A service that allows organizations to back up data in the cloud can accidentally leak sensitive data to the public Internet, paving the way for abuse by threat actors.

Legions of databases are being inadvertently exposed monthly, through a feature of an Amazon cloud-based data-backup service. The situation gives threat actors access to personally identifiable information (PII) that they can use in extortion, ransomware, or other threat activity, researchers have found.  

Amazon RDS is a popular platform-as-a-service that provides a database based on several optional engines, including MySQL and PostgreSQL. An RDS snapshot, or a storage volume snapshot of a database instance, is an intuitive feature that helps organizations back up their databases, allowing users to share public data or a template database to an application, researchers said.

The Mitiga Research Team recently discovered the leaks in the form of numerous Amazon Relationship Database Service (RDS) snapshots that are being shared publicly — whether intentionally or by mistake.

Over the course of one month, researchers said that they observed 2,783 RDS snapshots, 810 of which were exposed publicly during the entire time frame. Additionally, 1,859 snapshots of the 2,783 were exposed for one-to-two days, which is still enough time for attackers to pounce upon the leak, they reported.

Individuals within an organization also can share these snapshots with colleagues by using the feature without having to worry about user profiles or roles — a scenario that leads to the snapshot being shared publicly, researchers said.

"These snapshots can be shared across different \[Amazon Web Services\] accounts — in or out of the on-premises organization, as well as AWS accounts that make the RDS snapshots publicly available," researchers wrote. "With that, one might unintentionally leak sensitive data to the world, even if you use highly secure network configuration."

Some of the exposures last for months, and some for just a short period of time, in both cases potentially allowing threat actors to take advantage, they said in a blog post shared online Wednesday.

**Uncovering Cloud Misconfigurations & User Errors**

The exposure once again highlights the potential for exploitation of the fragile security posture of cloud-based services that allow for enterprise resources to be shared on the public internet, Mitiga researchers Ariel Szarf, Doron Karmi, and Lionel Saposnik noted in the post.

"Attackers are always looking for new ways to put their hands on confidential information of organizations, mostly for financial gain," they wrote. "Some cloud services that allow sharing cloud resources widely to the world \[are\] exposing a new threat to organizations — unintentional sharing of information through resources like disk snapshots (EBS), or in our case DB snapshots (RDS)."

To conduct their research, the Mitiga team developed a AWS-native technique, using AWS Lambda Step Function and boto3, that can easily be integrated into an AWS environment and customized to investigate snapshot exposure.

Unfortunately, attackers also can develop such a tool to view public snapshots and perform the same tasks, allowing them to steal data from these public-facing resources and abuse it later to extort money from organizations that own it, researchers said.

Researchers outlined several specific instances in which they could access data from exposed snapshots during a month-long investigation.

One was a MySQL database exposed for the entire month that that appeared to be from a car rental agency. Exposed data included information from car-rental transactions, including PII of customers; business-knowledge data such as the type of cars in the company's fleet; and other specific rental information.

Another snapshot exposed for less than four hours came from a database of a now-defunct dating application that included a user table containing emails, password hashes, birth dates, links to personal images, private messages, and other personal data of about 2,200 users of the app.

**No PII? Still a Problem**

Even if an RDS snapshot that's exposed publicly includes no PII, there is still a way for threat actors to find out who the database and thus its data belongs to, researchers said.

In their investigation, they were able to identify who owned account IDs for many snapshots by simply looking at the snapshot name and seeing the company name in it, they said.

Moreover, every snapshot metadata contains a field called "MasterUsername," which is the main database username, researchers explained. In many cases, that username includes either the name of the company that owns the database fully spelled out or identified in acronyms and shortcuts; or a name of a person working at the company, they said.

In the latter case, by using a method that they admitted was "a little creepy, but useful," researchers conducted LinkedIn searches to find out where the people identified in the username worked, noting that this is a method threat actors could employ to do the same.

**Mitigating the Problem**

As many organizations using Amazon RDS may not even know if they have public snapshots, identifying if there are any in their respective environments is the first step toward mitigating the issue, researchers said.

Helpfully, Amazon sends an email quickly to users if they share a snapshot publicly, notifying them about the public snapshot to ensure that it was intended to be publicly available. In the case of a test done by researchers, this email was received 23 minutes after exposure.

Researchers also outlined a step-by-step way to conduct a historical check using CloudTrail logs to discover if someone created a public snapshot that potentially can be abused.

To prevent the creation of public Amazon RDS snapshots at all, enterprises should manage permissions well by adopting a practice of "least-privilege permissions," giving them only on a strict, as-needed basis.

They also can set service control policies (SCPs), which are AWS organizational-level policies that can specify the maximum permissions for an organization, researchers said. Applying SCP on an AWS root account to deny certain operations on RDS snapshot will prevent unintended sharing of RDS DBs, they said.

Organizations also can encrypt snapshots in AWS using a KMS key, and researchers confirmed in their investigation that it's not possible to share a snapshot publicly encrypted in this way, they said.

One roadblock to mitigation is that currently there's no way to know if someone has copied a public snapshot of an Amazon RDS database, as there is no log event for copying a public snapshot to another account or restoring a database instance from another account in the snapshot owner's account, researchers said.

