The "BoldMove" backdoor demonstrates a high level of knowledge of FortiOS, according to Mandiant researchers, who said the attacker appears to be based out of China.

Researchers analyzing data associated with a recently disclosed zero-day vulnerability in Fortinet's FortiOS SSL-VPN technology have identified a sophisticated new backdoor specifically designed to run on Fortinet's FortiGate firewalls.

The malware appears to be the work of a China-based threat actor engaged in cyber-espionage operations targeting government organizations and those working with these organizations. It is the latest example of adversaries from the country targeting firewalls, IPS, IDS, and other Internet-facing technologies that enterprises use for securing their networks, Mandiant said in a report this week.

Researchers from the company came across the malware in a public repository in December and were able to tie it to the Fortinet zero-day bug (CVE-2022-42475) based on information that Fortinet released in its initial vulnerability disclosure. The vulnerability allows an unauthenticated attacker to execute arbitrary code on affected systems and is present in multiple versions of Fortinet's FortiOS and FortiProxy technologies. When Fortinet disclosed the vulnerability, the company said it was aware of at least one incident where an attacker had exploited the flaw in the wild.

**BoldMove Backdoor**

Mandiant said the malware it discovered in December — and is tracking as "BoldMove" — is associated with the exploitation of CVE-2022-42475. Available telemetry suggests that exploit activity associated with the malware was occurring as early as October 2022. Targets have included a government entity in Europe and a managed services provider in Africa.

The BoldMove backdoor, written in C, comes in two flavors: a Windows version and a Linux version that the threat actor appears to have customized for FortiOS, Mandiant said. When executed, the Linux version of the malware first attempts to connect to a hardcoded command-and-control (C2) server. If successful, BoldMove collects information about the system on which it has landed and relays it to the C2. The C2 server then relays instructions to the malware that ends with the threat actor gaining full remote control of the affected FortiOS device.

Ben Read, director of cyber-espionage analysis at Mandiant, says some of the core functions of the malware, such as its ability to download additional files or open a reverse shell, are fairly typical of this type of malware. But the customized Linux version of BoldMove also includes capabilities to manipulate specific features of FortOS.

"The implementation of these features shows an in-depth knowledge of the functioning of Fortinet devices," Read says. "Also notable is that some of the Linux variants features appear to have been rewritten to run on lower-powered devices."

The adversary appears to have compiled the Windows version of BoldMove sometime in 2021, or well before the Linux version. Mandiant so far has not detected any exploit activity in the wild associated with that version. "The Windows sample we have is 32-bit, so \[it\] should run on most modern versions of Windows but could be compiled to run on 64-bit machines," Read says. It would not run on a Fortinet device, however.

**Tech Chops**

The new cyber-espionage campaign and the BoldMove malware that the attackers are using in the campaign continue a pattern among China-based threat actors — and advanced persistent threats from other nations as well — to target firewalls, IPS, IDS, and other network security devices.

Developing exploits for these technologies can be challenging and require substantial resources and technical chops.

With BoldMove, "the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," Mandiant said. But the payoff for attackers can be high because a successful exploit gives them wide access to a network, without requiring any user interaction, the security vendor added.

While Fortinet's products have been an especially popular target in this regard, threat actors have targeted products from other vendors as well, including Pulse Secure VPNs, Citrix ADCs, and SonicWall. The attacks have prompted multiple advisories from the FBI, the US Cybersecurity and Information Security Agency (CISA), and others.

**Schooled in FortiOS**

Meanwhile, Fortinet itself last week described the malware associated with CVE-2022-42475 as a variant of a "generic" Linux backdoor that the threat actor has customized for FortiOS. The company said its analysis showed the malicious file may have been masquerading as a component of Fortinet's IPS engine on compromised systems.

Among the malware's more advanced features was one for manipulating FortiOS logging to avoid detection, Fortinet said. The malware can look for event logs in FortiOS, to decompress them in memory and search for and delete a specific string that enables it to reconstruct the logs. The malware can also shut down logging processes entirely.

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet said.

According to Fortinet, developing the exploit would have required the threat actor to have a "deep understanding" of FortiOS and the underlying hardware. "The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS," the vendor said.

Attackers Crafted Custom Malware for Fortinet Zero-Day

**Woburn, MA – January 19, 2023 –** Today Kaspersky researchers reported on a new domain name system (DNS) changer functionality used in the infamous Roaming Mantis campaign. Cybercriminals have demonstrated they can use compromised public Wi-Fi routers to try to infect more Android smartphones with the campaign’s Wroba.o malware. Attackers used the new technique against users in South Korea, but it could be soon implemented in other countries as well. 

