Main driver for the change: "Plaintext SMS messages are inherently insecure."

Private messaging app Signal plans to discontinue the ability for Android users to send and receive plaintext SMS and MMS messages with the Signal app.

The app developer cited its priority of providing security and privacy to users for the decision — as well as protecting users from surprise messaging bills from their mobile providers and providing an overall more streamlined and clear user experience.

"The most important reason for us to remove SMS support from Android is that plaintext SMS messages are inherently insecure. They leak sensitive metadata and place your data in the hands of telecommunications companies. With privacy and security at the heart of what we do, letting a deeply insecure messaging protocol have a place in the Signal interface is inconsistent with our values and with what people expect when they open Signal," the mobile messaging app provider wrote in a post late last week.

The phaseout will occur over the next few months, and Android Signal users will receive notifications on how to export SMS messages and select a default SMS messenger, as well as how to invite users to Signal who texted them via SMS. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Signal to Ditch SMS/MMS Messaging on Android

Ransom Cartel ransomware-as-a-service operator blog claims to offer a new and improved version of REvil ransomware.

Although the REvil ransomware-as-a-service operation appeared to evaporate last October, analysts have found the group's influence is still considerable. 

Notably, threat researchers from Unit 42 reported finding connections between REvil activities and that of ransomware group Ransom Cartel, an up-and-coming cybercrime group claiming to offer "the same, yet improved software" as REvil. 

Following analysis, the Unit 42 team determined Ransom Cartel somehow was able to gain access to REvil ransomware source code. Ransom Cartel also mimics REvil tactics, including double extortion, Unit 42 added. However, the researchers said there are some aspects of the REvil operation that Ransom Cartel seems to lack. 

"Based on the fact that the Ransom Cartel operators clearly have access to the original REvil ransomware source code, yet likely do not possess the obfuscation engine used to encrypt strings and hide API calls," the Unit 42 ransomware report explained, "we speculate that the operators of Ransom Cartel had a relationship with the REvil group at one point, before starting their own operation."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tactics Tie Ransom Cartel Group to Defunct REvil Ransomware

Research report identifies the challenges as well as the opportunities for new products and services that arise from the threat that quantum computers pose to the "blockchain" mechanism.

**DUBLIN, Oct. 14, 2022 /PRNewswire/** — The report "The Quantum Threat to Blockchain: Emerging Business Opportunities" has been added to **ResearchAndMarkets.com's** offering.

This new research report identifies not only the challenges, but also the opportunities in terms of new products and services that arise from the threat that quantum computers pose to the "blockchain" mechanism. According to a recent study by the consulting firm Deloitte, approximately one-fourth of the blockchain-based cybercurrency Bitcoin in circulation in 2022 is vulnerable to quantum attack.

The analyst foresees major commercial opportunities arising to protect blockchain against future quantum computer intrusions and agrees with the White House National Security Memorandum NSM-10, released on May 04, 2022, which indicates the urgency of addressing imminent quantum computing threats and the risks they present to the economy and to national security in the latest report _"The Quantum Threat to Blockchain: Emerging Business Opportunities"_.

Although the main focus of this report is on the quantum threat to the integrity of cybercurrencies, the applicability of blockchain (and therefore the threat of quantum) is much broader than the newer types of money. Blockchain technology has been proposed for a wide range of transactions, including insurance, real estate, voting, supply chain tracking, gambling, etc.

A quantum computer-compromised blockchain would allow eavesdropping, unauthorized client authentication, signed malware, cloak-in encrypted session, a man-in-the-middle attack (MITM), forged documents, and emails. These attacks can lead to mission-critical operations disruption, reputation, and trust damage, as well as loss of intellectual property, financial assets, and regulated data. Note that this report covers both technical and policy issues relating to the quantum vulnerability of blockchain.

As things stand now, blockchains are secured with relatively garden-variety encryption schemes. However, quantum computers will have the computational power to break these schemes as they grow in power. Predictions of when quantum computers will attain such power vary from five years to never, but, the threat hangs over the cryptocurrency industry as a whole and is a dampener to its prospects.

Quantum computers directly threaten classical public-key/private key cryptography blockchain technologies because they can break the computational security assumptions of elliptic curve cryptography. They also significantly weaken the security of critical private key or hash function algorithms, which protect the blockchain's secrets.

Also, some of the early expenditures on quantum-safe technology in the cybercurrency market will undoubtedly go to protecting data from attacks later, when quantum computing resources become mature. This issue becomes more important as we grow closer to the day when powerful quantum computers become a reality. But preemptive action on the quantum threat means that the business opportunities in this space are emerging right now.

As this report makes clear, the publisher sees major commercial opportunities to protect blockchain and the technologies dependent on blockchain against future quantum computer intrusions. One area that this report focuses on especially is post-quantum encryption (PQC), in which relatively traditional encryption schemes are devised that are simply much harder to break than currently used encryption schemes. With NIST announcing a new set of PQC standards in July 2022, the publisher believes that PQC firms will be receiving major investments in the near term as a result of the growing concerns about bad actors with access to quantum computing resources.

