Barracuda research finds organizations are struggling to protect operational technology and getting breached as a result.

CAMPBELL, Calif., July 12, 2022 /PRNewswire/ -- Barracuda Networks Inc. (Barracuda), a trusted partner and leading provider of cloud-enabled security solutions, today released key findings from a report titled _The State of Industrial Security in 2022__._ Commissioned by Barracuda, the research surveyed 800 senior IT managers, senior IT security managers, and project managers responsible for industrial internet of things (IIoT)/operational technology (OT) in their organization to get their perspectives on IIoT/OT security projects, implementation challenges, security incidents, technology investments, and a variety of issues related to cybersecurity risks.

Overall, the research shows that critical infrastructure is under attack, and despite agreement that IIoT and OT security is critical, businesses are facing some significant challenges as the geopolitical landscape becomes increasingly tense. Security breaches have shown to have impacts beyond monetary losses as well, resulting in significant downtime with long-lasting breach impact. The research found:

*   **Attacks are widespread:** 94% of organizations surveyed acknowledged experiencing a security incident in the last 12 months.
*   **Geopolitical concerns:** 89% of respondents are very or fairly concerned about the impact that the current threat landscape and geopolitical situation will have on their organizations.
*   **Breaches are impacting operations:** 87% of organizations that experienced an incident were impacted for more than one day.

"In the current threat landscape, critical infrastructure is an attractive target for cybercriminals, but unfortunately IIoT/OT security projects often take a backseat to other security initiatives or fail due to cost or complexity, leaving organizations at risk," **said Tim Jefferson, SVP, Engineering for Data, Networks and Application Security, Barracuda.** "Issues such as the lack of network segmentation and the number of organizations that aren't requiring multifactor authentication leave networks open to attack and require immediate attention."

Organizations across the board have acknowledged the importance of investing even further in IIoT and OT security, with 96% of business leaders noting that their organization needs to increase their investment in industrial security. A full 72% of organizations signaled that they have either already implemented or are in the process of implementing IIoT/OT security projects, but many are facing significant challenges when it comes to implementation, including basic cyber hygiene.

*   **Manufacturing and healthcare lag behind:** Critical infrastructure organizations are leading with implementation, and 50% in oil and gas having completed projects. Only 24% in manufacturing and just 17% in healthcare have completed projects.
*   **Businesses are experiencing failures:** 93% have failed in their IIoT/OT security projects.
*   **Effective IIoT security implementations are making an impact:** For organizations with completed IIoT and OT security projects, 75% have experienced no impact at all from a major incident.
*   **Multifactor authentication (MFA) use is low:** Only 18% of companies surveyed restrict network access and enforce multifactor authentication when it comes to remote access to OT networks.
*   **Low MFA use is prevalent even in critical industries:** Critical verticals like energy (47%) allow full remote access without MFA for external users.
*   **Skills have an impact:** Less than half of organizations surveyed can handle applying security updates themselves (49%).
*   **Manual updates are cumbersome:** Organizations are hit the worst when security updates are not automatic.

IIoT and OT security continue to be a major target for attackers, but there is hope for businesses that take a proactive approach. Businesses should implement tools to combat these challenges, including the use of secure endpoint connectivity devices and ruggedized network firewalls, all centrally deployed and managed via a secure cloud service that can enable effective network segmentation and advanced threat protection, provide multifactor authentication, and even implement Zero Trust Access.

"IIoT attacks go beyond the digital realm and can have real-world implications." said **Klaus Gheri, VP Network Security, Barracuda.** "As attacks continue to rise across industries, taking a proactive security approach when it comes to industrial security is critical for businesses to avoid being the next victim of an attack."

**Resources:**

Download the full report: https://barracuda.com/iiot-2022-report  
Read the blog post: http://cuda.co/51231

**About Barracuda**

At Barracuda we strive to make the world a safer place. We believe every business deserves access to cloud-first, enterprise-grade security solutions that are easy to buy, deploy, and use. We protect email, networks, data, and applications with innovative solutions that grow and adapt with our customers' journey. More than 200,000 organizations worldwide trust Barracuda to protect them — in ways they may not even know they are at risk — so they can focus on taking their business to the next level. For more information, visit barracuda.com.

New Research Reveals 93% of Organizations Surveyed Have Had Failed IIoT/OT Security Projects

Machine learning and automation can help free up security pros for higher-value tasks.

