Former pure-play deception startup Illusive attracts Proofpoint with its repositioned platform focusing on identity threat detection and response (ITDR).

Less than year after a shift to the burgeoning identity threat detection and response (ITDR) market from its initial roots as a pure-play deception technology startup, Illusive reached the liquidity promised land this week. Proofpoint has announced plans to purchase the firm for an undisclosed amount, with the deal set to close in early 2023.

According to executives from Proofpoint, which specializes in email and cloud security, the pickup was spurred by a drive to reinforce its technology portfolio with identity-focused protections. The company said it was drawn to Illusive for its identity risk discovery and remediation capabilities, in addition to post-breach defenses that could build out Proofpoint's protections against ransomware​ and data theft.

"It's currently far too easy for an attacker to turn one compromised identity into an organizationwide ransomware incident or data breach," said Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, in a statement.

**Deception Tech: Not Enough on Its Own**

Initially founded in 2014 by former Check Point Software Technologies veteran Ofer Israeli, Illusive touted itself for a long time for its deception technology capabilities, focusing primarily on breach detection through the use of decoy assets — including credentials — seeded on customer networks. 

The firm had raised more than $54 million in venture funds with that market positioning. However, pure-play deception increasingly has been subsumed as a narrow feature set within broader segments, like extended detection and response (XDR).

As Forrester's David Holmes put it in his analysis of the acquisition of deception player Attivo by XDR vendor SentinelOne in March, "Deception tech, while _super cool_, was never able to achieve escape velocity on its own, and some of its shining stars are disappearing into portfolios of larger vendors."

Amid that kind of market action, Illusive pivoted.

**Entering the ITDR Space**

Earlier this year, it repositioned itself as an identity risk management vendor, with the launch of its Illusive Spotlight ITDR platform in February. 

The platform is not that big of a departure from its deception roots — it works hand-in-hand with the deception technology the vendor had developed and sells through its Illusive Shadow product. But the launch of Spotlight gave Illusive leave to reposition itself as a major identity player and go after a market that industry analysts are increasingly promoting as an important component of security programs of the future. 

In March, Gartner named the rise of ITDR as one of the top security and risk management trends for 2022.

"Organizations have spent considerable effort improving \[identity access management\] IAM capabilities, but much of it has been focused on technology to improve user authentication, which actually increases the attack surface for a foundational part of the cybersecurity infrastructure," Peter Firstbrook, research vice president for Gartner, said in that prediction. "ITDR tools can help protect identity systems, detect when they are compromised, and enable efficient remediation."

In many ways, this deal by Proofpoint mirrors SentinelOne's purchase of Attivo. Forrester's Holmes said at the time that the company was attracted to Attivo's identity capabilities first, with the deception element coming second.

"What acquisitions like this one ultimately mean for security and risk decision-makers is that they can pivot from deploying a stand-alone deception tech product and start evaluating how deception gets paired with one or two key tactical domains such as identity," Holmes wrote at the time.

The Proofpoint purchase of Illusive solidifies that assessment.

Proofpoint Nabs Illusive, Signaling a Sunset for Deception Tech

The proliferation of automated cyberattacks against npm, NuGet, and PyPI underscores the growing sophistication of threat actors and the threats to open source software supply chains.

An automated attack within the NuGet open source ecosystem for .NET developers has resulted in a flood of malicious packages containing links to phishing campaigns.  

That's according to a joint report on Wednesday from Checkmarx and Illustria, which, upon digging deeper, found that automated attacks are taking aim on a broad level, against users of the npm, NuGet, and PyPI software developer ecosystems.

The attack vector in the NuGet ecosystem involves the use of automated processes to create a large number of packages with names and descriptions designed to lure those interested in hacking, cheats, and free resources. These contain links to phishing campaigns built to steal personal information or other sensitive data.

The scale of this attack is unique, according to the report, because it involves the creation of over 144,000 packages by the same threat actor — a significantly larger number of packages than is typically seen in such attacks, making it an especially large and significant event.

"The use of automated processes to create the packages and user accounts makes it difficult for security teams to identify and take down the packages," Jossef Harush, head of supply chain security engineering at Checkmarx, tells Dark Reading.

Harush adds, "This makes the attack more dangerous and harder to defend against. It also highlights the need for organizations to be vigilant and take steps to protect themselves against these types of attacks."

**Automation: Improving Efficiency, Reducing Risk to Hackers**

Harush explains the attackers likely invested in automation to poison the NuGet, PyPI, and npm ecosystems because it allows them to create a high volume of packages and user accounts in a short amount of time.

"This allows them to spam the open source ecosystem with many packages, potentially reaching a significant number of users and increasing the likelihood that they will fall victim to the phishing campaigns," he says.

