The attack on Israeli organizations is the latest in a long line of attempts to compromise supply chains, as the APT looks to leverage that access to target a multitude of potential victims.

After detecting a Lebanese hacking group it calls Polonium abusing its OneDrive personal storage service, Microsoft says it was able to disable the group, which could have links to the Iranian government.

In its latest effort, the advanced persistent threat (APT) targeted more than 20 Israeli organizations and one intergovernmental organization. The Microsoft Threat Intelligence Center (MSTIC) says it suspended more than 20 malicious OneDrive applications created by Polonium actors in the campaign.

Among the targeted organizations were those involved in critical manufacturing, transportation systems, financial services, IT, and Israel’s defense industry, the software giant says – all of which offer an avenue to carry out downstream supply chain attacks.

"In at least one case, Polonium’s compromise of an IT company was used to target a downstream aviation company and law firm in a supply-chain attack that relied on service provider credentials to gain access to the targeted networks," according to MSTIC. "Multiple manufacturing companies they targeted also serve Israel’s defense industry, indicating a Polonium tactic that follows an increasing trend by many actors, including among several Iranian groups, of targeting service provider access to gain downstream access."

**Polonium's Infection Routine**

In 80% of the observed cases, the group exploited a flaw in Fortinet VPN appliances (likely via CVE-2018-13379 vulnerability) to gain initial access. Then they installed a custom PowerShell implant called CreepySnail on the target networks, according to Microsoft. From there, the actors deployed a set of tools named CreepyDrive and CreepyBox to abuse legitimate cloud services for command-and-control (C2) across most of their victims. 

MSTIC says with “moderate confidence” that the attacks were likely carried out with help from Iran’s Ministry of Intelligence and Security (MOIS).

"The observed activity was coordinated with other actors affiliated with Iran's \[MOIS\], based primarily on victim overlap and commonality of tools and techniques," the MSTIC assessment states. “The tactic of leveraging IT products and service providers to gain access to downstream customers remains a favorite of Iranian actors and their proxies.”

**Cyber Operations in Support of State Objectives**

Sherrod DeGrippo, Proofpoint’s vice president of threat research and detection, explains that Iran, specifically MOIS, uses a variety of organizations and affiliates to conduct cyber operations in support of Iranian government interests.

“This activity, which spans the spectrum of state responsibility, mirrors Iran’s material support to various organizations,” she says.

From DeGrippo’s perspective, this report demonstrates another example of how Iran and Israel are engaged in cyber conflict and comes amid rising gray zone tensions between Iran and its adversaries.

In March 2021, for example, Proofpoint reported on how the Iran-aligned threat actor TA453 had targeted Israeli and American medical researchers in late 2020. TA453 has historically aligned with Islamic Revolutionary Guard Corps (IRGC) priorities, targeting dissidents, academics, diplomats, and journalists.

“While this campaign may have been a one-off requirement, TA453 targeting Israeli organizations and individuals is consistent with these ever-increasing geopolitical tensions between the two countries,” she noted.

**Defense Should Focus on Authentication Activity**

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation, says that while knowing Polonium’s exact motivation is impossible, given the known animosity between the states involved, it’s a “reasonably safe bet” they are trying to do as much damage to their targets as possible as part of a larger agenda.

“State and state-sponsored threat actors compound the problems presented by common cybercriminal groups,” he explains to Dark Reading. “Where criminals are typically after information for sale, data to hold for ransom, or resources to use for further attacks, state-level actors often have additional, much deeper motivations,” such as cyber-espionage or destructive attacks.

Because of the overlap in techniques and tools, it can be difficult to tell the two apart, which can complicate the matter for targeted organizations, he adds.

**Fending Off State-Sponsored Cyberattacks**

To thwart attacks like these, Microsoft advises that organizations should review all authentication activity throughout their remote access infrastructure and VPNs. A particular focus should be fixed on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.

Parkin points out that access and authentication logs can easily reveal suspicious activity and keep an attempted breach from turning into a newsworthy incident.

“There is an old saying from system administration about the uselessness of keeping logs that are never reviewed,” he says. “With access logs, regular reviews for suspicious activity should be happening regularly. If not, why keep them?”

In addition to patching known vulnerabilities, Proofpoint’s DeGrippo also notes that a basic best practice for defense is ensuring that all remote-access accounts are required to enable multifactor authentication (MFA).

“Those accounts that require only single-factor authentication do not have the protection MFA provides, allowing an attacker to successfully phish or social engineer a user’s password without encountering a secondary authentication,” she adds.

**VPNs: Taking a Page From Fancy Bear**

Phil Neray, vice president of cyber-defense strategy at CardinalOps, a threat coverage optimization company, tells Dark Reading that Russian threat actor Fancy Bear (aka APT28 and Strontium) also targeted VPNs on a large scale in 2018 with the VPNFilter campaign, which similarly targeted critical infrastructure.

MITRE ATT&CK categorizes this approach as T1133 External Remote Services, with recommended mitigations including creating security information and event management (SIEM) detection queries that examine authentication logs for unusual access patterns, windows of activity, and access outside of normal business hours.