Humans have a well-deserved reputation for being the weakest link in the cybersecurity of any size organization. Whether it's an IT specialist misconfiguring a firewall setting, a DevOps engineer failing to secure a cloud storage bucket, or a hapless business user falling for a phishing scam, the vast majority of cybersecurity breaches are primarily caused by human error creating exploitable vulnerabilities. The result is many avoidable weaknesses being pursued by criminal opportunists enabled by cheap, plentiful cybercrime tools of the trade.

Thankfully, the humans working in the security operations center (SOC), the Tier 1 and Tier 2 analysts on the front line of cyber defense, are the strongest link in cybersecurity operations. They must be kept in the loop, ideally performing higher-value tasks than keeping "eyes on the glass" to review security telemetry.

**Tools for Assisting, Not Replacing, Humans  
**

Looking to technology to help us secure technology is the right approach. The servers, Web applications, endpoints, network devices, and security measures in a company's digital landscape produce massive volumes of security telemetry and alerts that must be monitored and analyzed, but most turn out to be benign.

Identifying the meaningful alerts in high-volume event streams is the perfect job for correlation rules and unsupervised machine learning (ML) algorithms that combine human knowledge and threat intelligence with continuous learning and improvement. Machines can handle the speed and scale required for the initial screening of the high-volume stream of event logs and alerts. Also, algorithms don't get tired or have a lapse in attention, go on vacation, or call in sick.

Automating this facet of SOC operations allows these AI-based tools to do the tedious work of sifting out false positives and correlating and surfacing real alerts in real time. Automation can also go a step further, applying rules in playbooks to enrich alerts with context (which machine or user, what happened, when), contain suspicious activity in the network, and trigger an automatic response in well-defined use cases.

The result can be minimizing the volume of alerts by a factor of 10 or more, from 10,000 a day to 1,000 or less. This noise reduction saves up to 50% of expert SOC labor, dramatically increasing SOC efficiency and effectiveness.

**Humans Are the Ones Who Catch the Cybercriminals in Action  
**

This type of automation frees expert human analysts to use their experience, skills, intuition, and problem solving in the hunt for cybercriminals active in your environment. The automation feeds junior SOC analysts who triage the findings by applying human intelligence to recognizing patterns, evaluating anomalies, eliminating false positives, and identifying alerts that need further human assessment.

For example, John in HR typically accesses two databases during regular business hours. An alert comes through that John has accessed a third database on a Saturday. Only a human can determine if this new behavior is anomalous but nonthreatening. After the SOC analyst notifies the IT department about the unexpected database activity, IT confirms that John has been granted temporary access to the additional data, which is HR-related.

After triage by junior SOC analysts, high-priority alerts are forwarded to SOC senior analysts. These skilled security specialists are charged with investigating the alerts and identifying where an attack is coming from, the cybercrime groups behind the attack, methods they are using, lateral movement observed, and the dwell time of attackers. SOC experts also propose strategies for mitigation and eradication.

Humans are most essential when identifying attacks that cut across different systems, applications, and access methods. It was skilled humans who uncovered new activity on the part of Hafnium. The nation-state cybercriminals had been exploiting vulnerabilities in Microsoft Exchange servers to steal emails, compromise networks, and move laterally in affected organizations. These incursions took place for three months prior to discoveries credited by Microsoft to researchers at security firms Volexity and Dubex.

**Key Takeaways  
**

Organizations of any size, but particularly midsize and larger enterprises, can benefit from having their SOCs use artificial intelligence, unsupervised ML, and automation to remove the burden of first-level event log screening from junior analysts and provide intelligence that senior analysts can use in investigations. Such automation is necessary to handle the ever-increasing volume, velocity, and variety of security telemetry. It cannot, however, eliminate the need for the expert human analyst.

SOC analysts need not be concerned about job security in the face of ML and automation. Rather, they should welcome the improved productivity and freedom automation provides to use their intelligence and creativity for higher-value activities such as research, threat analysis, remediation, and threat hunting.

Keep Humans in the Loop in SOC Operations

Upgrades to the Exostar platform promote secure, compliant collaboration and handling of controlled unclassified information.

**HERNDON, VA, July 12, 2022 –** Exostar, a leader in trusted, secure business collaboration in highly regulated industries including aerospace and defense, today announced the availability of updates to The Exostar Platform that allow small and medium-sized businesses (SMBs) to overcome the technology, time, and cost obstacles of preparing for and demonstrating compliance with Department of Defense (DoD) cybersecurity requirements.

