As the public cloud matures, enterprises are converging on two platforms that meet their workload protection needs via a strategy based on zero-trust security.

In the early days of a new B2B information technology market, it is common for the vendor community to step up with dozens of point products, each with its own differentiators within its niche. Nowhere is this phenomenon more evident now than in public cloud security, where there is a nearly incomprehensible acronym soup of solutions, each of which solves its own slice of the broader cloud protection problem. Examples include CSPM, CIEM, DLP, IAM, multicloud networking, microsegmentation, IaC scanning, container runtime security, and vulnerability assessment, to name a few.

Even if you had the budget to buy all of these tools separately, the operational complexity associated with training the staff, integrating the products, and meeting the deadline with a dozen different vendors would be a nightmare. Fortunately, as public clouds mature, enterprises converge on two key platforms that meet their workload protection needs via a strategy based on zero-trust security: Cloud Native Application Protection Platforms (CNAPP) and Secure Access Service Edge (SASE).

Zero-trust security is a framework built around the concept of least-privileged access, in which no user or application should be inherently trusted. This framework is the opposite of a traditional secure perimeter approach in which employees and data reside in an office building.

With zero trust, every user and application is deemed hostile. But if you keep everything out, it is difficult for users and applications to communicate, so access is granted only to the specific resource that is necessary once identity and risk context have been established and verified. While zero trust has gained wide adoption for user access to applications over the last several years, many enterprises are extending it to application-to-application communication use cases.

Enter CNAPP and SASE …

**CNAPP and Zero Trust**

The job of a CNAPP is to identify, prioritize, and help mitigate cloud workload risks. These platforms provide visibility into both public cloud infrastructure and the workloads running on that infrastructure. A CNAPP also helps identify and remediate risks before deployment to the cloud by combining DevOps tools and integrated development environments (IDEs).

CNAPPs provide insights into a broad range of cloud risks, taking the place of several previously separate categories of products. Hazards include those related to misconfigurations, excessive privileges and permissions, sensitive data-at-rest, unpatched software vulnerabilities, and more. In addition, these platforms correlate across functions to help prioritize actual exploitable issues and provide an accurate picture of how an enterprise might be compromised.

Not only does a CNAPP identify and prioritize cloud risks, it assists with remediation of those risks as well, either through automated remediation or through guided manual remediation. The CNAPP process of identifying, prioritizing, and mitigating cloud risks is continuous. In dynamic cloud environments, risk posture is constantly changing.

In a zero-trust architecture, CNAPP provides the critical element of risk context that can be used to make more informed decisions about the level of access a workload should have within and across the enterprise cloud footprint. As with users, a risky cloud workload should have limited access until those risk factors are adequately mitigated.

**SASE and Zero Trust**

With risk context established, the next step is to allow access only to what is necessary. This is where SASE comes into play. SASE uses workload identity and risk context to verify access rights, applying business policies based on that context and the transaction being attempted. As context changes, access privileges are continually reassessed. SASE has traditionally been associated with the protection of user communications and has only recently begun to gain traction as a platform for the protection of workload communications.

SASE platforms connect cloud workloads directly to other workloads — without connecting them to networks — and implementation of zero trust communications for workloads. By providing this app-to-app connectivity and segmentation, SASE reduces the ability of malicious software or bad actors to move laterally across the network. SASE enables cloud workload communications for several use cases, including:

*   Cloud-to-cloud

*   Cloud-to-data center

*   Cloud-to-internet

*   Intracloud

Traditional perimeter technologies, such as firewalls, use a "passthrough" security approach, making a lousy protection tradeoff in favor of performance. If malicious traffic is found, it is often too late to stop it. A SASE-based solution thoroughly inspects every transaction, terminating every connection to hold and check encrypted traffic before forwarding it to its destination. The inspection often includes data loss and threat prevention, and access control.

**Two Parts of One Whole**

Together, CNAPP and SASE provide a comprehensive approach to cloud workload security by securing the workloads and access to the workloads while ensuring optimal application performance and user experience. Over the next few years, there will be an increasing concentration of functionality provided by point products today into one of these two platforms. The result will be widespread adoption of zero-trust security for public cloud workloads and simplification from significant tool consolidation.