“Exploiting vulnerable VPNs as the initial access point, as in this campaign, is also attractive since VPNs are Internet-exposed on one side and provide direct access to the victim network on the other,” Neray says. “We recommend ensuring your SIEM has specific detections for it, such as monitoring for suspicious logins.”

Microsoft Disables Iran-Linked Lebanese Hacking Group Polonium

An remote code execution (RCE) vulnerability in all versions of the popular Confluence collaboration platform can be abused in credential harvesting, cyber espionage, and network backdoor attacks.

UPDATE

A critical security vulnerability in Atlassian Confluence is under active attack, opening servers to full system takeover, security researchers warned.

The bug (CVE-2022-26134) is a command-injection issue that allows unauthenticated remote code execution (RCE), affecting all supported versions of Confluence Server and Confluence Data Center. According to a forensic investigation of two zero-day attacks by Volexity, it can be exploited without needing credentials or user interaction, simply by sending a specially crafted Web request to the Confluence system.

No Atlassian Cloud sites have been impacted.

Confluence is a remote working and corporate workspace suite used for project management and collaboration among teams. As such, it houses sensitive data on projects, specific users, and potentially partners and customers; also, it tends to be integrated with other corporate resources, servers, and systems. A successful exploit would allow attackers to vacuum up data from the platform as well as pivot to burrowing deeper into an organization's network as a prelude to, say, a ransomware attack.

"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks," Volexity researchers noted.

Researchers have advised administrators to remove external access to their Confluence servers immediately until patches have been applied. In the meantime, Atlassian confirmed in its advisory that has rushed a fix, with patches rolling out towards the close of business ET on June 3.

A spokesperson told Dark Reading that the company has "contacted all potentially vulnerable customers directly to notify them of the fix."

**Zero-Day Atlassian Confluence Attacks**

During its investigation, Volexity followed the path of attackers in two instances, which was the same in both. To start, the culprits exploited the vulnerability to create an interactive webshell (by writing a malicious class file in memory), which gave them persistent backdoor access to the server without having to write anything to disk.

After that, the firm observed that the threat actors dropped the Behinder implant on the server, which is an open source tool for creating flexible memory-only webshells. It also allows integration with Meterpreter and Cobalt Strike, two tools that are most often used for lateral movement. Meterpreter allows users to fetch various Metasploit modules (i.e., working exploits for known bugs), while Cobalt Strike is a pen-testing tool that's often used by the bad guys to probe for and compromise new targets on the network.

Once Behinder was in place, Volexity found that the adversaries went on to install two additional webshells to disk: China Chopper and a custom file upload shell. China Chopper is a tool that's been around for a decade, which allows attackers to retain access to an infected Web server using a client-side application. The client contains all the logic required to control the target, which makes it very easy to use.

Once this basic infection setup was in place, the attackers ran several commands, including those aimed at reconnaissance (checking the operating system, looking for password repositories); stealing information and user tables from the local Confluence database; and altering Web access logs to remove evidence of exploitation, Volexity said.

While the firm detected two zero-day attacks, it's likely that the activity is more widespread. "Volexity has reason to believe this exploit is currently in use by multiple threat actors and that the likely country of origin of these attackers is China," researchers said.

**How to Prevent Confluence Compromise**

The best option beyond patching to prevent compromise is simply to disable Confluence Server and Confluence Data Center instances, remove all external access, or use IP address safelisting rules to restrict access to only trusted endpoints, researchers noted. Organizations can also add Java deserialization rules that defend against RCE injection vulnerabilities to their Web application firewalls (WAFs).

It's also important to uncover signs of any compromise, given that an infection can persist beyond patching.

"The presence of a webshell provides an attacker with the ability to maintain access to a compromised system even after a vulnerability like this one has been patched," notes Satnam Narang, senior staff research engineer at Tenable. "We observed the same following exploitation of the ProxyShell vulnerability last year, where attackers implanted webshells onto vulnerable Microsoft Exchange Server instances."

However, "these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities," Volexity pointed out.

Volexity researchers offered the following advice:

*   Ensure Internet-facing Web services have robust monitoring capabilities and log retention policies to assist in the event of an incident
*   Send relevant log files from Internet-facing web servers to a SIEM or Syslog server
*   Monitor child processes of Web application processes for suspicious processes (in this case, the Python shell is a good example of this)

If past is prologue, it's good to be vigilant on this one: Attackers see Confluence as a popular target, as shown by the mass exploitation of another RCE flaw last fall, in volumes that were large enough to trigger a CISA alert.

"While there are currently no exploitation details or proof-of-concept for this vulnerability, we know from history that attackers relish the opportunity to target Atlassian products like Confluence," Narang tells Dark Reading. "We strongly encourage organizations to review their mitigation options until patches are available."

Greg Fitzgerald, co-founder at Sevco Security, also cautions organizations to take proactive steps to generally prevent zero-day attacks.