Mitiga approached AWS about the issue and, upon confirmation that "logging an RDS copy and restore operation is currently unavailable," made a feature request to support its addition to the platform, researchers said.

Thousands of Amazon RDS Snapshots Are Leaking Corporate PII

Embracing shared responsibility, Vectra MDR reinforces customers’ SOC teams with 24/7/365 skills and expertise to mitigate today’s most advanced cyber threats.

**SAN JOSE, Calif., Nov. 16, 2022** — Vectra AI, the leader in Security AI-driven hybrid cloud threat detection and response, today announced Vectra MDR global managed detection and response (MDR) services. Vectra MDR delivers the 24/7/365 cybersecurity skills needed to detect, investigate, and respond to threats where Vectra MDR analysts and customer security analysts work together inside the Vectra Threat Detection and Response platform to hunt, detect, prioritize, investigate, and respond to attacks in progress. Whether customers choose to augment or outsource their security operations, Vectra’s shared responsibility model ensures constant communication and collaboration between Vectra MDR analysts and customer analysts.

As attack entry points go beyond traditional networks and endpoints and into public clouds, SaaS applications and identities, security teams are challenged with defending an ever-expanding hybrid cloud attack surface. More evasive attackers and overwhelming security alert noise add to the challenge as attackers find new ways to infiltrate and progress inside an organization unnoticed. Vectra MDR harnesses **Security AI-driven Attack Signal Intelligence****TM** to automate threat detection, triage and prioritization for SOC teams, thus reducing alert noise, false positives, and analyst burnout. With Vectra MDR services powered by Attack Signal Intelligence, customer security teams have complete visibility and context for how an attack progresses through the cyber kill chain — ultimately stopping them from becoming breaches.

Experience recurring meetings where our security experts discuss customer-specific and global trends, security posture, and events in your network.

Vectra MDR Services empowers security teams in the following areas:

**Human intelligence that does not sleep**

24/7/365 eyes-on-glass service, with expertise in cloud, threat intelligence, and playbook design to proactively detect, prioritize, investigate, and stop attacks.

**Security team extension**

Vectra MDR is a security team multiplier, adding analysts to your team with expertise and insights gained from hundreds of customer environments.

**Vectra platform optimization**

Advice on best practices for integrating Vectra into existing workflows and processes, while ensuring deployments are always in tip-top shape and collecting the right data to provide the coverage needed.

“With the scale and sophistication of cyber threats on the rise, security teams are burdened with overwhelming alert noise and inadequate threat signals while attempting to defend expanding hybrid cloud attack surfaces,” said Kevin Kennedy, Senior Vice President of Products at Vectra. “Vectra MDR provides security teams with the resources they need to stop attacks 24/7/365 whether they just need our security analyst expertise to augment their security operations teams or to completely outsource detection and response. Vectra MDR along with Attack Signal Intelligence gives security teams both the threat signal needed to stop attacks and the resources and expertise required to stay ahead of attacks in today’s security operations centers.”

To learn more about Vectra MDR services and Vectra Attack Signal Intelligence, please visit:

*   **Vectra MDR page**: https://www.vectra.ai/products/mdr
*   **Vectra MDR solution brief**: https://info.vectra.ai/hubfs/Vectra-MDR-services-solution-brief.pdf
*   **Vectra MDR best practices**: https://info.vectra.ai/hubfs/Vectra-MDR-services-best-practises-guide.pdf
*   **Blog:** https://www.vectra.ai/blogpost/vectra-mdr-shared-responsibility-model
*   **YouTube video**: https://www.youtube.com/watch?v=eMqDACDwpYc
*   **Press release**: www.vectra.ai/news/vectra-unveils-global-mdr-services

**About Vectra**

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. Only Vectra optimizes AI to detect attacker methods — the TTPs at the heart of all attacks — rather than simplistically alerting on "different." The resulting high-fidelity threat signal and clear context enables cybersecurity teams to rapidly respond to threats and stop attacks from becoming breaches. The Vectra platform and services cover public cloud, SaaS applications, identity systems, and network infrastructure — both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization. For more information, visit vectra.ai.

Vectra Unveils Global Managed Detection and Response (MDR) Services With Game-Changing Attack Signal Intelligence™

Additional functionality also added to the fourth-party risk solution is providing better visibility and insights into vendor risk.

**BOSTON, Nov. 16, 2022 /PRNewswire/** — BitSight, the Standard in Security Ratings, today announced that it has enhanced its Third-Party Risk Management (TPRM) platform to provide additional insights to customers, helping them to more proactively detect and mitigate vulnerabilities and exposure across their third-party vendor ecosystem. BitSight also expanded its Fourth-Party Risk Management solution to increase visibility into risk across an organization's extended supply chain and to help manage and prioritize mitigation efforts more efficiently.

Third-Party Vulnerability Detection helps organizations to uncover, attribute, and prioritize vulnerabilities and exposures. Risk managers can use these real-time insights to respond to major security events, and in their ongoing efforts to find and remediate threats within their vendor portfolio. These enhancements allow users to save time by prioritizing vendor outreach efforts, easily access critical vulnerability data, and build stronger vendor relationships through timely and evidence-based collaboration.