The publisher believes there is also a need for relatively low-cost information-theoretically secure (ITS) solutions that instantly strengthen standardized cryptography systems used in blockchains. Thus, this report also discusses quantum-enabled blockchain architectures based on Quantum Random Number Generators (QRNG) and Quantum Key Distribution (QKD).

**Key Highlights:**

*   With NIST announcing a new set of PQC standards in July 2022, PQC firms will soon be receiving major investments in the near term , much of which will apply to blockchain. However, not all NIST-based PQC solutions will be feasible for blockchain use. Given the nature and intricacy of PQC, it will take years of planning for a successful migration to PQC-backed Blockchain protection.
*   The earliest of expenditures on quantum safe technology in the block chain market will go to protecting data from attacks later, when quantum computing resources become mature. This issue becomes more important as we grow closer to the day when powerful quantum computers become a reality. But data theft today requires preemptive action. The quantum threat to the blockchain means that business opportunities in this space are emerging right now.
*   There is a need for low-cost information-theoretically secure (ITS) solutions that instantly strengthen standardized cryptography systems used in blockchains. Already much discussed in this context are quantum-enabled blockchain architectures based on Quantum Random Number Generators (QRNG) and Quantum Key Distribution (QKD). Another important concept is quantum-enabled blockchain, which refers to an entire blockchain or some aspects of the blockchain functionality being run in quantum computing environments.
*   Mining is another aspect of blockchains vulnerable to quantum attacks. Mining is the consensus process that certifies new transactions and keeps blockchain activities protected. One risk with mining is that miners using quantum computers could launch a 51% attack. A 51% attack is when a single entity controls more than half of the computational power of the blockchain. A quantum attack on mining would undermine the network's hashing power.

**Key Topics Covered:**

**Chapter One: Introduction**  
1.1 Objective and Scope of this Report  
1.1.1 The Threat of Quantum Computers to Blockchain  
1.2 Cryptography Background to this Report  
1.2.1 Concerned Organizations  
1.2.2 NIST PQC Efforts and Beyond  
1.2.3 Addressable Market for Quantum-safe Cybercurrency  
1.3 The Goals of this Report

**Chapter Two: Classical Blockchain Cryptography and Quantum Computing Attacks**  
2.1 Overview of the Quantum Threat  
2.2 NIST and Post-quantum Cryptography  
2.2.1 Structure of the NIST PQC Effort  
2.2.2 Importance of Asymmetric Digital Signatures  
2.2.3 Impact of Doubling Key Size  
2.2.4 Algorithm Security Strength  
2.3 Advanced Encryption Standard (AES)  
2.4 Quantum Attack Resources Estimates to Break ECC and DSA  
2.5 Quantum Resistant Cryptography for Blockchains  
2.5.1 Taproot and Bitcoin Core  
2.5.2 Impact of NIST-based PQC Algorithms  
2.6 Post-quantum Random Oracle Model  
2.6.1 Modeling Random Oracles for Quantum Attackers  
2.7 Summary of this Chapter

**Chapter Three: Quantum Opportunities of the Blockchain Kind**  
3.1 Blockchain Basics  
3.1.1 What are Classical Blockchains?  
3.2 Quantum-Enabled Blockchain  
3.2.1 Role of Quantum-safe Security Technologies  
3.3 Blockchain Security  
3.3.1 Role of Conventional Cryptography  
3.3.2 Attacks on Classical Cryptography  
3.3.2.1 Some Known Attacks Against ECDSA  
3.3.2.2 ECDSA Key Pair Generation:  
3.3.2.3 Signature Computation:  
3.3.2.4 Recommendations:  
3.3.2.5 Blockchain Security Summary:  
3.4 Mitigating Cyberattacks on Blockchains  
3.5 Blockchain Security: Entropy/Randomness  
3.5.1 Examples of Low Entropy Attacks  
3.6 Random Number Generator Product Evolution  
3.6.1 PRNGs  
3.6.2 TRNGs  
3.6.3 QRNGs  
3.6.4 OpenSSL 3.0  
3.7 Summary of this Chapter

**Chapter Four: Quantum Impacts on the Cryptocurrency Business**  
4.1 Qubit and Quantum Gates  
4.1.1 Qubits  
4.1.2 Quantum Gates  
4.1.3 Quantum Fourier Transform  
4.1.4 Oracle  
4.1.5 Amplitude Amplification  
4.2 Quantum Algorithms  
4.2.1 Shor's Algorithm  
4.3 Specific Quantum Threat to Blockchains  
4.3.1 Risk of Quantum Attack in Authentication  
4.3.2 Grover's Algorithm and Hashing  
4.4 Risk of Quantum Attack in Mining  
4.5 Nonce Attacks  
4.6 Blockchain Data Structures  
4.7 Summary of this Chapter

