With the $7.2M contract, Cloudflare will enhance resilience and simplify security for .gov domain users.

**San Francisco, CA, January 13, 2023** **–** Cloudflare, Inc. (NYSE: NET), the security, performance, and reliability company helping to build a better Internet, has been awarded a $7.2 million contract from the Cybersecurity and Infrastructure Security Agency (CISA) to provide Registry and Authoritative DNS services to the .gov TLD (Top Level Domain).

"The Internet has made the United States government more accessible for constituents than ever before, whether they're applying for a passport, learning health and safety recommendations for their communities, or reaching out to a representative," said Matthew Prince, co-founder & CEO of Cloudflare. "Having a reliable and secure DNS for government agencies is critical to instill trust in all .gov activity, and working with us to achieve this is a testament to the reliability and security of the Cloudflare network."

CISA is the nation’s risk advisor, working with partners to defend against today’s threats and collaborating to build more secure and resilient infrastructure for the future. CISA builds the nation’s capacity to defend against cyber attacks by providing cybersecurity tools, incident response capabilities, and assessment services to safeguard the Federal IT enterprise, state and local partners, and systems that support national critical functions.

DNS is a core Internet service that is foundational to the security of the applications that sit on top of it. CISA turned to Cloudflare to provide registry and DNS services to meet the need for highly available DNS services that enhance resilience and simplify security operations for .gov domain users. CISA makes .gov domains available at no cost to US-based government organizations, but it takes more than registering a domain to put it on the Internet. DNS services guide visitors to the site. The .gov TLD registry and DNS services are available to all bona fide U.S.-based government organizations.

With this contract, Cloudflare will provide managed name servers for the .gov zone and authoritative DNS hosting for .gov domain names. Cloudflare will support CISA’s goals:

*   Reducing the attack surface of .gov-related infrastructure and government organizations
*   Automating sensitive portions of DNS security management, setting DNS records that make it hard to successfully impersonate the government in email by default, and offering new features
*   Gaining visibility to better detect and prevent certain DNS ecosystem issues instead of reacting to them

Cloudflare recently achieved FedRAMP moderate authorization and is available on the FedRAMP marketplace. Cloudflare provides security, performance, and reliability services through its global network to over 40 United States Federal Government agencies. In 2021, CISA began utilizing Cloudflare to deliver a protective DNS resolver solution for all Federal Civilian Executive Branch (FCEB) agencies. Cloudflare is committed to supporting critical government functions, including the nation's election infrastructure. Through its Athenian Project, Cloudflare provides services for free to state, county, and local officials administering elections.

For more information, visit:

*   Cloudflare for Public Sector

**About Cloudflare** Cloudflare, Inc. (www.cloudflare.com / @cloudflare) is on a mission to help build a better Internet. Cloudflare’s suite of products protect and accelerate any Internet application online without adding hardware, installing software, or changing a line of code. Internet properties powered by Cloudflare have all web traffic routed through its intelligent global network, which gets smarter with every request. As a result, they see significant improvement in performance and a decrease in spam and other attacks. Cloudflare was awarded by Reuters Events for Global Responsible Business in 2020, named to Fast Company's Most Innovative Companies in 2021, and ranked among Newsweek's Top 100 Most Loved Workplaces in 2022.

**Forward-Looking Statements** This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “contemplate,” “believe,” “estimate,” “predict,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern Cloudflare’s expectations, strategy, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding the capabilities and effectiveness of Cloudflare’s Registry and Authoritative DNS solutions and its other products and technology, the benefits to the U.S. government and Cloudflare’s other customers from using Cloudflare’s Registry and Authoritative DNS solutions and its other products and technology, the expected functionality and performance of Cloudflare’s Registry and Authoritative DNS solutions and its other products and technology, the benefits to Cloudflare from achieving FedRAMP moderate authorization, Cloudflare’s technological development, future operations, growth, initiatives, or strategies, and comments made by Cloudflare’s CEO and others. Cloudflare’s actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in its filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Quarterly Report on Form 10-Q filed on November 3, 2022, as well as other filings that we may make from time to time with the SEC.

The forward-looking statements made in this press release relate only to events as of the date on which the statements are made. We undertake no obligation to update any forward-looking statements made in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. We may not actually achieve the plans, intentions, or expectations disclosed in Cloudflare’s forward-looking statements, and you should not place undue reliance on Cloudflare’s forward-looking statements.

Cloudflare Wins CISA Contract for Registry and Authoritative Domain Name System (DNS) Services

Establish clear and consistent processes and standards to scale lite threat modeling's streamlined approach across your organization.

New development happens all the time at busy software companies. But is secure development happening as well?

A process called lite threat modeling (LTM) involves stakeholders in secure development, ensuring that security is baked in and not bolted on. What is LTM, and how does it differ from traditional threat modeling?

**The Lite Threat Modeling Approach**

LTM is a streamlined approach to identify, assess, and mitigate potential security threats and vulnerabilities in a system or application. It's a simplified version of traditional threat modeling, which typically involves a more comprehensive and detailed analysis of security risks.

With LTM, we're not manually sticking pins into the system or app to see if it breaks, as we would with pen testing. Rather, we poke "theoretical holes" in the application, uncovering possible attack avenues and vulnerabilities.

Here are some questions to consider asking:

*   Who would want to attack our systems?
*   What components of the system can be attacked, and how?
*   What's the worst thing that could happen if someone broke in?
*   What negative impact would this have on our company? On our customers?