Firms throughout the Defense Industrial Base (DIB), including SMBs deep in the DoD supply chain, will have to acquire Cybersecurity Maturity Model Certification (CMMC) 2.0 certification as soon as May 2023 to participate in subsequent DoD contract solicitations. According to CMMC version 2.0, any member of the DIB that stores or handles Controlled Unclassified Information (CUI) during program execution must meet the 110 practices defined at CMMC Maturity Level 2. Many SMBs simply do not possess the expertise, bandwidth, or budget to go it alone.

Exostar’s Managed Microsoft 365 for CMMC directly addresses these challenges. This managed solution, based on Microsoft Teams and hosted in a Microsoft 365 Government Cloud Computing (GCC) High environment, is designed specifically for SMBs and delivers benefits including:

*   A secure workspace for SMB users within GCC High – without the expense and burden of acquiring, setting up, and managing their own tenant.
*   Rapid onboarding – subscribe today and be working tomorrow.
*   Implementation of the security controls necessary to properly protect CUI – and facilitate compliance with CMMC 2.0 and other DoD cybersecurity standards.
*   Enterprise-grade security at a price SMBs can afford, with room to grow for an enterprise license.

In addition to the launch of Exostar’s Managed Microsoft 365 for CMMC, the company has updated and upgraded its CMMC Ready Suite within The Exostar Platform to provide out-of-the-box support to accelerate SMBs throughout their CMMC 2.0 accreditation journeys:

*   Certification Assistant – Offers plainspoken descriptions of CMMC practices at all three Maturity Levels, helping SMBs to conduct compliance self-assessments and scoring, gather documentation, and prepare for any necessary third-party audits ahead of accreditation.
*   Exostar PolicyPro – Evaluates existing policies (including gap analysis) and/or generates new ones in accordance with all policy requirements defined in CMMC 2.0 practices.
*   CMMC 2.0 Basic Assessment – Provides expert guidance from Exostar-vetted cybersecurity compliance specialist partners who use Exostar’s CMMC Ready Suite to address an SMB’s unique circumstances and accelerate the accreditation process.

“SMBs are the lifeblood of the DIB. While they must improve their cybersecurity capabilities to better protect CUI throughout the DoD supply chain, CMMC 2.0 represents a heavy lift for many of these companies,” said Tony Farinaro, Exostar’s Chief Revenue Officer. “We continue to enhance and expand our CMMC offerings to make it easier and more cost effective for SMBs to meet their obligations so they can stay in the DIB, win business, and keep innovating on behalf of the DoD.”

In addition to SMBs, enterprises also can subscribe to Exostar’s Managed Microsoft 365 for CMMC, as well as purchase the other applications and services in The Exostar Platform’s CMMC Ready Suite, today.

**About Exostar**

The Exostar Platform supports exclusive communities within highly regulated industries where organizations securely collaborate, share information, and operate compliantly. Within these communities, we build trust. More than 150,000 companies and agencies in 175 countries trust Exostar to strengthen security, reduce expenditures, raise productivity, and help them achieve their digital transformation initiatives. Nearly half of the Defense Industrial Base, including 98 of the top 100, transact business over The Exostar Platform. Eleven of the top twenty global biopharmaceutical companies rely on The Exostar Platform to help them speed new medicines and therapies to market. Exostar is a Gartner Cool Vendor. For more information, please visit www.exostar.com, and follow Exostar on LinkedIn and Twitter.

Exostar Empowers SMBs with Enhanced, Low-Cost, Easy-to-Use Microsoft 365 and CMMC 2.0 Solutions

Businesses receive an invoice via email with a credit card charge and are asked to call a fake number and hand over personal information to receive a refund.

Cybercriminals are posing as Intuit's popular accounting software package QuickBooks to target Google Workspace and Microsoft 365 small business users in a voice-phishing scam.

The campaign sends a false invoice via email containing a claim that a credit card has already been charged for an order. In order to dispute the charge, victims are directed to call the number included in the email, according to researchers with INKY. The scam was first uncovered in December 2021 and the frequency of attack has accelerated sharply, they said.

The threat actors have been leveraging QuickBooks' free 30-day trial offer to set up fake accounts from which to send fraudulent invoices, impersonating major IT companies including Amazon, Apple, PayPal, and McAfee. Once the victim calls, they are asked for bank account information, login credentials, or other personally identifiable information.

"These attacks were highly effective at evading detection because they were identical to non-fraudulent Quickbooks notifications, even when examining the emails' raw HTML files closely," the report noted. "All notifications originated from authentic Intuit IP addresses, passed email authentication (SPF and DKIM) tests for intuit\[.\]com, and only contained high-reputation intuit\[.\]com URLs."

