Open source software community initiative utilizes blockchain technology.

**Sunnyvale & San Diego, Calif., May 25, 2022** — (swampUP 2022) – JFrog Ltd. (“JFrog”) (NASDAQ: FROG), the Liquid Software company and creators of the JFrog DevOps Platform, today introduced Project Pyrsia, an open-source software community initiative that utilizes blockchain technology to secure software packages (A.K.A Binaries) from vulnerabilities and malicious code. Available for sign-ups immediately, Project Pyrsia is an open-source-based, decentralized, secure build network and software package repository aimed at helping developers establish chain of provenance for their software components, creating greater confidence and trust.

“Open-source is everywhere, and while it has always been seen as a seed for innovation and modernization, the recent rise of software supply chain attacks has made every organization vulnerable,” said Shlomi Ben Haim, Co-Founder and CEO, JFrog. “Led by developers and for developers, JFrog is proud to work with the community on developing Project Pyrsia so everyone can continue to embrace open source with confidence, while protecting the software supply chain.”

Open-source software is a critical element of nearly every technology we use today – from our operating systems and browsers to the applications and services on which we depend to run our lives. Yet there’s no question the volume, sophistication and severity of software supply chain attacks has increased in the last year. In recent months the JFrog Security Research team tracked over 20 different open-source software supply chain attacks – two of which were zero-day threats. While open-source components are designed to make development more efficient, not knowing where your software comes from makes it hard-to-spot risks–seeding doubt and uncertainty about its safety.

Thus, JFrog and other open-source technology leaders, including Docker, DeployHub, Futureway, and Oracle – worked together to establish the Project Pyrsia network for validating the source and security of open-source software packages. With Pyrsia, developers can confidently use open-source software knowing their components have not been compromised, without needing to build, maintain, or operate complex processes for securely managing dependencies.

“At JFrog we believe open-source security will only be successful if we provide the community with the same tools and services that are available to enterprises,” said Stephen Chin, VP of Developer Relations, JFrog. “The combination of an open-source, customizable architecture, and a robust, active community makes Pyrsia the most transparent and trustworthy way to obtain secure software packages. We’re grateful for the help of our industry partners and the community for joining us in securing open source so it can remain a true fountain of innovation.”

Pyrsia aims to seamlessly integrate with the package management systems developers are already using today, so they can certify their software components without foregoing compatibility, security, or efficiency. Utilizing standards like Sigstore’s Cosign and Notary V2 allows developers to quickly access their containers leveraging the Pyrsia network. Using digital signatures, developers receive an immutable chain of evidence for their code, providing peace of mind from knowing the exact source of their packages.

To help guide developers on the process of using Pyrsia for validating software components, a select few entities will build and publish images that will be available for everyone’s use -otherwise known as ‘bootstrapping’ the project. Organizations interested in supporting Pyrsia can volunteer their resources to help establish the project’s first distributed network. From there, Project Pyrsia’s decentralized framework will help provide:

· An independent, secure build network for open-source software

· Trustworthiness of software packages

· Completeness of known open-source software dependencies

For more information on Project Pyrsia or to sign-up to be a contributor visit https://pyrsia.io/. You can also learn more about the project in this blog or chat directly with JFrog Community leaders and Project Pyrsia experts during swampUP 2022 taking place in San Diego, May 25 – 26. For more information and to register visit https://swampup.jfrog.com/.

**Supporting Quotes from Industry Partners**

_“The DeployHub team’s focus is firmly rooted in securing the supply chain, and there is no better place to start than fully auditing the build and package step. To that end, Pyrsia is the first open-source project to introduce improvements in this area via a ‘consensus build network.’ Disruption in this area is long overdue. DeployHub is proud to be part of this innovative team.” – Steve Taylor, CTO DeployHub, Inc._

_“At Docker we feel this is an exciting time for the community to work together on innovation around the supply chain and its core, critical components for build and packaging. We are excited to join and work together with the community on Project Pyrsia. There is a huge opportunity to build new kinds of infrastructure over the core container primitives that will foster innovation and better developer experiences.” – Justin Cormack, CTO, Docker_

_“Open-source project Pyrsia is developing a third-party attested, decentralized, distributed software package network that delivers secure, transparency and integrity for the open-source software package supply chain. Futurewei is committed to collaborating with open-source communities to accelerate the innovations for digital transformation via open-source, open standard, and open ecosystems. As open-source software becomes more pervasive, securing the open-source software supply chain becomes a critical issue. We are thrilled to be a founding member of Project Pyrsia and delighted to have the opportunity to collaborate with other members to accelerate Pyrsia for a secure and trusted open-source software supply chain ecosystem – bringing value to the open-source community.”– David Lai, Director, Cloud Infrastructure and Platform Architecture Open-Source Ecosystem Partnerships, Futurewei Technologies, Inc._

JFrog Launches Project Pyrsia to Help Prevent Software Supply Chain Attacks

Experience Centre features emerging Mastercard products and solutions for securing digital payments on a global scale, including those developed locally in Vancouver.