**When Are LTMs performed? **

It's best to perform an LTM whenever a new feature is released, a security control is changed, or any changes are made to existing system architecture or infrastructure.

Ideally, LTMs are performed _after_ the design phase and _before_ implementation. After all, it's much, much easier to fix a vulnerability before it gets released into production. To scale LTMs across your organization, be sure to establish clear and consistent processes and standards. This can involve defining a common set of threat categories, identifying common sources of threats and vulnerabilities, and developing standard procedures for assessing and mitigating risks.

**How to Perform LTMs at Your Organization **

To start performing LTMs within your own organization, first have your internal security teams lead your LTM conversations. As your engineering teams get more familiar with the process, they can begin performing their own threat models.

To scale LTMs across your organization, be sure to establish clear and consistent processes and standards. This can involve defining a common set of threat categories, identifying common sources of threats and vulnerabilities, and developing standard procedures for assessing and mitigating risks.

**Common LTM Mistakes to Avoid**

Security people are great at threat modeling: They often expect the worst and are imaginative enough to think up edge cases. But these qualities also lead them to fall into LTM traps, such as:

*   **Focusing too much on outliers.** This occurs during an LTM exercise when the focus of the conversation veers away from the most realistic threats to its outliers. To solve this, be sure to thoroughly understand your ecosystem. Use information from your security information and event management (SIEM) and other security monitoring systems. If you have, say, 10,000 attacks hitting your application programming interface (API) endpoints, for example, you know that's what your adversaries are focused on. This is what your LTM should be focused on as well.
*   **Getting too technical.** Often, once a theoretical vulnerability has been discovered, technical people jump into "problem-solving mode." They end up "solving" the problem and talking about technical implementation instead of talking about the impact that vulnerability has on the organization. If you find this is happening during your LTM exercises, try to pull the conversation back: Tell the team that you're not going to talk about implementation yet. Talk through the _risk and impact_ first.
*   **Assuming tools alone handle risks.** Frequently, developers expect their tools to find all the problems. After all, the reality is that a threat model isn't meant to find a specific vulnerability. Rather, it's meant to look at the overall risk of the system, at the architectural level. In fact, insecure design was one of OWASP's most recent Top 10 Web Application Security Risks. You need threat models at the architectural level because architectural security issues are the most difficult to fix.
*   **Overlooking potential threats and vulnerabilities.** Threat modeling isn't a one-time exercise. It is important to regularly reassess potential threats and vulnerabilities to stay ahead of ever-changing attack vectors and threat actors.
*   **Not reviewing high-level implementation strategies.** Once potential threats and vulnerabilities have been identified, it's important to implement effective countermeasures to mitigate or eliminate them. This may include implementing technical controls, such as input validation, access control or encryption, as well as nontechnical controls, such as employee training or administrative policies.

**Conclusion**

LTM is a streamlined approach for identifying, assessing, and mitigating potential security threats and vulnerabilities. It is extremely developer-friendly and it gets secure code moving by doing threat modeling early in the software development life cycle (SDLC). Better still, an LTM can be done by software developers and architects themselves, as opposed to relying on labs to run threat modeling.

By developing and implementing LTMs in a consistent and effective manner, organizations can quickly and effectively identify and address the most critical security risks, while avoiding common pitfalls and mistakes.

Fast-Track Secure Development Using Lite Threat Modeling

Critical national infrastructure, widespread cybercrime, and cyber insecurity are major risks in the report

A lot has happened in the 12 months since the World Economic Forum's (WEF) previous "Global Risks Report." Russia invaded Ukraine. The consequential impact on the supply of food and energy has led to a cost-of-living crisis being experienced by many. Extreme weather events have become a reality for more and more people. This rapid change is the backdrop to the report.

The 2023 report highlights that there is no single dominating crisis that the world is facing and there are, and will continue to be, constant crises that organizations, governments, and countries must navigate. Attacks on critical national infrastructure (CNI), widespread cybercrime, and cyber insecurity are highlighted as major risks throughout the next 10 years in the WEF's "Global Risks Report 2023," published on Jan. 11.

In terms of current crises identified in the WEF report — those emerging or present today — cyberattacks on critical infrastructure is the only technological risk appearing on the chart. CNI attacks are much sought after by malicious threats, as they can result in high-profile trust failures, potential pay dirt for ransomware, and could even lead to civil unrest.

The report comments: "Alongside a rise in cybercrime, attempts to disrupt critical technology-enabled resources and services will become more common, with attacks anticipated against agriculture and water, financial systems, public security, transport, energy and domestic, space-based and undersea communication infrastructure."

Examples of such attacks today include the UK's Royal Mail, currently dealing with a "cyber incident" that has resulted in the organization asking people to stop sending mail and parcels abroad. The outage of the NOTAM (Notice to Air Missions) system that grounded flights in the US on Jan. 11 is being investigated as a potential "nefarious cyber incident," although this is just one aspect of an investigation into the outage ordered by President Biden. Attacks on healthcare institutions, water supplies, fuel pipelines, and more all serve to remind what the "C" in CNI is there for — if something is defined as critical, it needs strong cybersecurity protection and resilience to keep people and societies safe and operational, as it will always be a target for cyberattack.

