been evolving and embracing new technology. In the past few decades, building a car has gone from being almost entirely hardware focused to adding a full fleet of software capabilities. Most modern cars today have features that weren't even around 20 years ago, including:

● Information and entertainment systems with voice assistants, connectivity for navigation, and streaming services

● Sensors to assist with safe driving or, in some cases, full self-driving capabilities

To accomplish this, car manufacturers that have been around for decades had to adapt, investing in adding an entire division dedicated to software development. For example, Volkswagen created Cariad, its in-house software company, which employs 5,000 software engineers and makes Volkswagen one of the largest software companies in Germany.

The quick pivot many manufacturers have made to modern "smart" cars is impressive. But it also has come with added risk and responsibility. Traditionally, the automotive industry's security regulations and standards have been focused on functional safety, like ISO 26262, which addresses compliance for safety-related systems that include electrical or electronic components. But with software added to the mix of what makes up today's vehicles, industry standards have needed to evolve.

**Automotive Cybersecurity Standards Are Increasing**

Wherever software exists, so too does the risk of a cybersecurity-related incident. When we evolved the concept of a car from four wheels and an engine to include entertainment, connectivity, and so on, we accepted increased risk. And like with the software used in every other type of business, cybersecurity vulnerabilities, risks, and hacks are all on the rise. In December, a Sirius XM radio connected vehicle service exposed several car brands to remote hackers attacks due to a vulnerability. The connected service is currently used by more than 12 million cars in North America, including Acura, BMW, Honda, Hyundai, and Toyota.

The International Organization of Standardization is addressing the makeup of modern cars with ISO/SAE21434:2021. The standard includes engineering requirements for cybersecurity risk management, from concept to development, production, operation, and maintenance. Only software that complies with this ISO standard is allowed to be built into cars today.

**Lessons Learned**

At first, automotive developers might feel apprehensive that these added cybersecurity requirements could be a pain point that would slow the production and shipping of their software. After all, it's another bullet point of responsibility added to their job description, and one for which they likely didn't sign up.

Luckily, modern cybersecurity tools are allowing security testing to fit into the software development life cycle (SDLC). A variety of approaches to security scanning, including static application security testing (SAST), dynamic application security testing (DAST), and feedback-based application security testing can be used together to effectively test applications for vulnerabilities and bugs while an application is still in development.

What automotive developers have learned through this process is that contrary to their initial fears of development being slowed by added cybersecurity requirements, once security scanning is up and running within their continuous integration/continuous delivery (CI/CD) development process, the pipeline is faster and more efficient than before. As bugs and flaws are discovered earlier and earlier in development, they're fixed before they get to production. This saves on the costs and time traditionally associated with going back later to fix these issues. The further a bug or flaw moves through the software development life cycle, the more it costs to fix, and of course, if it makes its way to production, the more vulnerable the software is to a potential cybersecurity attack.

**Cybersecurity: A Competitive Advantage**

The automotive industry is just one of many sectors that are seeing added ISO standards focused on cybersecurity. Healthcare, aviation, energy, finance, and many more are keeping pace or following closely behind with new cybersecurity standards of their own, as software becomes an increasingly critical component in every part of our world. All organizations need to be prepared to prioritize and implement cybersecurity capabilities (if they haven't already). They also need to have developers with the experience and expertise required to understand that when correctly implemented, security testing can improve the speed of development and the overall quality and security of software.

Lessons All Industries Can Learn From Automotive Security

It's not just Internet-accessible hosts that are vulnerable, researchers say.

Security teams working to secure their organizations against a nearly two-year-old vulnerability in VMware's ESXi hypervisor technology that attackers suddenly began exploiting en masse last week must pay attention to all ESXi hosts in the environment, not just Internet-accessible ones.

That's the advice of security vendor Bitdefender after it analyzed the threat and discovered that attackers can exploit it in multiple ways.

**Two-Year-Old Flaw**

The vulnerability in question, CVE-2021-21974, is present in VMware's implementation of a service delivery protocol in ESXi called Open Service Location Protocol (OpenSLP). The vulnerability gives unauthenticated attackers the ability to remotely execute malicious code on affected systems without any user interaction.

VMware disclosed the vulnerability in February 2021 and issued a patch for it at the same time. Since then, attackers have targeted it heavily and made CVE-2021-29174 one of the most exploited vulnerabilities in 2021 and 2022. On Feb. 3, France's computer emergency response team warned about bad actors exploiting CVE-2021-21974 to distribute a ransomware variant dubbed ESXiArgs ransomware on ESXi hosts around the world.

The widespread nature of the attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to release a recovery script that victims of ESXiArgs could use to try to recover their systems.

Martin Zugec, technical solutions director at Bitdefender, says though the initial compromise vector remains unknown, a popular theory is that it is via direct exploitation through Internet-exposed port 427. VMware itself has recommended that if organizations cannot patch immediately, they should block access to port 427.

While that measure can slow down an adversary, it does not eliminate risk from the flaw entirely because attackers can exploit the vulnerability in other ways as well, Zugec says. If an organization blocks port 427, for instance, an attacker could still compromise one of the virtual machines running on an ESXi host via any existing vulnerability.

They could then escape the compromised virtual machine to exploit the vulnerability in OpenSLP and gain root access to the host, he says.

**Other Ways to Exploit Flaw**

"Threat actors can use any existing vulnerability to compromise a virtual machine — whether it's Linux or Windows-based," Zugec notes.

A threat actor can also relatively easily buy on the Dark Web access to a previously compromised virtual machine and attempt OpenSLP remote code execution against the hosting hypervisor, he says.

"If successful, the threat actor can gain access not only to the hypervisor host, but also to all other machines running on the same server," Zugec says. "The OpenSLP exploit in this case would allow a threat actor to escalate their access and move laterally to other — potentially more valuable — machines."

Zugec says Bitdefender has so far seen no evidence of attackers exploiting the VMware ESXi vulnerability in this manner. But, given the major focus on direct exploitation via port 427, Bitdefender wanted to warn the public about other methods to exploit this vulnerability, he says. In addition to blocking access to port 427, VMware has also recommended that organizations that cannot patch CVE-2021-21974 simply disable SLP where possible.

**Shades of WannaCry**

Bitdefender said its analysis of the latest attacks targeting CVE-2021-21974 suggest that the threat actors behind them are opportunistic and not very sophisticated. Many of the attacks appear completely automated in nature, from initial scans for vulnerable systems to ransomware deployment.

"We can compare this to WannaCry," Zugec notes. "While these attacks can reach a wide range of machines, the impact remains limited."

But more sophisticated threat actors would use the flaw in ESXi to conduct a much larger operation, he says. Initial access brokers, for instance, could deploy a remote Web shell and disable SLP service so other threat actors cannot exploit the same flaw. They could then simply lie in wait for the best opportunity to monetize their access. Potential options could include data theft, surveillance, and cryptojacking.

To fully address the risk of a cyberattack exploiting the VMware vuln, Bitdefender — like VMware and others — recommends that organizations apply the patch for it immediately.

Source

DARKReading