**MAY 25, 2022**

  
Today, Mastercard unveiled the "Experience Centre” at its _Global Intelligence and Cyber Centre of Excellence_ (“Centre of Excellence”) in Vancouver, BC, where local, national and international tech communities are invited to collaborate on cyber security innovation. The Experience Centre also features emerging Mastercard products and solutions that are already securing digital payments on a global scale, including those developed locally in Vancouver.

“Rapid advancements in digital technology have changed the way we shop, pay, work and interact, but with increased convenience comes increased risk,” said Sasha Krstic, President of Mastercard Canada. “Building on the world-class innovations developed at our Centre of Excellence in Vancouver, this new Experience Centre offers a venue for much-needed industry collaboration to anticipate and neutralize ever-expanding cyber threats to our global digital economy.”

Announced in 2020, Mastercard’s _Global Intelligence and Cyber Centre of Excellence_ is leading innovation in cyber and intelligence (C&I), artificial intelligence (AI) and the Internet of Things (IoT). Research from the Centre is already enhancing Mastercard solutions, combining the Centre’s biometric security algorithms with existing cyber capabilities is creating new approaches to enhance online security. In just two-and-a-half years, the Centre of Excellence is making quick progress against its long-term goals, such as:

*   **filing more than 30 local patents** that will secure cyberspace by building confidence in our connected devices, reducing the presence of malicious bots, bad human actors, and establishing a seamless experience for online interactions; and
*   **creating and maintaining more than 230 quality tech jobs to date,** ranging from software engineers to data scientists to product and program managers, with many more roles to fill.

“We are achieving this unprecedented level of cyber security innovation by attracting top talent from across Canada and the world to work smarter, better and faster in a creative, inclusive environment embedded in Vancouver’s vibrant tech community,” said Sasha Krstic. “Mastercard’s Centre of Excellence is not only making digital payments safer for consumers and businesses everywhere, it’s helping cement Canada’s role as a global powerhouse in cyber security innovation.”

  
Investing in Canadian Innovation

Mastercard has significantly expanded its technology footprint in Canada over the past five years. In 2020, Mastercard announced **a $510 million CAD investment** **to establish the _Global Intelligence and Cyber Centre of Excellence_ in partnership with the Government of Canada** to achieve their shared vision of building a better, more secure digital economy for everyone by leveraging Canadian innovation. This builds on the acquisitions of Vancouver-based NuData Security and Toronto-based Ethoca.

As part of its ongoing commitment to strengthening Canadian innovation, **Mastercard has proudly invested more than $6.3 million in strategic partnerships and knowledge-sharing** across Canada’s entire tech ecosystem through the _Global Intelligence and Cyber Centre of Excellence_ to-date. These investments are designed to:

*   scale C&I research and development (R&D) and bring Canadian innovations to market faster, making the global digital economy more secure;
*   nurture next-gen Canadian talent and expand STEAM opportunities for underrepresented groups, as true cyber security demands that diverse talent drive inclusive innovation; and
*   provide small businesses and entrepreneurs with the same cyber security tools and protection as larger enterprises so Canada’s economy can continue to thrive.

  
Strategic partnerships and community investments announced by Mastercard include:

*   **Digital Main Street:** creating engagement tools that help Canadian “mom and pop” businesses become more cyber aware, as well as 10 post-graduate internship spaces at the Mastercard _Global Intelligence and Cyber Centre of Excellence_ over five years;
*   **Canadian Federation of Independent Business (CFIB):** creating gamified, mobile-first cyber training for small- and medium-sized businesses;
*   **Pow Wow Pitch:** sponsoring a new tech stream in the Indigenous Entrepreneurship Program;
*   **Mitacs:** creating 50 internships at Mastercard’s _Global Intelligence and Cyber Centre of Excellence_ for graduate students across Canada over five years;
*   **University of New Brunswick:** funding the Mastercard Research Chair in IoT and a new Cyber Security Research Lab;
*   **Rogers Cybersecure Catalyst:** accelerating cyber security training and young leader development at Toronto Metropolitan University;
*   **Science World:** developing STEAM training for girls in grades 2 to 9 through the “Tech-Up” program; and
*   **Girls4Tech:** expanding cyber programming for Canadian girls.