Additionally, because the use of automation makes it difficult for security teams to identify and take down the packages, the attackers can continue their campaign for a longer period.

"Automation also reduces the risk of the attackers being caught and allows them to operate more efficiently and with less risk," Harush notes.

**Malicious Packages: Key Preventive Measures**

In addition to monitoring networks for signs of the phishing campaigns and other suspicious activity, and educating employees about the importance of being cautious when downloading packages from open source ecosystems, businesses should consider security tools and services to help identify and protect against such threats to their software supply chains.

"Security postures against software supply chain attackers need to evolve in several ways to better defend against these threats," Harush says. "First, the package managers need to improve their ability to detect and prevent the publication of malicious packages to open source ecosystems like NuGet, PyPI, and npm."

He explains this may involve the use of technology to monitor these ecosystems and identify suspicious activity, as well as the development of better security practices and processes for identifying and responding to threats.

Harush points out that overall security postures against software supply chain attackers need to be more proactive, adaptable, and collaborative to effectively defend against these threats.

"This may involve a combination of technology, processes, and people working together to identify and respond to these threats in a timely and effective manner," he says.

A recent report from Google also noted that security leaders should take a more holistic approach to addressing supply chain risks, and should work to implement the Supply Chain Levels for Software Artifacts (SLSA) framework when building software to ensure better software security and integrity.

Automated Cyber Campaign Creates Masses of Bogus Software Building Blocks

Learn to think three moves ahead of hackers so you're playing chess, not checkers. Instead of reacting to opponents' moves, be strategic, and disrupt expected patterns of vulnerability.

Many an article chronicles hacked passwords available in bulk on the evil "Dark Web." It's presented as evidence that the bad behavior of users is the root of all hacking. But as a former red teamer, the end user isn't the only one who is a prisoner to discernable behavioral patterns.

There is a "pattern of vulnerability" in human behavior extending far beyond end users into more complex IT functions. Finding evidence of these patterns can give hackers an upper hand and speed the timeline of compromise.

It's a reality I recognized earlier in my career in operational roles. I've physically helped rebuild and relocate data centers and rewire buildings from top to bottom. It gave me a great perspective of what it takes to build in security from scratch, and how unconscious behaviors and preferences can put it all at risk. In fact, understanding how to identify these patterns gave me a very reliable "superpower" when I moved into red teaming, which ultimately resulted in a patent grant. But more on that later.

**Fatal Recall**

Let's start by examining how our addiction to patterns betrays us — from credentials, to software operation, to asset naming.

While technology has afforded us so many benefits, the complexity of managing it — and the cumbersome controls intended to protect — drives people to repeatable patterns and the comfort of familiarity. The more regular the task or function becomes, the more complacent we get with the pattern and what it telegraphs. For a red teamer, the ability to watch routines, from the physical to the logical, can offer a wealth of intelligence. Repeatability offers opportunity and time to discern patterns, and then to find the vulnerability in those patterns that can be exploited.

Internal naming schemes in particular — be they asset names, system names, or credential groupings — lend themselves to picking common words for descriptive categorization. I saw one organization that used the names of mountains. And while you may not know which system K2 versus Denali is, it acts as a filter for an attacker as they explore an environment. It's also an excellent social engineering tool, allowing an attacker to "speak the internal IT lingo." You may ask, OK, but "what's in a name?"

**Brutal Reality**

I'm sure you've heard of brute-force attacks where attackers throw guesses in volume at a target to find the right combination that leads to access. It's a numbers game and a blunt instrument. However, if you can discern the use of naming conventions, it sharpens the ability to focus on a range of accounts or systems, and then understand their potential attributes. It speeds up the clock for an attacker.

But, you ask, "if these are _internal_ conventions, how does an _external_ attacker even find this type of information"?

**Patently True**

Enter my aforementioned superpower. As any experienced red teamer knows, information leaks out of organizations in many ways, you just need to know where to look, and how to find the signals in the noise.

Internal naming groups and conventions become exposed to the outside world in a variety of ways. They're buried in website code, detailed in technical documentation or as part of APIs, or just simply published in public system information.

Admittedly, this is a very large haystack, but finding the needles is exactly what the patent I was involved in (US Patent 10,515,219) endeavors to do. Site-scanning tools collect a range of information, and unsurprisingly, an overload of information. My approach strips out all the technical programming information (such as markup, JavaScript, etc.), and leaves just words. It then compares results with lists of English words. The algorithm then identifies groupings of words or abbreviations _not_ present in the selected language that, presumably, _may_ signify an internal naming convention or credentials. As is common with brute-force campaigns, it may not, but as the axiom goes, the attacker only needs to be right _once,_ so the ability to generate context-sensitive word lists may make or break your next campaign. This is when the picture may start to become clearer and the shape of things such as user groups, system names, etc., manifest.