**Risks Ranked**

There is much to read in the 98-page WEF report. Although there are seven risks appearing in both the two- and 10-year outlooks ahead of widespread cybercrime and cyber insecurity, this is the leading technological risk, at No. 8 in both these outlooks.

There is actually little reference to cybercrime specifically in the report beyond the definition of "widespread cybercrime and cyber insecurity," which is described as "Increasingly sophisticated cyberespionage or cybercrimes. Includes, but is not limited to: loss of privacy, data fraud or theft, and cyber espionage."

Cybercrime is an everyday reality today. As just one example, ransomware continues to be a scourge on society and organizations, but the potential opportunities and yields are so great that it is here to stay. Phishing, crashing websites, and identity theft are just some further examples of cybercrime that are set to continue. Omdia's security breaches tracker has consistently shown that data exposure is the leading outcome of security breaches, accounting for around two-thirds of breaches in the first half of 2022.

This approximate two-thirds number has been consistent since 2019. The tracker also analyses the share of breaches by industry or vertical and healthcare was the biggest sector to be affected by security breaches in the first half of 2022, followed by the government sector. The healthcare and governmental sectors have interchanged "top spot" over the same three-year period as for data exposure. It's fair to say that data is poorly protected today and that government and healthcare are huge targets for data because of the sort of information they hold.

Cyber insecurity is useful terminology when we know that many organizations do not have adequate cybersecurity capabilities. Omdia's "IT Enterprise Insights 2022-23" found that 27% of organizations describe themselves as "well advanced" in managing security, identity, and privacy, and a further 34% as "advanced," this does leave 39% of organizations with a substantially inadequate approach.

WEF's Global Risks Report 2023 Keeps Cybersecurity on the Agenda

A security vendor's investigation of infrastructure associated with a new, crypto-focused Magecart skimmer leads to discovery of cryptoscam sites, malware distribution marketplace, Bitcoin mixers, and more.

Cybercriminals engaged in one form of criminal activity can sometimes have their hands in a wide range of other nefarious campaigns as well, as researchers recently discovered when analyzing the infrastructure associated with a fresh iteration of a Magecart skimmer.

Magecart is a notorious — and constantly evolving — syndicate of multiple groups that specializes in placing card skimmers on e-commerce sites to steal payment card information. Over the years, groups belonging to the syndicate have executed numerous — sometimes massive — heists of card information from websites, including those belonging to major companies like TicketMaster and British Airways.

Researchers from Malwarebytes recently observed a threat actor deploying a payment card skimmer — based on a framework called mr.SNIFFA — on multiple e-commerce sites. mr.SNIFFA is a service that generates Magecart scripts that threat actors can dynamically deploy to steal credit and debit card information from users paying for purchases on e-commerce websites. The malware is known for employing various obfuscation methods and tactics like steganography to load its payment card stealing code onto unsuspecting target websites.

**Sprawling Crime Haven**

Their investigation of the infrastructure used in the campaign led to the discovery of a sprawling network of other malicious activities — including cryptocurrency scams, forums for selling malicious services, and stolen credit card numbers — that appeared linked to the same actor. 

"Where one criminal service ends, another one begins — but often times they are linked," said Jerome Segura, director of threat intelligence at Malwarebytes, in a blog post summarizing the company's research. "Looking beyond snippets of code and seeing the bigger picture helps to better understand the larger ecosystem as well as to see potential trends."

In the Magecart campaign that Malwarebytes observed, the threat actor used three different domains for deploying different components of the attack chain. Each of the domains had crypto-inspired names. The domain that injected the initial redirect component of the infection chain for instance had the name "saylor2xbtc\[.\]com," apparently in a nod to noted Bitcoin proponent Michael Saylor. Other celebrities were referenced too: A domain named "elon2xmusk\[.\]com" hosted the loader for the skimmer, while "2xdepp\[.\]com" contained the actual encoded skimmer itself.

Malwarebytes found the three domains hosted on infrastructure belonging to DDoS-Guard, a Russia-based bulletproof hosting company with a reputation for hosting shady websites and operations. The security vendor's investigation showed each of the three domains were associated with a wide range of other malicious activities.

The IP address, which hosted the skimmer loader for instance, also hosted a fraudulent version of home décor and decoration company Houzz's website. Similarly, the IP address for 2xdepp\[.\]com — the site hosting the skimmer — hosted a website selling tools like RDP, Cpanel, and Shells, and another website that offered a service for mixing cryptocurrencies —something that cybercriminals often use to making illicitly earned money harder to trace. 

Researchers at Malwarebytes further discovered blackbiz\[.\]top, a forum that cybercriminals use to advertise various malware services, hosted on the same subnet.

**Crypto-Related Scams**

Malwarebytes decided to see if there were any other websites hosted on DDoS Guard that might have the same "2x" in their domain names as the three sites associated with the Magecart campaign had. The exercise revealed multiple fraudulent websites engaged in illicit cryptocurrency related activities. 

"These fake sites claim to be official events from Tesla, Elon Musk, MicroStrategy, or Michael J. Saylor and are tricking people with false hopes of earning thousands of BTC," Segura said. "These crypto-giveaway scams have grown five-fold in H1 2022, according to a September 2022 report by Group-IB," he added.

Malwarebytes also discovered multiple other sites on DDoS Guard that appeared linked to the Magecart operator. Among them were phishing sites spoofing TeamViewer, AnyDesk, MSI, a Web portal named after journalist Brian Krebs for selling stolen credit card data, and one site selling a range of phishing kits.