  
“Vancouver and Canada more broadly are brimming with talent and expertise in a range of STEM fields, including cyber and intelligence,” said Mansur Mirani, VP of the Mastercard Global Intelligence and Cyber Centre of Excellence in Vancouver. “Investments across our tech ecosystems, especially in diverse communities, unlocks additional potential in our knowledge economy that will keep Canada on the forefront of global cyber security innovation for generations to come.”

Mastercard Launches Cybersecurity “Experience Centre”

Company will detail enhancements to Vulnerability Management, Detection and Response solution next month.

FOSTER CITY, Calif., May 25, 2022 /PRNewswire/ -- Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, today announced it is holding the Qualys Security Conference (QSC) San Francisco in tandem with RSAC on June 7-8.

At the event, Qualys will unveil significant updates to the company's Vulnerability Management, Detection and Response (VMDR) solution. The new enhancements redefine how enterprises manage cybersecurity risk with an unprecedented capability to prioritize and remediate at scale.

Through keynotes, live demonstrations, customer presentations, training sessions and networking, the Qualys customer community will dive into the profound impact of the digital journey and converse on best practices and case studies on risk management and security automation.

The week will feature talks from Qualys experts, customer success stories and a feature keynote at the Cloud Security Alliance CxO Trust Summit:

**Qualys QSC San Francisco Featuring VMDR Live  
**QSC San Francisco will be held in person at the Palace Hotel in San Francisco. To view the full schedule and to register for the event, visit the website.

**Highlights include:**

*   **Sumedh Thakar, President and CEO:** Security Automation for the Digital Journey
*   **Nagi Prabhu, Chief Product Officer:** Bringing the Unified Power of the Qualys Cloud Platform to Address Today's Security Challenges
*   QSC customer presentations from **First American Financial** and others.
*   **VMDR LIVE:** Redefining Cybersecurity Risk Management with VMDR
    *   Introducing VMDR 2.0 with TruRisk
    *   Fireside chat with Brian Penn, **Aflac**
    *   Join VMDR Live virtually at www.qualys.com/vmdr-live.
*   **Qualys Cocktail Reception:** Come network with Qualys experts, customers and industry practitioners on Tuesday, June 7 at 6:00 pm PT at the Palace Hotel.
*   **Training Sessions:** On Wednesday, June 8, Qualys will lead two training courses, including an introduction to Qualys VMDR and How to Manage and Secure Your Container Assets.

**Qualys at RSAC  
**Attendees with RSAC credentials are welcome to join the following RSAC events to network with industry peers and learn more about Qualys:

*   **CxO Trust Summit at RSAC****: Jonathan Trull, CISO at Qualys:** Measuring the Maturity of Your Cloud Security Program. June 6, 8:30 am – 3 pm PT, RSAC – Moscone Center South, level 3
*   **DevOps Connect – DevSecOps @RSAC****:** Connect with the Qualys DevOps team to learn more about VMDR and our cloud-based IT, security and compliance solutions. June 7, 8:30 am – 4 pm PT, RSAC – Moscone Center South

**About Qualys**  
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based Security, Compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.

The Qualys Cloud Platform leverages a single agent to continuously deliver critical security intelligence while enabling enterprises to automate the full spectrum of vulnerability detection, compliance, and protection for IT systems, workloads and web applications across on premises, endpoints, servers, public and private clouds, containers, and mobile devices. Founded in 1999 as one of the first SaaS security companies, Qualys has strategic partnerships and seamlessly integrates its vulnerability management capabilities into security offerings from cloud service providers, including Amazon Web Services, the Google Cloud Platform and Microsoft Azure, along with a number of leading managed service providers and global consulting organizations. For more information, please visit www.qualys.com.

Qualys to Unveil VMDR 2.0 at Qualys Security Conference in San Francisco

Corelight Investigator aids threat hunting and investigation through intelligent alert aggregation, built-in queries and scalable search

SAN FRANCISCO, May 25, 2022 /PRNewswire/ -- Corelight, the leader in open network detection and response (NDR), today announced Corelight Investigator, a SaaS-based solution that extends the power of open-source driven network evidence to SOC teams everywhere. Investigator delivers advanced capabilities for transforming network and cloud activity into evidence in a fast, intuitive platform that is easy to deploy and use.