**About the Author**  

    

Rich Campagna is Senior Vice President and General Manager, CNAPP, at Zscaler, where he leads strategy for securing public cloud infrastructure and workloads. In his 20+ years in technology, Rich has held product management and marketing leadership positions at Balbix, Bitglass, F5 Networks, and Juniper Networks. Rich received an MBA from the UCLA Anderson School of Management and a B.S. in Electrical Engineering from Pennsylvania State University.

Two Platforms to Rule Them All: CNAPP and SASE

Interpol says it busted fraudsters who were operating call centers for romance scams, get-rich-quick schemes, and more.

Interpol has announced that a coordinated, global law-enforcement effort has led to the arrest of 2,000 individuals and the seizure of more than $50 million in illicit funds stolen through a variety of social-engineering scams. 

The operation, code-named First Light 2022, included police raids on call centers, where cybercriminals are alleged to have been operating a variety of social engineering telephone frauds, ranging from romance scams to connected financial crimes, according to Interpol. 

The international law-enforcement agency said the effort included coordinated policework across 76 countries. In all, 1,770 individual locations were raided, leading to the arrests of thousands of accused fraudsters, operators, and money launderers, along with the identification of other suspects. 

The investigation also revealed an uptick in social media driving human trafficking, money laundering through victims' personal bank accounts, scammers posing as bank employees to trick targets into giving up credentials, and more. 

“Telecom and \[business email compromise\] BEC fraud are sources of serious concern for many countries, and have a hugely damaging effect on economies, businesses and communities.” said Rory Corcoran, director of Interpol's Financial Crime and Anti-Corruption Centre (IFCACC), in a statement about First Light 2022. “The international nature of these crimes can only be addressed successfully by law enforcement working together beyond borders."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Thousands Arrested in Global Raids on Social-Engineering Scammers

Work across the organization and take practical steps to ease user stress — prioritize user productivity by offering the right tools to avoid shadow IT and cultivate a transparent security culture. Remember the security team, too, and automate as many processes as possible.

The art of balance has never been as important as it has in the past two years. The toll that job pressures and burnout can have on the workforce is at an all-time high and at the forefront during daily conversations.

As security leaders, we can't ignore the list of ramifications that stem from employee burnout, such as apathy, disengagement, or other more serious mental health concerns.

**Practical Steps Toward Security**

Although battling something as big as employee burnout may seem daunting, there are practical steps security teams can take to streamline and ease user stress when it comes to security.

*   **Cultivate a transparent** **security culture:** Cultivate a proactive and interactive security culture to create a safe place for employees to ask questions and have transparent, open communications with security. Promote and ensure data-use policies are clear and concise. Be transparent about what you're monitoring and collecting, as well as what you're doing with that data.

*   **Investigate with empathy and assume positive intent**: Over three-quarters of insider data breaches this year have been considered nonmalicious. When you see possible data exposure or leaks coming from an insider, first presume that the users had positive intentions and approach the situation with empathy. That means asking questions to get context about the situation and a clear solution to reversing the action before it causes any damage to the organization.  
    

*   **Minimize shadow IT, prioritize user productivity**: Provide users with the right tools they need to do their jobs — and make it easy for users to contact the proper people if they want to use an alternative — so they don't have to or won't be tempted to go around security. For common business practices like sharing files externally, share the "best practice" method and make this information easily accessible to users. The more security can prioritize users' work preferences, the less burnout users will have in the first place.

**Standardize Security Best Practices**

I would be remiss to discuss burnout without acknowledging burnout among security teams. For chronically understaffed security teams who operate in a constantly evolving environment where threats, zero-day vulnerabilities, and data loss incidents are everyday occurrences, there unfortunately is no silver bullet to reduce stresses on security and technology teams. However, the one critical tip security teams should take is to:  

*   **Automate, automate, automate:** Turn fire drills into standard operating procedures and automate work wherever possible. Security should create workflows to manage the most common security alerts that require the most standard response, which frees up time to focus on the most pressing security concerns — and not just spinning unnecessary cycles and flaming burnout across security teams.