"When Zero Days and other major security events occur, organizations struggle to quickly understand, remediate, and report on their exposure," said Vanessa Jankowski, Vice President and General Manager of Third Party Risk Management, BitSight. "This new capability from BitSight enables organizations to uncover, prioritize, and respond to vulnerabilities and other exposure across their vendor ecosystem. With easy access to vulnerability data that scales across an entire third-party portfolio, customers can now take action on high-priority incidents quickly, while surfacing critical information to board members and executive-level stakeholders."

BitSight also announced that it has enhanced the fourth-party capabilities within its platform by providing critical data and insights to help customers gain better visibility into concentrated risk within their extended supply chain, and more easily communicate risk emanating from fourth-party service providers.

"Customers are trying to understand the state of cyber risk not only in their third-party portfolio but in their extended digital footprint," continued Jankowski. "We're seeing networks of fourth-party vendor relationships that are indirect and increasingly complicated, making it necessary to prioritize based on impact. BitSight's enhanced fourth-party risk management capability automatically discovers service providers and products in use across the extended ecosystem, surfaces areas of risk based on concentration and fourth-party security posture, and provides visibility into fourth-party security incidents. Together, customers can connect concentration risk and security risk, allowing them to prioritize across an extended network that often goes unmanaged."

BitSight provides a complete Third-Party Risk Management offering with solutions for continuously monitoring vendor security performance, measuring security controls, mitigating supply chain risk, and quantifying cyber risk for business leaders. In September, as part of its acquisition of ThirdPartyTrust, BitSight launched its new Vendor Risk Management product to help address the evolving needs of third-party risk managers and provide customers with the tools they need to successfully manage vendor risk in one place, from procurement all the way through the lifecycle of the vendor relationship.

**About BitSight**

BitSight creates trust in the digital economy and transforms how organizations manage cyber risk. The BitSight Security Ratings Platform applies sophisticated algorithms, producing daily security ratings that range from 250 to 900, to help organizations manage their own security performance; mitigate third party risk; underwrite cyber insurance policies; conduct financial diligence; and assess aggregate risk. With the largest ecosystem of users and information, BitSight is the Standard in Security Ratings. For more information, please visit www.bitsight.com, read our blog or follow @BitSight on Twitter.

SOURCE: BitSight

BitSight Enhances Its Third-Party Risk Management Platform to Help Organizations Respond to Major Vulnerabilities

Nova introduces innovations to help stop zero-day threats, simplify security architectures, and reduce the risk of costly misconfigurations.

**SANTA CLARA, Calif., Nov. 16, 2022 /PRNewswire/** — Cyber threats continue to increase in volume and complexity with threat actors developing new ways to avoid detection — including highly evasive malware. To help organizations outpace these evolving threats, Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today announced PAN-OS® 11.0 Nova, the latest version of its industry leading PAN-OS software, unleashing 50-plus product updates and innovations. Amongst them are the new Advanced WildFire® cloud-delivered security service that brings unprecedented protection against evasive malware and the Advanced Threat Prevention (ATP) service which now protects against zero-day injection attacks.

"We've observed a significant increase in unique malware samples  
over the last year along with an increasing level of malware  
sophistication. A new approach is required to detect this advanced  
malware," said Anand Oswal, senior vice president, Network Security, Palo Alto Networks. "PAN-OS 11.0 Nova is a leap forward in network security.  
It stops 26% more zero-day malware than traditional sandboxes; detects  
60% more injection attacks; simplifies security architecture; and helps  
organizations adopt cybersecurity best practices. The bottom line is  
that Nova helps keep organizations one step ahead of attackers."

**Security Against Zero-Day Threats**

**Advanced WildFire:** Modern malware is highly evasive and sandbox-aware. To solve this problem, sandboxes need to continuously evolve to thwart analysis-resistant evasion techniques. The new Advanced WildFire service builds upon its custom hardened hypervisor to introduce radical new capabilities, such as intelligent run-time memory analysis combined with stealthy observation and automated unpacking to stay hidden from malware and defeat advanced evasions. These new capabilities enable Advanced WildFire to stop more highly evasive zero-day malware than traditional sandboxes.

**Advanced Threat Prevention (ATP)**: The enhanced ATP service reimagines the intrusion prevention system (IPS) with industry-first inline capabilities for stopping zero-day injection attacks. Injection attacks — one of the top attacks on the OWASP "Top 10 Web Application Security Risks" list — attempt to push malicious code into a computing system by exploiting unpatched vulnerabilities in software. Such malicious code executes remote commands that lead to data loss or full system compromise.

To protect against such injection attacks, ATP deep-learning models have been built on high fidelity telemetry data across tens of thousands of exploited vulnerabilities over the last decade. Internal testing has shown that the enhanced ATP service detects 60% more zero-day injection attacks that traditional solutions miss.

Nova not only sets up the foundation for modern day network security by continuously protecting against zero-day threats but also raises the bar for how organizations can proactively improve cyber hygiene and simplify security architectures. In addition to Advanced WildFire and Advanced Threat Prevention, notable innovations in the Nova release include:

**Simplified and Consistent Security**

**Web Proxy Support:** For customers who need to run explicit proxies in their network due to network architecture or compliance requirements, Nova introduces natively integrated proxy capabilities for Palo Alto Networks NGFWs helping to secure Web as well as non-Web traffic. Now Palo Alto Networks NGFWs and Prisma® Access support web proxy, allowing customers to deploy consistent network security across campus locations, branches and mobile users, all managed centrally.