Based on insights learned from savvy defenders in the Zeek open source community, Corelight Investigator provides not only advanced analytics and open access to the best network evidence, but the ability to do custom evidence enrichment unique to each environment. With Corelight Investigator, security teams can quickly accelerate threat hunting and investigations by mapping threat activity across the MITRE ATT&CK® framework and reduce alert volume with intelligent alert scoring.

"We believe that evidence is at the heart of cybersecurity for any organization," said Brian Dye, CEO of Corelight. "We have the privilege of working with defenders of critical infrastructure that can afford data lake architectures and in-house analytics teams to execute their evidence-driven cyber strategy. Corelight Investigator brings the design patterns of those elite defenders to the broader enterprise by combining advanced analytics and threat hunting capability with the power of Zeek, the industry de-facto standard for network evidence."

**Full network visibility with next-level analytics  
**Corelight Investigator brings complete visibility of the network, both on-premise and in the cloud, with evidence that spans months and years, not days and weeks. Customers can leverage machine learning, behavioral analysis, threat intelligence and signatures, mapped to the MITRE ATT&CK framework, to enable broad coverage of network-centric threats.

This evidence leads to specialized detections and enables the threat hunting necessary for advanced, persistent, and personalized attacks. In addition, it supports custom enrichment of network evidence - such as asset information, vulnerabilities, or per-asset context - and links threat hunting and incident response through custom alerts, queries, and dashboards.

"Unlike competitive 'closed' solutions, Corelight Investigator brings a new level of openness to the SaaS NDR market that enables customers to fully understand the logic behind machine learning based detections, and freely integrates these alerts with their existing tools for the broadest coverage," said Clint Sand, senior vice president of product for Corelight.

**Powered by open source and novel research  
**"Along with the advanced analytics that Corelight Labs provides, another advantage of Corelight Investigator is its ability to harness the analytical power of the open source Zeek and Suricata communities. That provides broad-based threat coverage including rapid zero-day response capabilities," said Vern Paxson, co-founder and chief scientist for Corelight. "The open-source nature of Zeek helps us illuminate _why_ a detection happened, as well as rich information about its surrounding context."

Corelight Investigator customers can access richly detailed, interlinked Zeek logs including access to DNS responses, file hashes, SSL as well as logs created by Corelight Labs - which continually creates new analytics for evolving threats and vulnerabilities using cross-customer visibility with the speed of SaaS – for both investigating those alerts and enabling threat hunting.

"As attacks continue to evolve and grow in sophistication, security teams need NDR solutions that provide not only timely and accurate detections, but the supporting context to respond quickly and effectively," said John Grady, senior analyst with ESG. "Corelight meets these requirements by bringing rich network evidence from its decades-long open source Zeek heritage, combined with novel analytics from an array of inferences, making it a powerful contender in the space."

**University of Missouri powers network visibility with Corelight Investigator  
**For many organizations, it is not possible to staff a full security or development team dedicated to parsing the expansive volumes of network traffic. This is true for the research and support services team at the University of Missouri that needed a solution that could provide full network visibility without the management overhead and other fine-tuning often required with competing solutions.

"We are a large university and we need to have full network visibility," said Aaron Scantlin, security analyst at University of Missouri. "It was simple to set up, which means the rest of my time is spent doing advanced analysis and other work."

In addition, Corelight Investigator quickly identifies threats on the network so the team can take immediate action as well as provides access to the raw data for additional investigation.

"Corelight Investigator ingests events so that we can query them in a snap," said Scantlin. "It improves our security posture by providing instant access to events we need to act on."

**Pricing and availability  
**Corelight Investigator joins the Corelight Sensor product portfolio and will be generally available in June. Corelight customers and prospects can contact sales directly for pricing information. More information Corelight Investigator can be found on the Corelight website.

**About Corelight  
**Corelight provides security teams with network evidence so they can protect the world's most critical organizations and companies. Corelight's global customers include Fortune 500 companies, major government agencies, and large research universities. Based in San Francisco, Corelight is an open-core security company founded by the creators of Zeek®, the widely-used network security technology. For more information, www.corelight.com.

Corelight Announces New SaaS Platform for Threat Hunting

Cylance co-founder Ryan Permeh has joined full time as an operating partner.