As we look toward the second half of the year, I encourage security leaders to take factors like workplace burnout and employee retention rates into consideration in tandem with the general movement toward more empathetic workplace cultures.

The notoriously stoic cybersecurity culture is changing. I expect that we'll see more organizations adapting to this shift, changing traditional titles such as "Security Manager" to "Security Culture Manager" to align with the overdue need to recognize that the culture a security team brings to the overall business is equally as important as the protections it brings to the business.

Security leaders — and their teams — play a strategic and impactful role in helping to create a safe space for employees at work. When they work across the entire organization, they can have more impact on the security culture and innovation of the company altogether so that mental health and well-being can be top of mind for all.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

How Information Security Teams Can Help Reduce Stress and Burnout

Multiple cybercrime groups have been spotted selling stolen credentials and other sensitive personal information pilfered from travel-related websites.

Much in the same way that cybercriminals followed the fervor around the pandemic, they now are doing the same with the travel boom, creating various scams that aim to take advantage of travel organizations, airlines, and individuals going on vacation.

Since the start of the year, security firm Intel 471 has tracked several cybercrime groups selling credentials and databases of stolen personal identifiable information (PII) tied to travel-related websites.

"People are starting to travel more than they have in the past few years, so there is increased attention and heightened traffic online," Intel 471 researcher Greg Otto explains. "Cybercriminals love operating in areas where a lot of people are congregating and trying to spend money ASAP."

The methods of malicious actors have evolved because of the concentration on PII: From reservations to rewards programs to security checks, these organizations collect a wide array of PII, he says.

He points to one threat actor that was specifically targeting individuals with at least 100,000 miles in their mileage rewards accounts. Other actors are seeking help in gathering additional information to perpetrate travel fraud schemes, offering up their own slate of PII as incentive.

"Financially motivated cybercriminals have realized how much value lies in the data that travel companies and organizations collect, which is why they have moved to target organizations in the travel, aviation, and hospitality industry," he says. "If that PII is not protected, it's going to be targeted."

While ransomware-as-a-service (RaaS) does not appear to pose an acute threat to the global travel industry so far, an Intel 471 blog post outlined the threat RaaS has posed to regional airlines, including low-cost Indian airline SpiceJet and an unnamed Thai airline.

**What to Do About It**

What can organizations do to deter cybercriminals from targeting their systems? Have written security policies and procedures tailored to your specific organization, Otto says, and craft expectations for protection of data, including the confidentiality of data, and set limits of permissible data access and use for employees.

"Be aware of social engineering scams, have a robust passwords policy for employees and users, and patch vulnerabilities when applicable," he says.

Meanwhile, Intel 471 also noted activity around pro-Russia hacktivist groups, namely an actor joining KillNet, which has conducted attacks against targets in Romania and other countries providing support to Ukraine.

Threat actors are using their position within the government agencies to facilitate illegal border crossings for Ukrainian males aged 18 to 60.

“Accomplices used to facilitate the activity allegedly would transfer a person seeking to cross the Moldova-Ukraine border and bypass official checkpoints,” the blog post noted.

Cybercriminals Capitalizing on Resurgence in Travel

The Japanese-language Panchan botnet has been discovered stealing SSH keys from Linux servers across Asia, Europe, and North America, with a focus on telecom and education providers.

A peer-to-peer (P2P) botnet and worm called Panchan has been actively breaching Linux servers and harvesting Secure Shell (SSH) keys to perform lateral movement — at times brute-forcing credentials.

That's according to researchers from Akamai, who discovered the botnet in late March. Written in Golang, it parses local SSH private keys and known hosts on each victim (using a static dictionary), then uses them to spread itself further.

While it could use the botnet for anything, Panchan is focused on a cryptojacking endgame for now. 

"It is mostly a cryptojacker, so I don't think it's that dangerous. But it is unique," Akamai researcher Stiv Kupchik says. "P2P communication is not that common in malware, and the SSH key harvesting also seems pretty novel. Also, I don't think I've ever seen a Japanese threat actor."

The malware is believed to have Japanese origins (it's name is a possible reference to Panchan Rina, the Japanese kickboxer), and focuses on attacking telecommunications education providers in Asia, Europe, and North America.