Malwarebytes' research highlights the still sprawling nature of some cybercrime groups, even as others have begun to specialize in specific cybercriminal activities with a view to collaborating with others on joint malicious campaigns. 

Over the past few years, threat actors such as Evil Corp, North Korea's Lazarus Group, DarkSide, and others have earned reputations for being both big and varied in their operations. More recently though, others have begun to focus more narrowly on their specific skills.

Research that security vendor Trend Micro conducted last year showed that increasingly, cybercriminals with different skills are conglomerating to offer cybercrime-as-a-service. The company discovered these criminal services to be comprised of groups offering either access-as-a-service, ransomware-as-a-service, bulletproof hosting, or crowdsourcing teams focused on finding new attack methods and tactics.

"From an incident-response mentality, this means \[defenders\] will have to identify these different groups completing specific aspects of the overall attack, making it tougher to detect and stop attacks," Trend Micro concluded.

Researchers Find 'Digital Crime Haven' While Investigating Magecart Activity

In the ad, cybercriminals are offering to sell employee-level access to Telegram, researchers warn.

For the non-negotiable price of $20,000, threat actors claim they can provide insider access to Telegram servers running the encrypted instant messaging platform preferred by a security-conscious clientele.

The ad, posted on a Dark Web marketplace and discovered by the researchers of SafetyDetectives, boasts that the access is high-level and provided "through their employees."

Rather than providing remote access, the seller is hawking "an offering of correspondence for six months," the SafetyDetectives team added.

"It is impossible to say how many users, or Telegram servers, may be impacted," the report explained. "However, if the vendor’s claims are valid, an insider in the internal Telegram network would be able to exfiltrate logs and compromise user data."

Meanwhile, it seems Telegram might have a broader phishing problem.

**Phishing Explodes on Telegram**

The discovery comes on the heels of the release of new data from Cofense that shows that the abuse of Telegram bots exploded by 800% in 2022, driven by threat actors using malicious HTML attachments to deliver credential phishing attempts. Telegram bots are also attractive to spear-phishers because they're free and easy to set up and run.

"Threat actors appreciate the ease of setting up bots in a private or group chat, the bots' compatibility with a wide range of programming languages, and ease of integrations into malicious mediums such as malware or credential phishing kits," the Cofense report said. "Coupling the ease of Telegram bot setup and use with the popular and successful tactic of attaching an HTML credential phishing file to an email, a threat actor can quickly and efficiently reach inboxes while exfiltrating credentials to a single point using an often-trusted service."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

$20K Buys Insider Access to Telegram Servers, Dark Web Ad Claims

SBOMs aren't enough. OpenSSF's Alpha-Omega brings in new blood to help secure the open source projects most impactful to the software supply chain.

The intricate labyrinth of open source dependencies across the global software supply chain has created an application security puzzle of mammoth proportions. Whether open source or closed, most of the world's software today is built on third-party components and libraries. Consequently, one piece of vulnerable code in even the smallest of open source projects can have a domino effect that impacts thousands of other applications, APIs, cloud infrastructure components, and more.

This issue is becoming one of the most pressing security concerns of CISOs today, and at an individual enterprise level, organizations are hard at work tackling it with projects like building out software bills of materials (SBOMs), establishing open source security management standards, and creating technical guardrails for developers to follow them.

But these efforts don't necessarily solve the problem at a more systemic level. According to many experts in the open source community, in order to make the biggest dent in the downstream supply chain, more effort needs to be put into helping open source project maintainers clean up their code.

This is the goal of the Alpha-Omega Project. About to hit its one-year anniversary next month, Alpha-Omega is a big-picture security project put together by the Open Source Security Foundation (OpenSSF) and its parent organization, the Linux Foundation, to address the fundamental issues in software supply chain security.

The "Alpha" side of the project is focused on collaborating with the maintainers of the open source projects most critical to the broader supply chain — including notables like node and jQquery — to help them level up the security posture of their code. These are projects hand-selected by the OpenSSF Securing Critical Projects working group using expert opinion and data from benchmarks like the Open SSF Criticality Score to determine the projects with the biggest downstream impact.

The "Omega" side of the project turns to the long-tail of software supply chain security, using automation and tooling to identify critical security vulnerabilities across a range of 10,000 widely deployed open source projects. It's an effort to scale up the remediation of the lowest-hanging, most obvious flaws that are pervasive across the supply chain.

Funded initially by Google and Microsoft, with additional toolchain and personnel support from financial giant Citi, Alpha-Omega wrapped up 2022 by snagging an additional $2.5 million from Amazon Web Services. More crucially, the project is preparing for 2023 with two new critical hires — Yesenia Yser, formerly a product security engineer for Red Hat, and Jonathan Leitschuh, who just finished up his one-year stint as the first Dan Kaminsky Fellow for Human Security. Yser steps in as a senior software security engineer, and Leitschuh will continue his research on automating open source security research and remediation as a senior software security researcher.

**Alpha-Omega Project's First Year**

This project is one of several high-profile security projects spearheaded and fundraised by OpenSSF and Linux Foundation in the past year to tackle the systemic issues in open source security. Following the organizations' successful model for rapid funding and action on security projects, Alpha-Omega has already made headway on a number of significant fronts.