**Actions Speak Louder**

So, we've established how our deeply rooted behaviors can betray our security literally with "writing on the wall." How do we change, or at least be more aware of, our very nature?

There's the old joke summed up in the punch line that you don't need to outrun a tiger — you just need to outrun your companions. In this way, **first use the basic "sneaker" technologies**. Password managers, multifactor authentication (MFA), and the like at least allow you to outrun your peers so attackers can focus on the laggards in the herd.

**Second, elect for regular change.** Change is uncomfortable, but that discomfort triggers better situational awareness. If you know yourself and your environment better, and force change, that helps prevent an attacker's ability to get to know you too well.

**Next, trust your gut**. If something doesn't seem right, it probably isn't. If you focus on failure and not the familiarity of the behavior around failure, you're better equipped to see the bad guys coming and make sure a small anomaly doesn't become a big problem.

**Finally, play chess, not checkers**. Too many organizations think they're playing chess, and may be employing more complex pieces and roles, but if, ultimately, you're playing in reaction to your opponents' moves, it's checkers in disguise.

It's a lesson I am teaching my own son while he's interested in learning chess. He's learning the _strategy_ behind the game. He understands using the pieces and their characteristics to manipulate the game, and is quickly catching on to the fact that he also needs to focus on manipulating _me_. I'm teaching him to think three moves ahead, think about what is possible, and lure his opponent into doing what he wants them to do, not what they want to do — and, most importantly, to trust the gambit.

How Our Behavioral Bad Habits Are a Community Trait and Security Problem

An emerging cybercriminal group linked with Conti has expanded its partial encryption strategy and demonstrates other evasive maneuvers, as it takes aim at healthcare and other sectors.

The Royal ransomware gang has quickly risen to the top of the ransomware food chain, demonstrating sophisticated tactics — including partial and rapid encryption — that researchers believe may reflect the years of experience its members honed as leaders of the now-defunct Conti Group.

Royal ransomware operates around the world, and reportedly on its own; it does not appear that the group uses affiliates through ransomware-as-a-service (RaaS) or to target a specific sector or country. The group is known to make ransom demands of up to $2 million and claims to have published 100% of the data it extracts from its victims.

A deeper dive into how the Royal ransomware group works shows a surefooted and innovative group with varied ways to deploy ransomware and evade detection so it can do significant damage before victims have a chance to respond, researchers from the Cybereason Security Research & Global SOC Team revealed in a blog post published Dec. 14.

One key aspect of Royal's tactics is the concept of partial encryption, where it locks up only a predetermined portion of file content rather than all of it. While partial encryption is not a new tactic, it is key to Royal's strategy, with the group taking it to a new level not seen much before in ransomware activity, the researchers said.

Recently, for instance, Royal has expanded the idea by basing the tactic on flexible-percentage encryption that can be tailored to the target, thus making detection more challenging, the Cybereason researchers said.

The group also employs multiple threads to accelerate the encryption process, giving victims less time to stop it once it starts, and the encryption also initially starts and deploys in different ways, which also makes detection challenging, according to Cybereason.

**Taking the Crown as a Rapidly Evolving Threat**

The US Department of Health and Human Services sounded an alarm last week about Royal ransomware specifically targeting the healthcare sector; however, the group has been active since early this year and appears agnostic when it comes to its victims, the researchers noted.

"The group does not seem to focus on a specific sector, and its victims vary from industrial companies to insurance companies, and more," the Cybereason researchers wrote.

While Royal began its activity by deploying other types of ransomware, by September the rapidly evolving cybercriminal group had developed its own. And by November, Royal ransomware was reported to be the most prolific ransomware in the e-crime landscape, dethroning the dominant Lockbit for the first time in more than a year, the researchers said.

And even though Royal sets its sites on a diverse range of victims, its targeting of the healthcare sector demonstrates that the group is likely as ruthless as Conti was before it, noted one security expert.

"While some larger ransomware gangs have demonstrated scruples at either avoiding targeting healthcare institutions or providing decryption keys at no cost, it's clear that is not the case when it comes to Royal ransomware," says Shawn Surber, senior director of technical account management at Tanium, a converged endpoint management provider.

Targeting the healthcare industry could literally mean life or death for some of those affected by a ransomware attack, given that it can prevent clinicians from having access to key patient data, he says. This sector also tends to have a dearth of cybersecurity funds to defend itself against ransomware and other cyber threats, making it especially vulnerable, Surber says.

"This is especially concerning considering virtually any outage or disruption in operations will cause a financial — and often physical — impact in a patient care setting," he says.