One such scam in April impersonated an Amazon Prime shipping notification, which used the strings "amazn" and "amzn" to evade detection filters. By clicking on the "print or save" or "view invoice" buttons, the victim is then taken to Intuit's website and shown a fraudulent invoice, inducing the user to call the number and give up financial information.

"The natural response is to get right on the phone and try to back the order out, or, barring that, find a way to obtain a refund," the INKY report noted. "The phishers take advantage of this disrupted emotional state to extract personal or financial information before the victim realizes that something is off."

**Defense Requires Vigilance**

INKY recommends that recipients of these kinds of messages should refrain from calling any phone numbers they provide and be wary of requests for payment through the form of gift cards, a method unlikely to be used by businesses.

"If there is any doubt about a charge, it is best to contact the relevant credit card company to see if there really is a charge in that amount," the report noted. "Any real charge would be shown as 'pending'."

Small businesses are increasingly targets for cyberattacks, according to recent research; however, just 40% of small businesses have a cybersecurity policy. Among the key steps small businesses can take to improve their security posture is adopting strong security policies and training employees in best practices, along with tactical investments in cybersecurity software.

**Plenty of Phishing in the Sea**

Meanwhile, cybercriminals are deploying new vishing methods to defraud victims, according to a report from Kaspersky, including attacks carried out through popular social media sites or major IT service providers like PayPal. A recent vishing scam cited by Kaspersky was based on a widespread TikTok prank where friends use an automated answering-machine voice to warn them that a lot of money will soon be taken out of their bank account.

"When people are convinced to disclose their personal data during a phone call rather than on a phishing page, they often don't have the chance to consider that they are the target of a hoax — and the large number of TikTok videos with this prank is a prominent example of this," according to Kaspersky.

The security firm reports that the volume of vishing is on the rise, with 350,000 vishing emails between March and June 2022, with nearly 100,000 of these emails spotted in June alone.

QuickBooks Vishing Scam Targets Small Businesses

This Tech Tip outlines how system administrators can get started with automated continuous patching for their Windows devices and applications.

The Windows Autopatch service, which allows enterprises to automatically roll out updates for Windows 10, Windows 11, Microsoft Edge, and Microsoft 365 software, is now live, Microsoft said this week. Autopatch is intended to streamline updating operations and reduce the time it takes for systems to be patched. Originally announced in April, the feature has been in public preview since May.  

"Essentially Microsoft engineers use the Windows Update for Business client policies and deployment service tools on your behalf," wrote Lior Bela, senior product marketing manager at Microsoft, on the Microsoft IT Pro blog. "The service creates testing rings and monitors rollouts—pausing and even rolling back changes where possible."

This Tech Tip summarizes the prerequisites for using Autopatch and instructions on enabling the new feature.

**Very Specific Prerequisites**

Customers must have Windows 10/11 Enterprise E3 or E5 licenses. The organization must also have Azure Active Directory Premium and Microsoft Intune. A proxy or firewall that uses TLS 1.2 is also required.

"Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join," Microsoft said in the deployment guide.

The endpoints that will be enrolled into Windows Autopatch must be managed by either Microsoft Intune or Configuration Manager Co-Management. Intune must be set as the mobile device management (MDM) authority or co-management must be turned on and enabled on the endpoints. The endpoints being enrolled must also have connected with Microsoft Intune within the last 28 days in order to be registered with Autopatch.

The endpoints, which must be corporate-owned (bring-your-own-device is not currently supported) should have 64-bit editions of Windows 10/11 Pro, Windows 10/11 Enterprise, or Windows 10/11 Pro for Workstations. However, Windows Autopatch will support updating of Windows 365 cloud PCs in mid-July.

**Configuring the Environment**

Since Autopatch is cloud-based, there are specific Microsoft services that must be available at all times. The four URLs that must be on the allowed list of the proxy or firewall are _mmdcustomer.microsoft.com_, _mmdls.microsoft.com_, _logcollection.mmd.microsoft.com_, and _support.mmd.microsoft.com_. 

The deployment guide lists other firewall configurations, IP ranges, and port requirements for Azure Active Directory, Microsoft Intune, Windows Update for Business, and individual Microsoft applications.

Azure Active Directory must have security defaults enabled and not have any user names that conflict with the ones Autopatch needs to use: _MsAdmin_, _MsAdminInt_, and _MsTest_. Azure AD must also be set so that conditional access policies and multifactor authentication aren’t assigned to all users. The point is that Autopatch can’t be required to have multifactor authentication enabled. 