**WEST PALM BEACH, Fla.** – May 25, 2022 – SYN Ventures, the only VC firm founded and led exclusively by former Fortune 500 CISOs and C-level security leaders, today announced the closing of its $300M Fund II. The closing comes less than 12 months since the launch of its debut fund and continues the firm’s focus on early-stage cybersecurity, industrial security, national defense, privacy, regulatory compliance, and data governance start-ups.

In addition to the closing of Fund II, the firm announced that Co-founder and former Chief Scientist of Cylance, Ryan Permeh, has joined full time as an Operating Partner.

“As cybersecurity has come to the forefront of every human on the planet, the pace of innovation is exploding for both our industry and adversaries,” said Jay Leek, Managing Partner at SYN Ventures. “Adding Ryan, one of the most successful and connected entrepreneurs in our industry, to our team is incredible validation of our investment thesis and mission of protecting all companies big or small, the United States and our allies.”

SYN investments include Adlumin, Boldend, Halcyon, Metabase Q, Netography, Pangea, Phosphorus, Query.ai, SecZetta, Sevco Security, ShiftLeft, SynSaber, TrackerDetect, Revelstoke, Transmit Security, and others. The team combines over 100 years of operational security experience with investing acumen and a trusted network of dozens of CISOs that actively help entrepreneurs accelerate the growth of their companies to better protect against the ever-evolving threat landscape. Some of the firm’s CISO advisors include Cradlepoint CISO, Ben Carr; Chipotle CISO, Dave Estlick; Vista Equity Partners Managing Director and CISO, Adrian Peters; USAA CSO, Jason Witty, and more.

“Joining Jay, Patrick and the SYN team is an exciting next chapter in my career. After decades in executive leadership roles starting at McAfee, I’ve been blessed to work with the people and technologies that have been instrumental in the emergence of cybersecurity as an industry,” said Permeh. “As an entrepreneur, I couldn’t have done what I did without fantastic venture partners, including Jay and Patrick, to bring my vision to life and scale a company to become one of the first unicorns in the industry. Security is in my blood, and I’m excited to share my experience and expertise to help the next generation of entrepreneurs disrupt the industry and evolve the fabric of security.”

**About SYN Ventures**

SYN Ventures is a venture capital firm focused on investing in disruptive and innovative security companies in the cybersecurity, industrial security, national defense, privacy, regulatory compliance, and data governance industries. The firm’s dedicated security team has a proven track record with over 100 years of security investing and operational experience. SYN also has a highly distinguished network of seasoned security advisors and CISOs. For more information on SYN Ventures, please visit https://www.synventures.com/

Cybersecurity-Focused SYN Ventures Closes $300 Million Fund II

According to the findings, vishing attacks have overtaken business email compromise as the second most reported response-based email threat since Q3 2021.

MINNEAPOLIS, May 23, 2022 /PRNewswire-PRWeb/ -- Vishing (voice phishing) cases have increased almost 550 percent over the last twelve months (Q1 2022 to Q1 2021), according to the latest Quarterly Threat Trends & Intelligence Report from Agari and PhishLabs, both of which are part of the HelpSystems cybersecurity portfolio.

In Q1 2022, Agari and PhishLabs detected and mitigated hundreds of thousands of phishing, social media, email, and dark web threats targeting a broad range of enterprises and brands. The report provides an analysis of the latest findings and insights into key trends shaping the threat landscape.

According to the findings, vishing attacks have overtaken business email compromise (BEC) as the second most reported response-based email threat since Q3 2021. By the end of the year, more than one in four of every reported response-based threat was a vishing attack, and this makeup continued through Q1 2022.

"Hybrid vishing campaigns continue to generate stunning numbers, representing 26.1% of total share in volume so far in 2022," said John LaCour, principal strategist at HelpSystems. "We are seeing an increase in threat actors moving away from standard voice phishing campaigns to initiating multi-stage malicious email attacks. In these campaigns, actors use a callback number within the body of the email as a lure, then rely on social engineering and impersonation to trick the victim into calling and interacting with a fake representative."

Additional Key Findings

*   Social media impersonation attacks are on the rise. Since Q2 2021, the volume of brand impersonations increased 339% and executive impersonations 273%. According to the findings, brands prove to be convenient targets for threat actors, especially when associated with retail counterfeit operations. However, for some unique attacks, executive accounts are preyed on to make the spoofs seem more realistic.
*   Credential theft email scams continue to be the most common email threat type reported by employees, contributing to nearly 59% of all threat types encountered. Credential theft reports increased 6.9% in volume from Q4 2021.
*   The malware landscape continues to be ever changing. Qbot was once again the payload of choice for threat actors attempting ransomware attacks, but Emotet reemerged in Q1 and was the second leading payload.
*   While nearly half of all phishing sites rely on a free tool or service for staging, Q1 2022 was the first quarter in five consecutive quarters where paid or compromised services (52%) outnumbered free solutions for the use of staging phishing sites.