**A New Twist on Partial Encryption**

While most ransomware bases partial encryption only on the file size, then encrypts a set percentage of the file the same way each time, Royal ransomware lets the operator choose a specific percentage and lower the amount of encrypted data even if the file size is large, the researchers said.

When a targeted file is being encrypted, the ransomware calculates the percentage to encrypt and divides the file content — encrypted and unencrypted — into equal segments, researchers explained in the post. The fragmentation — and thus the low percentage of encrypted file content that results — lowers the chance of being detected by anti-ransomware solutions.

"This ability to change the amount of the file to be encrypted gives Royal ransomware an advantage when it comes to evading detection by security products," the researchers noted.

The file size that Royal chooses for its partial encryption threshold — 5.24MB — also is the same as what Conti Group used in the past, encrypting 50% of a file in a divided manner if it was over this size, "much like Royal ransomware," the researchers wrote.

Though it's widely believed that Conti's former operators are behind Royal, this similarity is not strong enough evidence to confirm that link definitively, the researchers added.

Another technique unique to Royal is how it multithreads encryption, choosing the number of running threads by using the API call _GetNativeSystemInfo_ to collect the number of processors in a machine, the researchers divulged. It will then multiply the result by two and create the appropriate number of threads accordingly. This allows for rapid encryption, another show of sophistication by the group, the researchers said.

**Shielding the Enterprise From a Royal Threat**

To avoid rolling out the red carpet for Royal and other ransomware, researchers recommend that enterprises deploy a multilayer approach to malware protection that leverages threat intelligence, machine learning, anti-ransomware, next-generation antivirus, and variant payload-prevention capabilities.

For healthcare organizations with limited cybersecurity resources that may not have such tools in their arsenal, one security expert advised the adoption of low-code security automation to help detect and respond to threats in real time by allowing complete visibility into IT environments.

_"_Endpoint security tools that integrate low-code security automation give healthcare organizations a cohesive protection strategy that protects patients and employees from data theft and extortion," Daniel Selig, security automation architect at security automation provider Swimlane, tells Dark Reading.

Royal Ransomware Puts Novel Spin on Encryption Tactics

Aiming to give threat hunters a list of popular attack tactics, a cybersecurity team analyzed collections of real-world threat data to find attackers' most popular techniques.

An analysis of threats encountered by four organizations has identified the most common techniques used by attackers to compromise systems, infiltrate networks, and steal data, according to data analysts at Splunk SURGe, which published details of the research on Dec. 14.

The analysis used published data from Mandiant, Red Canary, MITRE's Center for Threat Informed Defense, and the US Cybersecurity and Infrastructure Security Agency (CISA) to find the most popular post-compromise threat activities, as defined by the MITRE ATT&CK framework. Threat groups that gain access to a compromised system, for example, are likely (28% of the time) to start up the PowerShell command line utility to extend their attack laterally throughout a network and to gain persistence on the compromised machine, the analysis found.

The use of PowerShell, obfuscating files, and exploiting public-facing applications are the three most popular techniques for attackers, the analysis found. Using the data, security operations center (SOC) managers can ensure that they are focused on detecting common tactics, says Ryan Kovar, distinguished security strategist and leader of Splunk’s SURGe research team.

"A lot of times, SOC analysts don't know where to start, and these are the areas where four trusted sources are saying they see adversaries consistently using these techniques," he says. "I talk to a lot of people around the world, and they do not have logging turned on for PowerShell, and if you do not have logging for PowerShell you are never going to see what is arguably the No. 1 adversary technique according to these four groups."

    

The rankings of the top four techniques by data set. Source: Splunk

The analysis effort combined data on cyberattacks from multiple industries and multiple years, including more than 400 techniques from the MITRE ATT&CK framework and more than 100 techniques targeting industrial control systems (ICS).

The analysis comes at a time when attackers are shifting toward using more stealthy tactics and hands-on intrusion techniques, making the training of SOC analysts increasingly important. In the past year, for example, cybersecurity services firm CrowdStrike has seen a small but measurable increase in targeted attacks, which now account for 18% of all attacks. In addition, attackers are eschewing malware in their attacks, with 71% of intrusions investigated by the firm not using malicious tools.

For defenders, finding ways to detect attacks remains difficult, Splunk researchers stated in the analysis.

"It has never been more difficult to decide which threats deserve the most attention," the analysis stated. "A sound defensive approach to directing analysis efforts should be data-driven, focusing on the trends and progression of attacker tradecraft, such as represented in ATT&CK."

**PowerShell, Obfuscated Files Top Tactics**

The top four tactics used by intruders includes using PowerShell as a command shell and script interpreter and attempting to obfuscate files and commands to remain stealthy. Using vulnerabilities in public-facing applications is the third most common technique, while spear-phishing attacks are the No. 1 initial access technique, according to Splunk's analysis.