"Your conditional access policies must not prevent our service accounts from accessing the service and must not require multi-factor authentication," Microsoft said.

**How Do I Get Started?**

Customers with Windows Enterprise E3 and E5 licenses will find Tenant Administration in the Microsoft Endpoint Manager administrator center. The option _Tenant enrollment_ in the Windows Autopatch section will begin the process to set up and configure Autopatch.

But first, Microsoft will run the online Readiness assessment tool to check the settings in Microsoft Intune and Azure Active Directory to ensure they are properly configured to work with Windows Autopatch. If issues are found, the administrator must fix them before continuing.

Once everything is ready, the tool will show an _Enroll_ button to kick off the enrollment. During the enrollment process, administrators will be guided to create the policies, groups, and accounts necessary to run Autopatch.

"Once you've enrolled devices into Autopatch, the service does most of the work. But through the Autopatch blade in Microsoft Endpoint Manager, you can fine-tune ring membership, access the service health dashboard, generate reports, and file support requests," Microsoft said.

**What Sysadmins Can’t Do**

*   It would not be possible to schedule the updates to roll out on certain days or times. The decision of when to move to the next ring is also not configurable.
*   Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Currently, there is no support for individual device level control.
*   Windows Autopatch doesn't support managing update ring membership using your Azure AD groups.
*   There is currently no programmatic access via PowerShell to Autopatch

Getting Up and Running with Windows Autopatch

Python's most popular package manager is intent on securing the supply chain by requiring developers to enable two-factor authentication.

As part of the push to mandate two-factor authentication for critical projects, the Python Package Index will distribute 4,000 Google Titan security keys to developers.

PyPI, the largest package manager for Python libraries and software components, has decided to mandate two-factor authentication for maintainers of "critical" Python projects. Two-factor authentication must be enabled for developers to be able to publish, update, or modify their projects. This requirement would protect developers from account takeovers as a result of stolen credentials. There have been numerous instances of supply chain attacks where attackers took over code repositories and hijacked software libraries and modules hosted on popular package managers.

The "critical" designation is assigned to any PyPI project accounting for the top 1% of downloads over the past six months. According to the dashboard published by PyPI, over 3,800 PyPI projects and 8,200 user accounts have been identified as critical. There are currently 28,336 users who have voluntarily enabled two-factor authentication.

"Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users," PyPI's administrators announced.

The decision to mandate two-factor authentication is an attempt to improve the supply chain security of the Python ecosystem and echoes a similar decision by GitHub to mandate two-factor authentication earlier this year. Recognizing that attackers are increasingly targeting libraries on npm, PyPI's JavaScript equivalent, GitHub auto-enrolled maintainers of the top 100 npm packages with two-factor authentication back in February.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

PyPI Mandates 2FA, Plans Google Titan Key Giveaway

MINNEAPOLIS, July 12, 2022 /PRNewswire-PRWeb/ -- Core Security by HelpSystems, a leading provider of cyber threat solutions, today announced the addition of ransomware simulation to its penetration testing solution, Core Impact. Using an automated Rapid Pen Test, Core Impact users can now efficiently simulate a ransomware attack.

An Increased Need to Prepare for Ransomware Attacks

According to the 2022 Penetration Testing Report, ransomware is one of the top concerns for cybersecurity professionals. Also, a PhishLabs by HelpSystems report shows ransomware is booming, growing more than 100% year-over-year. The cost of ransomware attacks is also on the rise; the average ransom demand alone was $220,298 in 2021, with the recovery cost much steeper, averaging $1.8 million.

\- ADVERTISEMENT -

When employees open infected email attachments or click on malicious websites, they can inadvertently trigger a ransomware attack. With unwitting employees serving as one of the most common attack vectors, ransomware can be particularly difficult to avoid.

"Much like penetration testing, vulnerability management, and red teaming, ransomware simulation is an effective method of offensive (proactive) cybersecurity, helping organizations discover weaknesses before attackers find and exploit them," said Mark Bell, Managing Director of Infrastructure Protection at HelpSystems. "Adding ransomware simulation not only further enhances and centralizes the testing process, but helps employees better recognize ransomware infection methods. It can also uncover who is susceptible to these attacks, which can prompt additional training to teach employees how to be more vigilant before clicking another suspicious email.

"With ransomware here to stay, this simulation process should be considered a cybersecurity essential," said Bell. "The addition of ransomware simulation strengthens Core Impact's reputation as an all-in-one solution, providing multiple types of pen tests across vectors and other integrations."