From Kupchik's perspective, education was likely a highly targeted vertical because of the SSH-key harvesting aspect of the botnet.

"I have seen some victim institutes that were in the same country, or very close geographically," he says. “I think that academic collaborations between institutes might yield a higher percentage of shared SSH keys than in other verticals, so maybe that is the reason."

**Unique Botnet Features**

The malware — which deploys two miners, XMrig and nbhash, has a handful of unique technical features, according to the Akamai researchers. For one, it uses NiceHash for its mining pools and wallets. Because Nicehash is a regular wallet (using certain defined Bitcoin addresses for deposits) and not a blockchain wallet, Akamai was unable to see transaction and mining details to estimate the actual revenue that Panchan has earned.

Further, to hamper traceability, the cryptominers are dropped as memory-mapped files without any disk presence, and the cryptomining can be terminated if any process monitoring is detected. 

There's also a "godmode" feature baked into the malware, in the form of an admin panel that can edit the mining configuration — another unique feature of Panchan, according to the firm.  

**Defeating Panchan**

Because the malware uses a basic list of default passwords to spread, Kupchik says one of the key steps security teams can take to stop the malware in its tracks is through password hardening.

"The dictionary that the malware uses to spread is extremely basic, so any non-default password should help thwart it," he explains. “Segmentation and access control can help mitigate the SSH key harvesting risk, and MFA can help as well."

He adds that Akamai has published indicators of compromise, queries, signatures, and scripts that organizations can use to test for infection.

The report also recommends continuous monitoring of virtual machine resources. Monitoring could alert security teams to suspicious activity since botnets focused on cryptojacking can raise machine resource usage to abnormal levels.

"In the case of Panchan, resource usage monitoring would have also terminated the cryptomining entirely," according to the report.

Wormable Panchan Peer-to-Peer Botnet Harvests Linux Server Keys

Organizations that can break out of siloed data and apply context can transform intelligence into actionable, relevant security knowledge.

For organizations struggling to defend against today's onslaught of cyberattacks, data can be both a blessing and a curse. Companies rely on data they get from outside sources, such as Cybersecurity and Infrastructure Security Agency (CISA) alerts, vendors, and threat intelligence feeds. However, all that information can be overwhelming if you don't know how to use it. Meanwhile, companies often overlook important data that resides inside their own environments.

To use threat intelligence effectively, you first need to understand what's happening inside your own environment and how your employees use network resources. With this context, you can interpret, tailor, and apply threat intelligence in a way that is specific and unique to your organization. This bespoke baseline enables you to identify anomalies in your environment and the issues they pose. All the outside threat data in the world won't help you if you don't know what your internal systems are supposed to be doing.

In general, there is too much reliance on products to solve our security problems. Security teams have become consumers of security alerts, not practitioners of security craftsmanship. As security professionals, it's not our job to stare at the great and powerful Oz but to look behind the curtain.

For example, antivirus and endpoint detection and response (EDR) tools help security teams reduce the noise of logs, keep an eye on endpoints, and identify known threats, but they won't identify all the threats in your environment. Relying on traditional tools alone is practically a guarantee of failure. Sophisticated attackers reverse engineer the same tools you rely on to protect your systems. They know how those tools work, what their capabilities are, and what their weaknesses are. Why should the attacker know more about your systems than your security team does?

**Three Tips**

Use these tips for turning your threat intel into security knowledge:

1\. **Use multiple sources of data.** By all means, take advantage of threat intel feeds and CISA alerts, but know their limitations. Threat intel feeds have limited types of information — tactics, techniques, IP addresses, domain names, or file hashes — and by the time you get the alerts, the information can be months old. New information needs to be leveraged against not only the way your systems are today but the way they were in the past. By being able to view insights across time, you achieve a new level of security awareness and confidence in your continuous security integrity.