**Chapter Five: Quantum Hash and QKD**  
5.1 Classical to Quantum Hashing Functions  
5.1.1 Summary: Quantum Hashing Functions  
5.2 Quantum Key Distribution (QKD)  
5.2.1 Technical Issues  
5.2.2 Issues Needing Work in Blockchain Enabled QKD  
5.2.2.1 Summary: QKD Technical Issues and Blockchain Integration  
5.2.2.2 Software-defined Networking QKD and Blockchain  
5.3 Notes on Interface Protocols  
5.3.1 Southbound Interface  
5.3.2 Northbound Interface Protocol  
5.3.3 Resource Allocation  
5.4 Steps Blockchain Organizations Can Take Now  
5.5 Summary of this Chapter

**About the Publisher**

**About the Analyst**

**Acronyms and Abbreviations Used In this Report**

For more information about this report visit https://www.researchandmarkets.com/r/lh4alo

**SOURCE:** Research and Markets

New Research Report Predicts Blockchain and Quantum Threat Will Quickly Spread Beyond Cybercurrencies; Surge in New Product and Services Opportunities to Come

Here's how to differentiate vendors that can back up their words with solutions and those that  cannot.

I recently found myself in a meeting with a fast-talker. I'm sure that most of you know the type and have run across them more than a few times over the course of your careers. These people spout long sentences with big words that have very little meaning. They also seem to have a response for everything (words) yet almost never follow up on or complete anything (action).

While fast-talkers can be frustrating, they can also teach us six valuable lessons about how to vet vendors — separating those that can back up their words with action (solutions) vs. those who can't.

**1\. Ask for the Data**

There is such a thing as objective truth. That truth is based on facts — also known as empirical evidence or data. When a vendor is trying to sell you on something, ask to see the data to back it up. The serious vendors will be able to show you. If a vendor can't back up its claims with data, that raises some serious questions.

**2\. Request References**

In the security and fraud space, trust is huge, and it's built up over time. Vendors that have their customers' trust have undoubtedly worked very hard to attain it. That holds value and should not be taken lightly. Ask your prospective vendor about its client list, and then ask those clients their opinions about the company.

**3\. Listen for Straightforward Answers**

I don't know about you, but when I ask a straightforward question, I expect a straightforward answer. As the adage, often attributed to Albert Einstein, goes: "If you can't explain it simply, you don't understand it well enough." If the vendor's answer becomes a monologue, something is off.

**4\. Ask for Proof**

Vendors often claim that they can do A, B, and C. If those are capabilities I need to address my operational gaps, fantastic. Still, ask them to show you how they do what they say. Vendors that truly have the capability will gladly show you — sometimes in more depth or detail than you cared to see. Vendors that are merely paying lip service to having certain capabilities will likely talk in circles or change the subject. That should clue you in to the likelihood that they probably cannot address your operational gaps.

**5\. Establish Clear Success Criteria**

When engaging with a vendor, it is important to create and document clear success criteria. What are the engagement's objectives? What operational gaps are you looking to address? What does success look like? What metrics will be used to measure it? If during the engagement the success criteria need to be adjusted, what is the process for doing so? These are among the questions that need to be answered before a vendor engagement commences. Vendors that cannot successfully meet the success criteria will most likely push back on them. This can be an indicator that the vendor can't back up their words with actions.

**6\. Require a Proof of Concept**

A proof of concept (PoC) is a common way for vendors to show value and demonstrate to customers that they can back up their words in practice. Any PoC should be governed by and measured objectively against the agreed-on success criteria. If the vendor shies away from a PoC or will not commit or agree to being measured by success criteria, that raises some questions.

It is true that many vendors in the security and fraud space say the same things. However, there are ways for enterprises to hold those vendors accountable to their words. By doing so, businesses can ensure that they get the solutions they need, rather than empty promises.

What Fast-Talkers Can Teach Us About Vetting Vendors

Foreign nations continue to target various US public entities and private industries with cyberattacks, but the coming midterms are driving more disinformation than hacking, say experts.

While traditional cyberattack operations against US government organizations have remained fairly consistent, influence and disinformation attacks by foreign nations have increased in the run-up to the US midterm elections.  

On the cyberattack front, the China-linked hacking group Budworm has targeted several government agencies, including the legislature for a US state, over the past six months, according to Symantec, part of Broadcom Software. The attack on a US government organization is the second recent incident — after a hiatus of more than six years — where the group has targeted a US private-sector agency, the company's researchers stated in an advisory.

The attack is a departure from the group's more recent strategy of targeting Southeast Asia, and could mark a shift in strategy, says Dick O'Brien, principal intelligence analyst for the Symantec Threat Hunter team.  