“Organizations vulnerable to this exploit cannot simply sit back and assume that this will be resolved through their typical patch management process," he tells Dark Reading. "When Atlassian releases a patch, that will be the first step for most organizations. But while patching vulnerabilities works great for the systems that you know about, the vast majority of enterprises simply don’t know the entirety of their attack surface. This is because maintaining an accurate IT asset inventory in a dynamic environment is exceptionally difficult. Threat actors figured that out a long time ago and work around the clock to exploit it. The first step to combating threats like this one is to establish a continuously updated, accurate inventory of all enterprise assets to serve as a foundational control for your security program.”

**_This post was updated at 4:45 ET to reflect that the bug is no longer unpatched._**

Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover

If you want your IT and security administrators to get buried in trivial workloads and productivity bottlenecks, having poor network object management is a great way to accomplish that.

With needs around data privacy and application management changing rapidly, many businesses have yet to master the implementation of new security standards. The challenge becomes more complex when managing objects within a multivendor security network. Each vendor has its own management platform, which often forces network security admins to define objects multiple times, resulting in a counter-effect.

First, this can be an inefficient use of valuable resources and cause workload bottlenecks. Second, it creates naming inconsistency and introduces myriad unexpected errors, leading to security flaws and connectivity problems. This raises the question: Are businesses doing enough to ensure their network objects are synchronized in legacy and greenfield environments?

**What Is Network Object Management, and Why Should We Talk About It?**

If you want your IT and security administrators to get buried in trivial workloads and productivity bottlenecks, having poor network object management is a great way to achieve it. Inconsistent or incorrect naming of network objects can introduce a seemingly limitless number of problems for your organization, from connectivity woes to gaps in network security that you can't see. In this regard, poor network object management could actually be one of the biggest "insider threats" to an organization's overall cybersecurity efforts; if object names are incorrectly paired with a particular security policy due to inconsistent naming, everything will look fine on paper until a breach occurs, and even then it might be difficult to find the vulnerability.

This is why intelligent and proactive network object management is so crucial to a multicloud strategy. On a basic level, organizations might only need to name things such as servers, IP addresses, and groups of similar objects to which fairly simple security rules might be applied. But as an organization grows, it tends to end up with more network objects than it can count, sometimes running into the tens of thousands. Even a team of dedicated IT and security professionals wouldn't be able to monitor and update such a large number of objects, and mistakes due to avoidable human error would go through the roof. It's easy to see how things could go wrong with a manual or legacy approach to naming network objects — and they do.

**Why Network Object Management Is More Important With a Multicloud Approach**

For network security policies to work effectively, so-called "objects" on the network, such as servers or groups of IP addresses, need to be named so they can be included in the policies applicable to them. One of the biggest challenges that emerges with multicloud solutions is that businesses typically end up using network traffic-filtering solutions from multiple cloud vendors. Each solution will usually have its own vendor-specific platform, forcing network and security administrators to define the objects on their network multiple times. Not only does this waste a lot of time that could be spent elsewhere in the business, but it can lead to costly errors and security gaps.

Furthermore, this opens the door to another problem — that is, name duplication. On a small scale, this is quite easily rectified by a team that knows what to look for. But for bigger organizations, name duplication can spiral into a much larger problem. It's not uncommon for two copies of the same name to end up with two distinctly separate definitions.

For instance, let's say we have a group of database servers containing three IP addresses that we name "DB1" and the relevant security policy is applied. Then somebody takes the "DB1" name and uses it to define data servers in another network environment, this time containing only two IP addresses. In this example, the security policy rule using the name "DB1" would look fine to even a well-trained eye because the names and definitions it contained would seem identical. But we're now in a situation where one of these groups would apply to two IP addresses rather than three, and that will cause more problems the more the definition is used.

**Best Practices**

It's always good to have a set of maintenance guidelines that can help you achieve a higher standard of cyber hygiene. To help you get there, below are some general best practices that can serve as your cleanup checklist for network object management.

*   Remove duplicate objects.
*   Delete expired and unused rules and objects.
*   Break up long rule sections into readable chunks.
*   Enforce object naming conventions.
*   Delete old and unused policies.
*   Document rules, objects and policy revisions.

**The Takeaway**

Network object management might not be big or exciting, but it's fundamental to the safe and secure running of multicloud network environments. If a business achieves 100% accuracy in its approach to network object management, perhaps by leveraging automation and monitoring tools, there's very little reason it can't go on to achieve 100% network performance and efficiency.

Why Network Object Management Is Critical for Managing Multicloud Network Security

Someone interested in putting together a ransomware campaign has to consider several factors. The LockBit group touts its speed over competing families to attract potential buyers for its ransowmare-as-a-service.

Recent research has suggested that modern ransomware operations run much like legitimate businesses. Both have a management structure, different teams specializing in different aspects of the operation, and they outsource work when necessary. Many ransomware crews even have a PR team to draw attention to their latest victims and success stories. Recent research from Splunk suggests some groups are branching out into marketing, as well.