The company plans to expand the list to a top 20 most common tactics, allowing security teams to discuss whether they can detect the techniques and how best to use their current tools to do so.

A critical part of the effort should be to game out each technique, how it could be detected, and whether the current information, telemetry, and logs are able to detect attackers who use the technique. Determining which logs and telemetry to track is the hard part, Kovar says.

"Find all the ways to log and show that information because every vendor and company has such different information and different platforms," he says. "That is where the hard work comes in, and for a lot of people, they know what they want to do, but they just don't know where to start."

**Easing the Pain for Threat Hunters**

By focusing on the attack techniques most commonly used by attackers, SOCs and security teams should have more information about how to improve their programs and better detect attackers.

Easing the work of SOC analysis is critical. A year-old survey found that 72% of SOC analysts rated the pain of doing their jobs at least a 7 out of 10.

In the end, Splunk's SURGe team aims to give cybersecurity professionals a way to harden their networks against attacks. Tackling the top 20 list of attacker tactics and ensuring that the SOC can detect every technique is a great way to begin 2023, Kovar says.

"Your mileage may vary," he adds, "but I am very confident that if you want to start your threat hunting program in a couple areas and want an immediate return on investment, this is where you can start."

Analysis Shows Attackers Favor PowerShell, File Obfuscation

Deloitte's Future of Cyber study highlights the fact that cybersecurity is an essential part of business success and should not be limited to just mitigating IT risks.

Cyber threats should no longer be viewed as just an IT problem, but also a business problem, Deloitte said in its latest Future of Cyber study. Operational disruption, loss of revenue, and loss of customer trust are the top three significant impact of cyber incidents. More than half, or 56%, of respondents told Deloitte they suffered related consequences to a moderate or large extent.

In 2021, the top three negative consequences from cyber incidents and breaches were operational disruption, which includes supply chain and the partner ecosystem, intellectual property theft, and a drop in share price. While operational disruption remained the top concern in 2022, loss of revenue and loss of customer trust and negative brand impact moved up in importance. Intellectual property theft and drop in share price dropped to eighth and ninth (out of ten) in ranking. Losing funding for a strategic initiative, loss of confidence in the integrity of the technology, and impact on employee recruitment and retention moved up in ranking in 2022. Respondents were also asked to mark two consequences they felt would be most important in 2023: Operational disruption and loss of revenue topped the list.

"Today, cyber means business, and it is difficult to overstate the importance of cyber as a foundational and integral business imperative," Deloitte noted in its report. "It \[cyber\] should be included in every functional area, as an essential ingredient for success—to drive continuous business value, not simply mitigate risks to IT."

**Cyber Maturity Matters**

Deloitte categorized organizations' cybersecurity maturity based on their adoption of cyber planning, risk management, and board engagement. Risk management included activities such as industry benchmarking, incident response, scenario planning, and qualitative and quantitative risk assessment. Whether or not the organization adopted any of these three practices hinged on stakeholders recognizing the importance of cyber responsibility and engagement across the whole organization, Deloitte said in its report. Examples included having a governing body that comprises IT and senior business leaders to oversee the cyber program, conducting incident-response scenario planning and simulation at the organizational and/or board level, regularly providing cyber updates to the board to secure funding, and conducting regular cyber awareness training for all employees.

In the analysis, 21% of organizations were considered high maturity, as they adhered to two or three of the key practices, and 41% of organizations were categorized as medium maturity for adhering to one of the practices. The remainder, or 38%, were low maturity, as they did not adhere to any of practices identified by Deloitte.

According to Deloitte, 91% of organizations reported at least one cyber incident or breach, but low maturity organizations tended to experience more significant cybersecurity events (6 or more events).

There were some differences based on the organization's maturity in what kind of issues they were concerned about. High-maturity organizations seem more concerned about cybercriminals and terrorists, as well as phishing, malware, and ransomware. Medium-maturity and low-maturity organizations were more concerned about denial-of-service attacks.

High maturity organizations are doing more when it comes to engaging leadership, planning, and acting, and they are seeing results in areas typically not associated with cybersecurity, such as increased efficiency, resiliency, and agility, Deloitte noted. Nearly 70% of high maturity organizations said their cybersecurity posture had an impact on enhancing trust and enabling efficiency throughout the organization. And 65% of the high maturity organizations cited resilience and agility as the benefits they are seeing as a result of their cybersecurity activities. More than half of the leaders of these high maturity organizations said their cybersecurity activities gave them confidence to take on new initiatives, compared to 45% for medium-maturity organizations and 40% for low-maturity organizations, Deloitte found. Cybersecurity also helped with the bottom line: 47% of high maturity organizations claimed their cybersecurity initiatives helped increase revenue.