Roaming Mantis (a.k.a Shaoye) is a cybercriminal campaign first observed by Kaspersky in 2018. It uses malicious Android package (APK) files to control infected Android devices and steal device information. It also has a phishing option for iOS devices and cryptomining capabilities for PCs. The name of the campaign is based on its propagation via smartphones roaming between Wi-Fi networks, potentially carrying and spreading the infection.

**New DNS changer functionality to attack more users via public routers**

Kaspersky discovered that Roaming Mantis recently introduced a domain name system (DNS) changer functionality in Wroba.o (a.k.a Agent.eq, Moqhao, XLoader), the malware that was primarily used in the campaign. DNS changer is a malicious program that directs the device connected to a compromised Wi-Fi router to a server under the control of cybercriminals instead of a legitimate DNS server. On the malicious landing page, the potential victim is prompted to download malware that can control the device or steal credentials.

At the moment, the threat actor behind Roaming Mantis is exclusively targeting routers located in South Korea and manufactured by a very popular South Korean network equipment vendor. To identify them, the new DNS changer functionality gets the router’s IP address and checks the router’s model, compromising targeted ones by overwriting the DNS settings. In December 2022, Kaspersky observed 508 malicious APK downloads in the country (see the Table 1). 

An investigation of malicious landing pages found that attackers are also targeting other regions using smishing instead of DNS changers. This technique employs text messages to spread malicious links that direct the victim to a malicious site to download malware onto the device or steal user info via a phishing website. Japan topped the list of targeted countries with nearly 25,000 malicious APK downloads from the landings created by cybercriminals. Austria and France followed with roughly 7,000 downloads each. Germany, Turkey, Malaysia and India rounded out the list. Kaspersky researchers predict that the perpetrators may soon update the DNS changer function to target Wi-Fi routers in those regions as well. 

**Country**  

**Number of downloaded malicious APK** 

Japan

24,645

Austria

7,354

France

7,246

Germany

5,827

South Korea

508

Turkey

381

Malaysia

154

India

28

_Table 1. The number of malicious APK downloads per country based on investigation of malicious landing pages created within Roaming Mantis campaign, the first half of December 2022_

According to Kaspersky Security Network (KSN) statistics in September – December 2022, the highest detection rate of Wroba.o malware (Trojan-Dropper.AndroidOS.Wroba.o) was in France (54.4%), Japan (12.1%) and the U.S. (10.1%). 

“When an infected smartphone connects to ‘healthy’ routers in various public places like cafes, bars, libraries, hotels, shopping malls, airports, or even homes, Wroba.o malware can compromise these routers and affect other connected devices as well,” said Suguru Ishimaru, senior security researcher at Kaspersky. “The new DNS changer functionality can manage all device communications using the compromised Wi-Fi router, such as redirecting to malicious hosts and disabling updates of security products. We believe that this discovery is highly critical for the cybersecurity of Android devices because it is capable of being widely spread in the targeted regions.” 

To read the full report on newly implemented DNS changer functionality, please visit Securelist.com.

In order to protect your internet connection from this infection, Kaspersky researchers recommend the following:

*   Refer to your router’s user manual to verify that your DNS settings haven’t been tampered with or contact your ISP for support.

*   Change the default login and password for the admin web interface of the router and regularly update your router’s firmware from the official source.

*   Never install router firmware from third party sources. Avoid using third-party repositories for your Android devices.

*   Further, always check browser and website addresses to ensure they are legitimate; look for signs such as https when asked to enter data.

*   Consider installing a mobile security solution, such as Kaspersky, to protect your devices from these and other threats.

**About Kaspersky**

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Roaming Mantis Uses DNS Changers to Target Users via Compromised Public Routers

Traditional compliance and IAM are insufficient to secure the modern enterprise. We must shift left with modern access controls to avoid costly data breaches.

**What Does It Mean to "Shift Left"?**

"Shift left" is a powerful concept that prioritizes catching and resolving issues earlier in a process, thereby minimizing defects and increasing quality output. In security, the methodology is being used to find vulnerabilities that are traditionally addressed in detection and remediation cycles, and preemptively address those problems upstream. While popularized in the AppSec domain, an equally powerful application of shifting left is evolving in identity management. Identity is the new security perimeter in the cloud-native world. We need to explore a new access control paradigm to reduce risk, one defined by the use of policy and automation.