The group "has been mounting espionage attacks in other regions, mostly Asia and the Middle East, \[and\] earlier this year German intelligence warned of attacks on organizations in that country," he says. "We consider Budworm to be one of the more capable APT outfits, and the return to the US could signal a change in strategic priorities."

However, security experts expect mostly a variety of influence attacks to ramp up against US government agencies and the campaigns of political candidates as the country's midterm elections approach. 

Cyber-intelligence firm Recorded Future pointed to the US intelligence community's assessment of foreign threats to the 2020 election and concluded that the country should expect more of the same in 2022.

"\[I\]n 2022, such behavior \[attempting to influence politics\] has likely only intensified against the backdrop of conventional and hybrid warfare in Ukraine, broad international ramifications of said conflict, lingering effects of a global pandemic, and a broadening distrust in traditional democratic institutions," Recorded Future stated in its report, adding: "The key motivations for influencing US elections are typically centered around adversaries' long-term geopolitical interests and furthering their own domestic goals."

Russia is focused on "sowing discord with regard to US political and societal affairs," with a focus on hindering concerted opposition to its invasion of Ukraine, while China conducts both public and private campaigns against its detractors, and Iranian actors aim to create support for a nuclear deal. Domestic extremists have become a significant disinformation threat over the past half decade, the company concluded.

**Not Just Russia**

Foreign countries continue to level a variety of attacks against public and private US organizations. In addition to Budworm, aka Aquatic Panda, cybersecurity services firm CrowdStrike has encountered North Korean hacking groups such as Stardust Chollima attacking financial organizations and stealing cryptocurrency and Iranian groups such as Charming Kitten targeting US government officials.

Recently, FBI officials warned both Republican and Democratic campaigns that they are being targeted by hackers thought to be linked to the Chinese state-sponsored APT1 group, according to The Washington Post. The hackers targeted the domains belonging to more than 100 political parties in US states with Internet scans and other attack activity, the National Security Agency (NSA) reported warned.

Such disruptive attacks and financial hacking are a constant presence, says Adam Meyers, senior vice president of threat intelligence for CrowdStrike.

"There is constantly espionage operations targeting the US — you know, constant, we are tracking it every single day," he says.

With the US midterm elections less than a month away, much of the disinformation has focused on attempting to change attitudes of undecided voters and energizing supporters to get out and vote.

In addition, some threat actors have targeted election officials with online attacks. County-level election workers are being targeted with phishing attacks, with Arizona, for example, seeing a doubling of attacks between the second and third quarters, according to endpoint detection and response (EDR) firm Trellix. Another battleground state, Pennsylvania, also saw an dramatic increase of nearly 70% in malicious e-mail messages, the company said in an Oct. 12 blog post.

The surge in e-mail messages is a reminder that election security issues affect smaller government agencies, which do not have the deep pockets of larger companies, Trellix researchers stated in the post.

"\[S\]tates and localities do not operate on an equal cybersecurity footing" as the federal government, they said. "Some will be more susceptible to attacks than others and many will continue to require the help of the federal government to not only harden themselves to these and other attacks, but also educate local election employees in cyber hygiene to thwart them at their point of attack."

**CISA, FBI: No "Successful Attack" on Election Systems**

To reassure US citizens that their votes will count, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigations (FBI) published an announcement on Oct. 4, emphasizing that the agencies have not yet seen any significant, nor successful, attack on election systems.  

"As of the date of this report, the FBI and CISA have no reporting to suggest cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of voter registration information," the agencies stated. "Any attempts tracked by FBI and CISA have remained localized and were blocked or successfully mitigated with minimal or no disruption to election processes."

Former president Donald Trump and his supporters have pushed dispelled theories of election fraud both prior to and following the 2020 presidential election. In the Republican primaries, many Trump supporters also made claims, without evidence, of election fraud, prior to the final tally, even when they won the primary.

CISA and the FBI did not address any specific claims, but warned voters to be critical of such news.

"Be wary of emails or phone calls from unfamiliar email addresses or phone numbers that make suspicious claims about the elections process or of social media posts that appear to spread inconsistent information about election-related incidents or results," the agencies stated.

Disinformation Attacks Threaten US Midterm Elections

A cross-disciplinary effort of change is needed to attract new professionals in the coming decade.

In 2010, the Center for Strategic and International Studies (CSIS) published the report "A Human Capital Crisis in Cybersecurity," which noted "there are about 1,000 security people in the US who have the specialized security skills to operate effectively in cyberspace. We need 10,000 to 30,000."

Twelve years later, the Cyberspace Solarium Commission 2.0 Workforce Development Agenda for the National Cyber Director observed that "in the United States, there are almost 600,000 open cybersecurity jobs across the private sector and federal, state, and local governments — a remarkable gap considering that the field currently employs just over a million professionals." This is not an encouraging trend.

**Stakeholders Who Have the Power**

To effect multigenerational change, there are four distinct groups of stakeholders that have the power to best address a problem that has existed for over a decade.