Cybersecurity Drives Improvements in Business Goals

Here's what you need to patch now, including six critical updates for Microsoft's final Patch Tuesday of the year.

Microsoft has released fixes for 48 new vulnerabilities across its products, including one that attackers are actively exploiting and another that has been publicly disclosed but is not under active exploit now.

Six of the vulnerabilities that the company patched in its final monthly security update for the year are listed as critical. It assigned an important severity rating to 43 vulnerabilities and gave three flaws a moderate severity assessment. 

Microsoft's update includes patches for out-of-band CVEs it addressed over the past month, plus 23 vulnerabilities in Google's Chromium browser technology, on which Microsoft's Edge browser is based.

**Actively Exploited Security Bug**

The flaw that attackers are actively exploiting (CVE-2022-44698) is not among the more critical of the bugs for which Microsoft released patches today. The flaw gives attackers a way to bypass the Windows SmartScreen security feature for protecting users against malicious files downloaded from the Internet. 

"An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," Microsoft said.

CVE-2022-44698 presents only a relatively small risk for organizations, says Kevin Breen, director of cyber-threat research at Immersive Labs. "It has to be used in partnership with an executable file or other malicious code like a document or script file," Breen says. "In these situations, this CVE bypasses some of Microsoft's built-in reputation scanning and detection — namely SmartScreen, which would normally pop up to tell a user the file may not be safe." 

At the same time, users should not underestimate the threat and should patch the issue quickly, Breen recommends.

Microsoft described another flaw — an elevation of privilege issue in the DirectX Graphics kernel — as a publicly known zero-day but not under active exploit. The company assessed the vulnerability (CVE-2022-44710) as being "Important" in severity and one that would allow an attacker to gain system-level privileges if exploited. However, the company described the flaw as one that attackers are less likely to exploit.

**Vulnerabilities to Patch Now**

Trend Micro's ZDI flagged three other vulnerabilities in the December Patch Tuesday security update as being significant: CVE-2022-44713, CVE-2022-41076, and CVE-2022-44699.

CVE-2022-44713 is a spoofing vulnerability in Microsoft Outlook for Mac. The vulnerability allows an attacker to appear as a trusted user and cause a victim to mistake an email message as if it came from a legitimate user. 

"We don't often highlight spoofing bugs, but anytime you're dealing with a spoofing bug in an email client, you should take notice," ZDI's head of threat awareness Dustin Childs said in a blog post. The vulnerability could prove especially troublesome when combined with the aforementioned SmartScreen MoTW bypass flaw that attackers are actively exploiting, he said.

CVE-2022-41076 is a PowerShell remote code execution (RCE) vulnerability that allows an authenticated attacker to escape the PowerShell Remoting Session Configuration and run arbitrary commands on an affected system, Microsoft said. 

The company assessed the vulnerability as something that attackers are more likely compromise, even though attack complexity itself is high. According to Childs, organizations should pay attention the vulnerability because it is the type of flaw that attackers often exploit when looking to "live off the land" after gaining initial access on a network. 

"Definitely don’t ignore this patch," Childs wrote.

And finally, CVE-2022-44699 is another security bypass vulnerability — this time in Azure Network Watcher Agent — that, if exploited, could affect an organization's ability to capture logs needed for incident response. 

"There might not be many enterprises relying on this tool, but for those using this \[Azure Network Watcher\] VM extension, this fix should be treated as critical and deployed quickly,' Childs said.

Researchers with Cisco Talos identified three other vulnerabilities as critical and issues that organizations need to address immediately. One of them is CVE-2022-41127, an RCE vulnerability that affects Microsoft Dynamics NAV and on-premises versions of Microsoft Dynamics 365 Business Central. A successful exploit could allow an attacker to execute arbitrary code on servers running Microsoft's Dynamics NAV ERP application, Talos researchers said in a blog post. 

The other two vulnerabilities that the vendor considers to be of high importance are CVE-2022-44670 and CVE-2022-44676, both of which are RCE flaws in the Windows Secure Socket Tunneling Protocol (SSTP). 

"Successful exploitation of these vulnerabilities requires an attacker to win a race condition but could enable an attacker to remotely execute code on RAS servers," according to Microsoft's advisory.

Among the vulnerabilities that the SANS Internet Storm Center identified as important are (CVE-2022-41089), an RCE in the .NET Framework, and (CVE-2022-44690) in Microsoft SharePoint Server.

In a blog post, Mike Walters, vice president of vulnerability and threat research at Action1 Corp., also pointed to a Windows Print Spooler elevation of privilege vulnerability (CVE-2022-44678), as another issue to watch. 