**Today's World: Checkbox Compliance and IAM for the Sake of Productivity**

There's no shortage of identity-based attacks making headlines, from privilege escalation to unauthorized access, among others. Compliance, while a good signal of general security practices, isn't always an indication of real risk reduction. Quarterly or yearly access reviews "discover" overprovisioned and non-off-boarded users with sensitive access, leaving security gaps in place for months at a time. While quarterly timing might be enough to "check the box," real risk reduction would require running timely and more frequent reviews for most applications (whether they are connected to your identity provider or not). The growing number of SaaS and IaaS offerings, the impact of group sprawl, and the level of manual effort required for this makes more frequent reviews cost-prohibitive for most businesses.

We are rooted in a world that traded security for productivity. We grant as much birthright access as possible so we can avoid managing access changes downstream, but still periodically check in on this access as required by compliance. When access changes are needed, they are thrown over the wall via help-desk tickets that sit in queues for days or weeks. From a security standpoint, a lot of energy is spent on compliance and managing access, yet we're barely scratching the surface on risk reduction.

**Change Your Thinking: Access Controls That Actually Reduce Risk**

Better security outcomes in compliance and IAM necessitate that we automate like engineers and take new approaches. Alerting, quarterly reviews, and ticketing are heavy-handed detection and remediation tactics that identify and address overprivilege after it has already happened. In order to shift left, we need to modernize how access is controlled. Architecting modern access controls will require an identity-centric view into any and all technology, democratized access decision-making, the ability to define least privilege policy as code, and above all, automation wherever we can get it. A first principles-based approach to securing access is required: Users should have access for as long as they need it to do their job, and no longer. Implementing this is hard, but here are a few starters:

1\. **Democratization of access management, but central enforcement of control policy.** System owners have the best information and context for why users need access, and IT doesn't enjoy being the ticketing middleman. Access decisions made by system owners should be balanced with a centrally defined policy for managing access based on classifications. Policy should be defined in code, if possible, and managed through change management processes.

2\. **Justification for access and time-limited access.** Users only need access while they're doing a job, performing a function, contributing on a team, working on-call, and so forth. Justification is the context for why a user needs specific access at that moment. Without that justification, the access is not required and is automatically removed.

3\. **Automating user access reviews (UARs).** UARs are extremely effective at reducing standing privileges and identifying inappropriate accounts and access. The problem is that manual UARs are too time and labor intensive to run frequently, which means delays in identifying and revoking expired accounts and privileges. With automated user access reviews, we find 10% to 25% of access is regularly marked as overprovisioned, inappropriate, or unused, and is subsequently removed.

4\. **Self-service and just-in-time access provisioning.** Employees should be able to request access right when they need it from comprehensive app and resource catalogs. Accounts and permissions should be provisionable without manual touches, whether it's connected to the SSO provider or not. Policy should drive the process, so low-privilege access can be granted automatically without a human in the loop, and higher-privilege access can be routed to the correct approvers quickly and efficiently.

**Moving Forward, Shift Left With Least-Privilege Thinking, Tools, and Automation**

We need to recognize that access is messy and embrace that reality with the principle of least privilege and the automation to enforce it. We should not focus on rigidity and centralization, but rather on policy and delegation. Users change roles and teams. Sometimes you need temporary access and permissions. Employees come and go. What's important is that your environment, governed by policy and run by automation, always and predictably reverts to the minimum level of sensitive access necessary for your team. Only then can you reduce the attack surface area of identity and move from detecting breaches to avoiding them in the first place.

**About the Author**

    

Alex Bovee is co-founder and CEO of ConductorOne, a technology company focused on modern identity governance and access control. With a background in security and identity, he most recently led Okta's zero-trust product portfolio and prior to that, enterprise device security products at Lookout Mobile Security. He co-founded ConductorOne to help companies become more secure and productive through identity centric automation and access control. In his spare time, he enjoys playing guitar and shuttling his kids around to activities.

Shift Identity Left: Preventing Identity-Based Breaches

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

New year, new cartoon contest! We're flushed with excitement, knowing our clever, cybersecurity-minded readers are going to come up with imaginative captions for our latest cartoon, above. Here are four convenient ways to submit your ideas before the Feb. 8, 2023, deadline.

