Report also shows that cloud-based solutions minimize complexity to enable easy adoption by small to midsize businesses.

**PRAGUE, Oct. 12, 2022 /PRNewswire/** — GoodAccess, the company reinventing secure cloud access for small and midsize businesses, today announced a white paper presenting research from Enterprise Management Associates (EMA) that shows "68% of companies believe that zero trust network access (ZTNA) is an ideal solution for addressing work-from-anywhere risk."

The paper also outlines how cloud-delivered solutions mitigate complexity and enable easy adoption by any type or size of company or organization. Cloud-based Zero Trust Network Access solutions eliminate the need for hardware and cumbersome software suites to simplify set-up and ongoing maintenance, so that even small and medium businesses can readily adopt its use. According to the white paper, "Cloud-delivered ZTNA can address many of the adoption barriers that smaller companies perceive with zero trust technologies in general."

"Complexity has always been the enemy of security and the thing that keeps it from being implemented in the first place or used as directed in the second place," said Michal Čížek, chief executive officer and co-founder, GoodAccess. "GoodAccess has re-invented VPNs to be the means of providing Zero Trust Network Access to small and medium businesses by greatly reducing complexity, expense and necessary expertise. The research and white paper from EMA corroborate our strategy and underscore its necessity."

While ZTNA provides a strong solution for "network-less" organizations where all or most employees are remote and applications and resources are cloud-based, many believe the technology is still out of reach of small and medium businesses. Results from a recent EMA survey show that:

*   Thirty-two percent (32%) of IT organizations consider budget as a barrier to zero trust adoption. The subsequent white paper points out that, "A cloud-delivered ZTNA solution is typically priced for modest budgets since they require no capital outlay."
*   Thirty-one percent (31%) of IT organizations believe zero trust is too complex to implement. The white paper counters the concern, noting, "A cloud-based solution can mitigate the complexity because they require no on-premises hardware or software, aside from client agents. Also, cloud-delivered ZTNA technology is typically configured via a web-based or SaaS GUI console."
*   Thirty-one percent (31%) of the organizations believe that they lack personnel with zero trust skills. Again, the white paper answers those concerns, stating, "Cloud-delivered ZTNA offloads much of the engineering and administrative requirements to the provider."

The paper shows how new solutions solve these traditional concerns by addressing cost, complexity and having necessary technological expertise. With cloud-based solutions, capital costs shift to affordable operational costs. Even more importantly, the complexity of installing and maintaining ZTNA becomes greatly simplified, with far less need for support time and expertise.

Commented Shamus McGillicuddy, vice president of Research, EMA, "The nature of work has permanently changed over the last few years. Hybrid and full remote work has become the standard for many companies. When businesses need to protect remote access to important business assets, cloud-delivered zero trust networking and security solutions are some of the main enablers of modern data security nowadays."

GoodAccess is a cloud-based SaaS application that enables organizations to create a resilient, Zero Trust network with identity- policy- and device-assessment-based access control and safe, deterministic connections to a company's cloud-based applications and resources. GoodAccess provides physical and virtual network segmentation to reduce attack surface and resource access with protection from phishing and unwanted employee behavior. The solution enables compliance enforcement with user activity monitoring and storing logs for all the network communication and systems. A company's risk and compliance administrator gain full visibility into who accesses your systems and when. Virtual access cards assign every user a private account and network identity.

Read a copy of the EMA white paper  
See the key principles of Zero Trust Network Access  
Start a free trial of GoodAccess  
Request a free consultation

**About EMA**

Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help EMA's clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals, and IT vendors at www.enterprisemanagement.com. You can also follow EMA on Twitter or LinkedIn.

**About GoodAccess**

GoodAccess is the global company dedicated to simplifying "anytime, anywhere" secure connectivity and access for small and medium businesses around the world, beginning with its free GoodAccess Starter product for unlimited usage for up to 100 employees. For companies with more than 100 employees and with the need for static IP addresses, Zero Trust access and other requirements, GoodAccess provides a competitively priced platform that maintains simplicity and ease of use. GoodAccess products are designed for set-up within 10 minutes and the flexibility to meet varying conditions.

For more information: www.goodaccess.com

**SOURCE:** GoodAccess

2 Out of 3 Companies See Zero Trust Network Access as Key to Mitigate Work-From-Anywhere Risks, According to New EMA Report

InterVision releases a new website focused on the customer experience, making B2B cybersecurity purchasing decisions easier.

**SAN JOSE, Calif. and ST. LOUIS, Oct. 12, 2022 /PRNewswire/** — InterVision, a leading information technology (IT) strategic service provider, announced today a corporate rebrand along with key findings from its Pulse study. Study results revealed that nearly half of all business leaders identify ransomware as the top threat to business operations. These announcements highlight the importance of doubling down on strategic cybersecurity measures.

The study ("Solving for Ransomware Threats: Insights Into Current Leadership Actions") shares insights from 100 IT leaders on ransomware's impact on business security. Surveyed IT leaders reported ransomware as one of the biggest threats to tech-related business in North America, with 45% citing ransomware as their top concern overall. The study also found that most organizations focus on ransomware attack recovery (46%) as opposed to prevention (21%). As a result, many IT systems cannot detect threats before they become critical to the organization. But when presented with the idea of Ransomware Protection as a Service (RPaaS), 90% of respondents were interested in the comprehensive strategy.