2\. **Make the data actionable.** Security professionals often don't see threat intel as valuable because it typically lacks context. A list of IP addresses is just data if you don't understand why (and when) the addresses are considered bad. Organizations often subscribe to more than a dozen feeds, which means they will get potentially millions of pieces of information daily. The majority of this information will either lead to false positives or be irrelevant to the organization's business. The cost of this is twofold. First, there is the cost of using this information in your security gear. Imagine trying to match millions of indicators of compromise against log volume from EDR, network detection and response, and intrusion detection systems. There is also a cost associated with dealing with those red herrings.

The best solution is to consider threat intel obtained from third parties as a springboard for analysis, not the end result. For example, a feed may indicate that a file with a particular MD5 hash is malicious. While your systems may not have that exact file on them, they could have variants that are unknown to the feed provider. Understanding the similarities and connections of what exists in your environment and how far removed they are from data in threat intel feeds is the next evolutionary step in becoming a true security practitioner.

3**. Adopt a security knowledge mindset.** Threat intel is not something you have, it's something you do. Don't blindly buy a security product just because it's there; understand how it works and what its limitations are. Ask yourself the question, "How might an attacker evade it?" Security consumers would never ask questions like that, while practitioners engage across teams and functions. They break through team-siloed thinking and facilitate bidirectional sharing of knowledge. What one incident responder may attribute to "strange activity" might shed light on an active threat research case.

Functional walls around security operations center (SOC), incident response, and research teams interfere with effective communication and information sharing. All three should feed information to each other in real time. They use different tools. For example, SOCs use SIEMs, IR uses forensic tools, threat intel folks use threat intel platforms. Executives need to formalize an operational structure that breaks down the silos and reduces tool fragmentation that prohibits security knowledge between teams.

**Conclusion**

Threat intel is a good thing, but if you're locked in a silo, its effectiveness is diminished. If you can break out of the silos and apply context, intelligence can be transformed into actionable security knowledge that's specific to your organization. And to make it happen, a top-down appreciation of the value of this is required from the CEO and board of directors all the way through to the security practitioners.

Why We Need Security Knowledge and Not Just Threat Intel

Username and password combinations offered for sale on the Dark Web by criminals has increased 65% since 2020.

Passwordless technology may be one of the most hyped categories in cybersecurity at the moment, but the reality on the ground is that passwords are still widely entrenched — and wildly insecure. Some 24.6 billion complete sets of usernames and passwords are currently in circulation in cybercriminal marketplaces as of this year, a report has found.

That’s four complete sets of credentials for every person on Earth and a 65% increase since the last time this study was conducted, in 2020.

The report from the Digital Shadows Photon Research team, "Account Takeover in 2022," shows that cybercriminals continue to profit handsomely from this reality with a record-breaking wave of credential thefts, account takeover attacks (ATO), and black-market sales of access to victim accounts.  

Within the data set of credentials on the Dark Web, approximately 6.7 billion of the offerings had a unique pairing of username and password, indicating that the combination was not duplicated across databases. That's 1.7 billion more than what researchers found in 2020. The report shows that the markets selling these credentials are robust and sophisticated, with several subscription services emerging to offer criminal premium services for purchasing them. 

**'Endless List' of Breached Data**

Further bad news for security folks is that many of the passwords examined in these stolen data stores were not very secure in the first place.

“Criminals have an endless list of breached credentials they can try, but adding to this problem is weak passwords, which means many accounts can be guessed using automated tools in just seconds,” says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

To wit: Nearly one in every 200 passwords found in the credentials offered for sale by criminals is 123456. Of the 50 most commonly used passwords in those collated for the report, 49 can be cracked in less than one second using tools also commonly available in underground forums. So whether a criminal buyer purchases a list of stolen credentials or a password cracker, accounts using only these credentials are extremely vulnerable to attack.

**Passwordless to the Rescue?**

This is just one in a multitude of reasons why security advocates and technology-standards organizations have been pushing so hard for more usable passwordless technology across the globe. According to a recent Dark Reading report, only 26% of IT decision-makers said they work in a passwordless organization, and 87% admitted they had at least one credential category that still depended on passwords. 

The most common systems they wished they could authenticate without passwords were workstation logins, legacy enterprise applications, and cloud applications. And those numbers primarily focus on business accounts without considering the even more thorny problem of consumer authentication, for everything from bank accounts to software subscription services.