For an in-depth demo of Core Impact and to see the ransomware simulation in action, visit: https://www.coresecurity.com/products/core-impact/demo-watch or visit: https://www.coresecurity.com/blog/core-impact-introduces-ransomware-simulation to learn more.

About HelpSystems  
HelpSystems is a software company focused on helping exceptional organizations secure and automate their operations. Our cybersecurity and automation software protects information and simplifies IT processes to give our customers peace of mind. We know security and IT transformation is a journey, not a destination. Let's move forward. Learn more at http://www.helpsystems.com.

Core Security by HelpSystems Introduces New Ransomware Simulator

July's security update included fixes for one actively exploited flaw, more than 30 bugs in Azure Site Recovery, and four privilege escalation bugs in Windows Print Spooler.

Microsoft today released patches for 84 vulnerabilities across its product categories, including one bug now actively exploited and four that the company rated as critical severity.

The July security update also includes fixes for four elevation of privilege vulnerabilities in the company's perennially buggy Windows Print Spooler technology, and more than 30 bugs in its Azure Site Recovery disaster recovery service. At least 12 of the 84 flaws disclosed today enable remote code execution, 11 were information disclosure-related, and four enable bypass of security features. Most of the remaining flaws enabled elevation of privilege.

**Priority One: CVE-2022-22047**

Security experts who reviewed Microsoft's latest update said the vulnerability that requires immediate attention is an elevation of privilege vulnerability (CVE-2022-22047) in the Windows Client Server Run-Time Subsystem (CSRSS) that is currently being exploited. Microsoft itself assessed the vulnerability as "Important," giving it a severity rating of 7.8 on a scale of 10. According to the company, the vulnerability — like every other bug in July's update — has not been publicly disclosed. Even so, Microsoft described the bug as being actively exploited, but did not provide any further information.

"The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target," an analysis on Trend Micro Zero Day Initiative's blog noted. "Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system." Attacks of this type often leverage macros, which is why Microsoft's recent decision to delay blocking all macros by default — like it announced in February — is disheartening, the blog noted.

Chris Goettl, vice president of product management for security products at Ivanti, says organizations should not be lulled by Microsoft's characterization of the flaw as important. The fact that attackers are actively exploiting the bug makes it a priority, he says. "Organizations prioritizing using legacy rating methods could miss prioritizing the urgency of the OS update this month," he says.

**Other Bugs That Need Urgent Attention**

Other bugs in Microsoft's July update that security experts described as priorities: CVE-2022-30216, CVE-2022-22038, CVE-2022-30221, and CVE-2022-30222.

CVE-2022-30216 is a low-complexity tampering vulnerability in Windows Server Service that would allow an authenticated attacker to remotely upload a certificate to the Server service. Microsoft described the vulnerability as one that is more likely to be exploited because it requires no user interaction and low-level privileges. "While this is listed at 'Tampering', an attacker who could install their own certificate on a target system could use this bug for various purposes, including code execution," Trend Micro's ZDI said. "Definitely test and deploy this patch quickly — especially to your critical servers.”

CVE-2022-22038 is a Remote Procedure Call Runtime remote code execution vulnerability that could allow an unauthenticated attack to execute malicious code on a vulnerable system. Microsoft identified the bug as being complex to exploit because it requires an attacker "to invest time in repeated exploitation attempts through sending constant or intermittent data." Trend Micro's ZDI assessed the bug as having properties that could potentially make it wormable. "If the exploit complexity were low, which some would argue since the attempts could likely be scripted, the CVSS would be 9.8. Test and deploy this one quickly," the security vendor noted.

CVE-2022-30221 is a remote code execution vulnerability in the Windows Graphics Component. An attacker can exploit the vulnerability by convincing a user to connect to a malicious RDP server. An adversary who succeeds in doing that would be able to execute code in the context of the affected system's user, Microsoft said.

"On the surface, this one looks nasty," Kevin Breen, director of cyber threat research at Immersive Labs, said in emailed comments to Dark Reading. Microsoft has marked the vulnerability as less likely to be exploited because an attacker would need to first run a malicious RDP server and then convince a victim to connect to it. "This is not as far-fetched as it first sounds, as RDP shortcut files could be emailed to target victims, and these file types may not flag as malicious by email scanners and filters," Breen said.

CVE-2022-30222 is another remote code execution vulnerability — this time in the Windows Shell graphical user interface. The flaw allows an unauthenticated attacker to execute code on a vulnerable system by interacting with the login screen in a specific manner, Microsoft noted. Attacks targeting the flaw likely involve little complexity and no user interaction.

"Whilst this is titled as a Remote Code Execution vulnerability, the description suggests that this is actually a Local Code Execution vulnerability," Breen said. It appears the flaw would allow an attacker to run arbitrary command from the login page as authentication is not required, he noted. "Microsoft has suggested this is less likely to be exploited. But if you use RDP, definitely prioritize this patch," Breen said.

**Windows Print Spooler Flaws Make a Comeback**

Microsoft's July update also contains fixes for four flaws in Windows Print Spooler (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226). Flaws in Print Spooler have been a major problem for Windows users in recent years. One of the most notable recent flaws in the technology was PrintNightmare, a remote code execution bug that affected all Windows versions and prompted an advisory from the US government and others on the need for organizations to address it urgently.

"We have seen a steady stream of vulnerability disclosures in the Print Spooler Service since the original PrintNightmare flaws were disclosed in June (CVE-2021-1675) and early July of 2021 (CVE-2021-34527)," said Satnam Narang, senior staff research engineer at Tenable, in comments emailed to Dark Reading. The flaws that Microsoft has addressed in the technology are elevation of privilege flaws, which provide attackers the ability to gain system-level privileges on vulnerable systems, he said.

The risk with these four fixes is the potential to impact print functionality, Ivanti's Goettl says.

"Since PrintNightmare, there have been many Print Spooler fixes, and in more than one of those patch Tuesday events, the changes have resulted in operational impacts," he says. "This makes administrators a little gun-shy and warrants some extra testing to ensure no negative issues occur in their organization."

**Surfeit of Azure Site Recovery Bugs**

Goettl says Microsoft resolved 33 vulnerabilities in Azure Site Recovery that could allow attackers to take a variety of actions including remote code execution, privilege escalation, and information-stealing. None of the vulnerabilities have been publicly disclosed or are currently being exploited, but the concern is in the number of vulnerabilities that were fixed, Goettl notes. "They were identified by several independent researchers and anonymous parties, which means the knowledge of how to exploit these vulnerabilities is a bit more broadly distributed," he says.

And, resolution of these flaws is not simple: It requires signing into each process server as an administrator, then downloading and installing the latest version. "Vulnerabilities like this are often easy to lose track of, as they are not managed by the typical patch management process," he notes.

Microsoft Issues Fixes for 84 Vulnerabilities: Here's What to Patch Now

LONDON and BOSTON - July 12, 2022- Privitar, the leader in modern data provisioning, today announced it has acquired Kormoon, a software platform that helps organizations manage the complexities of data privacy regulations by analyzing data usage, assessing risk, and automating compliance. Kormoon’s powerful technology will be used to extend the functionality of Privitar’s market-leading data privacy and provisioning offerings, adding new capabilities to quickly enable organizations to understand and comply with the rules governing data.

“Using data in a lawful and compliant way is often complicated, slow, and expensive. Navigating the complex web of data privacy, data sovereignty, and industry-specific regulations is incredibly challenging,” said Jason du Preez, CEO and co-founder of Privitar. “With the acquisition of Kormoon, Privitar is reinforcing our commitment to helping organizations use all of their data safely, ethically and in a compliant manner. Kormoon makes navigating data compliance incredibly simple. By combining Kormoon with Privitar’s world-class data privacy and modern data provisioning solutions, we are enabling data executives to streamline and automate compliance to ever-changing privacy rules and regulations.”

Kormoon calculates, communicates, and automates the steps to comply with relevant data rules including data privacy and protection, data localization, and cross-border transfer requirements. These include data compliance rules and requirements from around the world including Europe’s GDPR, Brazil’s LGPD, USA’s HIPAA and CCPA, and also new and emerging laws in countries such as the UAE, Saudi Arabia, China, India, and beyond. Combining powerful automation technology and inputs from expert advisors to assess an organization's level of risk, the Kormoon solution provides a simplified workflow to ensure requirements are met. Kormoon’s prescriptive guidance makes it simple for users to provide details about the data an organization collects, where they collect, access, and use it, and the data’s purpose, then recommends clear steps and actions for achieving data compliance.

“Kormoon's platform aims to improve time and cost efficiency of providing data privacy and protection advice to businesses worldwide. We help organizations understand and keep on top of data compliance rules by providing them with a simple workflow, access to regularly updated knowledge, and a cost-effective way to understand what it is that they need to do,” said Paul McCormack, founder of Kormoon. “By uniting with Privitar, we are empowering organizations with a one-stop-shop that ensures that their data is safe, compliant, and accessible for decision making.”