"With so many high-profile ransomware attacks over the past couple of years, organizations are starting to understand the urgency of implementing a ransomware protection strategy," said Allen Jenkins, CISO and VP of Cybersecurity Consulting at InterVision. "Respondents overwhelmingly identified the need to improve IT processes and technology. Creating the right bundle with Ransomware Protection as a Service (RPaaS) ensures multiple layers of protection and is a powerful step in the process of ransomware prevention."

InterVision's rebrand puts customer experience at the center of its website, making B2B cybersecurity purchasing decisions easier.

"Commitment to the customer experience has always set InterVision apart. Our suite of business continuity and disaster recovery services is best-in-class, and we prioritize customer service through 24/7 response offerings. Now, with an updated website, the customer experience is front and center from the beginning to the end of their engagement with InterVision," said Kathleen Amro, Vice President of Marketing at InterVision.

InterVision's refreshed website and brand also reflects the quality of the company's offerings — including RPaaS, which 90% of Pulse survey respondents reported interest in.

"With organizations facing the challenge of an ever-evolving threat landscape and global security talent shortage, InterVision's RPaaS will not only provide their customers with world-class protection but also the peace of mind that comes along with it," said Will Briggs, senior vice president of global channels, Arctic Wolf. "InterVision and Arctic Wolf both share a commitment to delivering positive security outcomes, and we are proud of how our security operations solutions play a key role in protecting and delighting our shared customers."

To view the full study, visit https://intervision.com/blog-solving-for-ransomware-threats/. For more information about InterVision offerings or to navigate the refreshed website, visit https://intervision.com/.

**About InterVision Systems  
**InterVision is the leading strategic services provider, delivering and supporting complex IT solutions for mid-to-enterprise and public sector organizations throughout the US. With more than 25 years of experience, coupled with one of the most comprehensive product portfolios of managed IT service offerings available, the company is uniquely positioned to guide clients through any stage of their technology journeys. InterVision drives business outcomes with an unparalleled focus on the customer experience to help organizations be more competitive, compliant, and secure. The company has headquarters in San Jose, CA, St. Louis, MO, and Richmond, Va. To learn more, visit www.intervision.com.

**SOURCE:** InterVision

InterVision Announces Study Identifying Ransomware as No. 1 Threat to Business Longevity

Early adopters reaping the benefits of improved SOC operations and efficiencies.

**SANTA CLARA, Calif., Oct. 12, 2022 /PRNewswire/** — Delivering on the promise to help organizations leverage massive scales of data for their defenses, Palo Alto Networks (NASDAQ: PANW) today announced the general availability of Cortex® XSIAM, a breakthrough autonomous security operations platform powering today's modern secure operations center (SOC) and fundamentally changing the way data, analytics and automation are used across enterprise and cloud security operations.

Earlier this year, Cortex XSIAM was made available to a number of top organizations through the XSIAM Design Partner Program. The design partners spanned healthcare, logistics, design and manufacturing, technology, public sector, and entertainment verticals. The common challenges these organizations face include overwhelming alert volumes accompanied by a high number of false positives, lack of visibility across all parts of the organization, including cloud environments, and excessive manual overhead associated with managing numerous siloed tools.

"The SOC is where some of the best cybersecurity professionals work, and it is time that they have the right platform to get their jobs done effectively. We want to give our customers a new approach to SOC operations with a focus on results, efficiency and productivity," said Lee Klarich, chief product officer, Palo Alto Networks. "Cortex XSIAM establishes an autonomous SOC where organizations can respond to threats in a fraction of the time it takes today, and analysts can focus on the highest priority incidents. The SOC of the future will be built on AI and automation — any other approach is destined for failure."

Palo Alto Networks operates its own SOC on Cortex XSIAM and has seen the benefits of intelligent data integration, machine learning-based threat models, extensive automation and proactive analysis of the IT environment to reduce the attack surface. The Palo Alto Networks SOC processes over one trillion events per month, with Cortex XSIAM automatically handling the vast majority of those events. On average, the Cortex-powered SOC detects threats in 10 seconds and responds to high priority threats in one minute, with an 80% reduction in alerts that SOC analysts need to analyze.

The feedback on XSIAM has been strong. Design partners consistently reported improved visibility, fewer incidents, reduced false positives and reduced mean time to response. Paul Alexander, director of IT operations at Imagination Technologies Group, an international leader in the creation and licensing of semiconductor System-on-Chip Intellectual Property, said, "XSIAM is already helping us to resolve and address threats way more quickly and efficiently, reduce risk and track metrics."

"We see XSIAM as a platform that combines multiple capabilities into one unified ecosystem," said David Norlin, CISO at Lumifi. "For us, that means empowering analysts to move quicker on multiple datasets, detect threats more comprehensively, and deliver an even better service to our clients."

"From our first demo of XSIAM as part of the early access program, we were shocked and impressed with the maturity of the platform," said Randy Watkins, chief technology officer at Critical Start. "This was not a beta product, but a solution that customers would immediately be able to build their entire security operations program around. The data models within XSIAM are some of the best approaches we've seen to solving the lack of consistency with log management."

"XSIAM aims at much more than SIEM and provides the engine for the autonomous SOC," said Bobby Brillhart, vice president of engineering at Norlem. "XSIAM creates unprecedented opportunities for us as an MDR provider to scale our services and significantly decrease our MTTR."