"The newly resolved CVE-2022-44678 is most likely to be exploited, which is probably true because Microsoft fixed another zero-day vulnerability related to Print Spooler last month," Walters said. "The risk from CVE-2022-44678 is the same: an attacker can get SYSTEM privileges after successful exploitation — but only locally."

**A Confusing Bug Count**

Interestingly, several vendors had different takes on the number of vulnerabilities that Microsoft patched this month. ZDI, for instance, assessed that Microsoft patched 52 vulnerabilities; Talos pegged the number at 48, SANS at 74, and Action1 initially had Microsoft patching 74, before revising it down to 52.

Johannes Ullrich, dean of research for the SANS Technology Institute, says the issue has to do with the different ways one can count the vulnerabilities. Some, for instance, include Chromium vulnerabilities in their count while others do not. 

Others, like SANS, also include security advisories that sometimes accompany Microsoft updates as vulnerabilities. Microsoft also sometimes releases patches during the month, which it also includes in the following Patch Tuesday update, and some researchers don't count these. 

"The patch count can sometimes be confusing, as the Patch Tuesday cycle is technically November to December, so this will also include patches that were released out of band earlier in the month, and can also include updates from third party vendors," Breen says. "The most notable of these are patches from Google from Chromium, which is the base for Microsoft's Edge browser."  
Breen says by his count there are 74 vulnerabilities patched since the last Patch Tuesday in November. This includes 51 from Microsoft and 23 from Google for the Edge browser. 

"If we exclude both the out-of-band and Google Chromium \[patches\], 49 patches for vulnerabilities were released today," he says.

A Microsoft spokesman says the number of new CVEs for which the company issued patches today was 48.

Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update

OSV-Scanner generates a list of dependencies in a project and checks the OSV database for known vulnerabilities, Google says.

Securing the software supply chain is an increasingly complex and time-consuming challenge for enterprises. To help developers find vulnerability data for open source components, Google launched OSV-Scanner on Tuesday.

Modern software development requires managing multiple dependencies – software libraries and components that add functionality to the application without having to develop them from scratch. Developers need to be aware of vulnerabilities which may exist in the components, but the task is complicated by the fact that each dependency potentially contains other dependencies.

A new report from the Station 9 research team at Endor Labs found that 95% of all vulnerabilities in open source software are found in transitive dependencies – code packages that are indirectly pulled into projects by other dependencies. Developers need to be able to manage vulnerabilities in the dependencies they selected as well as in these transitive dependencies. To complicate matters even more, the same research report found that even the latest version of a package could still have known vulnerabilities.

Last year, Google launched the OSV.dev service, a distributed open source vulnerability database, to help developers with vulnerability management. OSV.dev encompasses 16 different open source ecosystems and vulnerability databases, with a total of 38,000 advisories. The idea is to use the service for vulnerability tracking, triage, and patch automation. Google's Rex Pan calls OSV-Scanner, which connects a project's list of dependencies with the vulnerabilities that affect them, the "next step" in managing open source vulnerabilities.

With OSV-Scanner, developers can match code and dependencies against a list of known vulnerabilities and identify any available patches or newer versions of the software component. The scanner identifies all the transitive dependencies being used by the project by analyzing software manifests, software bill of materials, and commit hashes. The scanner then connects to OSV.dev to display the known vulnerabilities in the project.

The information generated by the scanner "closes the gap between a developer's list of packages and the information in vulnerability databases," Pan wrote in the blog post announcing the new tool. Features such as the ability to utilize specific function level vulnerability information automated remediation will be available in the future, Pan wrote.

OSV-Scanner automates the discovery and patching of vulnerabilities in the software supply chain. The 2021 United States Executive Order for Cybersecurity specifically included automated tools "that check for known and potential vulnerabilities and remediate them" as a requirement for national standards on secure software development.

Developers can download and try out OSV-Scanner from the osv.dev website or use OpenSSF Scorecard's Vulnerabilities check to automatically run the scanner on a GitHub project, Google says.

Google Launches Scanner to Uncover Open Source Vulnerabilities

Citrix issues a critical update as NSA warns that the APT5 threat group is actively trying to target ADC environments.

Citrix has issued a patch for a critical flaw affecting Citrix ADC and Citrix Gateway, adding that the company is aware of attacks against the vulnerability in the wild.

The vulnerability, tracked under CVE-2022-27518, affects Citrix ADC and Citrix Gateway versions 12.1 (including FIPS and NDcPP) and 13.0 before 13.0-58.32. 

"Both must be configured with an SAML SP or IdP configuration to be affected," Citrix noted in its security update.

The National Security Agency (NSA) issued its own warning that the China-linked APT5 threat group has been actively targeting Citrix ADCs to bypass authentication controls to breach organizations. It also provided threat hunting guidance for security teams, and asked for intelligence sharing among the public and private sectors.