**Integration of Next-Generation CASB:** Palo Alto Networks Next-Generation Cloud Access Security Broker (CASB), natively integrated with Nova and Prisma SASE, now includes all-new SaaS Security Posture Management (SSPM) to help find and eliminate dangerous misconfigurations in 60-plus enterprise SaaS apps. Next-Generation CASB now also has support for near-real time data protection in modern collaboration apps and suspicious user behavior detection, which helps to protect sensitive data in modern SaaS apps from compromised accounts and insider threats.

**Stronger Cyber Posture**

**AIOps:** Palo Alto Networks AIOps helps reduce misconfigurations that can lead to security breaches. AIOps, launched earlier this year, now processes 29B metrics every month across 50,000 firewalls, and proactively shares 24,000 misconfigurations and other issues with customers for resolution every month. With Nova, AIOps is even more proactive. AIOps now guards against violations of best practices and enables remediation of inefficiencies in security policies before committing changes, helping organizations strengthen defenses against cyberattacks.

In addition to all the PAN-OS software updates, a new set of 4th-generation ML-Powered NGFWs bring these new capabilities to branches, campus locations and data centers at up to 5x higher performance compared to the previous generation. The new hardware firewalls also bring the flexibility of fiber and Power over Ethernet (PoE) to small branches.

**PA-445 and PA-415 for small branches**: The PA-445 and PA-415 bring the flexibility of fiber and PoE ports to distributed enterprises and small and medium businesses. PoE powers downstream devices such as access points, IP cameras, and IP phones without the need for additional electrical circuits.The PA-445 and PA-415 also bring improved resiliency with dual power supplies and fanless cooling.

**PA-1400 Series for large branches**: The new PA-1400 Series offers up to 5x performance and up to 7x the session capacity compared to the previous generation. The PA-1400 Series is ideal for protecting large branch locations and small enterprise campuses, with support for PoE and fiber ports.

**PA-5440 for large campus locations and data centers**: We are launching the highest performing fixed-form factor in 2RU, the PA-5440. This platform offers 2x the performance of the previous generation PA-5260, and is ideal for protecting large campus locations and data centers.

"Attackers continue to develop new ways to evade traditional defenses, while security teams struggle to defend organizations with point solutions that are complex to deploy and operate," said John Grady, ESG senior analyst. "Palo Alto Networks PAN-OS 11.0 Nova addresses these critical challenges by stopping zero-day threats in real-time, simplifying security architectures, and improving cyber hygiene."

**Availability  
**PAN-OS 11.0 and most of the security services will be available in November. New ML-Powered NGFW platforms will be available in December, and SSPM will be available on the NGFW platforms in January. Most security services, including Advanced WildFire, will be compatible with previous versions of PAN-OS.

**Additional Resources**

*   Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram
*   Launch event

**About Palo Alto Networks  
**Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2022), Comparably Best Companies for Diversity (2021) and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Prisma, PAN-OS and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

SOURCE: Palo Alto Networks, Inc.

Palo Alto Networks Announces PAN-OS 11.0 Nova to Help Keep Organizations One Step Ahead of Zero-Day Threats

Economic anxiety, staffing challenges, and growing supply chain threats are among other factors impacting cybersecurity spending and planning.

**NEW YORK and TEL AVIV, Israel, Nov. 16, 2022 /PRNewswire/** — Cymulate, the leader in cybersecurity risk validation and exposure management, today announced the results of a global survey of more than 1,000 IT and security professionals examining the influence of ongoing uncertainties in cybersecurity and cyber resilience. The 2022 Cymulate Global Readiness Survey investigated the impact of increased geopolitical tensions, economic concerns, and the Great Resignation, as well as more technical aspects such as the rise of supply chain attacks and the efficacy of best practices, on cybersecurity and cyber-readiness within enterprises.

Consolidation of cybersecurity solutions was a key theme within the findings, with 60% reporting their organization is seeking to reduce the number of solutions in use. Notably, only 20% of respondents reported affordability as the main reason, while 23% and 22% cited usability and the need to right-size their security setup as the primary driver of consolidation. "Businesses of all sizes shared that it is no longer about point solutions. With the volume of security tools and data, the need has shifted towards an integrated security suite," said Carolyn Crandall, chief security advocate at Cymulate. Economic anxiety has delayed purchasing, with most respondents noting project delays of three to six months. Interestingly, rising geopolitical tensions like the conflict in Ukraine and the standoff over Taiwan were not cited as having an impact on budget reductions or purchasing decisions.