**Cybersecurity buyers** should generally stop buying point solutions and instead focus on a strategy of long-term consolidation of technical cybersecurity capabilities. Although the latest shift-left-zero-trust-artificial-intelligence-XDR-machine-learning "solution" may provide comprehensive coverage against the latest techniques from an advanced persistent threat, it's meaningless unless your organization has actual proof of engagement by an advanced persistent threat (APT) that uses those techniques. Each new point solution has a training and operations burden, typically a minimum of two people who must learn to design and operate the solution.

Unfortunately, each new solution also needs to be integrated into the organization's existing security stack, which takes precious time and resources, and where visibility failures may provide coverage for threat actors to hide. By comparison, an integrated security stack might not immediately cover every conceivable technology threat permutation, but it will take fewer human resources to own and operate, and those staff tasked with operations will have in-depth knowledge as a result.

**HR professionals** should de-emphasize the importance of certifications for interns and junior and midcareer professionals and instead focus on on-the-job training and clearly defined career paths for cybersecurity professionals. The issue with certifications has existed since before CSIS in 2010 observed, "It is the consensus of the Commission that the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security." Part of the reason for the workforce gap is the sheer number of entry-level job postings that require certifications; the specificity of the job descriptions also has been repeatedly shown to discourage otherwise-qualified women and minorities from even applying.

Retaining cybersecurity professionals is similarly difficult, as many junior and midcareer professionals will change jobs every two to five years to gain expertise with new technologies and additional security domains. Both hiring and retention can be managed effectively with well-defined career paths for cybersecurity professionals, such as those defined by the National Institute of Standards and Technology's (NIST) National Initiative for Cybersecurity Education (NICE) program. When supplemented by paid training from employers, employees are more likely to stay, which further reduces the cybersecurity skills gap.

**Compliance professionals** should be aware that their security counterparts are continuously overextended and seek to automate as many compliance operations as feasible. When responding to an internal assessment or an external audit, compliance professionals regularly rely on the security team to collect evidence of internal control operation and effectiveness. Realistically, this is an "extra" job duty on the part of security professionals, and as such, these tasks may be done in a rush or put off to the last minute, due to the more pressing duties on their limited time. These activities include manual tasks such as taking a screenshot of the password policy and saving it in a defined location or creating a PDF report showing that all hard drives are encrypted. As these compliance activities do not require creativity or intuition, they are prime opportunities for automation, which will lessen the time burden on security professionals. This may also result in a positive change in budgetary priorities, as an organization that has automated many compliance operations can hire additional security staff rather than additional compliance staff.

**Individual cybersecurity professionals** should reach out to middle schools and high schools to find opportunities to speak to young people about their jobs. A persistent misconception in secondary education is that cybersecurity jobs require a programming background, yet most cybersecurity jobs require no expertise in programming. Individual contributors across all disciplines — including sales, marketing, UX design, customer success, DFIR, and red teamers — should try to speak to one secondary school audience about what they do, why they love their job, and how their job has a middle-class salary that likely only required a two-year degree. That last part will resonate with many secondary school students and their parents who are considering how long it may take to pay off a four-year university degree.

Despite there not being a single solution to solving the cybersecurity workforce gap, there are reasons to be hopeful. The cybersecurity community attracts people who like working in teams and sharing their knowledge and experiences. A cross-disciplinary effort of behavioral changes across stakeholders based on shared values may be our best solution moving forward for the next decade.

4 Stakeholders Critical to Addressing the Cybersecurity Workforce Gap

Offers solution to accelerate identity intelligence through simplified, yet extensive, visibility of user activity.

**WALTHAM, Mass., Oct. 17, 2022 (GLOBE NEWSWIRE)** — Imprivata, the digital identity company for mission- and life-critical industries, today announced the expansion of its integrated digital identity platform to defragment identities across a broad set of clinical and enterprise applications, with full visibility into individual user access activity. This integration leverages Imprivata OneSign, the company’s single sign-on solution, as the identity source for Imprivata FairWarning, its risk analytics and intelligence offering, to uniquely provide the necessary view of users across the entire application ecosystem to ensure compliance and reduce security risks.  

Healthcare organizations must understand quickly and easily who is accessing protected health information (PHI) to accurately detect, investigate, and prevent major issues before they happen. However, an alarming 51% of organizations don’t monitor access to critical systems and data. For most, it is difficult to understand anomalous behavior across the network as user IDs are not consistent across applications. As a result, it can be extremely challenging to remain compliant with HIPAA and other regulations while preventing hacks and data breaches.

“Today’s security, compliance, and privacy professionals are facing unprecedented complexities that create barriers to delivering efficient and seamless access to technology resources needed for optimum patient care delivery,” said Mark McArdle, Chief Products and Design Officer at Imprivata. “Solving complex digital identity challenges is our key priority, so we’re proud to extend our platform of capabilities to make their jobs easier and their organizations more secure.”