Earlier this year, the LockBit group posted a table listing encryption speeds for more than 30 ransomware families, highlighting the fact that LockBit 2.0 was the fastest. Measuring how long different ransomware takes to encrypt the files in victim environments is an interesting exercise from a technical perspective, but for LockBit, it was a marketing ploy to attract potential customers for its ransomware-as-a-service (RaaS) offering, says Shannon Davis, staff security strategist on Splunk’s SURGe research team.

The barrier to entry to launch a ransomware campaign is much lower, thanks to the availability of RaaS. LockBit and other “service providers” need to attract people who want to use the tool. By listing the encryption speeds on its site, LockBit is telling customers, “We are fast, use us, we are better,” Davis says.

Davis attempted to verify LockBit’s tests and claims about being the fastest. While Davis found that LockBit was faster than other ransomware families, there were some notable differences. For example, the “latest and greatest” version, LockBit 2.0, was actually slower at encrypting files than the original LockBit 1.0. And Splunk found that PwndLocker was the second fastest – though the LockBit group had ranked it 15th out of 30.

The 10 fastest families include some very well-known names. Conti, which has been in the headlines recently, was the fourth fastest in Splunk’s tests, while LockBit placed it 19th.

There is no way to tell whether the LockBit group fudged the numbers a bit to make certain groups look worse in the analysis than they actually performed, but Davis acknowledges that there are rivalries between crews as they go “head-to-head” competing for victims. The difference in results is most likely because of differences in testing methodologies, he says.

**We Aren’t That Fast**

While the rankings themselves are interesting (and good for ransomware marketing), security teams should note just how quickly ransomware performs its job. LockBit 1.0 takes 2.33 _minutes._ Conti takes a little over a minute longer, at 3.6 minutes.

“This is faster than any network defender can handle,” says Ryan Kovar, distinguished security strategist and leader of Splunk’s SURGe research team.

    

Encryption speeds for the 15 fastest ransomware families. The full list is available on Splunk's blog.

While the slowest, Avos, takes 132 minutes – or a little over two hours – the median is about 23 minutes. That’s still much faster than many organizations can act. Enterprise defense can’t “win” during the encryption phase, so their best chance for foiling a ransomware attack is to detect the intrusion before the encryption process kicks off, Kovar says.

Mandiant’s "M-Trends 2022" report notes that ransomware families tend to spend three to five days in the victim environment collecting information before kicking off the encryption process.

“We are not going to beat \[them\] in three minutes. We need more time,” Kovar says. “We need to be acting during those three to five days.”

Back to marketing, people often underestimate the extent to which ransomware is run like a business, Kovar says. Someone analyzed and measured the encryption speeds, but more than that, someone spent the time to create a graphic and put together a post discussing its research – and Kovar notes that all of this takes many hours to do. The fact that a ransomware crew has “top-tier marketing” and is thinking in terms of “value add” shows ransomware’s maturity, Kovar says.

“APT28 doesn’t have a marketing guy,” Kovar says.

For Ransomware, Speed Matters

U.S. cybersecurity services firm expands security and identity management services with woman-owned business.

Scottsdale, Ariz., June 02, 2022 -- Cerberus Cyber Sentinel Corporation (NASDAQ: CISO), a cybersecurity consulting and managed services firm based in Scottsdale, Ariz., announced that it has completed the acquisition of Creatrix, Inc., a woman-owned cybersecurity and information technology company based in Tennessee and Maryland.

Under the terms of the agreement, Creatrix will become a wholly owned subsidiary of Cerberus Sentinel. The company was co-founded by Anna Fleeman, founder and managing director, and Sami Elhini, co-founder and president. Creatrix is recognized for its expertise in identity management as well as systems integration and software engineering, and it specializes in biometrics, vetting, credentialing, and case management.

"Creatrix is a great fit for us at Cerberus Sentinel, as we both ascribe to creating a culture of cybersecurity for our customers," said David Jemmett, CEO and founder, Cerberus Sentinel. "We welcome co-founders Anna Fleeman and Sami Elhini and their team members, who all will become Cerberus Sentinel stakeholders. This is an innovative organization that collaborates with customers to secure their operations. Their expertise pairs very well with that of our extended Cerberus Sentinel team."

“Creatrix is honored to join Cerberus Sentinel,” said Elhini. “We believe our shared vision creates great and immediate value for our customers and shareholders. Through expanded service delivery capacities and future innovation, we will be better able to address the identity and security challenges of businesses and organizations in a rapidly changing world.”

**About Cerberus Sentinel**

Cerberus Sentinel is an industry leader in managed cybersecurity and compliance (MCCP) services with its exclusive MCCP+ managed compliance and cybersecurity services plus culture program. The company is rapidly expanding by acquiring world-class cybersecurity, secured managed services, and compliance companies with top-tier talent that utilize the latest technology to create innovative solutions to protect the most demanding businesses and government organizations against continuing and emerging security threats and compliance obligations.