According to the project's first annual report, the project has already engaged with five different open source projects: Node.js, the Eclipse Foundation, the Rust Foundation, jQuery, and the Python Software Foundation. Over the course of 2022, Alpha-Omega doled out $1.5 million in grants to different projects, including $460,000 to the Rust Foundation, $400,000 to the Eclipse Foundation, and $300,000 to Node. In the case of Node, that support helped it reactivate the Node Security Working Group and get it working on a security and threat model for Node.js. It also spurred the triaging of 20 different vulnerability reports across the project's code base.

Additionally, Alpha-Omega recently released the initial version of the Omega Analysis Toolchain, which orchestrates 27 different security analyzers for identifying critical vulnerabilities in open source packages. The project also released a number of experimental tools, including a triage portal to make security research and reporting more efficient.

For year two, the project plans to accelerate work on the Omega side of the house.

**What 2023 Has in Store for the Project**

The addition of Yser and Leitschuh to the Alpha-Omega Project will not only infuse more brainpower, time, and talent into existing efforts, but also plenty of enthusiasm for moving the needle on open source security.

"Open source software is in every piece of equipment that is used today, from our automotives, airplanes, phones, trackers, and even utility systems," says Yser, who has deep roots in the DevSecOps and software supply chain worlds. In her position at Red Hat she was the supply chain ops technical lead.

"The vision for the project has a global impact of improving the security posture of open source software, supply chain security, and the lives of folks around the world," she says.

Yser will be working directly on improving the Omega toolchain and the triage portal to help engineer improvements in how projects and vulnerability impacts are analyzed and prioritized for mitigation.

"For the Omega tool chain, a goal for this year will be to have an operationalized system that a maintainer or developer can leverage," she says. "For the Triage Portal, the goal will be to support a researcher's ability to triage a discovered finding via importing a SARIF report to the portal and handle their investigation within the system. The system will remain limited to the Alpha-Omega team until noted otherwise, but thanks to open source software, a researcher can run their own instance and submit pull requests to the repository and support the overall mission."

Yser will be working in close collaboration with Leitschuh, who brings significant and very fresh experience to bear in the area of scaling and automating fixes across open source projects. He spent last year's fellowship working on this exact problem. His goal is to continue the work he did there and use what he learned to further his mission of rooting out the most prevalent and impactful flaws lurking across a wide swath of open source projects.

"We may not know where those little pegs are that are holding up the entire software industry exist," Leitschuh says. "It could be one of those tiny little pieces of software that has 15 stars on GitHub that nobody knows, but it's holding up the entire Internet. So how do we secure those projects that no one knows about but \[are\] somehow fundamental to the entire supply chain?"

He says his work during the fellowship helped him further home in on his niche of not necessarily going very deep on any one security vulnerability, but instead looking at a certain type of vulnerability and developing automated ways of finding that same flaw in lots of different places across the open source ecosystem. This dovetails perfectly with the Omega ethos, which is what led him to his newest gig.

Leitschuh will keep supporting refinements on automated methods for running down flaws in Data Flow and Control analysis and auto pull request generation. But he's also going to be continuing the very manual work of collaboration. One of the important lessons he learned last year is that a lot of the work ahead of him and his Alpha-Omega team is not necessarily technical. It's about building relationships with maintainers to help them see how sometimes even simple fixes to their projects can have a huge impact on global software supply chain security postures.

"Technologists and software people, we don't always love the human element — it's easier for us to sit down and write a line of code that detects this thing and throw it over a wall than it is for us to engage with an actual person and try to convince them this is a thing worth fixing," he says.

He explains how one instance last year illustrates this point perfectly. In this case he worked with a maintainer of a YAML Parser that had a 6-year-old remote code execution flaw that had a lot of downstream impact. For a long time when Leitschuh approached him about it, the maintainer told him, "Don't trust untrusted YAML. This is not my vulnerability."

Finally, after sitting the maintainer down in a video call with lots of technical debate, Leitschuh was able to show him that the change he requested was extremely narrow and could have a huge impact.

"So he's now willing to fix this 6-year-old remote code execution vulnerability in this YAML Parser because someone like me sat down with him on a video call, finally, and had a conversation with him to convince him the minimal thing that he needed to do to make it more secure," he says.

While Leitschuh could have automated fixing the vulnerability downstream, the more elegant fix was having this discussion instead.

"I thought it was worth it for me to sit down and spend the time focusing on this one piece of software to try to convince this maintainer. Having those conversations is what's going to have a wider positive impact writ large on the entire industry," he says. "At that point you just need boots on the ground. You need people that know what they're talking about to sit down and spend time that is required to engage with an actual person."

Software Supply Chain Security Needs a Bigger Picture

**CAMBRIDGE, England****,** **Jan. 12, 2023** **/PRNewswire/ --** Darktrace, a global leader in cyber security artificial intelligence, today released three new cyber-threat trend reports revealing 2022 attack data observed across its global customer fleet.1 The industry reports pertain to the energy, healthcare, and retail sectors respectively.

"These industry-specific reports are the first of their kind released by Darktrace, representing an important effort to surface the data underpinning the rapidly evolving threat landscape that we are defending against," commented Toby Lewis, Global Head of Threat Analysis, Darktrace.

"The trends reveal crucial sector-specific challenges, from the tendency for hackers to siphon off the energy sector's resources in the form of crypto\-jacking, through to the invaluable nature of patient data which leads to data exfiltration in the healthcare sector," commented Lewis. "The surge in credential-based attacks across the retail sector reflects the fact that identity theft will be a key trend for 2023, increasing the need for AI-based behavioral analytics for understanding employee actions in rich context and authenticating the actions taken using certain credentials."

**Energy Sector: Key Findings**

Against the backdrop of a global energy crisis, Darktrace's energy sector report reveals that illegal crypto\-mining threats,whereby bad actors steal energy and processing power from other devices and networks, are on the rise across the industry. Notable findings include:

*   High-priority crypto\-mining accounted for 13 times more of all observed cyber incidents in the UK energy sector in 2022 compared to 2021
*   High-priority crypto\-mining accounted for 3 times more of all observed cyber incidents in the US energy sector in 2022 compared to 2021

The report divulges two real-world crypto\-mining threat finds from a European and US energy organization respectively, which were both stopped by Darktrace's AI technology. In the former case, attackers were caught attempting to mass pool crypto\-mining capabilities using 5 internal servers at the organization.

**Retail Sector: Key Findings**

As online shopping remains popular, Darktrace's retail sector report reveals that over the course of 2022, criminals increasingly turned toward credential theft, spoofing and stuffing to target this multi-billion-dollar industry's online infrastructure. Notably:

*   Credential theft, spoofing and stuffing accounted for over 170% more of all observed cyber incidents in the US retail sector in 2022 compared to 2021
*   Credential theft, spoofing and stuffing accounted for over 14% more of all observed cyber incidents in the UK retails ector in 2022 compared to 2021
*   Credential theft, spoofing and stuffing accounted for over 70% more of all observed cyber incidents in the Australian retail sector in 2022 compared to 2021

One threat find in the report from August 2022 details the discovery of a never-before-seen attack tool lying dormant inside a well-known UK automotive retailer. Months before Darktrace had been adopted by the retailer, one of its devices had become infected with novel malware that lay dormant, establishing a foothold and waiting for the right time to launch an attack. After deployment, Darktrace AI caught the malware when it made multiple authentication attempts using spoofed credentials for one of the organization's security managers. If successful, the attack could have undermined the organization's entire security posture, allowing malicious software to gain control of the company's infrastructure from within.

**Healthcare Sector: Key Findings**

Often viewed as a 'soft target' for cyber-criminals, hospitals and other healthcare organizations are extremely rich data sources from which attackers can make a profit by selling patient information such as medical records, credit cards or banking details. Darktrace's healthcare sector report notably revealed:

*   Data exfiltration was one of the top 3 observed threats faced by healthcare providers globally, with organizations in the UK and Australia suffering an increased volume in 2022
*   The most common attack type observed across healthcare globally in 2022 was suspicious network scanning, a form of intelligence gathering which often constitutes the initial phase of a cyber-attack

The report details a real-world sophisticated threat faced by a US healthcare provider in which a malicious PowerShell script was discovered to be deployed on one of the organization's internal servers, an attempt to give bad actors remote control over the target network. The threat was autonomously thwarted by Darktrace's RESPOND™ technology before attackers could do harm.

**About Darktrace**

Darktrace (DARK.L), a global leader in cyber security artificial intelligence, delivers complete AI-powered solutions in its mission to free the world of cyber disruption. Breakthrough innovations from the Darktrace Cyber AI Research Centre in Cambridge, UK and its R&D centre in The Hague, The Netherlands have resulted in over 125 patent applications filed and significant research published to contribute to the cyber security community. Darktrace's technology continuously learns and updates its knowledge of 'you' for an organization and applies that understanding to achieve an optimal state of cyber security. It is delivering the first ever Cyber AI Loop, fuelling a continuous end-to-end security capability that can autonomously prevent, detect, and respond to novel, in-progress threats in real time. Darktrace employs over 2,200 people around the world and protects over 8,100 organizations globally from advanced cyber-threats. It was named one of TIME magazine's 'Most Influential Companies' in 2021.

The data pertains to the period January-October 2022 and is compared with the same period in 2021.

Darktrace Publishes 2022 Cyberattack Trend Data For Energy, Healthcare & Retail Sectors Globally

**SAN FRANCISCO -- (****BUSINESS WIRE****) --** Cloudflare, Inc. (NYSE: NET), the security, performance, and reliability company helping to build a better Internet, today announced an expansion of its relationship with Microsoft to help customers easily deploy, automate, and enhance their organization’s Zero Trust security.

Working from anywhere is more common than ever, and critical applications have moved to the cloud—no longer residing inside an office protected by a secure perimeter. This fundamental shift in where and how people work has caused enterprises to rethink legacy tools and abandon the traditional castle-and-moat approach to security, looking towards Zero Trust instead. As CIOs continue to navigate this paradigm shift, Cloudflare has developed a new set of integrations with Microsoft to help organizations on this journey. Now, mutual customers can seamlessly deploy Zero Trust security tools in minutes, with no complex code changes, and add industry-first features, such as Cloudflare’s Remote Browser Isolation technology.

"When I speak with CIOs, I continue to hear that their number one concern remains security, closely followed by adapting to the new hybrid world,” said Matthew Prince, CEO and co-founder at Cloudflare. “We want to make it easier than ever for IT leaders to deploy Zero Trust security across the enterprise and keep users safe wherever they are working from. I’m thrilled that we are deepening our integration with Microsoft so we can help our joint customers easily deploy Zero Trust security across some of the most used applications in the workplace.”