*   Email _\[email protected\]_ with the subject line "Dark Reading January Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

Dave Brassey is one bright guy! The manager of privacy, security and risk assurance at Australia-based software company Family Zone Cyber Safety won our December "Kiss and Tell" contest for his caption, below. A $25 Amazon gift card is on the way. Thanks to everyone who submitted an idea!

    

_**"I thought this was a DevOps party? InfoSec is always trying to get in on the action!"**_

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Poker Hand

The report highlights concerning security stats following two years of extreme tech growth.

**OTTAWA,** **ON****,** **Jan.** **19,** **2023** **/PRNewswire/ -** The media industry is at higher risk of cyber attack. According to the newly released State of Penetration Testing as a Service report, an average of 3.75 critical vulnerabilities were found for every MediaTech application tested in 2022. During the same period, the data & analytics industry came second with an average of 1.5 critical vulnerabilities found per client application. Across all industries, 0.9 critical vulnerabilities were identified per client application.

Critical vulnerabilities are the most severe form of application security risk, and include categories of vulnerabilities such as SQL injection (SQLi), remote code execution (RCE), command injections, and unauthorized administrative host/application access. The "OWASP Top 10" also defines a list of the most common and severe vulnerabilities facing software applications today.

Companies facing critical vulnerabilities are at high risk as these issues are easily exploitable and will have significant damaging effects if exploited by a malicious hacker. Negative consequences include unauthorized release of confidential information, access to sensitive customer data, and access to control internal systems. As such, most companies are recommended to fix these within a maximum of 5 days after discovery.

Software Secured, an Ottawa\-based penetration testing firm, released the report based on insights from their client testing in 2021 and 2022. The goal of the report is to help leaders of security and compliance teams understand the most prominent risks facing their software within the next year. Included within the report are explanations on the identified threats and recommendations for companies to stay ahead of hackers. Some other insights gained from their reporting include:

*   Increase in critical-level SQL injection attacks by 250% compared to 2021
*   Increase in high-severity Denial of Service (DoS) attacks by 133% compared to 2021
*   Cross-site scripting (XSS) findings remain the most common critical vulnerability for two years in a row

Penetration testing as a service (PTaaS) is a comprehensive security assessment that is proven to help companies secure their applications, significantly decreasing the likelihood of cyber attacks

Download the full 2022 State of Penetration Testing as a Service report here.

For more information or questions, please visit us online at softwaresecured.com or contact us with the information below:

SOURCE Software Secured

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

The Media Industry Is the Most Vulnerable to Cyber Attacks, Report Shows

ICS/OT cybersecurity firm finds 35% of CVEs in second half of 2022 unpatchable.

**CHANDLER, Ariz.****,** **Jan. 19, 2023** **/PRNewswire/ --** SynSaber, an early-stage ICS/OT cybersecurity and asset monitoring company, announced today the release of the company's second Industrial Control Systems (ICS) Vulnerabilities & CVEs Report. The report analyzes the 920+ CVEs released by CISA in the second half of 2022 to determine the following:

*   Who is reporting the vulnerabilities?
*   What remediations (if any) are available?
*   What are the severity levels and potential impacts?
*   How does the data compare to the CVEs reported in the first half of the year?

"Year after year, there is a deluge of vulnerability disclosures in industrial control systems, often creating anxiety as the security community attempts to patch or remediate each point of exposure — an impossible feat," said Ron Fabela, CTO of SynSaber. "Our goal with this report is to analyze the 920+ CVEs, and gather insights for the ICS industry regarding which CVEs should be taken most seriously and which can be accepted as a part of the organization's risk management strategy."

**Key Findings:**

*   For the CVEs reported in the second half of 2022, 35% have no patch or remediation currently available from the vendor (up from 13% in the first half of the year)
*   While 56% of the CVEs have been reported by the Original Equipment Manufacturer (OEM), 43% have been submitted by security vendors and independent researchers (these figures were consistent with the first half of 2022)
*   28% of the CVEs require local or physical access to the system in order to exploit (up from 23% during the first half of 2022)
*   Of the CVEs reported in the second half of 2022, 22% can and should be prioritized and addressed first (with organization and vendor planning)

The volume of CVEs reported via CISA ICS Advisories and other entities is not likely to decrease. It's important for asset owners and those defending critical infrastructure to understand when remediations are available, and how those remediations should be implemented and prioritized.

For more information on the report, please visit: https://synsaber.com/resources/ics-vulnerabilities-and-cves-second-half-2022/

**About SynSaber:** 

SynSaber is the simple, flexible, and scalable industrial asset and network monitoring solution that provides continuous insight into the status, vulnerabilities, and threats across every point in the industrial ecosystem, empowering operators to observe, detect and defend OT/IT systems and protect critical infrastructure. SynSaber is privately held with funding from SYN Ventures, Rally Ventures, and Cyber Mentor Fund. Learn more at SynSaber.com.

SOURCE SynSaber

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

SynSaber Releases ICS Vulnerabilities & CVEs Report Covering Second Half of 2022

Open architecture, non-standalone roaming, nation-state attacks, ransomware, and the need for more industry collaboration are among the major 5G security challenges that operators must address in the year ahead.

**ROME****,** **Jan. 19, 2023** **/PRNewswire/ --** SecurityGen, the award-winning global provider of security solutions and services for the telecoms industry, today announced its cybersecurity priorities for telecom operators in 2023.

"As 5G's global footprint increases, the number of cyber threats targeting 5G increases as well," said SecurityGen co-founder and CTO Dmitry Kurbatov. "In 2023, operators must be aware of the range of these threats and take necessary steps to properly defend their networks, protect their customers, and safeguard their operations and revenue."

Kurbatov identifies the main factors shaping the risks and threats that operators must prepare for in the year ahead as follows:

      **1.  5G related challenges**

*   **5G is open for integration - but also open to attack**

Unlike previous mobile network generations like 3G and LTE, 5G is designed from the ground up to be flexible and open for integration with multiple external systems. However, the same open architecture that enables this flexibility and easy integration can also make 5G vulnerable and exposed to threats and hidden vulnerabilities.

The challenge for operators is to maximise 5G's advanced functionality and interoperability while also recognizing this vulnerability and minimizing the threats arising from 5G's extra openness compared to previous network generations.

*   **Beware** **of** **roaming traffic from non-standalone 5G**

As operators deploy more 5G networks and more users purchase 5G smartphones, the volume of roaming traffic between 5G networks increases. But the majority of this extra roaming traffic goes through non-standalone 5G networks which still use unsecure legacy technology for their core networks, including signaling protocols such as GTP and Diameter, which have proven to be hackable in recent years.

Without proper security measures in place, 5G is vulnerable to threats originating from non-5G networks carried in non-5G network traffic – but which are able to damage and disrupt 5G services.

      **2.  Cyberattacks from hostile states and organized crime**

Telecom networks are critical national infrastructure, which makes them high-value targets for cyberattacks, especially during times of conflict and heightened geopolitical tensions. The growing use of mobile - especially 5G - for connecting and remote monitoring of everything from energy grids and automated factories to smart cities and transport systems, amplifies the damage and disruption that an attack on an operator's network could inflict. Mobile's importance also makes it a target for organized crime groups to launch financially motivated attacks of their own aimed at operators or their subscribers.

      **3.  Operators as high-value targets for ransomware**

The number and frequency of cyber-attacks such as ransomware and phishing show no signs of slowing down. The threat of ransomware is already well known: however in 2023, expect the bad actors behind them to become more advanced and more selective in their attacks - including targeting mobile networks as the means to breach telecom operators and access the valuable customer data they hold.

      **4.  New industry regulations on security but operators must do more themselves** 

National and pan-regional regulators are pushing the telecom industry to comply with new security requirements that address the heightened threat of cyberattack on digital infrastructure and telecom networks as part of it.

Mobile network security is still perceived as an after-thought. Rather than adopt a network-wide, security-by-design approach, many operators continue to rely on inefficient one-off security techniques which leave parts of their networks exposed to hackers.

      **5.  Effective cybersecurity also depends on** **collaboration**

*   **Hinders knowledge sharing**

When companies and experts share their knowledge and experience, everyone benefits. But with international cooperation undermined by current geopolitical rivalries and tensions, divisions might open between operators and other telecom industry players, industry regulators and national governments that make it more difficult to cooperate on collective joint efforts for better cybersecurity.

*   **Cyber-security skill shortages**

Cyber-security continues to suffer an ongoing shortage of skilled workers, especially in areas that require specific expertise such as telecoms. Combined with the lack of knowledge sharing, the skills shortage makes it harder to encourage and develop new talent. The telecoms industry, led by operators, needs to step up and invest in training initiatives to attract new workers and provide them with the requisite skills needed to grow the cyber-security talent pool.

Against this range of threats, Dmitry identifies the following steps for operators to strengthen the security and resilience of their 5G networks:

*   Make the security of your 5G network as much of a commercial and operational priority as its performance in terms of speed, throughput, and coverage. The current economic conditions should not put operators off investing in proper security measures. Security is more efficient and cost-effective when it is built-in across the entire system, and not just a patch on the surface.
*   Adopt a defence-in-depth approach based on continual network-wide assessments and monitoring. 5G networks are a step-change in complexity that are more like IT systems than legacy mobile networks. Regular security checks, continuous analysis and other established cybersecurity methods fine-tuned for the telecom environment will provide the level of detail and in-depth scrutiny that's needed to ensure a 5G network is secure against advanced attacks.
*   Effective 5G security requires more than just installed software solutions and automated monitoring and testing. Extensive and ongoing training is also essential, so that operator security teams can explore and stay up to date with the latest cyberthreats - and also identify new vulnerabilities as they emerge.

"Operator security teams must be mindful of the new, unique security challenges specific to 5G while at the same time not losing sight of the threats inherited by legacy technologies within 5G's set up," explained Kurbatov.

"Telecom security cannot be solved by a single-point solution, it requires a comprehensive strategic approach along with collaboration between ecosystem players. Operators and their industry partners should cooperate closely with governments and regulators to ensure cybersecurity receives the attention and investment to protect users and ensure that networks remain safe, secure and resilient," he concluded.

**About SecurityGen**

Founded in 2022, SecurityGen is a global company focused on telecom security. We deliver a solid security foundation to drive secure telecom digital transformations and ensure safe and robust network operations. Our extensive product and service portfolio provides complete protection against existing and advanced telecom security threats.

Visit www.secgen.com .

Photo: https://mma.prnewswire.com/media/1986048/SecurityGen\_Dmitry\_Kurbatov.jpg

SOURCE SecurityGen

SecurityGen Identifies the Cybersecurity Priorities for Mobile Operators in 2023

KnowBe4 partners with the Center for Cyber Safety and Education to bolster women
in cybersecurity for the fourth consecutive year.

**TAMPA, Fla., Jan. 19, 2023 /PRNewswire-PRWeb/ --** KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform,  
today announced it is partnering with the Center for Cyber Safety and Education  
to launch a Women in Cybersecurity Scholarship for the fourth consecutive year.

The KnowBe4 Women in Cybersecurity Scholarship will offer $10,000 to be applied  
to tuition, fees, books and required electronics for the recipient. An (ISC)2  
Certification Education Package that includes a certification exam voucher, a  
study course and other materials, practice exams and one year of membership dues paid is also part of this scholarship program. This is a one-time award and  
students may reapply each year in the future to be considered for another  
scholarship. Applicants will be scored in three categories: passion, merit and  
financial need. The application period is now open and will close on February  
28, 2023 at 11:59 p.m. EST.

"KnowBe4 is thrilled to once again partner with the Center for Cyber Safety and  
Education for this incredible scholarship," said Kelly Barrena, VP of global  
talent brand and outreach, KnowBe4. "Women are underrepresented in the  
cybersecurity workforce, therefore it is important to support and promote  
opportunities that diversify the field and encourage women who are pursuing  
related degrees and careers. KnowBe4 looks forward to selecting a deserving  
recipient."

For more information on and to apply for the KnowBe4 Women in Cybersecurity  
Scholarship program administered by the Center for Cyber Safety and Education,  
visit https://www.iamcybersafe.org/s/knowbe4-womens-cyber-scholarships.  

About KnowBe4  
KnowBe4, the provider of the world's largest security awareness training and  
simulated phishing platform, is used by more than 54,000 organizations around  
the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4  
helps organizations address the human element of security by raising awareness  
about ransomware, CEO fraud and other social engineering tactics through a  
new-school approach to awareness training on security. Kevin Mitnick, an  
internationally recognized cybersecurity specialist and KnowBe4's Chief Hacking  
Officer, helped design the KnowBe4 training based on his well-documented social  
engineering tactics. Tens of thousands of organizations rely on KnowBe4 to  
mobilize their end users as their last line of defense.  

About Center for Cyber Safety and Education  
The Center for Cyber Safety and Education (Center) is a non-profit charitable  
trust committed to making the cyber world a safer place for everyone. The Center  
works to ensure that people across the globe have a positive and safe experience  
online through their award-winning educational programs, scholarships, and  
research. Visit http://www.IAmCyberSafe.org to learn more.