**Safe Harbor Statement**

This news release contains certain statements that may be deemed to be forward-looking statements under federal securities laws, and we intend that such forward-looking statements be subject to the safe-harbor created thereby. Such forward-looking statements include, among others, our belief that Creatrix is a great fit for Cerberus, as we both ascribe to creating a culture of cybersecurity for our customers; our belief that Creatrix is an innovative organization that collaborates with customers to secure their operations; our belief that Creatrix’s expertise pairs very well with that of our extended Cerberus Sentinel team; the belief that the Creatrix and Cerberus Sentinel shared vision creates great and immediate value for customers and shareholders; and the belief that through expanded service delivery capacities and future innovation, we will be better able to address the identity and security challenges of businesses and organizations in a rapidly changing world. These statements are often, but not always, made through the use of words or phrases such as "believes," "expects," "anticipates," "intends," "estimates," “predict,” "plan," “project,” “continuing,” “ongoing,” “potential,” “opportunity,” "will," "may," "look forward," "intend," "guidance," "future" or similar words or phrases. These statements reflect our current views, expectations, and beliefs concerning future events and are subject to substantial risks, uncertainties, and other factors that could cause actual results to differ materially from those reflected by such forward-looking statements. Such factors include, among others, risks related to our ability to raise capital; our ability to increase revenue and cash flow and become profitable; our ability to recruit and retain key talent; our ability to identify and consummate acquisitions; our ability to acquire, attract, and retain clients; and other risks detailed from time to time in the reports filed with the Securities and Exchange Commission, including the Annual Report on Form 10-K for the fiscal year ended December 31, 2021. You should not place undue reliance on any forward-looking statements, which speak only as of the date they are made. Except as required by law, we assume no obligation and do not intend to update any forward-looking statements, whether as a result of new information, future developments, or otherwise.

Cerberus Sentinel Completes Acquisition of Creatrix, Inc.

79% of CISOs say continuous runtime vulnerability management is an essential capability to keep up with the expanding complexity of modern multi-cloud environments.

WALTHAM, Mass.--(BUSINESS WIRE)--Software intelligence company Dynatrace (NYSE: DT) announced today the findings of an independent global survey of 1,300 chief information security officers (CISOs) in large-size organizations. The research reveals that the speed and complexity created by using multicloud environments, multiple coding languages, and open source software libraries are making vulnerability management more difficult. 75% of CISOs say that despite having a multi-layered security posture, persistent coverage gaps allow vulnerabilities into production. This highlights the growing need for observability and security to converge, paving the way toward AISecDevOps practices. This will empower organizations with a more effective way of managing vulnerabilities at runtime, and the ability to detect and block attacks in real time. The complimentary report, _Observability and security must converge to enable effective vulnerability management_, is available for download.

Findings from the research include:

*   69% of CISOs say vulnerability management has become more difficult as the need to accelerate digital transformation has increased.
*   More than three-quarters (79%) of CISOs say that automatic, continuous runtime vulnerability management is key to filling the gap in the capabilities of existing security solutions. However, just 4% of organizations have real-time visibility into runtime vulnerabilities in containerized production environments.
*   Only 25% of security teams can access a fully accurate, continuously updated report of every application and code library running in production in real time.

“These findings underscore that there are always opportunities for vulnerabilities to slip past security teams, regardless of how robust their defenses might be. Both new applications and stable legacy software are prone to vulnerabilities that are more reliably detected in production. Log4Shell was the poster child for this problem, and there will undoubtedly be other scenarios like it in the future,” said Bernd Greifeneder, Chief Technology Officer at Dynatrace. “It’s also clear that most organizations still lack real-time visibility into runtime vulnerabilities. The problem stems from the growing use of cloud-native delivery practices, which enable greater business agility, but also introduce new complexity for vulnerability management, attack detection, and blocking. The rapid pace of digital transformation means that already overstretched teams are bombarded by thousands of security alerts that make it impossible to see through the noise and focus on what matters. Teams find it impossible to respond manually to every alert, and organizations are exposed to unnecessary risk by allowing vulnerabilities to escape into production.”

Additional findings include:

*   On average, organizations receive 2,027 alerts of potential application security vulnerabilities each month.
*   Less than a third (32%) of the application security vulnerability alerts organizations receive each day require action, compared to 42% last year.
*   On average, application security teams waste 28% of their time on vulnerability management tasks that could be automated.

“Organizations realize that to manage vulnerabilities in the cloud-native era effectively, security must become a shared responsibility. The convergence of observability and security is critical to providing development, operations, and security teams with the context needed to understand how their applications are connected, where the vulnerabilities lie, and which need to be prioritized. This accelerates risk management and incident response,” continued Greifeneder. “To be truly effective, organizations should look for solutions that have AI and automation capabilities at their core, enabling AISecDevOps. These solutions empower their teams to quickly identify and prioritize vulnerabilities at runtime, block attacks in real time, and remediate software flaws before they can be exploited. This means teams can stop wasting time in war rooms or chasing false positives and potential vulnerabilities that will never make it into production. Instead, they confidently deliver better, more secure software faster.”