**About Privitar**

Privitar empowers organizations to use their data safely and ethically. Our modern data provisioning solution builds collaborative workflows and policy-based data privacy and access controls into data operations. Only Privitar has the right combination of technology, domain expertise, and best practices to support data-driven innovation while navigating regulations and protecting customer trust.

Founded in 2014, Privitar is headquartered in London, with regional headquarters in Boston and locations throughout the US and Europe. For more information, visit www.privitar.com.

**About Kormoon**

Kormoon is a software platform that calculates, communicates, and automates the steps professionals need to take to comply with relevant data rules, including data privacy and protection, data localization, and cross-border transfer requirements.

Privitar Announces Kormoon Acquisition, Extending Data Privacy and Provisioning Capabilities

Data quality is key in an effective TDIR solution. Omdia's threat detection data life cycle highlights the considerations for effective data-driven threat detection.

Threat detection, investigation, and response (TDIR) solutions all rely on data to deliver accurate, consistent, and performant threat detection, prioritization, and analysis. Enterprises need good data from the right places, refined and applied in the right ways, to detect and ultimately mitigate threats.

For that reason, Omdia believes taking a data-driven life-cycle approach is the best strategy to ensure data-related elements of the TDIR process are effective.

Below is a brief review of the steps in the Omdia threat detection data life cycle, a multistage process through which enterprise cybersecurity operations (SecOps) leaders may consider the tactical implications of how data is utilized by their TDIR solutions for the purpose of threat detection.

*   **Acquisition:** Identify the relevant data types or sources pertinent to the threat detection process, confirm the location of the data, and identify the steps for acquiring this data, both technical and business.
*   **Ingestion:** Threat detection data must be confirmed as valid and permitted for the system where it will be utilized, and then ingested in streaming real-time mode or batched and ingested at intervals based on different factors.
*   **Processing:** Unprocessed logs are analyzed in detail to determine key characteristics, such as origin, source format or schema, and data values or elements. It is often necessary to reformat or parse the logs into a preferred format to ensure consistency and accelerate other steps in the life cycle. After parsing, data is validated to ensure it conforms to system parameters.
*   **Normalization:** Unnecessary, and redundant data is deduplicated, reduced, and/or removed; new solution-specific fields are added, and the output is further standardized with common metadata classifiers. Logs that enter the system with significant variances are adjusted to appear similar.
*   **Bypassing normalization:** Some threat detection data systems intentionally do not conduct a normalization stage. In this scenario, the normalization step is skipped, and data moves directly from processing into categorization.
*   **Categorization:** The contents of the data are further examined to identify which established system attributes should be assigned to the data. The purpose of categorization is to delineate the contextual relevance of the data during subsequent analysis.
*   **Enrichment:** New data is augmented with additional data attributes that add context or create logical connections to other data, system-defined attributes, or events. In nearly all instances effective enrichment is driven at least in part by analytics, technology that analyzes data over time, identifies patterns in the data, and creates a baseline of so-called "normal" or expected activity for a given use case.
*   **Indexing:** Data is added to an index that denotes where it is located within the storage system. An index exists to optimize the performance of the system when the data is accessed.
*   **Storage:** Data then enters the storage phase, typically for a definite period, based on policy. Contemporary TDIR solutions increasingly rely on cloud-based data-lake technology, residing either directly in a public cloud environment or in a third-party environment managed by the vendor or provider.
*   **Analysis:** Once added to the dataset, data is analyzed on an ongoing basis. Many TDIR solutions reanalyze the existing dataset when new data is added. Analysis also occurs on a per query basis, as well as for proactive threat hunting.
*   **Valuation:** Process by which the business value of all lifecycle data is evaluated on an ongoing basis in support of TDIR process improvement or desired business outcomes.

Omdia believes achieving different, better results from TDIR requires the implementation of different, better approaches within the threat detection data life cycle.

Though there are inherent challenges with the life cycle, especially in the areas of data processing and normalization, there are also fascinating innovations taking root, particularly customized categorization schemas (nonstandard indexing to accelerated data analysis) and security data lake-houses (storage environments that combine the best of data lakes and data warehouse).

Regardless, a process-centric approach to the threat detection data life cycle with careful attention to detail will provide better, more consistent TDIR results, and set the stage for further data life-cycle innovation.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading