In an effort to combat phishing, Google will allow Android phones and iPhones to be used as security keys.

Security is a continuous game of cat and mouse, with defenders improving their defenses against new attack methods and techniques. At Google I/O this week, the company announced anti-phishing efforts that will make it possible to use Android and iOS devices in the same way as physical security keys.

Security keys such as Google’s Titan Security Key work well to block phishing attempts and are easy to use. Users are prompted to plug the security key into the USB port (although some are NFC-capable) and tap it to authorize a login attempt. Google is bundling this capability into mobile devices, where Android and iOS devices use Bluetooth to verify they are in physical proximity to the device the user is trying to log into.

“Like physical security keys, this helps prevent a distant attacker from tricking you into approving a sign-in on _their_ browser, giving us an added layer of security against the kind of ‘person in the middle’ attacks that can still work against SMS or Google Prompt,” wrote Google engineer Daniel Margolis in a blog post.

Google is also expanding the types of Google Prompt challenges that users may experience if their login attempts look potentially fraudulent. “If we think an account is at a higher risk, or if we see abnormal behavior, we're more likely to use these additional security measures,” Margolis said. 

A new Google Prompt challenge will require users to connect their mobile devices to the same Wi-Fi network as the device they are attempting to log into. Similar to the security key functionality, this allows the user to prove that both mobile and computing devices are in the same location.

Google made several other security announcements at Google I/O, including plans to continue auto-enrolling Google account users into two-step verification, scaling phishing protections for Google Docs, Sheets, and Slides, as well as new security and privacy features in Android. These announcements are in addition to the recent pledge with the FIDO Alliance, Apple, and Microsoft to expand support for the FIDO Sign-in standards for passwordless authentication.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Will Use Mobile Devices to Thwart Phishing Attacks

Malicious emails with macro-enabled Word documents are spreading a never-before-seen remote-access Trojan, researchers say.

Phishing emails purporting to contain COVID-19 safety information from the World Health Organization (WHO) are instead phishing lures intended to spread a novel remote-access Trojan (RAT) called Nerbian.

A team of Proofpoint researchers have published a report noting that so far, the Nerbian RAT, first spotted on Apr. 26, has spread primarily throughout Italy, Spain, and the UK. Notably, Nerbian is written in the Go language, taking advantage of several open source libraries, the analysts added. 

The RAT leverages multiple anti-analysis components and has cyber espionage modules for keylogging and screen grabs, researchers said, in addition to typical backdooring functionality. 

Nerbian got its name directly from the malware code, the researchers explained, which references the name of a fictional place from the novel _Don Quixote_.

"Malware authors continue to operate at the intersection of open-source capability and criminal opportunity,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told Dark Reading in an emailed statement.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Novel Nerbian RAT Lurks Behind Faked COVID Safety Emails

Microsoft's May 2022 Patch Tuesday contains several bugs in ubiquitous software that could affect millions of machines, researchers warn.

Microsoft squashed 74 security vulnerabilities with its May 2022 Patch Tuesday update, including an important-rated zero-day bug that's being actively exploited in the wild and several that are likely widely present across enterprises.

It also patched seven critical flaws, 65 other important-rated bugs, and one low-severity issue. The fixes run the gamut of the computing giant's portfolio, including: Windows and Windows Components, .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office and Office Components, Windows Hyper-V, Windows Authentication Methods, BitLocker, Windows Cluster Shared Volume (CSV), Remote Desktop Client, Windows Network File System, NTFS, and Windows Point-to-Point Tunneling Protocol.

**3 Zero-Days, 1 Actively Exploited**  
The actively exploited bug (CVE-2022-26925) is a Windows LSA-spoofing vulnerability that rates 8.1 out of 10 on the CVSS vulnerability-severity scale – however, Microsoft notes in its advisory that it should be bumped up to critical (CVSS 9.8) if used in Windows NT LAN Manager (NTLM) relay attacks.

"\[A\]n unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM," Microsoft warns in its advisory – a concerning situation considering that domain controllers provide high-level access to privileges.

Now deprecated, NTLM uses a weak authentication protocol that can easily reveal credentials and session keys. In a relay attack, bad actors can capture an authentication and relay it to another server – which they can then use to authenticate to the remote server with the compromised user's privileges.

That said, the bug is tougher to exploit than most, explains Trend Micro Zero Day Initiative (ZDI) researcher Dustin Childs in a Tuesday blog. "The threat actor would need to be in the logical network path between the target and the resource requested (e.g., man-in-the-middle), but since this is listed as under active attack, someone must have figured out how to make that happen."

Tyler Reguly, manager of security R&D at Tripwire, tells Dark Reading that the bug could be related to a previously seen threat known as PetitPotam, which emerged in July to allow attackers to force remote Windows systems to reveal easily crackable password hashes.

"Based on Microsoft’s provided links, this looks to be related to the previous PetitPotam patch," he notes, adding that researchers will be guessing about that. "This is a prime example of where detailed executive summaries that explain what is happening were useful in the past. It would be great if Microsoft could return to providing those on a regular basis," he says.

Microsoft also patched two other zero-days, including a critical bug (CVE-2022-29972, CVSS not available) in Insight Software's Magnitude Simba Amazon Redshift ODBC Driver – "a third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory," as ZDI's Childs explains.

He adds, "This update is complicated enough for Microsoft to blog about the bug and how it affects multiple Microsoft services."

The final zero-day (CVE-2022-22713, CVSS 5.6) is an important-rated bug in Windows Hyper-V that could allow denial-of-service (DoS).

**Leading Lights: Critical Microsoft Security Bugs to Patch Now**  
As far as other patches for admins to prioritize this month, some of the critical-rated issues are far-reaching across organizational infrastructure and could affect millions of companies, researchers warn.

"The big news is the critical vulnerabilities that need to be highlighted for immediate action," Chris Hass, director of security at Automox, tells Dark Reading. "This month features vulnerabilities in a number of applications that are prevalent in most enterprise organizations, including NSF, Remote Desktop Client, and Active Directory."

For instance, the critical bug affecting Windows Network File System, or NFS (CVE-2022-26937, CVSS 9.8) could allow unauthenticated remote code-execution (RCE) in the context of the highly privileged NFS service, according to Microsoft's advisory. To boot, its ubiquity is Log4j-like: It "is present in every Windows Server version from 2008 forward," Hass says, "which puts most organizations at risk if action isn't taken quickly."

Further, "these types of vulnerabilities will potentially appeal to ransomware operators as they could lead to the kind of exposure of critical data, often part of a ransom attempt," Kevin Breen, director of cyber threat research at Immersive Labs, tells Dark Reading.

In terms of who should especially prioritize the patch, "NFS isn't on by default, but it's prevalent in environment where Windows systems are mixed with other OSes such as Linux or Unix. If this describes your environment, you should definitely test and deploy this patch quickly," Childs warns.

As for other critical bugs to consider, Breen flags CVE-2022-22017 (CVSS 8.8), an RCE issue in the also-ubiquitous Remote Desktop (RDP) Client.

"With more remote workers than ever, enterprises need to put anything affecting RDP on the radar — especially given its popularity with ransomware actors and access brokers," he warns.

The Active Directory bug (CVE-2022-26923, CVSS 8.8) is found in Domain Services and could allow elevation of privilege thanks to an issue with the issuance of certificates. ZDI, which reported the bug, says that an attacker can gain access to a certificate to authenticate to a DC with a high level of privilege, allowing any domain-authenticated user to become a domain admin if Active Directory Certificate Services are running.

"This is a very common deployment," Childs says. "Considering the severity of this bug and the relative ease of exploit, it would not surprise me to see active attacks using this technique sooner rather than later."

Of less concern, Breen says, are a group of 10 RCE bugs in LDAP (the most severe, CVE-2022-22012, has a CVSS score of 9.8). These "appear particularly threatening; however, they have been marked by Microsoft as 'exploitation less likely' as they require a default configuration unlikely to exist in most environments," he notes. "It's not to say there is no need to patch these, rather a reminder that context is important when prioritizing patches."

**The Worst of the Rest**  
A handful of other vulnerabilities that also stood out to researchers are worth noting here, starting with Windows Print Spooler, which has long presented an attractive bull's-eye for cyberattackers.