The report is based on a global survey of 1,300 CISOs in large-size organizations with more than 1,000 employees, conducted by Coleman Parkes and commissioned by Dynatrace in April 2022. The sample included 200 respondents in the U.S., 100 each in the UK, France, Germany, Spain, Italy, the Nordics, the Middle East, Australia, and India, and 50 each in Singapore, Malaysia, Brazil, and Mexico.

**About Dynatrace**

Dynatrace (NYSE: DT) exists to make the world’s software work perfectly. Our unified software intelligence platform combines broad and deep observability and continuous runtime application security with the most advanced AIOps to provide answers and intelligent automation from data at an enormous scale. This enables innovators to modernize and automate cloud operations, deliver software faster and more securely, and ensure flawless digital experiences. That is why the world’s largest organizations trust the Dynatrace® platform to accelerate digital transformation.

Curious to see how you can simplify your cloud and maximize the impact of your digital teams? Let us show you. Sign up for a free 15-day Dynatrace trial.

Research Reveals 75% of CISOs Are Worried Too Many Application Vulnerabilities Leak Into Production, Despite a Multi-Layered Security Approach

Conti threat actors are betting chipset firmware is updated less frequently than other software — and winning big, analysts say.

Leaked communications from within the Conti threat group reveal the Moscow-backed cybercrime group has honed its firmware attack skills and is actively targeting Intel Management Engine (ME), a microcontroller inside many iterations of the modern Intel chipset, according to a new report.

The analysis, from Eclypsium, notes that Intel chipsets aren't being targeted by Conti because they have vulnerable code, but rather the group assumes firmware patching is spotty at best. In addition, firmware attacks can evade most security tools, the analysts added.

"This can leave some of the most powerful and privileged code on a device susceptible to attack," the report detailing the Conti firmware attacks said. "The recent Conti leaks mark a critical phase in the rapidly evolving role of firmware in modern attacks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Intel Chipset Firmware Actively Targeted by Conti Group

Gurucul automating threat detection, investigation and response (TDIR) with advanced analytics, comprehensive threat content, and a flexible enterprise risk engine for hybrid and multi-cloud environments.

RSAC 2022, Gartner SRM 2022, and Los Angeles, Calif. – Jun 2, 2022 – Gurucul, the leader in Next-Gen SIEM, XDR, UEBA and Identity Access Analytics, today announced availability of the Gurucul Security Analytics and Operations Platform. A cloud-native, unified and modular platform for consolidating core security operations center (SOC) solutions with the vital addition of Identity Threat Detection and Response (ITDR) provides a unified next-gen SOC platform. The Gurucul platform converges the company’s award winning Next-Gen SIEM, XDR, User and Entity Behavior Analytics (UEBA), Network Traffic Analysis (NTA), Security Operations and Automation Response (SOAR), and Identity Access Analytics (IAA) into a single pane of glass that is aligned with the evolving needs of the modern enterprise threat landscape – where identity has become the new perimeter.

Gurucul’s innovative platform is purpose-built to automate and accelerate data collection, event and alert correlation, detection triage, investigation, and response to targeted attacks. It combines threat intelligence with an enterprise-class risk engine, delivering precise contextual detections, prioritized investigation, and risk-driven response actions that drastically reduce mean-time-to-detection (MTTD) and mean-time-to-response (MTTR). Gurucul’s platform can also support the most complex deployments including on-premise, hybrid, and cloud (SaaS, private, GovCloud, and multi-cloud including multi-tenancy), addressing the needs of today’s modern enterprise and managed detection and response (MDR) providers.

With increased sophistication around phishing, social engineering, credential theft, and supply chain attacks, it is more important than ever to go beyond current solutions that are overly concerned with endpoint security and focus on securing identities attached to multiple entities and devices. Based on remote work risks, accelerated cloud migration, and state-sponsored threat actor groups, there has been an increase not only in targeted and organized attack campaigns, but also insider risks and threats.

“The combination of an expanding attack surface with limited resources and constantly changing tools and techniques drives security operations teams’ need for a comprehensive and consolidated platform approach. While the endpoint is critical, we must understand and work to secure the one constant, identity, which requires a new and innovative approach to threat detection, investigation and response programs,” said Saryu Nayar, CEO of Gurucul. “Early and rapid detection occurs with a full set of endpoint, network, application, identity, cloud, and IoT telemetry context along with advanced analytics, including behavioral-based, and an extensive set of trained machine learning models. Gurucul has spent over 10 years developing specialized analytics and threat content that comprehensively covers all these datasets to eliminate manual tasks and enables automation across every stage of the security operations lifecycle.”

As organizations are transforming their SOC to support multi-cloud deployments and zero trust programs, they are looking for an end-to-end solution to help them improve security analyst effectiveness in rapidly identifying and confirming, not just threats and alerts, but the entire attack campaign. While other SIEM or XDR solutions are just starting to scratch the surface of identity, Gurucul has been a provider of Identity Analytics solutions for over a decade with robust access analytics, broad integrations with various identity systems such as IAM, PAM, HRMS, CMDB, IDaaS etc., and risk-based access remediation and authentication. In conjunction with its UEBA capabilities, Gurucul helps customers get an understanding of current-state identity access and authorization policies, and access usage anomalies and risk exposures, to plan out a robust and secure zero trust strategy. The Gurucul platform is a critical part of any ongoing zero trust program as it will continuously monitor for anomalous user behaviors, access proliferation, and access misuse/violations, ensuring zero trust policies are not being evaded by either insider or external threat actors.