Available immediately, this integration enables healthcare organizations to:

*   **View enforced policy violations across the ecosystem** to identify high-risk users at-a- glance
*   **Increase match rates and accelerate user risk scoring via artificial intelligence (AI)** to understand and assess risk based on cross-application activity
*   **Simplify management of user lists in one place** to replace manual management of user lists in each EHR or data source
*   **Automate processes** for updating user information as they move into new roles or departments

Imprivata FairWarning and Imprivata OneSign contribute broadly to the Imprivata Digital Identity Framework (DIF), a guide to enabling, controlling, and monitoring identities across highly complex ecosystems.

For more information, visit www.imprivata.com.

**About Imprivata**   
Imprivata is the digital identity company for mission- and life-critical industries, redefining how organizations solve complex workflow, security, and compliance challenges with solutions that protect critical data and applications without workflow disruption. Its platform of interoperable identity, authentication, and access management solutions enable organizations in over 45 countries to fully manage and secure all enterprise and third-party digital identities by establishing trust between people, technology, and information.

Imprivata Expands Its Integrated Digital Identity Platform to Defragment Identities Across Disparate Applications

Microsoft highlighted emerging confidential computing offerings for Azure during its Ignite conference.

Microsoft is putting hardware in charge of data protection in Azure to help customers feel confident about sharing data with authorized parties within the cloud environment. The company made a series of hardware security announcements at its Ignite 2022 conference this week to highlight Azure's confidential computing offerings.

Confidential computing involves creating a Trusted Execution Environment (TEE), essentially a black box to hold encrypted data. In a process called attestation, authorized parties can place code inside the box to decrypt and access the information without first having to move the data out of the protected space. The hardware-protected enclave creates a trustworthy environment in which data is tamper-proof, and the data isn't accessible to even those with physical access to the server, a hypervisor, or even an application.

"It's really kind of the ultimate in data protection," Mark Russinovich, Microsoft Azure's chief technology officer, said at Ignite.

**On Board With AMD's Epyc**

Several of Microsoft's new hardware security layers take advantage of on-chip features included in Epyc — the server processor from Advanced Micro Devices deployed on Azure.

One such feature is SEV-SNP, which encrypts AI data when in a CPU. Machine-learning applications move data continuously between a CPU, accelerators, memory, and storage. AMD's SEV-SNP ensures data security inside the CPU environment, while locking off access to that information as it goes through the execution cycle.

AMD's SEV-SNP feature closes a critical gap so data is secure at all layers while residing or moving in the hardware. Other chip makers have largely focused on encrypting data while in storage and in transit on communication networks, but AMD's features secure data while being processed in the CPU.

That offers multiple benefits, and companies will be able to mix proprietary data with third-party datasets residing in other secure enclaves on Azure. The SEV-SNP features use attestation to ensure incoming data is in its exact form from a relying party and can be trusted.

"This is enabling net new scenarios and confidential computing that was not possible before," said Amar Gowda, principal product manager at Microsoft Azure, during an Ignite webcast.

For example, banks will be able to share confidential data without the fear of anyone stealing it. The SEV-SNP feature will bring encrypted bank data into the secure third-party enclave where it could mingle with datasets from other sources.

"Because of this attestation and memory protection and integrity protection, you can rest assured that the data does not leave the boundaries in the wrong hands. The whole thing is about how do you enable new offerings on top of this platform," Gowda said.

**Hardware Security on Virtual Machines**

Microsoft also added additional security for cloud-native workloads, and the non-exportable encryption keys generated using SEV-SNP are a logical fit for enclaves where data is transient and not retained, James Sanders, principal analyst for cloud, infrastructure, and quantum at CCS Insight, says in a conversation with Dark Reading.

"For Azure Virtual Desktop, SEV-SNP adds an additional layer of security for virtual-desktop use cases, including bring-your-own-device workplaces, remote work, and graphics-intensive applications," Sanders says.

Some workloads haven't moved to the cloud because of regulation and compliance limitations tied to data privacy and security. The hardware security layers will allow companies to migrate such workloads without compromising their security posture, Run Cai, a principal program manager at Microsoft, said during the conference.

Microsoft also announced that the Azure virtual desktop with confidential VM was in public preview, which will be able to run Windows 11 attestation on confidential VMs.

"You can use secure remote access with Windows Hello and also secure access to Microsoft Office 365 applications within confidential VMs," Cai said.

Microsoft has been dabbling with the use of AMD's SEV-SNP in general-purpose VMs from earlier this year, which was a good start, CCS Insight's Sanders says.

Adoption of SEV-SNP is also important validation for AMD among data center and cloud customers, as previous efforts at confidential computing relied on partial secure enclaves rather than protecting the entire host system.

"This was not straightforward to configure, and Microsoft left it to partners to provide security solutions that leveraged in-silicon security features," Sanders says.