"As the variety of digital channels organizations use to conduct operations and communicate with consumers expands, bad actors are provided with multiple vectors to exploit their victims," added LaCour. "Most attack campaigns are not built from scratch; they are based on reshaping traditional tactics and incorporating multiple platforms. Therefore, to remain secure, it's no longer effective for organizations to only look within the network perimeter. They must also have visibility into a variety of external channels to proactively gather intelligence and monitor for threats.

"Additionally, security teams should invest in partnerships that will ensure the swift and complete mitigation of attacks before they result in reputational and financial damage."

Additional Resources

To learn more about the report findings, attend the live webinar at 2 PM EST on Tuesday, May 24 or watch on-demand: https://www.phishlabs.com/webinars/details/?commid=541642.

To access the complete Agari and PhishLabs Quarterly Threat Trends & Intelligence Report, visit: https://info.phishlabs.com/quarterly-threat-trends-and-intelligence-may-2022.

About Agari by HelpSystems  
Agari restores trust to your inbox by increasing overall email deliverability and preserving brand integrity. It does this through an identity-centric approach that uniquely learns sender-receiver behavior. This model protects customers, partners, and employees from devastating phishing and socially engineered attacks, such as inbound business email compromise, supply chain fraud and account takeover-based attacks, as well as from outbound email spoofing. Visit http://www.agari.com to learn more.

About PhishLabs by HelpSystems  
PhishLabs by HelpSystems is a cyber threat intelligence company that delivers Digital Risk Protection through curated threat intelligence and complete mitigation. PhishLabs provides brand impersonation, account takeover, data leakage and social media threat protection in one complete solution for the world's leading brands and companies. For more information visit http://www.phishlabs.com.

About HelpSystems  
HelpSystems is a software company focused on helping exceptional organizations secure and automate their operations. Our cybersecurity and automation software protects information and simplifies IT processes to give our customers peace of mind. We know security and IT transformation is a journey, not a destination. Let's move forward. Learn more at http://www.helpsystems.com.

Vishing Attacks Reach All Time High, According to Latest Agari and PhishLabs Report

Google has disclosed a nasty set of six bugs affecting Zoom chat that can be chained together for MitM and RCE attacks, no user interaction required.

A vulnerability chain discovered in Zoom's chat functionality can be exploited to allow zero-click remote code execution (RCE), threat hunters have revealed.

Google's Project Zero uncovered an attack path that would allow cyber adversaries to silently force a victim to connect to a man-in-the-middle (MitM) server — no user action needed. From there, attackers can intercept and modify client update requests and responses in order to send the victim a malicious update, which will automatically download and execute, thus allowing RCE.

The only capability needed to carry this off successfully is the ability to send messages to the victim over Zoom chat, Project Zero researcher Ivan Fratric noted in a posting that was made public on Tuesday.   

"With the massive popularity and broad reach of Zoom, any vulnerability that could allow a remote compromise like this is of concern," Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading. "While an attack appears to require the threat actor to be on an active Zoom call with the target, the wide prevalence of the platform and the number of large group meetings means it shouldn’t be difficult for a malicious actor to find suitable victims."  

**XMPP "Stanza Smuggling" Bug  
**Zoom chat uses a messaging protocol based on XML called XMPP. Fratric explained that messages are exchanged using short snippets of XML called "stanzas" that are sent over a single stream back and forth from client to server. The initial issue is the fact that the client and server don't see eye-to-eye when interpreting whether message code is well formed, leading to parsing inconsistencies.

"The clients use gloox library for XML parsing … and Zoom's server … uses fast\_xml for XML parsing, which in turn uses an XML parser called Expat," the researcher noted. "Indeed, it turns out that Expat and gloox parse XML in a different way and (at least one) exploitable inconsistency exists."

At issue is the fact that the server's Expat parser is lax when it comes to validating tag and attribute names, Fratric said. Specifically, it will forward tag names containing question marks (i.e., "<?xml ?>") to the client, even though it shouldn't. And when the client's gloox parser sees the question-mark sequence, it will reset the parser state so that anything coming after that will be considered a legitimate root node of the next stanza.