"Gurucul has detection and response capability for the entire cyber kill chain, covering a range of data telemetry across complex and distributed multi-cloud deployments as well as the enterprise," said Nilesh Dherange, CTO of Gurucul. “We’ve invested over a decade in building the most powerful suite of solutions in a single platform enabling real-time threat detection, investigation, and response for our customers with a quick ROI. The addition of identity and access based threat detection to its robust TDIR capabilities powered by advanced ML models, positions Gurucul to provide innovative solutions that address the ever-changing SOC needs.”

The Gurucul platform uniquely provides a set of core capabilities that goes beyond current Next-Gen SIEM and XDR solutions that are critical in improving security operations effectiveness, including:

*   Deployment Options – On-premise, hybrid, cloud (including SaaS, private, GovCloud, and multi-cloud).
*   Multi-Cloud Threat Detection, Investigation, and Response – Real-time data ingestion, correlation, analytics, detection, and risk driven response across multiple clouds.
*   Automated Data Pipeline – An Automated Data Interpretation Engine to ingest structured and unstructured data from any source.
*   Gurucul STUDIOTM – Advanced and fully customizable analytics that include transparent machine learning models to accommodate custom use cases.
*   Enterprise-Class Risk Engine – All-encompassing analytics-driven risk scoring to accelerate investigation with high-fidelity alerts and automated responses.
*   Threat Intel & Content – The largest library of threat models, MITRE ATT&CK coverage, and curated threat intelligence powered by Gurucul Threat Labs™.
*   Gurucul MinerTM – Contextual raw and normalized search across all data silos.
*   Risk Driven Security Control Automation – Out of the box case management, playbooks, workflows, and downstream integrations with the ability to customize.
*   Identity Threat Detection and Response – Identity-centric context across enterprise and multi-cloud environments, reduced identity and access threat plane, and automated threat detection early in the kill chain.

**Availability and Pricing**

The Gurucul platform is modular, delivering customized capabilities to match individual customer requirements. This includes full multi-tenancy, data segregation, flexible policy control and rapid scaling, especially suited for MDR providers. Customers can start with a single module and expand as needed with a simple license change, building towards a unified platform with no data replication or need to start over. Gurucul offers the following packaged software solutions including Next-Gen SIEM, Open XDR, UEBA, Identity Access Analytics that include or can be delivered with Network Traffic Analysis (NTA), Security Orchestration, Automation and Response (SOAR), and Fraud Analytics as stand-alone or add-on options. Gurucul’s Security Analytics and Operations Platform is available immediately from Gurucul and its business partners worldwide.

To learn more visit www.gurucul.com, or see a demo at the RSA Conference 2022 in San Francisco, Calif., June 6-9 at Booth #1443 or at Gartner SRM 2022 in National Harbor, MD, June 7-10 at Booth #1113.

**About Gurucul**

Gurucul is a global cyber security company that is changing the way organizations protect their most valuable assets, data and information from insider and external threats both on-premises and in the cloud. Gurucul’s real-time Cloud-native Next-gen Security Operations Platform provides customers with Open XDR, Next Generation SIEM, UEBA, and Identity Analytics. It combines machine learning behavior profiling with predictive risk-scoring algorithms to predict, prevent, and detect breaches. Gurucul technology is used by Global 1000 companies and government agencies to fight cybercrimes, IP theft, insider threat and account compromise as well as for log aggregation, compliance and risk-based security orchestration and automation for real-time extended detection and response. The company is based in Los Angeles. To learn more, visit https://gurucul.com/ and follow us on LinkedIn and Twitter.

###

Gurucul Launches Cloud-Native SOC Platform Pushing the Boundaries of Next-Gen SIEM and XDR with Identity Threat Detection and Response

A pair of phishing campaigns against users of WhatsApp and Telegram's Telegraph expose them to extortion, credential harvesting, and even account takeover.

Within just a few days of each other, researchers sounded the alarm about phishing campaigns against two popular, global messaging platforms, Telegraph and WhatsApp.

Lat week, Rahul Sasi, founder and CEO of CloudSEK, posted a warning on LinkedIn that WhatsApp accounts were being targeted by phishing attacks trying to trick users into placing a call to the number "\*\*67\*< 10 digit number > or \*405\* <10 digit number >". Just a few minutes later, the device would log out of WhatsApp and the attacker would have full control of the account, Sasi added.

Turns out, dialing those digits forwards a victim's calls to a number controlled by the threat actors.

"Now in the backend, the attacker triggers the WhatsApp registration process for your number and chooses the option to send OTP via phone call," Sasi wrote. "Since your phone is engaged — the OTP will go to the attacker's phone, and it's game over for you."