Through these new integrations, Cloudflare now provides a comprehensive identity driven approach to protect applications, users, devices and networks from attacks. These integrations pair Microsoft Identity solutions and Cloudflare network security tools to create a quality Zero Trust offering.

“A cloud-native Zero Trust security model has become an absolute necessity as enterprises continue to adopt a cloud-first strategy,” said Joy Chik, President, Identity and Network Access, Microsoft. “Cloudflare has developed robust product integrations with Microsoft to help security and IT leaders prevent attacks proactively, dynamically control policy and risk, and increase automation in alignment with Zero Trust best practices.”

Cloudflare and Microsoft Azure Active Directory (Azure AD) customers can now:

*   **Deploy Zero Trust Security without changing one line of code:** Now joint customers can choose to define specific rules in either Azure AD or in Cloudflare Access i.e. which users can access specific applications based on various factors such as user risk level, device platform, location, etc. and enforce across both products without changing a line of code.
*   **Isolate high-risk users automatically with industry leading browser isolation technology:** By integrating Cloudflare’s Remote Browser Isolation with Azure AD, high-risk users, such as temporary employees, are contained proactively in a remote browser session for added security.
*   **Save IT teams hundreds of hours of manual work:** Cloudflare Access will use the System for Cross-Domain Identity Management (SCIM) to directly integrate with Azure AD. Groups are automatically synced across Cloudflare and Azure Active Directory platforms and groups, saving hundreds of hours of manual work from IT teams.
*   **Keep sensitive Government data off of the public Internet:** By connecting Azure Government Cloud to Cloudflare’s global network via the Secure Hybrid Access (SHA) program, Government customers (‘GCC’) will be able to keep sensitive traffic secure by staying off of the public Internet. Additionally, Government customers (‘GCC’) will be able to define and enforce granular rules defining who can access what using the joint solution from the dashboard without any code changes.

Cloudflare has worked with Microsoft since 2018 to provide mutual customers with an improved Internet experience by securing web applications and safeguarding employees with identity and device protections. Cloudflare’s deep integrations across Microsoft 365 and Azure have supported many of the largest Fortune 500 companies on their Zero Trust journey, enabling customers to simply and easily support their security and performance needs. Most recently, Microsoft named Cloudflare the winner of its Security Software Innovator of the Year award.

To learn more about Cloudflare’s integration with Microsoft, check out the resources below:

*   Blog: Expanding our collaboration with Microsoft: proactive and automated Zero Trust security for customers
*   Joint reference architecture
*   Joint Zero Trust Webinar
*   Microsoft landing page
*   Docs: Enable SCIM on the Zero Trust dashboard
*   Docs: Use multiple Azure AD Conditional Access Policies with Access
*   Docs: Isolate Azure AD risky users

**About Cloudflare**

Cloudflare, Inc. (www.cloudflare.com / @cloudflare) is on a mission to help build a better Internet. Cloudflare’s suite of products protect and accelerate any Internet application online without adding hardware, installing software, or changing a line of code. Internet properties powered by Cloudflare have all web traffic routed through its intelligent global network, which gets smarter with every request. As a result, they see significant improvement in performance and a decrease in spam and other attacks. Cloudflare was awarded by Reuters Events for Global Responsible Business in 2020, named to Fast Company's Most Innovative Companies in 2021, and ranked among Newsweek's Top 100 Most Loved Workplaces in 2022.

**Forward-Looking Statements**

This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “contemplate,” “believe,” “estimate,” “predict,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern Cloudflare’s expectations, strategy, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding Cloudflare’s partnership with Microsoft and the potential resulting benefits to Cloudflare customers, the potential benefits to customers of integrating Cloudflare and Microsoft products, the potential opportunity for Cloudflare to attract additional customers and to expand sales to existing customers through Cloudflare’s product integrations with Microsoft, the expected functionality and performance of Cloudflare’s Zero Trust and other products and technology, Cloudflare’s technological development, future operations, growth, initiatives, or strategies, and comments made by Cloudflare’s CEO and others. Actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in Cloudflare’s filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Quarterly Report on Form 10-Q filed on November 3, 2022, as well as other filings that Cloudflare may make from time to time with the SEC.

The forward-looking statements made in this press release relate only to events as of the date on which the statements are made. Cloudflare undertakes no obligation to update any forward-looking statements made in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. Cloudflare may not actually achieve the plans, intentions, or expectations disclosed in Cloudflare’s forward-looking statements, and you should not place undue reliance on Cloudflare’s forward-looking statements.

Cloudflare Expands Relationship With Microsoft

This move accelerates the company’s vision of becoming the de facto identity security platform of choice for the modern enterprise.

**AUSTIN, January 12, 2023 –** SailPoint Technologies, Inc., the leader in enterprise identity security, today announced it has acquired SecZetta, the leading provider of third-party identity risk solutions. With nearly half of today’s enterprises comprised of non-employees, organizations need to factor this growing group of identities into their approach to identity security. With SecZetta, SailPoint will help companies gain better visibility into all types of identities, across both employee and non-employee identities – from third-party contractors to temporary workers, and non-human identities – all from a single, market-leading identity security platform. This acquisition will give enterprises the centralized approach needed, plus the proper identity proofing required to fully validate non-employee identities across their businesses. 