Additional key highlights of the survey include:

*   **Cybersecurity workers are twice as likely as the overall labor market to be part of the Great Resignation**: Twice as many respondents say they are frustrated by their jobs and actively looking for new roles than the average. The rate quadrupled when cybersecurity teams are short-staffed and work conditions have worsened, or the enterprise declined to prioritize basic cyber hygiene principles.
*   **The industry remains challenged with adopting essential cybersecurity hygiene best practices:** Though a critical component of shoring up cyber resiliency, roughly one-third to almost one-half of respondents said their enterprises had yet to adopt multi-factor authentication (MFA), improved identity access management (IAM), least privileges adoption, EDR adoption, web protection, and phishing education.
*   **Frequent supply chain attacks are driving cybersecurity preparation**: 52% of respondents indicated that they believe supply chain issues to be responsible for up to a quarter of all attacks, while 26% believe it may be as high as half of all attacks. The threat of supply chain attacks is affecting organization's strategies, with 45% of respondents reporting that the vulnerability of the supply chain has led to increased cybersecurity proactiveness and preparation.
*   **The adoption of proactive cybersecurity testing is key to reducing risk and staying in front of evolving threats**: 80% of respondents said their organization had adopted some degree of proactive measures. However, only 29% reported their organization had incorporated penetration testing or other baseline measures. Additionally, only 30% of respondents said their organization had incorporated advanced proactive solutions that include breach attack simulation (BAS), attack surface management and vulnerability management, indicating significant room for growth.

With the increasing number of cyber threats and their devastating effects on business revenue, productivity and reputation, Frost & Sullivan projects the global BAS market to increase at a CAGR of 38.5% between 2021 and 2026.

The global survey was conducted on LinkedIn and gathered responses from more than 1,000 IT and security professionals representing a wide range of industries, organization sizes, and specific roles. Of the respondents, 81% occupy a technical role, such as cybersecurity, IT, or DevOps, and 70% are considered decision-makers in the organization, including individuals at the manager, director, and executive levels. The survey includes respondents from North America, Latin America, APAC, and EMEA representing companies ranging in size from less than 500 employees to more than 50,000. In addition, nearly every major industry is represented, including finance, healthcare, manufacturing, retail, and others, yielding a broadly representative sample.

**About Cymulate**

The Cymulate cybersecurity risk validation and exposure management solution provides security professionals with the ability to continuously challenge, validate and optimize their on-premises and cloud cybersecurity posture with end-to-end visualization across the MITRE ATT&CK® framework. The platform provides automated, expert and threat intelligence led risk assessments that are simple to deploy, and easy for organizations of all cybersecurity maturity levels to use. It also provides an open framework for creating and automating red and purple teaming exercises by generating tailored penetration scenarios and advanced attack campaigns for their unique environments and security policies. For more information, visit www.cymulate.com.

SOURCE: Cymulate

Cymulate Survey Finds Consolidation Is Happening, but Only 20% Cite Cost As the Reason

The race is actually a relay — one that requires collaboration to win.

As the low Earth orbit market prepares to double over the next five years, to the tune of around $20 billion, we sit on the edge of a new space race. However, amid rapidly falling launch costs and a host of technological advancements, it's safe to say that this race is heading into new territory.

These digitizations relate to the role of sensors and data processing, and a plethora of applications that aid ground control and observation operations.

One segment of the race that is still yet to pick up speed, however, relates to cybersecurity. The implications of attacks on satellites are self-evident, but the resilience and protection of these galactical systems require further exploration and a mass team effort.

**Familiarity in Space**

The difficulties that come with protecting devices in space comprise multiple complex systems within systems — each playing different roles and being deployed by different players.

Satellites are effectively just platforms with embedded systems and interfaces, including radio communications, telemetry tracking control systems, and ground segment connections. These are all essentially enterprise networks, but that also makes them avenues of opportunity for cybercriminals.

These systems are underpinned by a complex supply chain — another prime target for attackers, as we've seen on the ground through examples like SolarWinds, where the supply chain served as a gateway to all other interfaces.

Not only does this make systems in space more familiar than you might think, it also makes them more challenging to defend.

As such, the satellite door is potentially being left ajar to hacktivists, financial crusaders, and state-acting spies who can use their significant resources to target other countries' prized space assets.

**The "How" and "Why" of Space Attacks**

Why attack space when there are systems on land?

The answer is twofold, based on how familiar these satellite platforms actually are, and what attackers stand to gain by infiltrating them.

Addressing the former, "under the hood" of a satellite is a platform. More often than not, the embedded system within that platform may be as recognizable as a Linux operating system. And while the operations of the satellites themselves have traditionally been bespoke to offset that vulnerability, that too is now changing, as the market becomes more commercialized and accessible.

Any good hacker or threat actor will be familiar with the operating system, and once administration rights are attained to the environment, access to cameras, orientation, and all other interfaces becomes much more plausible.

And this "how," leads to the "why." A case study from earlier this year saw an outage of the Viasat network across Europe, at almost the exact time Russian troops entered Ukraine. As well as being a commercial broadband provider, Viasat is also used by the Ukrainian military. On closer inspection, the main damage seemed to be collateral across the continent, as a result of a misconfiguration sent down to modems.

However, upon even closer testing of the memory chips from these modems, it was revealed that they had essentially been wiped out, akin to wiping the operating system from a PC. The most plausible theory is that attackers gained access to the internal management system through a misconfiguration, developed malware to deploy across the network to wipe the modems, and pushed that malware through on the day of the invasion. It wasn't the satellite itself that was being targeted — it was merely a portal to impact connections and operations on the ground.

**Recognizable Defenses**

This link between space and Earth is what makes cybersecurity advancements in this sector so critical. Satellites in themselves are fascinating and mysterious because of the technology behind them and their locations. But, more often than not, they're simply portals to information we're trying to acquire, monitor, or use to inform decisions down on the ground.