**Optimized for Cloud-Native Environments**

By design, XSIAM operates across both cloud and enterprise security operations, providing true end-to-end management of threats, wherever they originate. Unlike most existing SIEM products, XSIAM comes with the ability to collect and integrate cloud telemetry that is unique to cloud-native systems. While companies born in the cloud benefit from the scale and automation of XSIAM and the ease of integration with public cloud and SaaS telemetry, organizations with legacy SIEM deployments can seamlessly transition to XSIAM as the next-generation autonomous SOC platform.

**Availability**

Cortex XSIAM is now available globally with full support across multiple cloud locations to comply with local regulations.

**Additional Resources**

*   Register for Palo Alto Networks' November event: The Modern SOC, Reimagined.
*   Join us at Ignite, Palo Alto Networks customer conference, to learn more and see XSIAM in action.
*   Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021)and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Cortex, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

**SOURCE:** Palo Alto Networks, Inc.

Palo Alto Networks Ushers in the Next-Generation Security Operations Center With General Availability of Cortex XSIAM — the Autonomous Security Operations Platform

The computing giant didn't fix ProxyNotLogon in October's Patch Tuesday, but it disclosed a rare 10-out-of-10 bug and patched two other zero-days, including one being exploited.

For its October Patch Tuesday update, Microsoft addressed a critical security vulnerability in its Azure cloud service, carrying a rare 10-out-of-10 rating on the CVSS vulnerability-severity scale.

The tech giant also patched two "important"-rated zero-day bugs, one of which is being actively exploited in the wild; and further, there may be a third issue, in SharePoint, that's also being actively exploited.

Notably, however, the Microsoft didn't issue fixes for the two unpatched Exchange Server zero-day bugs that came to light in late September.

In all for October, Microsoft released patches for 85 CVEs, including 15 critical bugs. Affected products run the gamut of the product portfolio as usual: Microsoft Windows and Windows Components; Azure, Azure Arc, and Azure DevOps; Microsoft Edge (Chromium-based); Office and Office Components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate Services; Nu Get Client; Hyper-V; and the Windows Resilient File System (ReFS).

These are in addition to 11 patches for Microsoft Edge (Chromium-based) and a patch for side-channel speculation in ARM processors released earlier in the month.

**A Perfect 10: Rare Ultra-Critical Vuln**

The 10-out-of-10 bug (CVE-2022-37968) is an elevation of privilege (EoP) and remote code-execution (RCE) issue that could allow an unauthenticated attacker to gain administrative control over Azure Arc-enabled Kubernetes clusters; it could also affect Azure Stack Edge devices.

While cyberattackers would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster to be successful, exploitation has a big payoff: They can elevate their privileges to cluster admin and potentially gain control over the Kubernetes cluster.

"If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18, and 1.8.11 and they are available from the Internet, upgrade immediately," Mike Walters, vice president of vulnerability and threat research at Action1, warned via email.

**A Pair (Maybe a Triad) of Zero-Day Patches – but Not THOSE Patches**

The new zero-day confirmed as being under active exploit (CVE-2022-41033) is an EoP vulnerability in the Windows COM+ Event System Service. It carries a 7.8 CVSS score.

The Windows COM+ Event System Service is launched by default with the operating system and is responsible for providing notifications about logons and logoffs. All versions of Windows starting with Windows 7 and Windows Server 2008 are vulnerable, and a simple attack can lead to gaining SYSTEM privileges, researchers warned.

"Since this is a privilege escalation bug, it is likely paired with other code-execution exploits designed to take over a system," Dustin Childs, from the Zero Day Initiative (ZDI), noted in an analysis today. "These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website. Despite near-constant anti-phishing training, especially during 'Cyber Security Awareness Month,' people tend to click everything, so test and deploy this fix quickly."

Satnam Narang, senior staff research engineer at Tenable, noted in an emailed recap that an authenticated attacker could execute a specially crafted application in order to exploit the bug and elevate privileges to SYSTEM.

"While elevation of privilege vulnerabilities requires an attacker to gain access to a system through other means, they are still a valuable tool in an attacker’s toolbox, and this month’s Patch Tuesday has no shortage of elevation-of-privilege flaws, as Microsoft patched 39, accounting for nearly half of the bugs patched (46.4%)," he said.

This particular EoP problem should go to the head of the line for patching, according to Action1's Walters.

"Installing the newly released patch is mandatory; otherwise, an attacker who is logged on to a guest or ordinary user computer can quickly gain SYSTEM privileges on that system and be able to do almost anything with it," he wrote, in an emailed analysis. "This vulnerability is especially significant for organizations whose infrastructure relies on Windows Server."

The other confirmed publicly known bug (CVE-2022-41043) is an information-disclosure issue in Microsoft Office for Mac that has a low CVSS risk rating of just 4 out of 10.

Waters pointed to another potentially exploited zero-day: a remote code execution (RCE) problem in SharePoint Server (CVE-2022-41036, CVSS 8.8) that affects all versions starting with SharePoint 2013 Service Pack 1.

"In a network-based attack, an authenticated adversary with Manage List permissions could execute code remotely on the SharePoint Server and escalate to administrative permissions," he said.