Microsoft's Russinovich said that Azure services to manage hardware and deployment of code for confidential computing are coming. Many of those managed services will be based on Confidential Consortium Framework, which is a Microsoft-developed open source environment for confidential computing.

"Managed service is in preview form ... we've got customers that are kicking the tires on it," Russinovich said.

Microsoft Secures Azure Enclaves With Hardware Guards

The authentication bypass flaw in FortiOS, FortiProxy and FortiSwitchManager is easy to find and exploit, security experts say.

Concerns over a critical authentication bypass vulnerability in certain Fortinet appliances heightened this week with the release of proof-of-concept (PoC) exploit code and a big uptick in vulnerability scans for the flaw.

The bug (CVE-2022-40684) is present in multiple versions of Fortinet's FortiOS, FortiProxy and FortiSwitchManager technologies. It allows an unauthenticated attacker to gain administrative access to affected products via specially crafted HTTPS and HTTP requests, and potentially use that as entry point to the rest of the network.

Bharat Jogi, director of vulnerability threat research at Qualys says researchers at the company have observed mass scans being carried out by various threat actors to identify Internet facing vulnerable systems for compromise.

"They are compromising these systems to create a super\_admin user which provides them with complete access and control," Jogi says. "Once this level of access is achieved, they have the ability to delete any trace of their successful exploitation attempt, making it difficult for organizations to track compromised assets in their environment."

If this flaw is successfully exploited, an attacker would have complete access to the organization's internal systems that were previously protected by Fortinet's firewalls, he says. "Having a compromised firewall is like laying out a red carpet for threat actors to stroll right into your organization's environment," Jogi notes.

**Added to CISA's Known Exploited Vulnerabilities Catalog**

The US Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the vulnerability to its Known Exploited Vulnerabilities catalog. Federal executive branch agencies—which are required to remediate vulnerabilities in the catalog within specific deadlines—have until Nov. 1 to address it. Though the deadline applies only to federal agencies, security experts have previously noted how it is a good idea for all organizations to monitor the vulnerabilities in the catalog and follow CISA's deadline for implementing fixes.

Fortinet privately notified customers of the affected products about the vulnerability last Friday, along with instructions to immediately update to patched versions of the technology the company had just released. It advised companies that could not update for any reason to immediately disable Internet-facing HTTPS administration until they could upgrade to the patched versions. 

"Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade," Fortinet said in its private notification, a copy of which was posted on Twitter the same day.

Fortinet followed up with a public vulnerability advisory on Monday describing the flaw and warning customers of potential exploit activity. The company said it was aware of instances where attackers had exploited the vulnerability to download the configuration file from affected systems and to add a malicious super\_admin account called "fortigate-tech-support".

Since then, penetration testing from Horizon3.ai has released proof-of-concept code for exploiting the vulnerability along with a technical deep dive of the flaw. A template for scanning for the vulnerability has also become available on GitHub.

Exacerbating the concerns is the relatively low bar for exploiting the flaw. "This vulnerability is extremely easy for an attacker to exploit. All that is required is access to the management interface on a vulnerable system," Zach Hanley, chief attack engineer at Horizon3.ai, tells Dark Reading

**Increase in Scanning Activity for the Flaw**

Qualys isn't the only company observing increased vulnerability scanning for the flaw. James Horseman, exploit developer at Horizon3.ai says public data from GreyNoise—which tracks Internet scanning activity hitting security tools—shows the number of unique IPs using the exploit has grown from the single digits a few days ago, to over forty as of Oct. 14.

"We expect the number of unique IPs using this exploit to rapidly increase in the coming days," Horseman says. It is not hard for attackers to find vulnerable systems, he adds: A Shodan search for instance shows more than 100,000 Fortinet systems worldwide. 

"Not all of these will be vulnerable, but a large percentage will be," Horseman says.

Johannes Ullrich, dean of research at the SANS Institute, says he has observed scans associated with an older FortiGate vulnerability (CVE-2018-13379,) hitting SANS' honeypots in the days following disclosure of the new bug. He says there are two theories why that might be happening.

One of them is that an attacker may have tried to catch as many devices as possible that had not yet been patched for the old vulnerability. Given the attention the new vulnerability has gotten it is likely the old vulnerability will get patched as well now, he says.

"Or the attacker was trying to find Fortinet devices to exploit using the new vulnerability once it is available," he theorizes. "The old vulnerability scanner they had sitting on the shelf may still work to identify Fortinet devices."

**A Popular Attacker Target**

Concerns over vulnerabilities in Fortinet products are not new. The company's technologies—and those of others selling similar appliance—have been frequently targeted by attackers trying to gain an initial foothold on target network. 

Last November. The FBI, CISA and others issued an advisory warning of Iranian advanced persistent threat actors exploiting vulnerabilities in Fortinet and Microsoft products. A similar alert in April 2021 warned of attackers exploiting flaws in FortiOS to break into multiple government, commercial, and technology services.  