This makes it possible to escape the <message> tag safeguards, he noted, to add in whatever content the attacker would like: "The <message> tag here can, of course, be replaced with <iq> or any other tag and it will be accepted by the client as the data coming from the server." He dubbed this "stanza-smuggling."

Since attackers now have complete control over the message tag, that also means they can manipulate the "from" attribute, in order to spoof messages as if coming from another user. And, Fratric noted, they can also lead the victim's contacts to malicious websites for phishing or drive-by malware attacks. This is accomplished by altering the file-integration tag, to surreptitiously replace the URL that's opened when the user wants to share a file with another user, using Dropbox, Google Drive, SharePoint, and other cloud-based services.  

**Achieving Man-in-the-Middle Status  
**The MitM attack is accomplished by changing the <strem:error> tag. Using a specially crafted stanza, bad actors can create "a 'ClusterSwitch' task in the Zoom client, with an attacker-controlled 'web domain' as a parameter," Fratric said.

To trigger the attack, adversaries can simply type and send a message to the victim containing the magic string "iddqd" in the tag. That will cause the victim client to connect to the /clusterswitch endpoint on the attacker-provided domain, thus setting up the ability to see and modify traffic between the client and the Zoom Web server.

"From /clusterswitch endpoint, a client gets a list of domains to be used for various services," Fratric explained. "Since the attacker is already in the man-in-the-middle position, they can replace any of the domains with their own, acting as a reverse proxy and intercepting communications."

**Exploiting the Client Update Process  
**The escalation to arbitrary code execution was a logical next step, Fratric noted, given that Zoom clients will periodically query the update endpoint from Zoom's Web server to see if there's anything new to install.

"Since the attacker is already in the MitM position, they can, of course, replace these endpoints and serve arbitrary data," according to the researcher.

Fratric ran into a snag here, though: The client downloads two files as part of the update process, and verifies their legitimacy — the "Installer.exe" file must be signed by "Zoom Video Communications, Inc." to start with; once installed, it checks the hash of the second .cab file.

However, it turns out that attackers can get around these hurdles with a downgrade attack.

"I served Installer.exe and .cab from Zoom version 4.4 (from mid-2019)," the researcher explained. "The installer for this version is still properly signed; however, it does not do any security checks on the .cab file."

**Patch Now**

In all, Fratric reported a total of six security vulnerabilities, including four Zoom-specific issues fixed in version 5.10.4 of the Zoom client:  

*   CVE-2022-22784 (improper XML parsing)
*   CVE-2022-22786 (update package downgrade),
*   CVE-2022-22787 (insufficient hostname validation​​),
*   CVE-2022-22785 (improperly constrained session cookies)

There's unfortunately also a software supply chain issue at work: The two others (CVE-2022-25235, CVE-2022-25236) affect the Expat parser, which is open source and used in plenty of other applications, including wares from Aruba, F5, IBM, and Oracle, as well as the Red Hat Linux distro. They're patched in Expat version 2.4.5.

"Some or all parts of the chain are likely applicable to other platforms," Fratric said.

Zoom became a popular target for "Zoom-bombing" and other attacks in the wake of the work-from-home wave during the pandemic, calling into question the security of the platform and its encryption practices. The company implemented a raft of security changes to match it's heightened status, but nonetheless, bugs like these are somewhat inevitable, researchers noted.

"In 2020, we all instantly became hyper-connected to the Internet…and so did all of the systems we use," Mark Lambert, vice president of products at ArmorCode, tells Dark Reading. "Two years later, and it is clear that there is no looking back. Unfortunately, these types of vulnerabilities are inevitable given the speed that software is released to meet business goals. The only way for us to protect ourselves is to detect as soon as possible and react even quicker."

Managing the volume of software vulnerabilities and alerts is a difficult challenge for developers, he notes. "The only way for them to keep up with the pace of delivery is to operationalize application security and embed it into their DevOps pipeline."

Zero-Click Zoom Bug Allows Code Execution Just by Sending a Message

This year's finalists tackle such vital security concerns as permissions management, software supply chain vulnerability, and data governance. Winners will be announced June 6.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Meet the 10 Finalists in the RSA Conference Innovation Sandbox

Purporting to publish leaked emails of pro-Brexit leadership in the UK, a new site's operations have been traced to Russian cyber-threat actors, Google says.

A new website has popped up called Very English Coop d'Etat, publishing what it claims are private emails from pro-Brexit leadership in the UK in an attempt to gin up conspiracy theories around the country's split from the European Union.   