One of the biggest pushes for passwordless authentication comes by way of the FIDO Alliance, which for more than a decade has been publishing standards for high-assurance authentication mechanisms to kick passwords to the curb. 

Earlier this year, the Fido Alliance acknowledged “we haven’t attained large-scale adoption of FIDO-based authentication in the consumer space” in its unveiling of a vision for multidevice FIDO credentials to be used in consumer use cases — important in the era of remote working from personal devices. These passkeys are more secure than passwords and are designed to make logins easier across mobile devices and desktops. In May, Apple, Google, and Microsoft reported that they’re going implement support for these standards in their platforms.

But in the meantime, Morgan explains that organizations can’t afford to ignore the ever-growing issue of stolen and trafficked credentials used for ATO.

“We will move to a passwordless future, but for now the issue of breached credentials is out of control,” says Morgan. “In just the last 18 months, we have alerted our clients to 6.7 million exposed credentials. This includes the username and passwords of their staff, customers, servers, and IoT devices. Many of these instances could have been mitigated through using stronger passwords and not sharing credentials across different accounts.”

24+ Billion Credentials Circulating on the Dark Web in 2022 — So Far

Here's a rundown of Dark Reading's reporting and commentary from and surrounding the first in-person RSA Conference since the pandemic began in 2020.

RSA Conference 2022 — If you didn't make the trip to San Francisco last week for the RSA Conference or were too busy watching the Golden State Warriors battle the Boston Celtics in the NBA Finals, Dark Reading has you covered. Here's a compilation of our news analysis and commentary before, during, and after the show:

Beware the 'Secret Agent' Cloud Middleware

New open source database details the software that cloud service providers typically silently install on enterprises' virtual machines — often unbeknownst to customers.

How 4 Young Musicians Hacked Sheet Music to Help Fight the Cold War  
In 1985, a group of klezmer musicians from the US rendezvoused with underground dissidents in Tbilisi, Georgia. This is the story of how they pulled it off with homebrew cryptography.

An Emerging Threat: Attacking 5G via Network Slices

A successful attack against 5G networks could disrupt critical infrastructure, manipulate sensor data, or even cause physical harm to humans.

In a Quickly Evolving Landscape, CISOs Shift Their 2022 Priorities

Cloud migration, DevSecOps, cyber insurance, and more have emerged as important motivators for cybersecurity investment and focus.

Why AIs Will Become Hackers

At a 2022 RSA Conference keynote, technologist Bruce Schneier asserted that artificial intelligence agents will start to hack human systems — and what that will mean for us.

Meet the 10 Finalists in the RSA Conference Innovation Sandbox

This year's finalists tackle such vital security concerns as permissions management, software supply chain vulnerability, and data governance.

Talon Grasps Victory at a Jubilant RSAC Innovation Sandbox

Spirits were high at the return of the in-person contest, which kicked off by bringing last year's virtual event winner on stage.

RSAC Startup Competition Focuses on Post-Cloud IT Infrastructure

A secure Web browser takes the top prize, and for the second year in a row malware detection is an afterthought.

Now Is the Time to Plan for Post-Quantum Cryptography

Panelists from an RSA Conference keynote agreed that organizations need to begin work on PQC migration, if they haven't already.

Mandia: Keep 'Shields Up' to Survive the Current Escalation of Cyberattacks

As Mandiant CEO Kevin Mandia's company prepares to become part of Google, the incident response company continues to investigate many of the most critical cyber incidents.

RSAC Opens With Message of Transformation

Cybersecurity needs to shift its thinking ahead of the next disruption, RSA's CEO said during the opening 2022 conference keynote.

Ransomware's ROI Retreat Will Drive More BEC Attacks

Crackdowns are driving down ransomware profits, and analysts see signs that operators are pivoting to business email compromise attacks, security researcher warned.

Communication Is Key to CISO Success

A panel of CISOs at the RSA Conference outlined what a successful first 90-day plan looks like, and it boiled down to effective communication and listening.

IBM to Buy Attack Surface-Management Firm Randori

Randori's attack-surface management software will be integrated into IBM Security QRadar extended detection and response (XDR) features.