"The indicators and context from this analysis can be used by organizations for defensive purposes against this malicious activity," the NSA announced. "NSA requests that any additional insights and/or discoveries be shared with the NSA Cybersecurity Collaboration Center in order to enhance understanding of this activity and so that it can be used to improve the overall security posture of the Defense Industrial Base, DoD, and USG."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Citrix ADC, Gateway Users Race Against Hackers to Patch Critical Flaw

Software teams can now fix bugs faster with faster release cycles, but breach pressure is increasing. Using SBOM and automation will help better detect, prevent, and remediate security issues throughout the software development life cycle.

Rapid development and deployment cycles have long been criticized for the potential to introduce more flaws in software. But the "move fast and break things" adage doesn't hold up in modern environments, which are increasingly being targeted by malicious actors. On the other hand, faster release cycles can also mean patches can be implemented faster — and this is just one factor that is accelerating the rate at which software teams can fix bugs.

As demand for reliable, secure software increases, a number of tactics and technologies have emerged to help teams build, maintain, fix, and secure their applications faster than ever. Approaches such as DevSecOps, bug bounty programs, open source bug reporting, and even Google's Project Zero have had substantial influence on how we secure software. But if identifying and patching vulnerabilities has become easier, why are we still reading about so many breaches? Let's explore.

**New Tactics Accelerate Bug Fixing**

The wide adoption of DevOps solutions and organization workflows, which we've seen in recent years, means faster release cycles of software. In the not-so-distant past, a software company would release an updated version every few months, which would contain fixes for security issues detected and patched in that period. Anything that wasn't yet discovered or fixed would have to wait for the next release in another few months. With DevOps methodology and technology in place, software vendors and open source project maintainers release versions of their product dozens of times a day — when the fix is ready, the product receives it, cutting the time-to-fix dramatically.

Some organizations are going a step further to implement security into development processes. Research from ESG shows that 62% of organizations have a plan or are evaluating use cases for DevSecOps implementation. And those organizations that have already put these processes into place are seeing radical improvements in the speed at which they can identify and remediate vulnerabilities.

Bug bounty programs have also become mainstream. Some platforms allow software vendors to use the power of crowdsourcing to discover security issues in their own products. This flow must be managed with a dedicated framework for bug fixing. And as the discovery of issues grows, the organization is compelled to create better ways to fix them, and the time-to-fix is getting shorter.

Within the open source community, code management solutions such as GitHub, GitLab, and others have a built-in way to report and track security issues so that open source maintainers and users can easily report and follow vulnerabilities that are presented in an open source project. The information is public (on the public projects), and the maintainers and the community feel committed to fixing issues quickly.

A final factor is the impact made by Google's Project Zero. As part of this initiative, Google has a team of security researchers dedicated to studying zero-day vulnerabilities in the hardware and software systems that are depended upon by users around the world. In 2021, Google's Project Zero detected a record 58 zero-day vulnerabilities in the wild.

In addition, most software companies that are presented in Project Zero's data set aren't your ordinary software vendors, and the project forces these major tech companies to fix security issues within 90 days, which results in shifts in engineering culture and organizational structure as the engineering community at large emulates the big innovators.

**Challenges Remain, Affecting Software Security**

Patches for software are often delivered via updates that require a consumer to upgrade to the latest version, a move which can often impact operations. Resolution in a timely manner can even be impossible, in some cases. Companies developing software today are often relying on a high percentage of open source code and many components that create complexity. Upgrading an open source library, which a company relies on throughout its codebase, or a specific version of a docker image, could mean substantial changes across its products. A single security fix might create a massive amount of work for engineering teams. As a result, teams must prioritize bug fixes, and only critical security issues are getting resolved.

**Improvements in Software Security**

Automation is key. It's impossible for software consumers and vendors to deal with a large amount of security risk in large codebases without using an automated process for detection, remediation, and prevention. Prioritizing is also important. A small engineering team could easily find itself overwhelmed with all the potential security issues disclosed, but it usually doesn't affect its software. To determine if applications are affected by security risks, companies need to take a comprehensive approach — from source code, throughout the DevOps pipelines releasing it, and through the production environment in the cloud. Connecting those dots helps engineers properly manage security risks in apps.

Companies should also employ technologies to assess the health and reputation of open source code. Factors to evaluate include quality, maintainability, popularity, and risk for supply-chain incidents. Automated security tools can play a role here as well by preventing risky code from entering the codebase and notifying developers of potentially dangerous packages. Also, employing a software bill of materials (SBOM) can provide transparency into the software components used in applications, accelerate the identification and remediation of potential vulnerabilities, and help achieve compliance with government regulations.

Source

DARKReading