Both UK foreign intelligence and Google's cybersecurity team confirmed that Russian cyberattack group Cold River is behind the campaign, according to Reuters. 

Steve Huntley, with Google's Threat Analysis Group, said that this campaign has "clear technical links" to other Cold River disinformation campaigns, according to the report.

Victims of the leaks include former MI6 spy agency head Richard Dearlove, public Brexit supporter Gisela Stuart, and historian Robert Toombs, according to the report, who say their accounts were breached by Russian government actors. 

Reuters added that this incident is the second time since 2020 that Moscow-backed cyberattackers have stolen and leaked private emails from British national officials. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Brexit Leak Site Linked to Russian Hackers

Implement zero-trust policies for greater control, use BYOD management tools, and take proactive steps such as keeping apps current and training staff to keep sensitive company data safe and employees' devices secure.

Mobile workers are productive and often essential to a business's success, but it puts an immense amount of pressure on IT to protect the company's corporate apps and data while maintaining worker privacy.

Bring your own device, also known as BYOD, challenges corporate security protocols and IT staff to protect their intellectual property and keep hackers at bay.

**BYOD Security Risks  
**When the pandemic first hit, organizations were forced to shift from mainly supporting corporate-owned, fully managed devices to supporting personal devices used for work purposes. This abrupt move to remote work forced companies to quickly shift their networking and security capabilities, creating a large amount of risk to their organization. Without proper security measures in place, these unmanaged BYOD devices grant employees access to company resources and sensitive data, which poses a potential risk for sensitive data to be leaked, inadvertently or on purpose.

With over 58% of employees saying their use of personal devices for work purposes increased during the COVID-19 pandemic, shortcuts were destined to be taken with the quick shift to remote work and BYOD. We saw IT teams prioritizing and investing in network access capabilities rather than remote security. With 84% of survey respondents saying they didn't invest in data protection, it's doubtful their security measures increased during the duration of the pandemic. As employees start to return to the office and regain access to even more company resources and sensitive data, their use of BYOD at work could expose their company to new risks.

Here's a spring-cleaning checklist to keep your employee's devices secure for their return to office and beyond:

**Step 1: Improve your BYOD security policy.** If you don't have a BYOD security policy, create one now! For the 39% of organizations that have a formal policy in place, ask yourself if your company's BYOD security policy is restrictive or too vague and adjust as needed. Consider employee's privacy and productivity concerns when making improvements to the policy.

**Step 2: Implement zero-trust security.** With 72% of organizations around the world that have either adopted or are in the process of planning or adopting zero trust, it has become the new business standard for reliable security in our "work-from-anywhere" world. Whether you're working in the office, checking your email in the airport, or working from home, zero-trust security expands beyond a company's security perimeter. Zero trust prescribes that every resource — including devices — must be assessed for potential risks or policy violations before gaining access to corporate data, giving greater control over a BYOD environment.

**Step 3: Make use of BYOD management tools.** It's difficult for companies to manage a fleet of devices across multiple departmental disciplines and mobile device management (MDM) software can help make it simple and easy. Various core functions of MDM ensure that devices are remotely available for auditing, update over the air, that software runs effectively, and devices are available for remote diagnosis and troubleshooting. According to Markets and Markets, the MDM market is anticipated to grow to $15.7 billion by 2025.

**Step 4: Keep your apps and their components up to date.** Each day, hundreds of vulnerabilities are discovered in the mobile and web space, and patches are released regularly. Developers should incorporate these patches in their applications and encourage their users to regularly update their app and their operating systems. This ensures that hackers who try to exploit these known vulnerabilities will be unsuccessful.

**Step 5: Empower employees with information.** According to Trustlook, more than 50% of employees haven't received formal instructions for how to safely use BYOD in the workplace. One of the biggest things companies can do to make sure BYOD devices are secure is empowering employees with information to understand how their devices can be risky to the company's data and create vulnerabilities. Without understanding the cause and effect of BYOD devices to the company, employees won't value a BYOD security policy.

**Step 6: Mitigate future mobile application security issues.** Don't let the wrong mobile security strategy result in customer data being stolen or misused by a cyber scam. Encourage your employees to scan all their mobile apps whether they're for personal or business use.

**Choosing Your Path  
**Large organizations with distributed and often multinational operations need to ensure employees use the latest technologies without putting corporate data and intellectual property at risk. Hybrid and remote work are here to stay, and the demand for BYOD will continue to increase. Determine which security tools and strategies are right for your organization and start implementing them before they cost you in the long run.

Source

DARKReading