**Telegraph Phishing Attacks**

Likewise, recent phishing attacks on users of Telegram's privacy-focused blogging platform, Telegraph, have spiked recently. Cyberattackers are looking to harvest Microsoft 365 credentials and run cryptocurrency scams, according to analysis from Inky.

Telegraph allows users to set up webpages without registration, and Telegram deletes sent messages after they are read, helping attackers to carry out their scams anonymously. As such, the researchers said Telegram is quickly replacing the underground web as the platform of choice for cybercriminals.

"Although many such sites are available, Telegraph is more attractive than most because of its unusually libertarian heritage; its founders openly propound a 'live and let die' philosophy, catnip to phishers," Inky researcher Roger Kay wrote about the Telegraph phishing scam findings.

Phishers Having a Field Day on WhatsApp, Telegraph

RSA pivots to exclusive focus. Identity is once again the ‘beating heart’ of RSA.

BEDFORD, MA – June 1, 2022 – RSA, a global leader in identity and access management (IAM) solutions for the planet’s most security-sensitive organizations, approaches the RSA Conference in San Francisco as an organization well into a dynamic transformation, with significant announcements to make.

First among them is the company’s decision to simplify and streamline its focus and brand architecture. RSA pioneered multi-factor authentication and RSA SecurID is the most widely deployed MFA offering trusted by security-first organizations across the globe. While identity has always been central to RSA’s mission, the company has also been involved in adjacent cyber modalities. No longer: going forward those organizations focusing on integrated risk management, threat detection and response, and omnichannel fraud prevention will grow as independent companies with their own brands.

RSA’s leadership has made the decision to return to its roots and focus the RSA brand on identity. The rationale behind this shift is straightforward. RSA believes identity is the most consequential threat vector in cybersecurity and RSA is best positioned to help customers with this challenge. In addition, the RSA brand will remain affiliated with RSA Conference: the world’s preeminent conference and community for cybersecurity professionals and now an independent business.

RSA also announced the availability of an innovative new SaaS solution suite named ID Plus, a complete and flexible IAM platform offering customers the choice of cloud, on-prem and hybrid deployments. With this announcement, RSA has simplified its IAM offerings to just two brands: ID Plus and SecurID.

“We’ve accelerated a shift into being an identity-first company serving security-first customers,” said Rohit Ghai, CEO of RSA. “We’re transforming into a much more customer experience-driven organization. And we’ve leaned heavily into innovation,” continued Ghai. “We’re making tectonic-level enhancements throughout the company, and with our commitment to hyperfocus on identity we can meet our customers wherever they are on their journey to zero trust.”

RSA’s announcement will dramatically improve customer experience by greatly simplifying both the purchase and adoption of the ID Plus portfolio. The company has introduced 3 new subscription-based pricing plans with a powerful array of options that can be flexibly deployed in the cloud, on-prem or hybrid. Customers can easily adjust their deployments as their needs change. Each plan can lower a customer’s upfront costs in a meaningful way and provide customers with greater budgeting predictability. Simple and effective.

Also, at the RSA Conference, the company is introducing a truly game-changing new cloud product within the ID Plus portfolio: the DS100, a hardware authenticator specifically designed to serve RSA’s customers who have embraced a zero trust posture.

The DS100 is the first ever and only passwordless, multi-functional security solution that can dramatically enhance user experience while lowering total cost of ownership. It is the first cloud-enabled authenticator that marries the cryptographic advantages of FIDO protocols with the security benefits of a one-time password solution, a category where RSA has long been the gold standard. Unlike any other authenticator, the DS100 works plugged in or unplugged, making it the perfect, flexible authentication solution.

The DS100 is only the first of 6 or more new cloud based-solutions the company will introduce in the balance of 2022.

“Our product team is well-beyond simply ‘excited’ about the new ID Plus portfolio and the DS100,” said Jim Taylor, RSA’s Chief Product Officer and the company’s most-likely-to-geek-out-about-new-stuff person. “Everything we do is in service to the customer experience and to innovating exponentially, as RSA has done since its inception. These 2 new solutions are additional proofs of this dual emphasis.”

The company points to its new ownership as a powerful catalyst of the transformation taking place throughout RSA. In 2020, a group led by STG (Symphony Technology Group) purchased RSA. Clearlake Capital later joined the consortium to invest in the next phase of the company’s transformation.

“RSA has consistently delivered shareholder value by being a Rule of 40+ company. And the advantages inherent in RSA now being independent cannot be overstated,” said CEO Ghai. “We’re part of an organization that’s bullish about and focused on identity and cybersecurity. And we’re surrounded by a community of investors and advisors who feel the same. Truly a Virtuous Circle.”

RSA was founded by 3 pioneering MIT mathematicians who invented the RSA cryptosystem, laying the foundation for all secure data communications. Today RSA is a global leader laser-focused on identity and access management, reflecting the company’s belief that assuring digital identities throughout their lifecycle is of preeminent importance in cybersecurity. RSA focuses on serving the planet’s most security-sensitive organizations, with specialties in federal government, financial services, healthcare, energy and technology services. www.rsa.com

Source

DARKReading