"The enterprise identity landscape has changed significantly in the last few years. We went from a largely in-office workforce to a distributed, virtual workforce and now a hybrid workforce. On top of that, most enterprises no longer rely solely on full-time employees to keep their business running. Yet not all of these companies have considered how this change impacts their approach to identity security," said Grady Summers, EVP Product for SailPoint. "With SecZetta, we can quickly give our customers the consolidated intelligence and visibility they need to ensure proper oversight into all identities and their technology access needs, regardless of whether they are a full-time employee or not."

SailPoint and SecZetta have a long-standing partnership. Once SecZetta’s solutions are fully integrated into SailPoint’s Identity Security Cloud platform, SailPoint will deliver a unified platform to customers — providing context-rich identity information with the right level of intelligence needed to answer the "who should have access to what", "when" and "why" questions for this unique, often under-secured set of identities. With SecZetta, SailPoint will also be able to further help companies with identity consolidation efforts, merging and organizing workforce data across authoritative sources to create a centralized repository of identities.  This identity intelligence will then be offered as a packaged offering within the Identity Security Cloud platform to deliver the next generation of identity security — one that provides the critical layer of risk management and governance needed across both employee and non-employee identities from a single platform.

"Acquiring SecZetta allows us to quickly address an emerging threat to our customers’ business — and that is this gap in visibility over non-employee identities. Here at SailPoint, we want to be known as the kind of company our customers can always rely on to anticipate and solve for their needs as they continue to evolve," said Mark McClain, CEO and Founder, SailPoint.  "This announcement underscores our relentless focus on accelerating our vision of becoming the de facto identity security platform of choice that discovers, manages and secures all identities across the modern enterprise." 

**About SailPoint**

SailPoint is the leading provider of identity security for the modern enterprise. Enterprise security starts and ends with identities and their access, yet the ability to manage and secure identities today has moved well beyond human capacity. Using a foundation of artificial intelligence and machine learning, the SailPoint Identity Security Platform delivers the right level of access to the right identities and resources at the right time—matching the scale, velocity, and environmental needs of today’s cloud-oriented enterprise. Our intelligent, autonomous, and integrated solutions put identity security at the core of digital business operations, enabling even the most complex organizations across the globe to build a security foundation capable of defending against today’s most pressing threats.

SailPoint Acquires SecZetta to Provide Identity Security for Non-Employee Identities

Unpatched Cisco bugs, tracked as CVE-2023-20025 and CVE-2023-20026, allow lateral movement, data theft, and malware infestations.

Two security vulnerabilities in Cisco routers for small and midsize businesses (SMBs) could allow unauthenticated cyberattackers to take full control of a target device to run commands with root privileges. Unfortunately, they'll remain unpatched even though proof-of-concept exploits are floating around in the wild.

Among other things, a successful compromise could allow cyberattackers to eavesdrop on or hijack VPN and session traffic flowing through the device, gain a foothold for lateral movement within a company's network, or run cryptominers, botnet clients, or other malware.

"It’s an attractive target from a technical point of view. As an attacker, if you manage to get remote code execution on core routing or network infrastructure, your ability to move laterally increases exponentially," noted Casey Ellis, founder and CTO at Bugcrowd, in an emailed comment.

**Critical-Rated Bug Offers Root Privileges**

The first bug is a critical-rated authentication bypass issue (CVE-2023-20025) that exists in the Web management interface of the devices and carries a rating of 9 out of 10 on the CVSS vulnerability-severity scale.

Meanwhile, the second flaw — tracked as CVE-2023-20026 — can allow remote code execution (RCE) with a caveat: an attacker would need to have valid administrative credentials on the affected device to be successful, so the bug is rated medium, with a 6.5 CVSS score.

They both affect all versions of the RV016, RV042, RV042G, and RV082 routers, which have reached end of life (EoL). As such, the appliances therefore no longer receive security updates, according to the networking giant's Jan. 11 advisory.

The advisory noted that both bugs are "due to improper validation of user input within incoming HTTP packets," so an attacker needs only to send a crafted HTTP request to the Web-based management interface to gain root access on the underlying operating system.

Cisco "is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory," it said, though in-the-wild attacks have so far not been spotted.

While there are no workarounds that address the bugs, a possible mitigation would be to disable remote management of the routers and block access to ports 443 and 60443, according to Cisco, meaning the routers would only be accessible through the LAN interface.

"It’s always a best practice not to allow remote administration of network devices accessible from the open internet, however, small business using some MSP/MSSPs have to leave it open for their service providers," John Bambenek, principal threat Hunter at Netenrich, noted via email. "That said, this is the worst of all worlds with PoC code publicly available and no ... patches available."

Replacing the devices is the best course of action to fully protect one's business, the researchers noted.

**Big Impact, Even at EoL**

Researchers noted that the routers' existing installed base is significant, even though the devices have been discontinued. It's not uncommon for out-of-date gear to linger on in business environments well after it's been cut off — offering a rich playground for cyberattackers.

"The Cisco small business routers affected by these vulnerabilities still see reasonably widespread usage, though they are all officially end of life," Mike Parkin, senior technical engineer at Vulcan Cyber, said via email. "The challenge will be that these devices are typically found in small businesses with limited resources or used by individuals who may not have the budget to replace them."

And, it's not just SMBs who are affected, Bugcrowd's Ellis noted: "SMB routers are very widely deployed, and in a post-COVID hybrid/work from home world, it’s not just an SMB problem. Branch offices, COEs, and even home offices are potential users of the vulnerable product."

Source

DARKReading