The CISO Shortlist: Top Priorities at RSAC 2022

The buzz on the show floor during RSA Conference is about aligning the organization's security priorities with the right technology. Will Lin, managing director and founding member at Forgepoint Capital, weighs in on the biggest security priorities for 2022 — and what kind of tech senior-level executives are looking for.

Data Transformation: 3 Sessions to Attend at RSAC 2022

Three RSAC 2022 sessions take deep dives into the security considerations around data cloud transformation.

MITRE Creates Framework for Supply Chain Security

System of Trust includes data-driven metrics for evaluating the integrity of software, services, and suppliers.

5 Years That Altered the Ransomware Landscape

WannaCry continues to be a reminder of the challenges that organizations face dealing with the ransomware threat.

In Case You Missed RSA Conference 2022: A News Digest

Here are which Microsoft patches to prioritize among the June Patch Tuesday batch.

Microsoft today issued a patch for the recently disclosed and widely exploited "Follina" zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) as part of its scheduled security update for June.

The patch is among the more significant of the 60 security updates that the company released in total today to address vulnerabilities across its product portfolio. Microsoft assessed three of the bugs as being of critical severity: CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS); CVE-2022-30163, an RCE in Windows Hyper-V; and CVE-2022-30139, a remote code execution flaw in the Windows Lightweight Access Protocol.

Microsoft assessed most of the other vulnerabilities — including many remote code execution bugs — as "important."

Affected products included Windows, Office, Edge, Visual Studio, Windows Defender, SharePoint Server, and the Windows Lightweight Directory Access Protocol.

**Fix for Follina Flaw**

Security experts identified the patch for the Follina vulnerability (CVE-2022-30190) as a priority due to how actively the bug is being exploited in the wild. The MSDT bug — disclosed on May 30 — basically gives attackers a trivially easy way to execute code remotely via Office documents, even when macros are disabled. Microsoft has warned of the vulnerability allowing attackers to view or delete data, install programs, and create new accounts on compromised systems. Cyberattacks exploiting the flaw were reported at least one month prior to Microsoft’s May 30 announcement and have since then grown, fueled by the public availability of exploit code.

Andy Gill, senior security consultant at Lares Consulting, says Microsoft's new patch for Follina prevents code injection. However, exploit code will still launch msdt.exe, he says. "Therefore, while the main risk of code execution is mitigated the software is still launched," he says.

Johannes Ullrich, dean of research at the SANS Institute, says it's a good idea therefore for organizations to keep Microsoft’s recommended mitigations for the flaw in place even after they install the MSDT update. "Users applying the monthly rollup will be protected but need to realize that the patch fixed the code injection vulnerability in msdt.exe. The diagnostic tool itself will still launch if a user opens an affected document.

"Follina has been actively exploited for a couple weeks now," Ullrich says. "\[Microsoft's\] workaround, will prevent msdt.exe from launching \[and\] should probably stay in place if it doesn't cause any problems."

**Three Critical Flaws to Patch Now**

In a blog post, Dustin Childs, communications manager at Trend Micro’s Zero Day Initiative, described the critical CVE-2022-30136 vulnerability as “eerily similar” to an NFS bug that Microsoft patched last month (CVE-2022-26937) that allows attackers to execute privileged code on vulnerable systems. Attackers can exploit the flaw by sending specially crafted RPC calls to a vulnerable server, according to ZDI. The only apparent difference in the patches is that this month's update fixes the bug in NFS V4.1, while last month's update pertained to two older NFS versions, he said.

"It's not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix," Childs said.

Ullrich says this marks the third month in a row where Microsoft has issued an update to address a critical security vulnerability in NFS. "But the component is not enabled by default and so far, we do not see any exploits for these vulnerabilities," he says.

The remote code execution vulnerability in Windows Hyper-V (CVE-2022-30163) is another patch to apply ASAP, security researchers said. Kevin Breen, director of cyber threat research at Immersive, identified it as a vulnerability that is likely going to be of high value to attackers if a method for easily exploiting it is discovered. The flaw basically gives attackers a way to move from a guest virtual machine to the host in order to access all running VM machines on that system. However, exploiting the flaw — at least presently — is complex and requires the attacker to win an unspecific race condition, Breen said in emailed comments.