"There were several Windows Print Spooler vulnerabilities patched this month, including two information disclosure flaws (CVE-2022-29114, CVE-2022-29140) and two elevation of privilege flaws (CVE-2022-29104, CVE-2022-29132)," Satnam Narang, staff research engineer at Tenable, tells Dark Reading. "All of the flaws are rated as important, and two of the three are considered more likely to be exploited. Windows Print Spooler continues to remain a valuable target for attackers since PrintNightmare was disclosed nearly a year ago. Elevation-of-privilege flaws in particular should be carefully prioritized, as we've seen ransomware groups like Conti favor them as part of its playbook."

Breen also highlighted two other important-rated bugs as patching priorities:

*   CVE-2022-29108, a remotely executable flaw in Sharepoint that could likely be abused by an attacker seeking to move laterally across an organization. "Requiring authenticated access to exploit, it could be used by a threat actor to steal confidential information or inject documents with malicious code or macros that could be part of a wider attack chain," Breen warns.
*   A bug in Azure Data Factory (no CVE assigned) is remotely exploitable and can expose an enterprise’s confidential data, according to Breen.

Virsec CTO and co-founder Satya Gupta says that overall, the broader context of Microsoft's patching trends is important to consider for defenders. Specifically, in the last year, more than a third of the patches (1,330, or 36%) are for RCE issues.

"This of course represents a massive opportunity for malicious actors to compromise nearly any customer," he says. "In total, several of May's vulnerabilities represent a Log4j level of exposure, particularly if you consider what it would take to patch millions of servers."

What to Patch Now: Actively Exploited Windows Zero-Day Threatens Domain Controllers

US State Department outlines coordinated government effort to provide Ukraine with cybersecurity intelligence, expertise, and resources amid invasion.

The US State Department today announced a coordinated effort between several government agencies to provide Ukraine with the cybersecurity technical expertise, resources, and threat intelligence necessary to protect the electrical grid and Internet access as Russia continues to wage war on the country. 

US agencies assisting with Ukraine's cybersecurity defenses include the following:

*   The **Federal Bureau of Investigation (FBI)** has shared information it has on cyberattacks planned against Ukraine.
*   The **US Agency for International Development (USAID**) has provided service providers with hands-on technical support for the government's cybersecurity defense, and handed over 6,750 communications devices, including data terminals and satellite phones, to key infrastructure operators.
*   The **Department of Energy** is helping integrate Ukraine's electrical grid with the European Network of Transmission system Operators for Electricity (ENTSO-E), which includes meeting cybersecurity and resiliency requirements. 
*   The **Cybersecurity and Infrastructure Agency (CISA)** is working on providing technical details to the appropriate Ukrainian authorities. 

The announcement added that prior to the February 2022 Russian invasion, the US had already provided Ukraine with more than $40 million in what it calls "cyber capacity development." 

"The U.S. government's efforts, closely coordinated with private sector and international partners, support Ukraine’s network defenders and telecommunications professionals, who continue to defend Ukrainian networks and repair infrastructure, often at direct risk to their lives," the State Department's fact sheet said. "The United States condemns actions that block or degrade access to the Internet in Ukraine, which sever critical channels for sharing and learning information, including about the war."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

US Pledges to Help Ukraine Keep the Internet and Lights On

COVID-19 and a December 2021 cyberattack combined to put the future of Abraham Lincoln's namesake college in peril.

The home page of Lincoln College in Illinois says the impact of COVID-19 followed by a crippling December 2021 cyberattack have combined to force the institution to close its doors after 157 years. 

The permanent closure is set to take effect on May 13 — unless Lincoln College receives what the statement calls "... a transformational donation or partnership to sustain Lincoln College beyond the current semester." 

Although the school says no personal identifying information was stolen, the cyberattack, which lasted for more than three months, shut down the school's student recruitment, retention, and fundraising operations. NBC News reported that Lincoln was hit with a ransomware attack. 

“Lincoln College has been serving students from across the globe for more than 157 years,'" said David Gerlach, president of Lincoln College, in the statement. “The loss of history, careers, and a community of students and alumni is immense.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Lincoln College Set to Close After Crippling Cyberattack

Kaspersky researchers discovered that cybercriminals made approximately 65,000 attacks between July 2021 and April 2022.

**Woburn, MA – May 10, 2022 —** Kaspersky researchers have revealed that the number of attacks exploiting numerous vulnerabilities in Windows Print Spooler have risen noticeably over the past four months. While Microsoft regularly releases patches for its Print Spooler, a software that manages the printing process, cybercriminals continue to actively exploit its vulnerabilities giving them the opportunity to distribute and install malicious programs on victims’ computers that can steal stored data.

Over the past year, various vulnerabilities in Windows Print Spooler have been discovered. By abusing them, cybercriminals have been able to take control of servers and victims’ machines, even without a special admin access.

The most well-known vulnerabilities are CVE-2021-1675 and CVE-2021-34527 (aka PrintNightmare), which were discovered in late June 2021. PrintNightmare was accidentally published by researchers as a proof of concept (PoC) exploit for a critical Windows Print Spooler vulnerability. The exploit was quickly removed from GitHub, however, some users had already managed to download it and then republished it. In late April 2022, a highly severe vulnerability (tracked as CVE-2022-22718) was also discovered in Windows Print Spooler. Microsoft had already issued a patch against this threat but the attackers were still able to exploit this vulnerability and gain access to corporate resources.

Kaspersky researchers discovered that cybercriminals made approximately 65,000 attacks between July 2021 and April 2022. Moreover, Kaspersky experts detected that roughly 31,000 of these hits occurred during the last four months, from January to April. This suggests that vulnerabilities in Windows Print Spooler remain a popular attack route for cybercriminals, which means users need to be aware of any patches and fixes that Microsoft releases.

_The global statistics on detections of attacks exploiting Windows Print Spooler vulnerabilities from July 2021 to April 2022_

The exploitation of vulnerabilities in Windows Print Spooler has hit numerous countries with the number of overall attacks still growing. From July 2021 to April 2022, nearly a quarter of detected hits came from Italy. After Italy, users in Turkey and South Korea were the most actively attacked. Kaspersky researchers also discovered that over the past four months attackers were most active in Austria, France and Slovenia.

_TOP 5 countries being targeted by attacks exploiting Windows Print Spooler vulnerabilities from July 2021 to April 2022_

_“Windows Print Spooler vulnerabilities are a hotbed for emerging new threats,”_ said Alexey Kulaev, security researcher at Kaspersky. _“We anticipate a growing number of exploitation attempts to gain access to resources within corporate networks, accompanied by a high-risk of ransomware infection and data theft. Through some of these vulnerabilities, attackers can gain access not only to victims’ data but also to the whole corporate server. Therefore, it is strongly recommended that users follow Microsoft’s guidelines and apply the latest Windows security updates.”_

To protect yourself from cybercriminals’ attacks through vulnerabilities in the Windows Print Spooler, Kaspersky recommends:

*   Installing patches for new vulnerabilities as soon as possible. Once downloaded, threat actors can no longer abuse the vulnerability.
*   Performing a regular security audit of your organization’s IT infrastructure to reveal any gaps and vulnerable systems.
*   Using a protection solution for endpoints and mail servers with anti-phishing capabilities to decrease the chance of infection through phishing attempts.
*   Using dedicated services that can help fight against high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop attacks in their early stages, before attackers achieve their goals.
*   Installing anti-APT and EDR solutions, enabling threat discovery and detection, along with investigation and timely remediation of incidents’ capabilities. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within the Kaspersky Expert Security framework.

Cybercriminals Are Increasingly Exploiting Vulnerabilities in Windows Print Spooler

New research-focused division focused on advancing innovation in the field of security operations.

EDEN PRAIRIE, MN – May 10, 2022 – Arctic Wolf®, a global leader in security operations, today announced the launch of Arctic Wolf Labs, a new research-focused division focused on advancing innovation in the field of security operations.

Security and IT teams are consistently under-resourced and overburdened, unable to keep up with the thousands of alerts they receive each day, let alone find the time or proper resources to conduct their own threat research or develop new detection techniques needed to outpace today’s well-resourced threat actors. Continuing the paradigm shift that Arctic Wolf is driving to make effective Security Operations achievable for organizations of virtually any size, the mission of Arctic Wolf Labs is to develop cutting-edge technology and tools that are designed to enhance the company’s core mission to end cyber risk, while also bringing comprehensive security intelligence to Arctic Wolf’s customer base and the security community-at-large.

Leveraging the more two trillion security events the Arctic Wolf Security Operations Cloud ingests, parses, enriches, and analyzes each week, Arctic Wolf Labs will be responsible for performing threat research on new and emerging adversaries, developing advanced threat detection models, and driving improvement in the speed, scale, and detection abilities of Arctic Wolf’s solution offerings.

The Arctic Wolf Labs team will bring together Arctic Wolf’s security and threat intelligence researchers, data scientists, and security development engineers with deep domain knowledge in artificial intelligence (AI), security R&D, as well as advanced threat offensive and defensive methods and technologies. The team will be led by Daniel Thanos, a seasoned security R&D executive with more than 20 years of experience overseeing security product development, threat intelligence, and AI research teams for innovative start-ups, large industrial companies, and organizations in the telecommunications and financial services industries.

“The extensive size of the data lake created by Arctic Wolf’s Security Operations Cloud represents a significant opportunity for Arctic Wolf to be disruptive in the areas of threat intelligence, security research, and artificial intelligence,” said Daniel Thanos, vice president, Arctic Wolf Labs. “Innovation is a core value at Arctic Wolf, and with the creation of Arctic Wolf Labs we are further extending our commitment to creating technology and solutions that we believe will secure customers today, as well as in the future.”

“The Arctic Wolf Security Operations Cloud fuels a powerful data and automation flywheel. As more customers use our solutions, the network effects of our AI-enabled data pipeline continuously enhance our threat detection and prevention capabilities,” said Dan Schiappa, chief product officer, Arctic Wolf. “The research that Daniel and the Arctic Wolf Labs team intend to conduct we believe will be instrumental in further accelerating this flywheel, helping enable our customers to stay ahead of threat actors and their novel attack techniques.”

The formation of Arctic Wolf Labs builds upon the recent contributions Arctic Wolf has made to cybersecurity research community, which includes the creation of open-source deep scan tools used by organizations worldwide to understand the impact of the critical Log4Shell and Spring4Shell vulnerabilities, as well as the publication of threat research that details the innerworkings of major ransomware and e-crime groups.

To learn more about Arctic Wolf Labs, visit arcticwolf.com/labs

**Additional Resources:**

*   Join the conversation with Arctic Wolf on Facebook, Twitter, LinkedIn, and YouTube
*   Visit arcticwolf.com to learn more about our security operations solutions
*   If you're ready to get started, request a demo, get a quote, or conduct a Security Operations Maturity Assessment
*   Want to join Arctic Wolf's Partner Program? Apply today

**About Arctic Wolf:**

Arctic Wolf® is a global leader in security operations, delivering a premier cloud-native security operations platform designed to end cyber risk. Powered by threat telemetry spanning endpoint, network, and cloud sources, the Arctic Wolf® Security Operations Cloud ingests and analyzes more than two trillion security events a week across the globe, enabling critical outcomes for security use cases and optimizing customers’ disparate security solutions. The Arctic Wolf® Platform delivers automated threat detection and response at scale, and empowers organizations of virtually any size to establish world-class security operations with the push of a button.

For more information about Arctic Wolf, visit arcticwolf.com or follow us on Twitter, LinkedIn, or Facebook.

Arctic Wolf Launches Arctic Wolf Labs Focused on Security Operations Research and Intelligence Reporting

The Dark Crystal remote access Trojan (aka DCRat) breaks a few stereotypes, with coding done by a solo developer, using an obscure Web language and offering it at a frighteningly low price.

A bargain-basement, $5 price tag on a 3-year-old remote access Trojan (RAT) has concerned some security researchers, who see the move as signs of a possible race to the bottom in terms of pricing — or that new, disrupting developers are entering the cybercriminal market.

According to an analysis of the malware by software and security firm BlackBerry, an extremely low-cost variant of the malware known as the Dark Crystal RAT (aka DCRat) appears to be the brainchild of a sole Russian developer. The creator wrote the code in the popular C#, but also coded the administrative server in the relatively obscure JPHP, a clone of the PHP Web language that runs on a Java virtual machine. The malware platform has become popular with entry-level hackers but has many of the features — such as a modular architecture and custom plug-ins — of better-known programs.

The malware may only be a niche threat, but the development of new — albeit, minor — attack tools highlights the fact that companies need to be vigilant, says Jim Simpson, director of threat intelligence at BlackBerry.

"Nothing makes it especially dangerous — it is another thing to be aware of and take the usual precautions over," he says, adding that companies should make sure that their end users are trained on spotting and reporting suspicious emails and that multifactor authentication is deployed. "It is likely someone, seeing a gap in the market for a cheaper toolset, created something that would work for people looking to fill that need."

Yet the low, low price of the software has rung some warning bells for researchers. In the world of legitimate software, open source and free is the name of the game, but profit-minded cybercriminals offering bottom-of-the-barrel pricing is an anomaly, the researchers said.

"This price range is a curious feature, as it makes it seem like the author is not particularly profit-driven," the BlackBerry researchers stated in the analysis. "It could be that they’re simply casting a wide net, trying to get a little money from a lot of maliciously minded people. It could also be that they have an alternative source of funding, or this is a passion project rather than their main source of income."

Simpson notes that a lone-wolf operator has lower operating costs and overhead, so that could lead to lower prices. In addition, while the original price had been set at 500 rubles, the devaluation of the Russian currency led the developer to set the latest prices in US dollars. 

"If you pay a pittance for something, you would be wise to expect it to be less functional or poorly supported, but DCRat seems to break that rule in a way that’s deeply perplexing," the researchers said. "This RAT's code is being improved and maintained daily. If the threat is being developed and sustained by just one person, it appears that it’s a project they are working on full-time."

**Inside the World of the Dark Crystal (RAT)  
**The Dark Crystal malware first appeared at least as early as 2018, with the program written in Java, according to a May 2020 analysis by incident response firm Mandiant. In 2019, the developer added a customized plug-in frameworks and redesigned the program using C#. In 2020, the program had at least 50 different commands and had caught the attention of incident responders, according to Mandiant's analysis.

The DCRat malware has three different components: A malicious program that runs on the compromised systems, a single webpage written in PHP that acts as the command-and-control interface, and the administrator tool written in JPHP, an uncommon programming language typically used by beginning programmers interested in games. The use of JPHP is likely because the developer is conversant in that programming language rather than because of any specific advantage, BlackBerry's Simpson says.

"The client itself is now .NET based," he says. "It’s only the admin panel — server-side — that is developed in JPHP, and it’s unlikely chosen for its obfuscation, more likely for its ease of development and portability between operating systems."

The evolution of DCRat fits right in with the trend of groups moving to create their own infrastructure, with the goal of turning access, compromise, and ransomware into services. While some remote access platforms — such as the industrial control system (ICS)-focused Pipedream — are the product of teams sponsored by nation-states, others come from smaller groups of cybercriminal operators that are focused on staying ahead of defenders and reverse engineers, just like DCRat.

The REvil malware, for example, has returned from the dead, after international investigators and law-enforcement agencies disrupted the group and Russia arrested some of the group's members. A recent ransomware sample and reconstituted infrastructure suggest that someone, or some group, with connections to the previous operators are now reviving the ransomware-as-a-service (RaaS) offering.

While DCRat's cut-rate malware does not measure up to many threats, the attack tool is frequently being improved, and threat-intelligence analysts should keep an eye on its evolution, the BlackBerry team noted.

5-Buck DCRat Malware Foretells a Worrying Cyber Future

Company delivers new vulnerability management offering to help resource-constrained organizations combat increasing attacks on mission-critical SAP applications .

BOSTON, May 10, 2022 – Onapsis, the leader in business-critical application cybersecurity and compliance, today announced the release of Onapsis Assess Baseline. In a world where business-critical applications are under attack every day, this new offering accelerates organizations’ abilities to kickstart their SAP vulnerability management programs by better aligning with the SAP Security Baseline.

The exponential growth of targeted ransomware and the increased threat of cyber warfare due to global conflict means that organizations must re-evaluate how they secure their most critical systems. Amid this evolving, more aggressive threat landscape, companies struggle to keep up with patching the growing number of vulnerabilities exploited by threat actors to gain access to their business-critical applications. Onapsis Assess Baseline empowers companies of any size to accelerate time-to-value by simplifying deployment with a new SaaS-based, zero-footprint model and focusing on a core, targeted set of critical vulnerabilities as first steps on their journey to ensure cybersecurity, compliance, and availability of their SAP applications. When organizations are ready to take on more, Onapsis Assess Baseline offers easy expansion to additional scope for vulnerability management as well as capabilities for continuous threat monitoring and application security testing.

**Key Organizational Benefits with Onapsis Assess Baseline:**

Reduce Implementation Overhead with an Accelerated Deployment: Whether in their own cloud, on-premises, or through Onapsis’ SaaS platform, Assess Baseline offers quick deployment and implementation with zero footprint scanning.

Accelerate Time-to-Value for SAP Vulnerability Management: Onapsis SaaS users can scan with Assess Baseline against the SAP-recommended security baseline requirements for an organization’s SAP systems within hours. The scans deliver powerful context around critical vulnerabilities, instructions on how to mitigate, and confidence that patches were applied, saving valuable resource time.

Technology that Scales and Grows When You’re Ready: Deploy where you want. Scan across the entire SAP landscape. Start small and target the most critical systems first, get them aligned to a baseline, and then expand the security scope across the organization on your terms.

“Securing business-critical applications has always been challenging, but there’s a larger bullseye on the backs of organizations today - more than ever before - as sophisticated threat actors increasingly target Enterprise Resource Planning (ERP) systems,” said Mariano Nunez, CEO of Onapsis. “We have successfully helped the world’s largest and most sophisticated organizations integrate their business applications into their cybersecurity and compliance programs. Now, Assess Baseline makes it easy for customers who are getting started with their SAP application security programs to quickly and effectively jumpstart protecting the applications that power their businesses.”

The Onapsis Platform secures the critical SAP applications that keep the global economy running. The platform is purpose-built to deliver impactful vulnerability management, advanced threat detection, custom code inspection, and automated compliance that enables global organizations to accelerate their business and digital transformation initiatives. The Onapsis Platform is deeply informed by the latest threat intelligence and security guidance from the Onapsis Research Labs. This market-leading team has discovered more than 800 zero-day vulnerabilities and is responsible for multiple critical global CERT alerts.

“Today’s threat landscape requires a holistic approach to securing business-critical SAP applications such as ERP software,” said Steve Biskie, national ERP risk and automation services leader with RSM US LLP.

“It is exciting to see Onapsis continuing to innovate its solutions to assist companies on their security maturity journey. The new Baseline license can help pave the way for more organizations to have an entry point into vulnerability management for SAP applications that could help keep their critical data and applications safe and compliant.”

Attending the SAP Sapphire conference? Visit the Onapsis booth to learn more: #PA219

To schedule a time to speak with an Onapsis expert while at Sapphire, please visit: https://onapsis.com/sapphire-22

**About Onapsis**

Onapsis protects the business-critical applications that run the global economy, from the core to the cloud. The company’s cybersecurity and compliance solution offering, The Onapsis Platform, uniquely delivers vulnerability management, threat detection and response, change assurance, and continuous compliance for business-critical applications from leading vendors such as SAP, Oracle, Salesforce, and other SaaS platforms.

Onapsis is headquartered in Boston, MA, with offices in Heidelberg, Germany and Buenos Aires, Argentina, and proudly serves more than 300 of the world’s leading brands, including 20% of the Fortune 100, 6 of the top 10 automotive companies, 5 of the top 10 chemical companies, 4 of the top 10 technology companies, and 3 of the top 10 oil and gas companies.

The Onapsis Platform is powered by the Onapsis Research Labs, the team responsible for the discovery and mitigation of more than 800 zero-day vulnerabilities in business-critical applications. The reach of our threat research and platform is broadened through leading consulting and audit firms such as Accenture, Deloitte, IBM, PwC, and KPMG — making Onapsis solutions the standard in helping organizations protect their cloud, hybrid, and on-premises business-critical information and processes.

For more information, connect with us on Twitter or LinkedIn, or visit us at https://onapsis.com/.

Onapsis Announces New Offering to Jumpstart Security for SAP Customers

How can you safeguard your organization amid global conflict and uncertainty?

Cybersecurity has always been a moving target. Most recently, a two-year global pandemic and the war in Eastern Europe have heightened the risk of cyberattacks, prompting President Joe Biden to urge US companies to "harden \[their\] cyber defenses immediately."

Consider the current cybersecurity landscape. In 2021, US businesses weathered a 17% increase in data breaches from 2020. Also in 2021, organizations experienced the highest average cost of a data breach in 17 years at $4.24 million, up almost 10% from the previous year. Common attack vectors include compromised credentials, phishing, and cloud misconfiguration. Now, modern warfare has been redefined to include cyber warfare.

As CISO, your job is to ensure there are controls and processes in place to help mitigate risk to the organization, and the current global instability has upped the risk ante for all organizations. You have already been working to identify and prioritize risks from fraudulent SMS, phishing emails, ransomware attempts, breaches, distributed denial-of-service (DDoS) attacks, fake landing pages, and more. But how can your organization double down on cybersecurity to stay one step ahead of the curve?

Based on this current global landscape, it is time for CISOs to rethink their strategies.

**1\.** **Realize that the security playbook has changed — at least for now.  
**The landscape has changed, and the playbook must change, as well. Previously, we've seen cybercriminals focus on ransomware or phishing attempts — attacks focused on monetary incentives. If we think about potential nation-state activity, we will see fewer financially motivated attacks and more attempts to disrupt or shut down specific services or networks, including DDoS attacks.

Rather than infiltration and breaches, we will see more backbone-level attack attempts (think ISP and uptime) that affect availability and continuity. This could also extend to major cloud providers and Internet resources. Bad actors may focus on resources that allow people to continuously share and exchange free-flowing information — including services tied to the economy. Their aim is to affect, disrupt, and destabilize continuity, preventing major organizations from delivering value. There is also the potential for more "strategic viability" cyberattacks against critical infrastructure systems, such as those driving power generation or electricity production.

In the past, we saw more concealed interaction. In other words, prior attempts were cloaked; one host country could launch an attack from another unwitting host. Now, the cloak is gone, and there is less effort to conceal attacks.

**2**. **Make visibility a priority.  
**Organizations need the appropriate controls and mechanisms in place to "see" where specific traffic and requests come from so they can start making the difficult decisions about where they will allow traffic to come from.

This is not just about enabling safe access, but also creating the ability to control the flow of traffic and requests to your company and assets. You need to drill down into activity across your platforms and assess everything from a geolocation perspective. Have you deployed technology that allows you to actively contextualize traffic patterns based on what's happening globally? If several major service providers experience an outage, can this be attributed to global interference at a nation-state level? If, when, and how will this affect your organization? Can you detect if a nation-state threat actor targets your organization, and, if so, can you trace the exact location and source? Also, keep in mind that criminal hacking groups can work closely with nation-states, which makes a proxy attack possible.

**3**. **Keep your security controls under control.  
**As CISO, you should maintain an updated risk register. This risk register should identify threats, outline the probability they will affect your organization, and present the overall potential impact. This framework, which should be broken down into sections that align with various business units and stakeholders (such as infrastructure, internal systems, and Web applications) should help you prioritize identified risks.

You should also be up to date on cybersecurity compliance regulations, standards, frameworks, and certifications (such as GDPR, ISO 27001, PCI-DSS, and FIPS, SOC) that ensure the security, processing integrity, and privacy of sensitive data. Security controls, specifically, encompass data encryption, network firewalls, password policies, network access control, and more.

Keep in mind that new standards may be imposed by your host/home government amid ongoing conflict. This could affect, for example, who you allow to access your platforms. The security and IT teams will be tasked with using existing controls or leveraging them in an alternative capacity to meet new government mandates — mandates that may apply internally to a company or companies that operate with them. You may be called upon to prevent traffic from geo-specific locations to better safeguard customer data or to fulfill an applicable restriction from a governing body. Also, your organization's customers may ask if you have can block or deny access to your platform based on a certain region.

**Conclusion  
**When it comes to cybersecurity, no one person can control all the variables — especially variables at a global level. In addition to your usual risk mitigation efforts, you should be prepared to adopt new policies and processes — depending on the "temperature" of global events. If cybersecurity is a moving target, it's moving even faster now. Organizations that reinforce their defenses (and prepare for additional safeguards) will have the best playbook for pre-empting and preventing new types of fraud, breaches, and hacks.

Source

DARKReading