"These vulnerable devices are often edge devices, so an attacker could potentially use this vulnerability to gain access to an organization's internal networks to launch further attacks," Hanley says.

Fortinet itself has recommended that organizations that are able to, must update to the newly patched versions of FortiOS, FortiProxy and FortiSwitch Manager. For organizations that cannot immediately update, Fortinet has provided guidance on how to disable the HTTP/HTTPS interface or limit IP addresses that can reach the administrate interface of the affected products.

Hanley says organizations sometimes may not be able to patch due to the potential downtime associated with updating a device. "However, an organization should be able to apply \[the\] workaround to prevent this vulnerability from being exploited on unpatched machines by following Fortinet’s guidance."

Qualys' Jogi adds, "It is also crucial to review any attempts of exploit to identify systems that may have already been compromised. If an organization is unable to patch their systems, then they must disable the system admin interface immediately."

Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows

Such exploits sell for up to $10 million, making them the single most valuable commodity in the cybercrime underworld.

Over the past few years, there's been an increase in the number of attackers targeting Apple, especially with zero-day exploits. One major reason is that a zero-day exploit might just be the most valuable asset in a hacker's portfolio — and hackers know it. In 2022 alone, Apple has discovered seven zero-days and has followed up these discoveries with the required remedial updates. But it doesn't seem like the cat-and-mouse game will die anytime soon.

In 2021, the number of recorded zero-days overall was more than double the figures recorded in 2020, showing the highest level since tracking began in 2014, according to a repository maintained by Project Zero. MIT Technology Review attributed this rise to the "rapid global proliferation of hacking tools" and the willingness of powerful state and non-state groups to invest handsomely in the discovery and infiltration of these operating systems. Threat actors actively search for vulnerabilities, find a way to exploit them, then sell the information to the highest bidder.

**The Zero-Day Battles**

Suffering repeatedly from these infiltrations is the tech giant, Apple. After recovering from 12 recorded exploitations and remediation in 2021, Apple was welcomed into the new year of 2022 with two zero-day bugs in its operating systems and a WebKit flaw that could have leaked users' browsing data. Barely one month after releasing 23 security patches to fix those issues, another flaw was discovered — one that would allow attackers to infect users' devices when they process certain malicious Web content.

Fast-forward to August 17 and Apple revealed it had found two new vulnerabilities in its operating system: CVE-2022-32893 and CVE-2022-32894. The first vulnerability gives remote code execution (RCE) access to Apple's Safari Web browser kit, used by every iOS and macOS-enabled browser. The second, another RCE flaw, gives attackers complete and unrestricted access to the user's software and hardware. Both vulnerabilities affect most Apple devices — especially the iPhone 6 and later models, iPad Pro, iPad Air 2 onwards, iPad 5th generation and newer models, iPad mini 4 and newer versions, iPod touch (7th generation), and macOS Monterrey. Recognizing the risk level of such a threat, Apple recently released security updates to remediate these "actively exploited" vulnerabilities. This would be the fifth and sixth zero-day vulnerability exploited in Apple's systems just this year.

A couple weeks later, speculations about another zero-day exploit arose. One research team, in particular, said it found an ad on the Dark Web offering a supposedly weaponized version of an Apple vulnerability for over €2 million. While these speculations remain unconfirmed, soon after Apple released security updates for its seventh actively exploited zero-day vulnerability of 2022: CVE-2022-32917. According to the advisory, attackers could leverage this flaw to create applications that execute arbitrary code with kernel capabilities.

Zero-day exploits sell for up to $10 million, Digital Shadows' Photon Research Team reports, positioning them as the single most expensive commodity in the cybercrime underworld. With a bounty like that, the market for these exploits are bound to expand and further exacerbate cyber threats.

**Apple Isn't Alone in the Zero-Day Wild**

Apple is not alone in this struggle. In recent months, tech giants like Microsoft, Adobe, and Google have also had to patch zero-day vulnerabilities that have been actively exploited in the deep Web. A June article on Dark Reading noted that there had been "a total of 18 security vulnerabilities exploited as unpatched zero-days in the wild," and the number has since risen to 24. From all indications, attackers won't slow down anytime soon, especially as new variants of already patched zero days continue to surface.

As adversaries continue to find loopholes across systems and security architectures, enterprise leaders must keep prioritizing proactive defenses to stay ahead of attacks. One way to be proactive, according to Craig Harber, CTO at Fidelis Cybersecurity, is for organizations to map cyber terrains by gaining full visibility into their entire systems.

"Discovery is a ballet of strategy, inventory, and evaluation. Organizations need the ability to continuously discover, classify, and assess assets — including servers, enterprise IoT, laptops, desktops, shadow IT, and legacy systems," he notes.

Source

DARKReading