KnowBe4 to Offer $10,000 Women in Cybersecurity Scholarship and (ISC) 2 Certification Education Package

New program enables students and early career professionals to learn critical skills required in today's entry-level cybersecurity field, helping address urgent cyber workforce jobs gap.

**ALBUQUERQUE, N.M. and LANHAM, Md., Jan. 19, 2023 /PRNewswire/ --** The International Council of E-Commerce Consultants (EC-Council), a developer of world-class cybersecurity education programs and certifications, today announced that it has partnered with edX, a leading global online learning platform from 2U, Inc. (Nasdaq: TWOU), and committed to expanding access to vital cybersecurity education programs. EC-Council's Essentials Series is the first cybersecurity Professional Certificate of its kind to be offered on edX and includes three foundational industry certification credentials. The beginner level series is designed for learners aspiring to pursue a career in cybersecurity.

"The Essentials Series is purpose-built to help educate up-and-coming cybersecurity professionals and enable them to begin their careers," said Bill Kiriakis, Senior Vice President and Head of North America at EC-Council. "edX is a leader in online learning, bringing courses and certifications to over 46 million learners worldwide. With this new offering, edX and EC-Council can directly help address the global shortage of cybersecurity workers."

EC-Council's Essentials Series includes three individual courses covering network defense, ethical hacking, and digital forensics and costs $447 USDfor the full lab range and certification bundles. The series helps students and early career professionals learn employable skills required in today's entry-level cybersecurity field, educating students in a range of techniques and tactics across industry verticals, such as securing networks, mitigating cyber risks, conducting forensic investigations, ethical hacking, attack vectors, and more.

Cybersecurity continues to be one of the most in-demand professions. According to industry sources, there are now close to 4 million open cyber jobs worldwide and half a million open positions in the US. The industry is struggling to find and retain talent, partially due to access to training and certification programs.

"edX's professional certificate programs are designed to enhance the critical skills needed to succeed in today's most in-demand fields. They drive true career impact in an accessible and affordable way," said Andrew Hermalyn, president of partnerships at edX. "The addition of EC-Council's cybersecurity Essentials Series on edX gives learners the opportunity to earn a valuable credential from a world-class cybersecurity organization."

For more information on EC-Council's programs on edX, visit edx.org/school/ec-council.

**About EC-Council**

The sole mission of EC-Council is to advance the state of the cybersecurity profession on a global scale. Helping organizations, educators, governments, and individuals address global workforce problems is at the heart of the company's mission. To this end, it is developing and curating world-class cybersecurity education programs and certifications. It is also providing cybersecurity services to some of the largest businesses all over the world. More than 2,000 best universities, colleges, and training companies put their faith in EC-Council. This includes seven Fortune 10 companies, 47 Fortune 100 companies, the Department of Defense, global intelligence communities, and NATO. The standards for cybersecurity education are set by EC-Council programs, which have now been implemented in more than 140 countries worldwide. To acquire additional knowledge, please go to https://www.eccouncil.org/.

**About edX**

edX is the global online learning platform that exists to help learners everywhere unlock their potential. edX was founded by Harvard and MIT in 2012 to make the world's best education available to everyone. Today, as a 2U, Inc. company (Nasdaq: TWOU), edX connects over 46 million ambitious learners with the skills, knowledge, and support to achieve their goals. Together with the world's leading universities and companies, edX offers thousands of free and open courses, professional certificates, boot camps, credit-bearing micro credentials, and undergraduate and graduate degrees. Discover purpose-built online programs in technology, business, healthcare, science, education, social work, sustainability, and more at edX.org.

International Council of E-Commerce Consultants Launches Cybersecurity Essentials Professional Certificate Program on edX

There's a fine line between a hacker and an attacker, but it pays to be proactive. Consider tests by ethical hackers, a red team, or pen testers, and then bolster your company's defenses against malicious attacks.

In the world of security, there is no completely secure application or piece of software. At any point in time, a new vulnerability can be discovered, or a new exploit disclosed. The significance of recent exploits such as Log4Shell and PrintNightmare has led many organizations to re-evaluate how they efficiently and effectively discover and patch vulnerabilities before they can be exploited by an attacker.

As most organizations have expanded their technology stacks to keep pace with IT modernization and to help streamline remote work productivity, there are a host of systems and applications that cybercriminals can now exploit to gain access to sensitive company data. Keeping track of the risks and vulnerabilities within each technology is an ongoing challenge for business leaders and security teams, especially as company data is often highly dispersed across technologies and housed within different platforms.

One way to begin the process of better protecting company assets from an attack revolves around being more selective about which vulnerabilities to spend resources on.

**Assess Threat Levels**

The priority of a threat or vulnerability is subjective and will vary depending on the size of the company, the industry it operates within, and the type of data it retains. Companies need to determine if a malicious threat is affecting something that is core to their operating system and how it may impact their business. Sometimes a threat is hibernating, waiting for local privilege escalations, at which point the attacker will strike. Companies need visibility into their vulnerabilities before the malicious hacker has a chance to attack.

To do this and determine the severity of a threat, security teams cannot rely strictly on scanners anymore. If an organization is only running the same scans that the hackers run, they're doing the bare minimum to prevent automated attacks. This may work in the short term ... until the company is specifically targeted for an attack. In this case, the bad guys will be doing much more than the scanners — they will be finding new vulnerabilities, chaining vulnerabilities together, and finding new attack vectors.

Organizations must have knowledge of the same exploits that hackers have,_before_the hackers do, and patch them. One of the best ways to achieve this is utilizing ethical hackers — red teams, pen testers, bug bounties. They go beyond just using scanners. Ethical hackers find vulnerabilities that aren't being scanned for and create proof of concepts for attacks.

**Play-by-Play of an Ethical Hacker**

Here's a quick synopsis of how an ethical hacker could work to protect your organization by exposing vulnerabilities in advance:

**Step 1:** Obtain access

Hackers can often buy access to a company's internal system through the Dark Web for only a few hundred dollars. Alternatively, they can find access through leaked credentials, phishing, or other social engineering strategies.

**Step 2:** Active reconnaissance

Once into the company's internal system, they perform broad reconnaissance, including a network sweep. By doing so, they can enumerate networks, services, directories on hosts, vulnerabilities, and privileges. Using command-line controls, the hacker can look for open ports, such as Web ports, server message blocks (SMB) ports used for network shares, and remote desktop ports for managing workstations.

**Step 3:** Check for low-hanging vulnerabilities

Why pick the lock when the door is left open? Ideally, an attacker would first hope to find vulnerabilities for SMB ports, such as SMBGhost or WannaCry. If the organization has done a good job patching those SMB vulnerabilities and hardened your system, an attacker would then need to continue looking for opportunities.

**Step 4:** Target weak applications

In the attack scenario, the hacker would eventually find a vulnerable unpatched application.

**Step 5**: Elevate privileges

Unless you've disabled any default setting, the hacker would then escalate privileges from a basic user to a system user almost instantly, without the user ever knowing.

**Step 6:** Pass-the-hash

The hacker could then look for any hashes left by high-level users who logged into the endpoint in the past. Once found, a pass-the-hash attack can be executed to get access to systems as the highly privileged user, without knowing the actual user's password.

**Step 7:** Extract privileged credentials

By eventually extracting the proper credentials, the attacker could then gain access to the Domain Controller, giving them host access to Windows domain resources, as well as more workstations and other servers within the domain. With this, the hacker could manipulate systems, exfiltrate sensitive information, and essentially do anything they wanted on the domain.

This synopsis sheds light for a security team on just how easily an attack could be possible. Yet because the hacker was on the organization's side, no damage was really done, and valuable insights were collected on where/how to patch any open attack vectors and reduce the risks of malicious attackers discovering them first.

**Hacker vs. Attacker?**

In the mind of many ethical hackers, one of the biggest questions is where to draw the line. Is it OK to take advantage of an exploit if the intent is to shed light on the vulnerability? Where does a demonstration of a proof of concept cross that line into unethical territory? Would something as benign as sending a harmless email from a company account or even just typing into a Word document deserve scrutiny?

There's a fine line between a hacker and an attacker. Hacking itself is not a crime; rather, it is the motive and how a hacker applies their knowledge that differentiates doing criminal work and doing good work. Whether it's a security team, a red team, or a pen-testing group, or just an individual who found a vulnerability, one should much rather want to know about it before a malicious hacker does. It's much more difficult to clean up an attack than it is to prevent it.

With the right intentions, hacking can make the world a safer place. Just make sure to get permission — stay legal and do it with the right authorizations. Most hackers are good citizens looking to make the world a safer place.

Source

DARKReading