Most importantly, "Microsoft reports that an exploit has likely already been created and is being used by hacker groups, but there is no proof of this yet," he said. "Nevertheless, this vulnerability is worth taking seriously if you have a SharePoint Server open to the internet."  

**No ProxyNotShell Patches**

It should be noted that these are not the two zero-day patches that researchers were expecting; those bugs, CVE-2022-41040 and CVE-2022-41082, also known as ProxyNotShell, remain unaddressed. When chained together, they can allow RCE on Exchange Servers.

"What may be more interesting is what isn’t included in this month's release. There are no updates for Exchange Server, despite two Exchange bugs being actively exploited for at least two weeks,” Childs wrote. “These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. With no updates available to fully address these bugs, the best administrators can do is ensure the September … Cumulative Update (CU) is installed.”

"Despite high hopes that today's Patch Tuesday release would contain fixes for the vulnerabilities, Exchange Server is conspicuously missing from the initial list of October 2022 security updates," says Caitlin Condon, senior manager for vulnerability research at Rapid7. "Microsoft's recommended rule for blocking known attack patterns has been bypassed multiple times, emphasizing the necessity of a true fix."

As of early September, Rapid7 Labs observed up to 191,000 potentially vulnerable instances of Exchange Server exposed to the Internet via port 443, she adds. However, unlike the ProxyShell and ProxyLogon exploit chains, this group of bugs requires an attacker to have authenticated network access for successful exploitation.

"So far, attacks have remained limited and targeted," she says, adding, "That's unlikely to continue as time goes on and threat actors have more opportunity to gain access and hone exploit chains. We'll almost certainly see additional post-authentication vulnerabilities released in the coming months, but the real concern would be an unauthenticated attack vector popping up as IT and security teams implement end-of-year code freezes."

**Admins Take Note: Other Bugs to Prioritize**

As far as other issues to prioritize, ZDI's Childs flagged two Windows Client Server Run-time Subsystem (CSRSS) EoP bugs tracked as CVE-2022-37987 and CVE-2022-37989 (both 7.8 CVSS).

"CVS-2022-37989 is a failed patch for CVE-2022-22047, an earlier bug that saw some in-the-wild exploitation," he explained. "This vulnerability results from CSRSS being too lenient in accepting input from untrusted processes. By contrast, CVE-2022-37987 is a new attack that works by deceiving CSRSS into loading dependency information from an unsecured location."

Also notable: Nine CVEs categorized as RCE bugs with critical severity were also patched today, and seven of them affect the Point-to-Point Tunneling Protocol, according to Greg Wiseman, product manager at Rapid7. "\[These\] require an attacker to win a race condition to exploit them," he noted via email.

Automox researcher Jay Goodman adds that CVE-2022-38048 (CVSS 7.8) affects all supported versions of Office, and they could allow an attacker to take control of a system "where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights." While the vulnerability is less likely to be exploited, according to Microsoft, the attack complexity is listed as low.

And finally, Gina Geisel, also an Automox researcher, warns that CVE-2022-38028 (CVSS 7.8), a Windows Print Spooler EoP bug, as a low-privilege and low-complexity vulnerability that requires no user interaction.

"An attacker would have to log on to an affected system and run a specially crafted script or application to gain system privileges," she notes. "Examples of these attacker privileges include installing programs; modifying, changing, and deleting data; creating new accounts with full user rights; and moving laterally around networks."

Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched

New research demonstrates the use of thermal camera images of keyboards and screens in concert with AI to correctly guess computer passwords faster and more accurately.

Password-cracking and guessing attempts are successful enough as it is to put more than a little gray in the hair of experienced cybersecurity professionals. Now new research shows even more effective cracking attempts could be perpetrated by attackers equipped with a cheap thermal camera and some simple deep-learning models.

The AI-driven attacks were conceptualized and refined by Dr. Mohamed Khamis of the University of Glasgow School of Computing Science and his colleagues at the school, Norah Alotaibi and Dr. John Williamson, who are set to publish their results in an upcoming issue of the ACM Transactions on Privacy and Security journal.

The paper details their work to use off-the-shelf thermal cameras and a probabilistic model that utilized 1,500 thermal images they took of recently used keyboards to create a method of accurately cracking passwords — even in uncontrolled settings. Dubbed ThermoSecure, the method captures heat signatures via thermal cameras and analyzes them with the researchers' AI modeling to guess a password with 86% accuracy when the images are taken within 20 seconds of input, and 62% accuracy within 60 seconds of input.

"Even without knowing the order of the keys, it is possible to significantly reduce the search space, which means fewer attempts are required to guess a password," the researchers wrote in their paper.

Khamis pointed to the accessible price of thermal cameras — which can be picked up for less than $200 — as a cue for why his team wanted to explore this as a potential threat vector. As he explains, this is likely an area where the bad guys are already innovating to develop ways to leverage these tools to their advantage.

"They say you need to think like a thief to catch a thief. We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones," he said. "It's important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers."

**Not the First Thermal Rodeo**

While this is not the first piece of research touching on the use of thermal imaging to guess passwords, previous studies took pictures in highly controlled settings. This latest one focused on how the layering of AI can bridge the gap in accuracy in uncontrolled conditions that might be affected by different camera angles and user behavior. The study also examined how factors like password length and typing styles could impact the accuracy of this technique, offering some hints for mitigation measures.

For example, the jump from eight-symbol passwords up to 16-symbol passwords cut the accuracy of the attack by 26 points when images were taken 20 seconds after input. Similarly, faster-touch typists left less of a heat signature than slower "hunt-and-peck" typists, meaning that the accuracy was about 12 points lower for the former compared with the latter.

Some other mitigating factors included the use of backlit keyboards — which heat up keys enough to "light up" a thermal image enough to flummox the AI model — and the kind of plastic used in a keyboard. For example, ABS plastic retains heat for significantly less time than PBT plastic.

Of course, one of the most reliable mitigations are the ones that are cited for just about any kind of password-cracking or guessing attacks: that is, seeking out alternative login methods.

"Users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, which mitigate many of the risks of thermal attack," Khamis said. "In my team, we have previously proposed authentication schemes that rely on eye movements for password entry; gaze-based authentication is resistant to thermal attacks by design."

AI and Residual Finger Heat Could Be a Password Cracker's Latest Tools

Attackers could exploit the "Sandbreak" security bug, which has earned a 10 out of 10 on the CVSS scale, to execute a sandbox escape, achieve RCE, and run shell commands on a hosting machine.

A remote code execution (RCE) vulnerability in a widely used JavaScript sandbox has earned a top rating of 10 on the CVSS vulnerability risk scale; it allows threat actors to execute a sandbox escape and run shell commands on the hosting machine.  

Researchers from cloud security firm Oxeye discovered the dangerous flaw, which they dubbed "Sandbreak" in vm2, a JavaScript sandbox that has more than 16 million monthly downloads, according to its NPM package manager.

"The fact that this vulnerability has the maximum CVSS score of 10 and is extremely popular means its potential impact is widespread and critical," Oxeye architect Yuval Ostrovsky and security researcher Gal Goldshtein wrote in a blog post published Oct. 10.

Oxeye found the flaw on Aug. 16 and informed the project owners two days later. On Aug. 28, GitHub issued CVE-2022-36067 and gave the vulnerability the highest risk rating possible.

The project's maintainers reacted swiftly to issue a patch for Sandbreak in vm2 version 3.9.11, which should be applied by anyone using the sandbox because of the heightened risk of vulnerability, the researchers said.

**Sandboxes: Historically Trustworthy**

Like all sandboxes, vm2 offers an isolated environment where applications can run trusted code, serving a vital purposes in modern applications because developers or network administrators can use them to run programs or open files without affecting the app, system, or platform in which they run.  

Software developers often use sandboxes to test new programming code, and they are well known as an important tool in cybersecurity research, allowing researchers to test potentially malicious software without harming other parts of a network or app environment.

Indeed, the fact that a sandbox is so universally trusted is what makes the Sandbreak flaw so critical and should sound an alarm across all sandbox users to shore up their implementations, the researchers said.

"By their very definition, sandboxes are considered safe places and trusted as mechanisms that isolate potentially dangerous code from our applications," they wrote in the post. "But what would happen if this trust was compromised?"

**Technical Analysis**

Researchers explored just that in their investigation of Sandbreak, which they discovered while analyzing previous security lapses disclosed to the team maintaining vm2.

The bug exists in the vm2 bug reporter, which would allow cyberattackers to abuse the error mechanism in Node.js. They could customize the call stack of an error that occurred in the app to escape the sandbox, the researchers disclosed.

"Customizing the call stack can achieve this by implementing the 'prepareStacktrace' method under the global 'Error' object,'" the researchers explained in the post. "This means that when an error occurs and the 'stack' property of the thrown error object is accessed, Node.js will call this method while providing it with a string representation of the error alongside an array of 'CallSite' objects as arguments."

One of the methods exposed by the CallSite objects because of the issue is "getThis," which is responsible for returning the “this” object that was available in the related stack frame, the researchers found.

This behavior can lead to sandbox escapes because some of the "CallSite" objects "may return objects created outside the sandbox when invoking the 'getThis' method," they wrote. If an attackers could gain hold of a "CallSite" object created outside of the sandbox, they could access Node's global objects and execute arbitrary system commands from there.

**Bypassing the Mitigation**

The maintainers of vm2 were aware that overriding "prepareStackTrace" could indeed lead to a sandbox escape. They tried to mitigate the escape path by wrapping the Error object and the "prepareStackTrace" method with their own implementation, which succeeded in preventing anyone from overriding the method and performing the escape, they said.

However, Oxeye researchers found they could bypass this, because vm2 missed wrapping specific methods related to the "WeakMap" JavaScript built-in type, they said. "This allowed the attacker to provide their own implementation of 'prepareStackTrace,' then trigger an error, and escape the sandbox," the researchers wrote.

Knowing that the prepareStackTrace function of the Error object is the function they needed to override to escape the sandbox, Oxeye researchers went even further and decided to try to override the global Error object with their own object.

Doing this implemented the prepareStackTrace function, which allowed them to escape the sandbox. A few simple steps later and they had access to the currently executing process and could execute commands on the system running the sandbox, they said.

**Using Sandboxes Safely**

Although sandboxes by their very nature are meant to safely run untrusted code within an app or system, enterprises shouldn't automatically assume they are without risk, the researchers warned.

However, if using a sandbox in an environment is unavoidable, Oxeye recommends reducing risk by separating the logical, sensitive part of an application from the microservice that runs the sandbox code.

This will ensure that "if a threat actor successfully breaks out from the sandbox, the attack surface is limited to the isolated microservice," the researchers wrote.

Enterprises also should avoid using a sandbox that relies on a dynamic programming language such as JavaScript when possible, they said.

"The dynamic nature of the language widens the attack surface for a potential attacker, making defending against such attacks much harder," researchers observed in their post.

Critical Open Source vm2 Sandbox Escape Bug Affects Millions

The IT security executive led ICS/OT, IT/OT integration, and other security programs, as well as diversity and inclusion efforts in the industry.

Paul Brager, a leading operational technology (OT) expert and executive, passed away late last month while on a business trip.

Brager, who most recently was director of the global OT security program at energy technology company Baker Hughes, was a well-known industry leader in the industrial cybersecurity sector and worked in the IT security field for 27 years, specializing in industrial control system (ICS)/OT, IT/OT convergence, and cyber-risk topics, among other areas. He was also a researcher and a renowned speaker in the industry, including at Interop and on the Dark Reading News Desk at Black Hat USA. 

Brager also led mentoring and advocacy initiatives for people of color and for women in cybersecurity, promoting diversity and inclusion.

His wife, Keirsten Brager, a cybersecurity professional as well as an author, announced her husband's passing this week via his LinkedIn profile, noting that Paul suffered a heart attack on Sept. 27 while on a business trip in Brazil.

_**NOTE: Dark Reading editors had the honor of interviewing Paul Brager on several occasions, as well as working** **with him as a speaker for the security track of Interop in 2017**_**_. His insights on industry issues_ _always made us smarter, and our reporting more informed. Our hearts and thoughts go out to Keirsten and their childre__n,_ _Kaylie and Dylan. The industry has lost a true leader._**

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

OT Cybersecurity Leader Paul Brager Passes Away

Exposed code included private key for Intel Boot Guard, meaning it can no longer be trusted, according to a researcher.

Intel has confirmed the leak of the Unified Extensible Firmware Interface (UEFI) BIOS of Alder Lake, the company's code name for its latest processor — the 12th generation Intel Core processor — which debuted in late 2021. 

According to reports, the Intel UEFI code was first leaked late last week on 4chan, and later GitHub, and it contained 5.97GB of data. It was dated 9-30-22, likely when it was exfiltrated, analysts reported. "In addition, one thing should be noted that the key pairs required by Boot Guard during provisioning stage is also included in the leaked content," researchers from Hardened Vault who analyzed the leaked data explained. 

Researcher Mark Ermolov noted the same thing on Twitter on Oct. 8, adding, "... the Intel Boot Guard on the vendor's platforms can no longer be trusted." 

The researchers at Hardened Vault pointed out the code could be particularly useful for malicious actors who want to reverse engineer the code to find vulnerabilities. 

In a statement provided to Security Week, Intel acknowledged the breach, attributing it to a third-party and downplaying its potential security risk. "Intel does not believe this exposes, or creates, any new security vulnerabilities as we do not rely on obfuscation of information as a security measure," Intel said in a statement. "We are reaching out to customers, partners and the security research community to keep them informed of this situation." 

The Hardened Vault team said it hasn't been able to trace the data back to the leaker but suggested that the developer of the firmware solution, Insyde, might have more information to share. "But it is still impossible to confirm the person who leaked it," the team wrote. "The leak is part of Insyde solution which integrate Intel’s resources. Perhaps Insyde knows more than we do."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Intel Processor UEFI Source Code Leaked

How data-driven security can best safeguard your unique cloud operations.

The cloud is made up of extremely dynamic environments that undergo constant expansion, updating, and change. As such, securing these cloud environments requires an equally dynamic solution, uniquely differentiated from that of traditional, on-premises computing environments. Yet a recent study suggests that 32% of organizations use the same rules, processes, and tools for both on-premises and cloud security.

Using the same rules-based security approaches for the cloud is like trying to force a square peg into a round hole — it won't fit no matter how you spin it, yet far too many enterprises still try. Given their disappointing track record in securing corporate computing, rules-based systems cannot be expected to be effective in the cloud, which is both different and more challenging. The dynamic and vulnerable nature of the cloud requires enterprises to take a new approach: one that views security as a data problem whose solution provides both safety and agility.

**Accept Cloud Security for What It Is: Never the Same Day as Before**

Unprecedented data growth is forcing enterprises around the world to reconsider their data storage infrastructure, forgoing legacy architecture and migrating to cloud platforms. While the cloud promises new levels of efficiency and scale, one of its defining characteristics is constant change. The pace of software iteration is supercharged, with open source building blocks constantly churning, underlying platforms rapidly evolving, and operations horizontally scaling out and vertically tailing. As more computing moves to the cloud, the faster the potential attack surface increases, resulting in more risks and vulnerabilities. Long story short: running an operation in the cloud is an exercise in frantic change management.

The world of traditional business computing no longer exists. The cloud environment is far removed from on-premise's closed-off walls (and soft squishy center) guarded by multiple layers of defense. According to O'Reilly, 90% of organizations use the cloud, and Gartner estimates that over 95% of new digital workloads will be deployed on cloud-native platforms by 2025. Security professionals are facing a completely new landscape. And outdated rules-based approaches to security are only guaranteed to flood operations teams with contextless alerts, leading to poor visibility, guesswork, and fear of the unknown.

Protecting operations in the cloud is fundamentally different from protecting traditional, on-premises computing. The security industry needs to accept this fact and prioritize providing visibility and stability to its customers. By understanding the unique construction of each customer's cloud operations, the defining characteristics of their workload, and the specifics of their computing environment, security professionals can provide the foundation for customers to operate with confidence and agility as they adapt safely to each change. But such a foundation can only be achieved by data-driven techniques and comprehensive analysis.

**Monitoring and Analyzing Anomalies, Not Rules

Traditional monitoring relies on rules that trigger alerts based on known security-related issues, whether or not those issues are relevant to an organization's operations or workload. It's a somewhat backward paradigm: Rather than working to comprehend the organization's operations and maintaining their health, the rule-based paradigm focuses on understanding potential threats, based on general-purpose knowledge of the threat ecosystem. Not only does this approach require security expertise (which can be hard to find), but it also fails to make the security team an enabler that helps corporations be agile by maintaining stability in the face of changes.

When a doctor prescribes medication, a treatment that works for one patient might not work for another. Just as every patient is unique, so is every cloud environment. An organization's cloud operations are not a cookie-cutter concern, but rather a conglomeration of configurations, technologies, tools, and processes that have evolved over time, often with many detours and dusty corners. Therefore, there can be no one-size-fits-all solution to cloud security: What should be permitted, and what should be flagged as a threat or high-risk anomaly, must be based on what constitutes normal behavior in each unique cloud environment.

Fortunately, using modern data processing and machine learning techniques makes it possible to learn the salient, stable aspects of each customer's operations. These techniques mine the torrent of data about customers' cloud activities and separate out the irrelevant, ephemeral noise caused by the cloud's constant churn. From that foundation, the customer can understand the normal, healthy behavior of their operations and highlight any anomalies that might pose a threat, whether to the security or to the stability of their operations.

In particular, this approach can be highly effective in uncovering new threats before they become known, or identifying new threat variants as they appear — since exploit attempts will trigger anomalies, whether successful or not. This last benefit is of critical use in cases such as last year's Log4j vulnerability, where, over weeks and months, a succession of rapidly evolving exploits were reported by 44% of worldwide networks, as corporations struggled to remedy the vulnerability.

Taking a different approach to security in the cloud is not only a technical necessity but also a requirement from a personnel standpoint. Security teams are strapped, with alert fatigue and burnout running rampant. For even the most prepared teams, the operational and maintenance effort can be overwhelming, especially since the results are often dishearteningly lackluster. Any approach that significantly reduces the number of daily alerts can greatly improve morale and productivity. The benefits are even greater if the alerts comprise a handful of security-critical issues and data-driven anomalies, presented in an easy-to-understand context of normal operations.

It's time to let go of the past. Organizations need to say goodbye to traditional, manual rules-based security approaches and adjust for the cloud. Security should be a key concern throughout all stages of cloud software development, from build time to runtime. But cloud security should also not be a barrier that blocks agility. Rather, cloud security should be a foundation that helps maintain stability in the face of change. The best way to ensure this is via a data-driven approach to cloud security that fully accounts for the unique characteristics, structure, and dynamic behavior of each cloud environment.

**

It's Time to Make Security an Innovation Enabler

Skybox Security Cloud Edition ushers in a new era of proactive cybersecurity .

SAN JOSE, Calif., Oct. 11, 2022 — Skybox Security today announced the next generation of its award-winning Security Posture Management Platform – including the industry's first Software-as-a-Service (SaaS) solution for Security Policy and Vulnerability Management. Propelling its global customer base into the next era of proactive cybersecurity, major innovations advance its platform that continuously tests attack feasibility, exposure, remediation options, and compliance across hybrid environments.

"Today, we're delivering on our mission of building the world's leading Security Posture Management platform," said Skybox Security CEO and Founder Gidi Cohen. "Skybox equips customers with the hybrid network modeling, path analysis, and automation they need to reduce the risk of a significant data breach by 55%. Our latest innovations are significant for customers that deploy on-prem, as well as customers that will benefit from our new SaaS solution. The new Skybox Cloud Edition offering capitalizes on the speed, scale, innovation, and productivity benefits powered by the cloud to drive the pursuit of broader digital business opportunities."

**Expansion into Cyber Asset Attack Surface Management**

Challenging the status quo through a dynamic, fresh approach to Cyber Asset Attack Surface Management (CAASM), Skybox visualizes all assets through API integrations, identifies and prioritizes vulnerabilities using proprietary threat intelligence, sees gaps in security controls, and automatically provides remediation options. In addition, significant advancements to the proprietary Skybox network model enable customers to dynamically model operational technology, IT, and hybrid cloud environments – including all networking and security data related to a specific asset.

According to Gartner Research: "CAASM enables security teams to improve basic security hygiene by ensuring security controls, security posture, and asset exposure are understood and remediated. Organizations that deploy CAASM reduce dependencies on homegrown systems and manual collection processes, and remediate gaps either manually or via automated workflows. Organizations can visualize security tool coverage, support attack surface management (ASM) processes, and correct systems of record that may have stale or missing data."1

**Industry's First Solution To Automatically Map Vulnerabilities To Malware Type**

Skybox also introduced the industry's first Security Posture Management solution that connects Vulnerability Management with Threat Hunting. Building on its Exposure Management process that emphasizes publicly known vulnerabilities and identifies control gaps, Skybox now also associates vulnerabilities to malware by name, category, and distinct classes – including ransomware, Remote Access Trojans (RATs), botnets, cryptocurrency miners, trojans, and more.

"Executives and board members want to know if their cybersecurity teams are staying ahead of the latest celebrity malware such as TrickBot, REMCOS, FormBook, AZORult, Ursnif, Agent Tesla, and NanoCore," said Ran Abramson, Threat Intelligence Analyst, Skybox Research Lab. "Powered by Skybox threat intelligence, CISOs have automated analysis that can prove they retired millions of malware and exploits. No other cybersecurity solution can provide customers with our advanced vulnerability prioritization and threat trend reporting."

**Expanded Integrations Eliminate Complexity, Reduce Administrative Burden, and Provide More Effective Cybersecurity**

With over 150 integrations, Skybox Security is the only solution that builds an extensive model of a customer's unique hybrid environment, including all of the customer’s L3 devices. Expanded integrations include:

*   **Amazon Web Services (AWS):** Expanded cloud capabilities include support of AWS firewalls in distributed mode. Reduce risk while validating compliance by eliminating permissive, obsolete, shadowed, and redundant rules.
*   **Cisco Application Centric Infrastructure (ACI):** Adding new capabilities to its Cisco ACI integration, Skybox now delivers granular visibility into ACI Fabric tenants across spanning networking, micro-segmentation policies, and device attributes.
*   **Palo Alto Networks Prisma Cloud:** Furthering its commitment to shift-left security practices, vulnerabilities in container images across DevOps toolchains can now be identified and prioritized for remediation via the Skybox multi-factor risk scoring algorithm.

**Skybox Cloud Edition Accelerates Customer Value With Increased Flexibility, Scalability, Business Agility, and Resiliency**

Skybox Cloud Edition delivers the capabilities of the Skybox Security Posture Management Platform in a Software-as-a-Service (SaaS) offering to unlock additional business agility and resiliency benefits.

*   **First SaaS solution for Security Policy Management**: Leapfrogging the competition, Cloud Edition capabilities reduce software installation maintenance tasks. Streamlined licensing and deployment are designed to meet customer demand.
*   **Advanced Vulnerability and Exposure Management**: With the industry's most flexible deployment options for Vulnerability and Exposure Management (both on-premises and SaaS versions), customers can select the deployment model that aligns with their corporate and regulatory requirements.
*   **Limitless scalability**: Manage security policies, prioritize vulnerabilities, and remediate exposures across the most complex on-premises, cloud, operational technology (OT), and hybrid environments. Automate, verify, and operationalize risk reduction.
*   **Faster deployment options**: Cuts deployment time and reduces the need for procuring hardware, performing testing, and installing updates – enabling customers to unlock value faster. Customers with vast, global environments will reap huge benefits due to the size and diversity of their attack surface.
*   **Instant automatic updates**: Customers benefit immediately from the latest product innovations and platform updates. Upgrades are much less disruptive, with no need for change management resources. Seamless, automated upgrades are critical given the dynamic threat and regulatory landscapes.
*   **Guaranteed availability:** The solution is hosted in AWS for outstanding stability, performance, and guaranteed availability. Additionally, 24/7 monitoring of the tenants, across both the Network Operations Center (NOC) and Security Operations Center (SOC), maintains optimal network performance and performs real-time analysis for continuous threat mitigation.

**Customer Quotes**

"We had endless streams of vulnerability remedial work. Everything seemed extremely important. Hence why we moved to Skybox: Because it gave us exactly the prioritization model we needed." – Director of Cybersecurity, Manufacturing Organization

"The overall visibility that Skybox has given us of the network – that's something we didn't have before. You can't really put a number on that, but it's a massive impact." – Principal Network Engineer, IT Security Company

"They were getting burned out. So, this has changed at least one of my engineers' lives. He actually said it over and over, 'This is the best thing that's ever happened to me.' Had it been anyone else, I doubt we would have kept anyone in that position for long." – Information Security Manager, Financial Services Organization

"Assets that are critical are tracked in Skybox, and the risk is assessed. If there is a vulnerability, we can fix it immediately. It's reflected in Skybox, and we have evidence for future audits." – Information Security Manager, IT Security Company

**Additional Resources**

*   Skybox Security reduces the risk of data breach by 55%, Total Economic Impact™ Study reveals
*   Skybox Security featured in 6 Gartner® Hype CyclesTM, 2022

Skybox Cloud Edition is available now. To learn more about the Skybox Security Posture Management Platform, visit https://www.skyboxsecurity.com/products/security-posture-management-platform/.  
**About Skybox Security  
**Over 500 of the largest and most security-conscious enterprises in the world rely on Skybox for the insights and assurance required to stay ahead of dynamically changing attack surfaces. Our Security Posture Management Platform delivers complete visibility, analytics, and automation to quickly map, prioritize and remediate vulnerabilities across your organization. The vendor-agnostic solution intelligently optimizes security policies, actions, and change processes across all corporate networks and cloud environments. With Skybox, security teams can now focus on the most strategic business initiatives while ensuring enterprises remain protected.

Source

DARKReading