Yes, this makes their breaches more concerning, but on a positive note, it also means the response in terms of defense can lean on familiar processes and technologies used in more reachable areas of our lives.

For example, running trusted code from equally trusted sources can be achieved through Trusted Platform Module (TPM) chips, which we find in mobile phones. Novel encryption approaches that we use to defend enterprise networks could also be applied to the data equation to offset the risk of jamming, spoofing, or relay attacks. Segmentation and using zero-trust architectures are further examples of enterprise strategies, alongside stronger authentication protocols for users, to better protect ground stations.

And all of this must be backed up by enhanced supply chain security where software bills of materials (SBOMs) should become more common practice.

**A Sprint and a Marathon**

The space race is just that: a race. Just as the landscape has evolved rapidly in recent years, it will continue to do so moving forward, and scenario planning will form a big part of cybersecurity strategy to ensure better futureproofing than we've had until now.

We're on the precipice of a new space era, and have time to get these agile and adaptable best practices in place before the attack landscape evolves in tandem. Building systems that can withstand attacks, segment risks, and contain breaches needs to be a culmination of this more concerted testing and scenario planning.

But it can't be done in isolation. The space race is a relay — a team sport where information must be generated through collaboration. Not only will this ensure a speedier launch from the new starting line, but it will give this effort endurance as the sprint turns into a marathon over the years to come.

Cybersecurity Best Practice Is Critical for Winning the New Space Race

Security executives are leaning into the powerful twinning of XDR and automated management to reduce the risk and impact of ransomware.

CISOs have a unique perspective on the world. They see security threats to which most people are oblivious, and they face challenges keeping one step ahead of hackers who are looking to penetrate their networks. This threat landscape is outlined four times a year in the "CISO Insider" — an actionable report that explores the top three issues that are most relevant in today’s threat landscape.

This quarter, rising ransomware rates, the promise of extended detection and response (XDR) in helping rapidly address emergent threats, and the need for increased automation and better tools to empower security teams to do more with limited resources have come to the forefront. Keep reading to learn how you can apply these insights to your own operations.

**How Organizations Can Respond to Extortion — and Rising Ransomware**The risk profile of ransomware is changing as cybercriminals gain easier access to improved tools and automation. When combined with the economics of successful attacks, it has put ransomware on a rapid growth trajectory.

CISOs differ on which is the more catastrophic cost to the business: business disruption or data exposure. Regardless, preparation is key. Here are some of the top ways that CISOs can guard against rising ransomware.

*   **Prepare to defend and recover:** By adopting an internal culture of zero trust with assumed breach while also deploying a system of data recovery, backup, and secure access, organizations can isolate attacks and make it much harder for threat actors to move laterally across the network. This strategy has the added benefit of minimizing an attack’s impact thanks to backups and encryption, both of which can help defend against data loss and exposure.
*   **Use a privileged access strategy:** This can minimize the potential for credential theft and lateral movement. Privileged credentials are foundational to all other security assurances — an attacker in control of your privileged accounts can undermine all other security assurances. We recommend teams focus on building a closed-loop system for privileged access that ensures only trustworthy “clean” devices, accounts, and intermediary systems are used for privileged access to business-sensitive systems.
*   **Leverage comprehensive, integrated threat detection and response capabilities:** Siloed point solutions often result in preventative gaps and slow down the detection and response to pre-ransom activities. By integrating security information and event management (SIEM) and XDR, organizations can extend prevention, detection, and response across the entire multicloud, multiplatform digital estate.

**XDR Can Help Accelerate Threat Detection and Response**Beyond prevention, how should enterprises respond in the event of an attack? Many security leaders are turning to XDR for a cross-platform vantage point. XDR helps coordinate signals across the entire ecosystem — not just endpoints — to facilitate faster threat detection and response. And while endpoint detection and response (EDR) is a proven asset that many CISOs in the "CISO Insider" report have already implemented, XDR is the next evolution.

XDR helps bring together data from disparate systems, allowing security teams to visualize the entire incident from end to end. Point solutions can make this comprehensive visibility difficult because they only show part of the attack and rely on an often-overwhelmed security team to manually correlate multiple threat signals from different portals. When we think about today’s dynamic threat landscape, XDR is particularly compelling because of its coverage and speed in helping detect and contain threats.

**Automate to Elevate the Security Team**Security leaders are faced with a security talent shortage. Automation is one way for them to help free up their existing workforce from mundane tasks so they can focus on defending against threats.

Most CISOs report adopting event-triggered or rule-based automation, but there’s a greater untapped opportunity to capitalize on built-in artificial intelligence and machine learning capabilities that enable real-time, risk-based access decisions. Automation can serve as an early warning system for future cyberattacks, and its inconveniences can be mitigated or eliminated. The most effective automation runs alongside human operators so that its artificial intelligence can both inform and be checked by human intelligence.

**Customize Cybersecurity to Meet Your Team’s Unique Needs**Ultimately, while cyber threats continue to grow and evolve alongside the Internet, security teams can still take preventative measures to help safeguard their operations. Some are more prescriptive than others — like leveraging zero trust, privileged access, and integrated threat detection and response. But it’s also important that organizations leverage their existing toolsets to its fullest capacity through automation features and built-in security detections. By learning from CISOs who are on the front lines of cybersecurity, organizations can better understand how to defend their own operations.

What Is Top of Mind for CISOs Right Now?

Leaders in operational technology/Internet of Things (OT/IoT) discovery and remediation partner to deliver best-in-class IoT enterprise security management solution.

**MOUNTAIN VIEW, Calif., Nov. 16, 2022 /PRNewswire/** — Viakoo, the leader in IoT vulnerability remediation, today announced a partnership with Nozomi Networks, the leader in OT and IoT security. Together they deliver the industry's first end-to-end, agentless IoT enterprise security management solution that discovers and remediates vulnerabilities rapidly and at scale. Customers can now rest easy knowing their IoT devices are not representing a security liability.

Unlike traditional IT devices, OT/IoT devices typically lack the same level of visibility and vulnerability management, leaving a massive attack surface that presents an open door for cyber criminals. Nozomi Networks discovers all connected OT/IoT devices, assesses them for noncompliance or vulnerabilities and automates policy-driven workflows that govern how the OT/IoT device should be configured and behave on the network. In turn, Viakoo analyzes the vulnerabilities and remediates them at scale with its patented, agentless Viakoo Action Platform. Further, Viakoo has the only OT/IoT remediation solution that addresses both the OT/IoT application and the device itself.

"The OT/IoT Security attack surface continues to grow which warrants a comprehensive, automated solution. Addressing OT/IoT security, device by device, is an arduous, expensive, and tedious task for organizations," said Frank Rubio, VP of Alliances at Viakoo. "Together with Nozomi Networks, our joint solution enables customers to quickly identify and repair OT/IoT vulnerabilities to reduce risk and administrative overhead."

In addition, together Nozomi Networks and Viakoo create a bi-directional data stream, enriching the value of both solutions and assisting in enforcing a Zero Trust environment complete with certificates, firmware patching and password management.

"Viakoo helps customers accelerate Mean Time To Repair (MTTR) with their automated remediation platform", said Chet Namboodri, Senior Vice President of Business Development and Alliances at Nozomi Networks. "Helping to close known vulnerabilities with fewer resources at scale is a key business driver for our customers which we can deliver through this partnership."

The solution is available to Viakoo and Nozomi Networks customers now.  

**About Viakoo**

Viakoo enables customers to defend their IoT attack surface. Viakoo's vision is for every connected enterprise device to be 100% visible, operational, and secured. The agentless Viakoo Action Platform keeps distributed unmanaged and IoT environments secure and continuously operational at the lowest risk and cost. Automated device cyber hygiene is reliably updated at scale with firmware, passwords, and certificates to elevate security posture and system performance to enterprise IT expectations. Viakoo Inc. is a leader in cyber hygiene for connected devices, located in Mountain View, California, USA. Follow us on Twitter, LinkedIn, and Facebook.

SOURCE: Viakoo

Viakoo Announces Strategic Alliance With Nozomi Networks to Deliver Agentless, End-to-End IoT Security at Scale

Safal Partners is helping to close the American cyber talent and diversity gap in cybersecurity.

**HOUSTON, Nov. 15, 2022 /PRNewswire/** — U.S. Department of Labor (DOL) national industry intermediary, Safal Partners, announced today that it has helped shrink our nation's critical cybersecurity workforce gap by bringing more than 1,000 new apprentices into the field over the past 12 months. Of those, 83% of new apprentices came from a diverse or historically underrepresented population, including women, minorities, Veterans, or people with disabilities.

Today's announcement was made in conjunction with Safal's participation at a White House event celebrating the culmination of the National Cybersecurity Apprenticeship Sprint launched by the White House, DOL, and U.S. Department of Commerce in July.

"We are enormously proud of our work to create a stronger and more diverse, work-ready cybersecurity and tech workforce for public and private employers nationwide," said Mukta Pandit, President of Safal Partners. "In a field that has struggled to create a more inclusionary workplace, we can point to the fact that 8 in 10 of the new apprentices we supported are from populations that are not well-represented in cyber roles."

Safal brought the new apprentices into the workforce both through its own national Registered Apprenticeship (RA) program and through development of 20 new or expanded RA programs over the past year sponsored by employers and training providers, including the first-ever national program for people with visual impairments sponsored by the Blind Institute of Technology.

Safal also announced a new partnership with the Information Systems Security Association (ISSA) to accelerate industry awareness and adoption of apprenticeship for hiring and training cyber professionals. According to Cyberseek.org there are currently more than 769,000 open cyber roles.

ISSA is a globally recognized industry nonprofit organization committed to promoting effective cybersecurity and workforce development. Safal's partnership includes work to support the association's new Apprenticeship, Internship and Mentorship initiative to be announced shortly.

ISSA is launching this initiative to bridge the gap from all paths to employment as a cyber professional. "There is a critical need to provide an opportunity to gain valuable skills and experience to begin a career in cybersecurity. Quality apprenticeships, internships and mentoring programs are the key to building the future cybersecurity workforce," said Candy Alexander, ISSA International President. "We are pleased to be partnering with Safal to launch this program."

"ISSA recognizes and is actively working toward addressing our national need for more skilled cyber professionals," said Katie Adams, Senior Director. "As the DOL cyber industry intermediary, we look forward to providing ISSA members no-cost expertise, program support, and access to resources and funding streams to adopt registered apprenticeship."

To learn more about Safal Partners RA program, visit https://cyber.safalpartners.com/national-program or contact Katie Adams, Senior Director at \[email protected\].

SOURCE: Safal Partners

More Than 1,000 New Cybersecurity Apprentices Joined Workforce in Past 12 Months

An in-depth analysis of system-destroying malware families presented at Black Hat Middle East & Africa shows a growing nuance in terms of how they're deployed.

Destructive wiper malware has evolved very little since the "Shamoon" virus crippled some 30,000 client and server systems at Saudi Aramco more than 10 years ago. Yet it remains as potent a threat as ever to enterprise organizations, according to a new study.

Max Kersten, a malware analyst at Trellix, recently analyzed more than 20 wiper families that threat actors deployed in various attacks since the beginning of this year — i.e., malware that makes files irrecoverable or destroys whole computer systems. He presented a summary of his findings at the Black Hat Middle East & Africa event on Tuesday during a "Wipermania" session.

**A Comparison of Wipers in the Wild**

Kersten's analysis included a comparison of the technical aspects of the different wipers in the study, including the parallels and differences between them. For his analysis, Kersten included wipers that threat actors used extensively against Ukrainian targets, especially just before Russia's invasion of the country, as well as more generic wipers in the wild.

His analysis showed the evolution of wipers, since Shamoon, is vastly different from other types of malware tools. Where, for example, the malware that threat actors use in espionage campaigns has become increasingly sophisticated and complex over the years, wipers have evolved very little, even though they remain as destructive as ever. A lot of that has to do with how and why threat actors use them, Kersten tells Dark Reading.

Unlike spyware and other malware for targeted attacks and cyberespionage, adversaries have little incentive to develop new functionality for concealing wipers on a network once they have managed to sneak it on there in the first place. By definition, wipers work to erase or overwrite data on computers and are therefore noisy and easily spotted once launched.

"As the wiper’s behavior needn’t stay unnoticed per se, there is no real incentive for evolvement," Kersten says. It's usually only when malware needs to remain hidden over a prolonged period of time that threat actors develop advanced techniques and carry out thorough testing before deploying their malware. 

But wipers needn't be that complex, nor well tested, he notes. For most threat actors using wipers, "the current methods are working and require little to no tweaking, other than the creation of a new wiper to use in a next attack."

Kersten found that a wiper can be as simple as a script to remove all files from the disk, or as complex as a multistage piece of malware which modifies the file system and/or boot records. As such, the time for a malware author to develop a new wiper might range from just a few minutes to a significantly longer period for the more complex wipers, he says.

**A Nuanced Threat**

Kersten advocates that enterprise security teams keep a few factors in mind when evaluating defenses against wipers. The most important one is to understand the threat actor's goals and objectives. Though wipers and ransomware can both disrupt data availability, ransomware operators tend to be financially motivated, while the goals of an attacker using wiper malware tend to be more nuanced.

Kersten's analysis showed, for instance, that activists and threat actors working in support of strategic nation-state interests were the ones who mainly deployed wipers in cyberattacks this year. In many of the attacks, threat actors targeted organizations in Ukraine, particularly in the period just prior to Russia invasion of the country in February. 

Examples of wipers that threat actors used in these campaigns included WhisperGate and HermeticWiper, both of which masqueraded as ransomware but actually damaged the Master Boot Record (MBR) on Windows systems and rendered them inoperable. 

Other wipers that attackers deployed against targets in Ukraine this year include RURansom, IsaacWiper and CaddyWiper, a tool that Russia's infamous Sandworm group attempted to deploy on Windows systems associated with Ukraine's power grid. In many of these attacks, the threat actors that actually carried them out appear to have sourced the wipers from different authors.

Another factor that security responders need to keep in mind is that wipers don't always delete files from the target system; sometimes wipers can cripple a target system by overwriting files as well. This can make a difference when attempting to recover files following a wiper attack. 

"Deleting a file often leaves the file on the disk as-is while marking the size as free-to-use for new write operations," Kersten wrote in a blog post on his research, released in tandem with his Black Hat talk on Nov. 15. This makes it possible to recover files in many instances, he said.

When a wiper tool corrupts files by overwriting them, the files can be harder to recover. In the blog post, Kersten pointed to the WhisperGate wiper, which corrupted files by repeatedly overwriting the first megabyte of each file with 0xCC. Other wipers like RURansom use a random encryption key for each file while some wipers overwrite files with copies of the malware itself. In such instances, the files can remain unusable.

The main takeaway is that organizations need to prepare for wipers in much the same way as they prepare for ransomware infections, Kersten says. This includes having backups in place for all critical data and testing recovery processes often and at scale.

"Nearly every wiper is able to corrupt a system until the point that either all files are lost or the machine wont function properly anymore.," he notes. "Since wipers are easy to build, attackers can build a new one daily if needed."

So, the focus for organizations be on the adversary’s tactics, techniques, and procedures (TTPs) — such as lateral movement — rather than the malware itself. 

"It’s better to brace for impact \[from a wiper attack\] when there is none," Kersten says, "than to be struck with full force without prior notice."

Source

DARKReading