Meanwhile, the third critical flaw (CVE-2022-30139) is one of seven LDAP flaws that Microsoft patched this month. Though the flaw is difficult to exploit, it is one in a growing number of security issues uncovered in the directory technology. In May, for instance, Microsoft issued patches for 10 LDAP flaws, Childs said. The volume of LDAP bugs in recent months makes LDAP an attractive attack target for threat actors, he noted.

Childs also cited CVE-2022-30148, an information disclosure vulnerability in the Windows Desired State Configuration feature. The flaw is important because attackers could use it to — among other things — recover usernames and plaintext passwords from log file. "Since DSC is often used by SysAdmins to maintain machine configurations in an enterprise, they are likely some sought-after username/password combos that could be recovered," Childs wrote. The bug also facilitates lateral movement so organization using DSC need to implement Microsoft's fix for it, he said.

**'Dig a Bit Deeper'**

ZDI's analysis shows that more than half the vulnerabilities that Microsoft disclosed today are remote code execution issues. Twelve updates address elevation of privilege bugs, several of which require attackers to already have access on a system and run specially crafted code.

Breen, meanwhile, identified several other vulnerabilities organizations should address. These include two remote execution flaws in Microsoft SharePoint Server (CVE-2022-30157 and CVE-2022-30158) that enable data theft, replace documents with malicious ones, and carry out other malicious activities. Also important in the June roundup is CVE-2022-30147, a local privilege escalation flaw in Windows Installer, which Microsoft has assigned a severity rating of 7.8. That rating belies the danger these kinds of flaws present because threat actors almost always use them in attacks, Breen said.

Chris Goettl, senior director of product management at Ivanti, advises organizations to pay attention to CVE-2022-26925, a spoofing vulnerability in the Windows LSA function for enforcing security policies. The vulnerability gives attackers a way to authenticate to domain controllers and impacts all Windows servers. Microsoft has recommended that organizations prioritize domain controllers when applying the security update.

The vulnerability has been publicly disclosed and vulnerabilities for it have been detected in the wild, Goettl says. 

"The vulnerability by itself is only rated as Important by Microsoft, and the exploit code maturity is listed as unproven," Goettl says. "But dig a bit deeper and the vulnerability is much more threatening. The vulnerability has been detected in attacks, so while code samples available publicly may be unproven, there are working exploits being used."

Goettl also recommends that organizations review Microsoft's FAQ for the scheduled retirement of Internet Explorer 11 desktop app on June 15, right after Patch Tuesday.

The FAQ answers many questions on what organizations can expect when the IE11 application will be disabled, and how that affects different versions of Windows including the LTSC enterprise edition of Windows, It also offers details on configuring IE mode in the Microsoft Edge browser to support legacy applications that require IE11, and more, Goettl says.

Microsoft Patches 'Follina' Zero-Day Flaw in Monthly Security Update

The distributed denial-as-a-service websites were behind more than 200K attacks on targets including schools and hospitals.

The operator of a distributed denial-of-service (DDoS) attack business was sentenced to two years in federal prison after being found guilty of conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer.

Matthew Gatrel offered DDoS attacks as a service on sites including DownThem.org and AmpNode.com, along with what was billed as "bulletproof" hosting. The sites offered subscription plans with varying degrees of attack capacity, power, and durations, according to the US Attorney's Office in the Central District of California, which prosecuted the case. 

Records show Gatrel's services were behind more than 200,000 attacks on victims that included homes, schools, universities, local and municipal governments, and financial institutions. 

"Gatrel ran a criminal enterprise designed around launching hundreds of thousands of cyber-attacks on behalf of hundreds of customers," prosecutors explained in court documents. “He also provided infrastructure and resources for other cybercriminals to run their own businesses launching these same kinds of attacks. These attacks victimized wide swaths of American society and compromised computers around the world.”

Gatrel's co-defendant, California resident Juan Martinez, pleaded guilty to participating in the cybercrime and was sentenced to five years' probation, the US Attorney's office said. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading