Getting a handle on the new risks facing AppSec by low-code/no-code development patterns

As low-code and no-code application development platforms gain more currency among business groups seeking speedy workarounds to long development backlogs, concerns about application security loom.

The low-code movement increases software engineering agility by speeding up the work of developers and enabling nontechnical business users to create their own applications and add new features to existing tools without needing to engage the engineering team. Low-code development offers the kind of elegant simplicity that’s irresistible to executives with big digital transformation aspirations.

But that kind of "it just works" opacity sends shudders down the spines of cybersecurity veterans. Any security professional with experience with emerging tech cycles instinctually understands that there be dragons in the waters that lie ahead for low-code/no-code — even if they’ve not yet mapped out exactly what kind of monsters they’re dealing with or where they are just yet.

Michael Bargury, author of the Low-Code/No-Code OWASP Top 10, will explain the exact nature of some of low-code/no-code's biggest security risks at the RSA Conference in San Francisco. Chief among them are patterns of permissioning that could throw many of the investments that organizations have made in role-based access control and identity management right out the window.

**Low-Code's Expected Explosion**

Low-code and no-code technologies provide graphical user interface (GUI) environments that make it possible to design and deploy applications and new features for fast-evolving business use cases without intensive hand-coding. These technologies include low-code application platforms (LCAP), robotic process automation (RPA), and business process automation (BPA), among others. Recent forecasting by Gartner shows that by next year the LCAP market will have doubled its revenue from 2021 and the broader low-code segment will reach nearly $32 billion.

These low-code technologies are being used by development teams to speed up and scale their work, by teams of developers and business stakeholders to improve collaboration on fast-moving digital initiatives, and by a new class of citizen developers who create their own apps without waiting for development resources.

It's that last group that’s fueling the explosion of low-code and no-code platforms and the use of low-code functionality within broader software-as-a-service (SaaS) application ecosystems. Gartner predicts that the overall low-code market will increase by 19.6% in 2023, with the fastest-growing segment being citizen automation development platforms, which are set to increase by over 30%. Analysts with the firm say that developers outside of formal IT departments already make up well over 60% of the low-code user base, and by 2026 citizen developers and other nontraditional application designers are going to make up 80% low-code users.

"Business technologists and citizen technologist personas are developing lightweight solutions to meet business unit needs for enhanced productivity, efficiency, and agility — often as fusion teams," said Jason Wong, distinguished VP analyst for Gartner in a recent low-code forecast by the firm.

**Low-Code's IAM Bombshell**

In the face of all this growth in low-code technology, Bargury is on a mission to warn security executives of the risks it poses to application security and cybersecurity postures in the near- and long-term. One of the biggest risks is the fact that these platforms are rampantly sharing credentials in order to work around strict access controls built by organizations over the years, says Bargury, co-founder and CTO of Zenity, a startup focused on low-code/no-code security.

"Let's say that you already have a SaaS platform and you've built this low-code platform on top of SaaS. Now business users can create their own applications and share those applications with their teams and other employees to use as well. So what would be the number one thing that would stop them from being able to do that in the enterprise?" Bargury says. "The answer is permissions."

As he explains, if a business user wants to create their own app, they need to get permissions granted to that app to give it access to data stores and to get it to integrate with other systems. And to get that, these citizen developers would traditionally need to wait for somebody from IT to grant that. Not only would these app designers probably hear a lot of "nos" from these teams, but just waiting for the provisioning process to run its course would essentially neutralize the whole agility value proposition of using low-code in the first place.

So, to get around this problem, many low-code/no-code platforms allow business users to build applications using their own credentials and identities. When they share those applications to other users for broader use, those credentials are shared by everyone.

"Let's say I work in finance. I build an application, and I implicitly embed my own identity within that application, and now I'm sharing that application with you," Bargury says. "You are using the app and everything works, and it's fine, you have access to data. But the underlying application is actually still using my identity to provide that access. I call this credential-sharing-as-a-service."

And as he puts it, this is a feature that low-code development platforms are proud of and actively marketing because they enable productivity. But obviously from a security perspective it can quickly turn into a nightmare. It could undermine the integrity of role-based access controls, throw off user and entity behavioral analytics, and create huge compliance risks in the future, says Morey Haber, CSO for privileged access management firm BeyondTrust

"Credential-sharing-as-a-service would impact an organization's ability to accurately provide attestation reporting for all identities utilizing the service," Haber says. "Accounts present from a low-code development platform environment would provide an unknown for accurately who has access, including foreign identities."

Chris Hughes, CISO and co-founder of Aquia, says he has a hard time seeing how low-code platforms that handle permissions in this way could possibly be used in secure coding environments.

"They are just not compatible," he says. "In fairness, this is a new risk that is now being exposed for these solutions, and now that this information is public, it needs to be amplified for all organizations to measure the risk and determine if they are violating any laws by using this type of software."

**Yet Another BYOD Scenario**

For his part, Bargury doesn't believe that blocking low-code development is the answer to these risks.

Security professionals who were around during the advent of the iPhone and other consumer-class devices and cloud services will understand that this wave of low-code development will mirror the same challenges they faced in the first days of bring-your-own-device hype. While AppSec pros have to seek ways to effectively manage these risks, there is no way that they're going to do that by stopping the low-code freight train.

"It's like when people started using mobile, and security teams were like, 'Yeah, nobody will ever use mobile with our company data.' We tried to block it, but it didn't work," says Bargury.

Low-code/no-code technology is already more pervasive in the enterprise than many security professionals even realize, he adds

"There are multiple vendors that are pushing this space forward, but some of them are the SaaS vendors, which are building low-code/no-code into their existing offerings," explains Bargury, pointing to vendors like ServiceNow, Salesforce, Microsoft, and many others that have already pushed these features into their enterprise offerings. "This is a crucial point because it means that nobody gets to choose if they will have low-code/no-code or not because it's already there."

Not to mention the fact that business users and executive sponsors love low-code technologies. Low-code platforms are helping them overcome lengthy application feature request backlogs that have plagued their digital transformation efforts for years. The agility and ROI of low-code is something that security practitioners cannot discount. Just like with BYOD, this is a political battle they can't win, Bargury says.

Much of Bargury's talk at RSA Conference will focus on helping AppSec practitioners understand the kinds of security guardrails they can institute around low-code platforms to make them more compatible with broader security and compliance needs of the business.

This includes better vetting of which low-code technologies are in use within the organization, more scrupulous development of policies and configuration around how low-code platforms orchestrate the provisioning of access within the applications they produce, and more robust black-box testing of applications produced by low-code technology.

"I think the worst approach would be to try and block low code because people will just use something else," he says. "The best approach would be to say, 'Here's a few approved platforms. You can do whatever you want in them. There are automated guidelines to help protect you. We got your back. Don't think about security. You are in finance, you are in sales, do your thing.' That's something that we as security practitioners need to be proactive about."

Are Low-Code Apps a Ticking Access Control Time Bomb?

Code property graphs and a threat feed powered by artificial narrow intelligence help developers incorporate AppSec into DevOps.

RSA CONFERENCE 2023 – San Francisco – Application security company Qwiet AI has announced a new threat intelligence feed for its real-time code security analysis tool PreZero to help security teams focus on remediating the fixes that will have the most impact on application security.

The data feed, called Blacklight, analyzes information about exploits that are deployed in the wild. Developers can use the data to see which vulnerabilities to address right away and which ones can wait. Just like a physical black light can reveal where that smell is coming from, Blacklight "exposes what you can't see visually," says Qwiet AI CEO Stuart McClure.

Narrowing the scope of patching is vital, considering the sheer volume of vulnerabilities reported. There were 3,239 high-severity vulnerabilities found in 2022, according to NIST's National Vulnerability Database, putting security teams in the position of having to remediate about 10 a day, every calendar day, to fix just the most serious vulnerabilities. But past research has shown that not all vulnerabilities need to be fixed right away. Only 15% of vulnerabilities get loaded into memory, which suggests 85% aren't reachable by an attacker, according to Sysdig. And of those reachable vulnerabilities, even less are exploitable in practice. In 2022 Qwiet AI, then called ShiftLeft, announced that only 3% of open source vulnerabilities were attackable.

The trick, of course, lies in identifying the 3%. PreZero asks a series of questions to whittle down vulnerabilities to a shorter list of those requiring immediate action: Does the application load the package containing the CVE? Is that package in use by the application? Can an attacker reach that package? And how can the developer mitigate the vulnerability?

A survey of PreZero users found that the new threat feed reduces the average cost per finding by nearly 25%, according to the company.

**Putting Artificial Narrow Intelligence to Work**

PreZero builds a deep neural net out of code property graphs (CPGs), which analyze JavaScript — 58 billion lines of it so far, according to McClure. The CPG is made up of three kinds of data graphs: abstract syntax trees that classify code according to syntax, data flow graphs that map variables from input through to the outputs to see how the data changes, and control flow graphs that track who controls the data and what changes are made.

The artificial narrow intelligence system uses those CPGs to build a model of what good code looks like versus vulnerable code, which it then can apply to new code that's entered into the tool.

"We're gonna go through the typical path, which is the code property graph based on these human-written policies, but we're also going to send that same code sample through our AI model and be able to determine if there's an additional vulnerability in there that the humans didn't catch or the signatures didn't catch," McClure says. "And so that's what really differentiates us."

Qwiet AI shared with Dark Reading a screenshot of a report Blacklight generated on Log4j 2.9.1, one of many versions of the logging utility affected by the Log4Shell vulnerability, to demonstrate the kind of information the feed provides. Potentially the most useful section is remediation advice, which counsels, "Users who want to avoid attacker-controlled JNDI lookups but cannot upgrade to 2.16.0 must ensure that no such lookups resolve to attacker-provided data and ensure that the JndiLookup class is not loaded."

"I've spent my time in the trenches," says Bruce Snell, Qwiet AI director of technical and product marketing. "There's something more visceral about attaching an actual exploit or a threat actor to a vulnerability."

Another interesting feature in PreZero is security insights, which flags code that would open the door to vulnerabilities if it were deployed. That's clearly useful for developers trying to write more secure code, but McClure says the security side also benefits from PreZero.

"The AppSec, cybersecurity, and CISOs would use \[PreZero\] to understand the current state of risk to the business, but then developers use it to actually get the line of code that they need to go fix," he says.

**AI Is Good Business**

Competition does abound. For example, Snyk uses AI in vulnerability scanning, as does GitHub — although the Spider Artificial Intelligence Vulnerability Scanner (SAIVS) falls into the machine learning category.

"We've had this skill shortage for as long as I can remember now, and I think it's actually worse on the AppSec side than it is in the InfoSec side," Snell says. "So having this AI that can, instead of trying to find the needle in a haystack, just produce a stack of needles and say, 'Here's the things that you need to deal with' is going to be huge. And it's really going to be the only way I think that the industry can keep up."

Getting away from signatures is something McClure has been working on since he co-founded Cylance, which he sold to BlackBerry for $1.4 billion in 2018; he's been planning out his vision of the future of AI since at least 2016. To demonstrate his hacking philosophy in action, McClure is co-presenting a technical session "Hacking Exposed — Hacking the Sec into DevOps" with Qwiet AI CTO Chetan Conikee on Wednesday April 26 at 1:15 p.m.

Qwiet AI Builds a Neural Net to Catch Coding Vulnerabilities

**SAN FRANCISCO****,** **April 24, 2023** **/PRNewswire/ --** **RSA CONFERENCE 2023 --** Cisco (NASDAQ: CSCO), the leader in enterprise networking and security, unveiled the latest progress towards its vision of the Cisco Security Cloud, a unified, AI-driven, cross-domain security platform. Cisco's new XDR solution and the release of advanced features for Duo MFA will help organizations better protect the integrity of their entire IT ecosystem.

**Threat Detection and Response****

Cisco's XDR strategy converges its deep expertise and visibility across the network and endpoints into one turnkey, risk-based solution. Now in Beta with General Availability coming in July 2023, Cisco XDR simplifies investigating incidents and enables security operations centers (SOCs) to immediately remediate threats. The cloud-first solution applies analytics to prioritize detections and moves the focus from endless investigations to remediating the highest priority incidents with evidence-backed automation.

"The threat landscape is complex and evolving. Detection without response is insufficient, while response without detection is impossible. With Cisco XDR, security operations teams can respond and remediate threats before they have a chance to cause significant damage," said Jeetu Patel**, Executive Vice President and General Manager of Security and Collaboration at Cisco.** "Cisco continues to ensure that 'if it's connected, you're also protected.' We are uniquely positioned to deliver integrated solutions that simplify securing today's increasingly complex, hybrid multi-cloud environments without compromising user experience."

While traditional Security Information and Event Management (SIEM) technology provides management for log-centric data and measures outcomes in days, Cisco XDR focuses on telemetry-centric data and delivers outcomes in minutes. It natively analyzes and correlates the six telemetry sources that Security Operations Center (SOC) operators say are critical for an XDR solution: endpoint, network, firewall, email, identity, and DNS. On the endpoint specifically, Cisco XDR leverages insight from 200 million endpoints with Cisco Secure Client, formerly AnyConnect, to provide process-level visibility of where the endpoint meets the network.

"The true measure of XDR is its ability to deliver actual security outcomes, real and measurable benefit to organizations — early detection, impact prioritization, and effective and efficient response," said Frank Dickson**, Group Vice President, Security & Trust, IDC.** "True results need to be quantifiable numerically and not just qualitatively described with words. Cisco XDR delivers a clear framework for enabling organizations to achieve such tangible outcomes."

In addition to Cisco's native telemetry, Cisco XDR integrates with leading third-party vendors to share telemetry, increase interoperability, and deliver consistent outcomes regardless of vendor or technology. The initial set of out-of-the-box integrations at general availability include:

*   **Endpoint Detection and Response (EDR)**: CrowdStrike Falcon Insight XDR, Cybereason Endpoint Detection and Response, Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, SentinelOne Singularity, Trend Vision One
*   **Email Threat Defense:** Microsoft Defender for Office, Proofpoint Email Protection
*   **Next-Generation Firewall (NGFW):** Check Point Quantum, Palo Alto Networks Next-Generation Firewall
*   **Network Detection and Response (NDR):** Darktrace DETECT™ and Darktrace RESPOND™,  ExtraHop Reveal(x)
*   **Security Information and Event Management (SIEM):** Microsoft Sentinel

"Throughout Logicalis' decades-long pursuit to becoming a world class integrator; we have recognized the impact extensibility can have on the viability and efficacy of any solution," said Brad Davenport**, Vice President of Technical Architecture, Logicalis**. "With the launch of Cisco XDR, we can finally provide our customers with XDR outcomes as a solution or managed offering. We see this as a natural progression for us along the security maturity journey. Logicalis is very excited to put our combined expertise to work for our clients and offer Cisco XDR to help them achieve their business outcomes."

**Zero Trust and Access Management**

As attackers increasingly target gaps in weaker multi-factor authentication (MFA) implementations, Cisco is redefining what is essential for access management. Every business needs three key pillars for its access management strategy: enforcing strong authentication, verifying devices, and reducing the number of passwords in use. This is why, beginning on May 1st, Cisco is adding Trusted Endpoints to all its paid Duo Editions. Previously just available in Duo's highest tier, Trusted Endpoints allows only registered or managed devices to access resources. By delivering Trusted Endpoints alongside Single Sign On, MFA, Passwordless, and Verified Push within the entry-level Duo Essentials edition, Cisco is delivering the most secure, cost-effective, and user-friendly access management solution on the market.

To learn more, visit Cisco.com/go/security.   

**Supporting Quotes**

"Darktrace DETECT and RESPOND, parts of the Darktrace Cyber AI Loop, can quickly contain and disarm threats, whether known or unknown, and with a high degree of fidelity. Our collaboration with Cisco will provide our mutual customers with added visibility into security incidents and actions across cloud, network and OT," said Mattheus Bovbjerg**, Vice President of Integrations, Darktrace.** We look forward to expanding this collaboration to additional coverage areas including email and SaaS applications in the future."

"As organizations embrace the network as the essential source for cybertruth, our partnership with Cisco offers enterprises the ability to integrate ExtraHop with best-of-breed products for a more comprehensive view of their IT environments," said Jesse Rothstein**, Chief Technology Officer and Co-Founder, ExtraHop**. "Joint customers will benefit from ExtraHop's enterprise-grade, high–fidelity detections with network decryption and support for more than 80+ protocols, while also seamlessly integrating with log and endpoint solutions to achieve more streamlined investigations."

"SentinelOne is excited to team with Cisco to deliver market-leading solutions that allow our joint customers to push the boundaries of security," said Akhil Kapoor**, Vice President of Technology Partnerships and Business Development, SentinelOne**. "We look forward to integrating our EDR and Cloud Workload Protection (CWPP) solutions with Cisco to help organizations of all sizes secure tomorrow today."

"Our vision for XDR is to provide customers with a comprehensive, consolidated view of their security posture, enabling them to respond to threats quickly and effectively," said Mike Gibson**, Senior Vice President of Global Services and Customer Success, Trend Micro**. "The integration with Cisco XDR is a significant step forward in the evolution of cybersecurity. By leveraging the strength of both solutions, we are able to offer our customers a unified solution that expands telemetry insights to gain a greater perspective of their security environment enabling them to detect threats faster and respond more effectively."

**Additional Resources**

*   **Blog**: XDR and the Importance of Cross-Domain Correlated Telemetry
*   **Blog**: Simplify Your Security Operations with Cisco XDR, Launching at RSAC
*   **Blog**: Raising the Bar: Duo Redefines What is Essential for Access Management 

**About Cisco** 

Cisco (NASDAQ: CSCO) is the worldwide leader in technology that powers the Internet. Cisco inspires new possibilities by reimagining your applications, securing your data, transforming your infrastructure, and empowering your teams for a global and inclusive future. Discover more on The Newsroom and follow us on Twitter at @Cisco. 

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. 

SOURCE Cisco Systems, Inc.

**

Cisco Unveils Solution to Rapidly Detect Advanced Cyber Threats and Automate Response

The issue could then allow the malicious actor to generate arbitrary logs which can trigger malicious commands to be run with elevated privileges.

Monday, April 24, 2023 10:04

_Tim Brown of Cisco Security Advisory EMEA discovered these vulnerabilities and contributed to this blog post._

A Cisco security researcher recently discovered two vulnerabilities in the IBM AIX Unix platforms that could be exploited to inject commands and logs into targeted systems with elevated privileges.

AIX is a more than 20-year-old set of operating systems for Unix that run on various IBM platforms.

TALOS-2023-1690 (CVE-2023-26286) is a vulnerability in AIX’s errlog() syscall functionality that can be triggered if an adversary sends a specially crafted syscall. This could then allow the malicious actor to generate arbitrary logs which can trigger malicious commands to be run with elevated privileges. An adversary could also exploit TALOS-2023-1690 to gain out-of-bounds memory access.

TALOS-2023-1691 (CVE-2023-28528) exists in AIX’s invscout setUID binary. In this case, the adversary could send a specially crafted command line argument to gain the ability to inject arbitrary commands.

While the vulnerability in invscout is relatively run-of-the mill, the vulnerability with errlog() is more notable. In this case, the malicious input is supplied by user via a non-privileged syscall resulting in the AIX kernel writing the data to a privileged device (/dev/error). From there, a privileged service (errdaemon) runs as root and reads from the device and misprocesses it, resulting in command execution and/or memory corruption. The vulnerability is notable for the following reasons:

*   The errlog() syscall does not limit who can access it, nor which kernel and user-land errors it can be used to raise.
*   The same configurable mechanism by which errdaemon handles events written to /dev/error, could also be used by adversaries to construct a persistence mechanism, with errdaemon being configured to perform malicious activities when an appropriately constructed message is logged by a user.

*   On systems where the errors are collected and fed to a SIEM or other network monitoring solution, this presents opportunities for detection beyond on-device telemetry, as can be seen with the related Snort rule.

Cisco Talos worked with IBM to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: IBM Corporation AIX, version 7.2. Talos tested and confirmed this version of AIX could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against the TALOS-2023-1690 vulnerability: 61154 and 61155. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges

Integrated platform enables enterprises to seamlessly execute their mobile-first security strategy.

**SAN FRANCISCO, Calif., RSAC 2023 - April 24, 2023** \-- Zimperium, the leading mobile security solution for endpoints and apps, today announced the launch of the Zimperium Mobile-First Security Platform™. This single platform unifies Zimperium Mobile Threat Defense (MTD)\-_formerly known as zIPS_\- and Mobile Application Protection Suite (MAPS), unleashing powerful new features designed for teams who bear security responsibility across the entire mobile security spectrum. Through a ‘single pane of glass’, customers now have centralized access to and management of both Zimperium’s mobile application security and endpoint security solutions, providing them full mobile coverage to dynamically adapt to emerging threats.

“Today’s CISOs need to prioritize a mobile-first security strategy to stay ahead of attacks. There are a host of point solutions on the market for securing devices and applications, but none come together to provide an end-to-end platform to unlock the power of a mobile-powered business strategy,” said Shridhar Mittal, Chief Executive Officer at Zimperium. “The Zimperium Mobile-First Security Platform uniquely provides the most comprehensive mobile capabilities for risk reduction, global visibility, threat detection and response for both endpoints and apps.”

The launch of the platform comes at a time when attacks against mobile devices and apps are increasing exponentially. As an example, recent changes in the forthcoming iOS 17 will purportedly allow for the sideloading of third party apps, putting mobile devices at even greater risk. Our world is becoming increasingly mobile, and the Bring Your Own Device (BYOD) trend that exploded during the pandemic has become a staple of business operations. At the same time, mobile applications are being used for everything from banking to managing medical devices and have become a critical part of many enterprise's business models. Unfortunately, this has opened the door to new attack vectors across devices and apps and has created an expanded, distributed attack surface for enterprises to manage and secure. According to recent research, half of organizations suffered a mobile-related compromise in 2022. 

The Zimperium Mobile-First Security Platform uniquely combines capabilities across mobile threat defense (MTD) and mobile app security (MAPS) such as:

*   **Centralized management and access** to device and app security through a single interface on any cloud and on-premises.
*   **Protection for all devices** against critical mobile threats such as phishing, spyware, and rogue networks.
*   **Privacy-by-design** to protect employee privacy on both corporate and BYOD devices as they work from anywhere, anytime.
*   **Pervasive risk management for apps** to find risks in apps you develop and third-party apps used by employees. 
*   **Advanced in-app protection** to prevent reverse engineering, protect cryptographic keys, and create self-defending apps.
*   **An enhanced mobile ecosystem** with enterprise integrations including SIEMS, IAM**,**XDR**,**DevOps workflows, ticketing systems, GitHub action and, fraud systems.
*   **Deep forensics** and enhanced search capabilities to enable advanced threat hunting.

All of this is made possible by the unification of the platform and its key security solutions:

*   Zimperium Mobile Application Protection Suite (MAPS) helps enterprises build secure and compliant mobile applications. It's the only unified solution that offers comprehensive in-app protection and threat visibility across the entire lifecycle of an application.

*   Zimperium Mobile Threat Defense (MTD), with its unique, dynamically adapting, on- device protection is the only MTD solution that can protect users against known and unknown threats. Zimperium MTD offers zero-touch activation and privacy-first design, providing users with a trustworthy and seamless experience. In addition, MTD now offers new customizable branding for a company’s logo and color scheme, enabling trust and improved end-user adoption.

"The Zimperium Mobile-First Security Platform protects mobile applications and devices for today’s mobile-powered business. Its real-time threat visibility and response uniquely provides continuous protection against known and unknown threats," said Ayush Patidar, Analyst, Quadrant Knowledge Solutions. "With on-device protection and real-time app security including app scanning, app shielding, runtime protection, and protection of cryptographic keys, the platform provides protection against phishing, spyware, rogue networks, and malicious app attacks. Owing to these capabilities, Zimperium has scored strong overall ratings across the performance parameters of the technology excellence and the customer impact in SPARK MatrixTM for Mobile Threat Management (MTM) and In-App Protection market and has been placed as a technology leader in 2022."

To learn more about how the Zimperium Mobile-First Security Platform can solve your enterprise’s biggest mobile and application security challenges, click here. To access Zimperium MTD on the App Store, click here. To access Zimperium MTD on Google Play, click here.

Zimperium will also be onsite at the upcoming RSA Conference in San Francisco from April 24–27, please visit our booth #1727 South Hall.

**About Zimperium**

Zimperium provides the only mobile-first security platform purpose-built for enterprise environments. With machine learning-based protection and a single platform that secures everything from endpoints to applications, Zimperium provides on-device mobile threat defense and in-app protection to address today’s growing and evolving mobile security threats. environments. Zimperium is headquartered in Dallas, Texas and backed by Liberty Strategic Capital and SoftBank. For more information, follow Zimperium on Twitter (@Zimperium) and LinkedIn (https://www.linkedin.com/company/zimperium), or visit www.Zimperium.com.

Zimperium Launches Unified Mobile Security Platform for Threat Detection, Visibility, and Response

Powered by Cribl, a CrowdStrike Falcon Fund partner, and available to CrowdStrike Falcon platform customers.

**AUSTIN, Texas and RSA Conference 2023, SAN FRANCISCO, April 24, 2023** – CrowdStrike (Nasdaq: CRWD) today introduced CrowdStream, powered by open observability company Cribl, which transforms how customers can get any data, from any security or IT source, directly into the CrowdStrike Falcon platform to solve XDR, log management and AI-based analytics challenges in a rapid, cost effective way.

Organizations struggle to get the complete visibility across the security and IT data sources needed to effectively stop increasingly sophisticated adversaries as they move across attack surfaces to breach organizations. Collecting and routing this siloed data is creating a heavy burden of complexity and cost, especially as data volumes continue to exponentially grow across ever-multiplying data sources.

CrowdStream is a new native platform capability that directly connects any data source into the CrowdStrike Falcon platform using Cribl’s observability pipeline technology. By sitting between data sources and their destination, CrowdStream provides an elegant and cost-effective way to get data into the CrowdStrike Falcon platform to greatly accelerate the adoption of XDR and log management, as well as aggregating the required data to train advanced AI/ML models.

CrowdStream transforms an organization’s ability to unify siloed security and IT data by:

• **Easily connect and rout****e** data from any source into the CrowdStrike Falcon platform, accelerating the adoption of XDR and log management by minimizing the complexity and cost of onoboarding data sources.

• **Unify data within the CrowdStrike Falcon platform for insights** and near-instant search at petabyte scale to provide the rich visibility and aggregated telemetry needed to eliminate threats, run deep analytics and hunt for adversaries.

• **Cut log management costs** by sending the right data (and only the right data) to a modern log management solution such as CrowdStrike Falcon LogScale. Recently, a large financial institution switched to CrowdStrike Falcon LogScale and saved at least $5 million dollars over three years in infrastructure and licensing costs.

• **Consolidate** point products by centralizing and normalizing data within the CrowdStrike Falcon platform to continuously address new security and IT use cases with fully integrated capabilities built on a unified data model.

“Cybersecurity is ultimately a data problem. Today’s adversary techniques are growing more sophisticated including the use of initial access, lateral movement, privilege escalation, defense evasion and data extortion. However, organizations are still struggling to effectively and efficiently collect the right data from a variety of security and IT point products they deploy to root out and shut down threats from adversaries,” said Michael Sentonas, president at CrowdStrike. “For organizations to stay ahead of these threats, it is imperative they have real-time visibility and data at their fingertips. We see the CrowdStream technology as a game-changer that significantly improves our customer’s ability to get the right data, from any source, directly into the CrowdStrike Falcon platform to solve the hardest security and IT challenges in an elegant, cost-effective way.”

“Cribl is a proud CrowdStrike Falcon Fund partner, as we were one of CrowdStrike’s first investments. We see this expanded strategic partnership with CrowdStrike as another step to solving the massive data problem that cybersecurity teams face today,” said Clint Sharp, co-founder and CEO, Cribl. “By making the process of data collection for the CrowdStrike Falcon platform easier, CrowdStream will revolutionize the way that organizations quickly gain value from XDR and log management.”

**Additional Resources**

• For more information on CrowdStream, please visit the CrowdStrike blog and Cribl website.

**About Cribl**

Cribl makes open observability a reality for today’s tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises. It’s enterprise software that doesn’t suck, enables tech professionals to do what they need to do, and gives them the ability to say “Yes.” With Cribl, companies have the power to control their data, get more out of existing investments, and shape the observability future. Founded in 2017, Cribl is a remote-first company with an office in San Francisco, CA. For more information, visit www.cribl.io or our LinkedIn, Twitter, or Slack community.

**About CrowdStrike**

CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike: We stop breaches.

CrowdStrike Introduces CrowdStream to Accelerate and Simplify XDR Adoption

A new "all-in-one" stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems.
"It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said. "It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to

A new "all-in-one" stealer malware named **EvilExtractor** (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems.

"It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said. "It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker's FTP server."

The network security company said it has observed a surge in attacks spreading the malware in the wild in March 2023, with a majority of the victims located in Europe and the U.S. While marketed as an educational tool, EvilExtractor has been adopted by threat actors for use as an information stealer.

Sold by an actor named Kodex on cybercrime forums like Cracked since October 22, 2022, it's continually updated and packs in various modules to siphon system metadata, passwords and cookies from various web browsers as well as record keystrokes and even act as a ransomware by encrypting files on the target system.

The malware is also said to have been used as part of a phishing email campaign detected by the company on March 30, 2023. The emails lure recipients into launching an executable that masquerades as a PDF document under the pretext of confirming their "account details."

The "Account\_Info.exe" binary is an obfuscated Python program designed to launch a .NET loader that uses a Base64-encoded PowerShell script to launch EvilExtractor. The malware, besides gathering files, can also activate the webcam and capture screenshots.

"EvilExtractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware," Lin said. "Its PowerShell script can elude detection in a .NET loader or PyArmor. Within a very short time, its developer has updated several functions and increased its stability."

The findings come as Secureworks Counter Threat Unit (CTU) detailed a malvertising and SEO poisoning campaign used to deliver the Bumblebee malware loader via trojanized installers of legitimate software.

Bumbleebee, documented first a year ago by Google's Threat Analysis Group and Proofpoint, is a modular loader that's primarily propagating through phishing techniques. It's suspected to be developed by actors associated with the Conti ransomware operation as a replacement for BazarLoader.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

The use of SEO poisoning and malicious ads to redirect users searching for popular tools like ChatGPT, Cisco AnyConnect, Citrix Workspace, and Zoom to rogue websites hosting tainted installers has witnessed a spike in recent months after Microsoft began blocking macros by default from Office files downloaded from the internet.

In one incident described by the cybersecurity firm, the threat actor used the Bumblebee malware to obtain an entry point and move laterally after three hours to deploy Cobalt Strike and legitimate remote access software like AnyDesk and Dameware. The attack was ultimately disrupted before it proceeded to the final ransomware stage.

"To mitigate this and similar threats, organizations should ensure that software installers and updates are only downloaded from known and trusted websites," Secureworks said. "Users should not have privileges to install software and run scripts on their computers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New All-in-One "EvilExtractor" Stealer for Windows Systems Surfaces on the Dark Web

The transition from traditional logins to cryptographic passkeys is getting messy. But don’t worry—there’s a plan.

There was never a question that it would take years to transition the world away from passwords. The digital authentication technology, though deeply flawed, is pervasive and inveterate. Over the last five years, though, the secure-authentication industry association known as the FIDO Alliance has been making real progress promoting “passkeys,” a password-less alternative for signing into applications and websites. And yet, you probably still use a lot of passwords every day. In fact, you may not have any accounts protected by a passkey at all, despite broad adoption from Microsoft, Google, Apple, and many more.  

At the RSA security conference in San Francisco next week, Christiaan Brand, co-chair of the FIDO2 technical working group and an identity and security product manager at Google, will present a talk on new features and growth in passkey adoption. He also plans to examine the current challenges that passkeys face in countering the inertia passwords have built up over decades—and the long game of slowly grinding down the password's dominance.

“What I want to highlight is how far we’ve come, but which problems still remain unsolved,” Brand says. “Passwords are everywhere, and they are bad, but everyone is accustomed to them. Users don’t want to be surprised, and they don’t like change. So it’s very important to think about passkeys as an augmentation. We need to kind of push users toward the thing that will be easier and more secure."

Over the past year, Brand says, FIDO has made significant progress rolling out features to support its password-less vision. The infrastructure is now in place to back up passkeys so they can sync between devices, get services to prompt users about passkeys rather than always defaulting to username and password, and use Bluetooth-based proximity sensing to share passkey authentication between devices. All three of these points address major usability issues that FIDO publicly set out to improve a year ago.

In practice, though, there are still hurdles, and developing these solutions has taken time. For example, Brand says the new Bluetooth-based proximity-sensing protocol was carefully engineered to avoid the security issues that often plague Bluetooth implementations. The idea was to strip away most of Bluetooth's functionality and exclusively use the protocol for proximity checks rather than any data transfers. This approach has allowed passkeys to bypass many of Bluetooth's quirks and reliability issues when attempting to pair devices. 

Developing a coherent “user experience” (UX) for passkeys across different operating systems and web services is an ongoing challenge, though. If you, say, log into your Google account from a Mac using traditional passwords, your credentials still get checked against what Google has on file for your account on one of the company's servers. But the security and phishing-resistant benefits of passkeys come from the fact that they work differently. If you use a passkey to log into your Google account from a Mac, the cryptographic check happens locally and Apple is never directly involved—everything the user experiences during the interaction is facilitated by macOS, not Google.

“If I'm Google implementing passkeys, I cede a lot of control to Apple if my user is on an Apple device, I cede a lot of control to Microsoft if the user is on a Windows device, I cede a lot of UX control to Android and browsers,” Brand says. “So I think we’re in the technology infancy, where all of these different platforms have come up with different UX patterns and UX paradigms. Stitching all of that together is kind of tricky, and that’s probably going to take another nine to 12 months for the industry to support.”

Another big challenge with establishing consistency and continuity will be the long transition to passkeys alone. For the foreseeable future, services must continue to support username and password logins and make sure those systems are as secure and up-to-date as possible while primarily supporting the growth and evolution of passkeys. As password login systems fade from prominence and are neglected, they could produce new types of security exposures in their disrepair.

For now, though, the tech industry is still in the early stages of this long haul transition.

“Part of the problem is that all the stuff that I have in my presentation, we haven’t really seen this put into practice yet,” Brand says. “There are passkey implementations out there, and some folks have dipped their toe in the water, but a lot of the stuff isn’t really in the mainstream consciousness of developers, and certainly not for users. The mass, super-scale adoption is still something that we’re working to make happen.”

The War on Passwords Enters a Chaotic New Phase

Cisco and VMware have released security updates to address critical security flaws in their products that could be exploited by malicious actors to execute arbitrary code on affected systems.
The most severe of the vulnerabilities is a command injection flaw in Cisco Industrial Network Director (CVE-2023-20036, CVSS score: 9.9), which resides in the web UI component and arises as a result of

Software Update / Network Security

Cisco and VMware have released security updates to address critical security flaws in their products that could be exploited by malicious actors to execute arbitrary code on affected systems.

The most severe of the vulnerabilities is a command injection flaw in Cisco Industrial Network Director (CVE-2023-20036, CVSS score: 9.9), which resides in the web UI component and arises as a result of improper input validation when uploading a Device Pack.

"A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\\SYSTEM on the underlying operating system of an affected device," Cisco said in an advisory released on April 19, 2023.

The networking equipment major also resolved a medium-severity file permissions vulnerability in the same product (CVE-2023-20039, CVSS score: 5.5) that an authenticated, local attacker could abuse to view sensitive information.

Patches have been made available in version 1.11.3, with Cisco crediting an unnamed "external" researcher for reporting the two issues.

Also fixed by Cisco is another critical flaw in the external authentication mechanism of the Modeling Labs network simulation platform. Tracked as CVE-2023-20154 (CVSS score: 9.1), the vulnerability could permit an unauthenticated, remote attacker to access the web interface with administrative privileges.

"To exploit this vulnerability, the attacker would need valid user credentials that are stored on the associated external authentication server," the company noted.

"If the LDAP server is configured in such a way that it will reply to search queries with a non-empty array of matching entries (replies that contain search result reference entries), this authentication bypass vulnerability can be exploited."

While there are workarounds that plug the security hole, Cisco cautions customers to test the effectiveness of such remediations in their own environments before administering them. The shortcoming has been patched with the release of version 2.5.1.

**VMware ships updates for Aria Operations for Logs**

VMware, in an advisory released on April 20, 2023, warned of a critical deserialization flaw impacting multiple versions of Aria Operations for Logs (CVE-2023-20864, CVSS score: 9.8).

UPCOMING WEBINAR

Defend with Deception: Advancing Zero Trust Security

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

"An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root," the virtualization services provider said.

VMware Aria Operations for Logs 8.12 fixes this vulnerability along with a high-severity command injection flaw (CVE-2023-20865, CVSS score: 7.2) that could allow an attacker with admin privileges to run arbitrary commands as root.

"CVE-2023-20864 is a critical issue and should be patched immediately," the company said. "It needs to be highlighted that only version 8.10.2 is impacted by this vulnerability."

The alert comes almost three months after VMware plugged two critical issues in the same product (CVE-2022-31704 and CVE-2022-31706, CVSS scores: 9.8) that could result in remote code execution.

With Cisco and VMware appliances turning out to be lucrative targets for threat actors, it's recommended that users move quickly to apply the updates to mitigate potential threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cisco and VMware Release Security Updates to Patch Critical Flaws in their Products

Heading to San Francisco next week? Here are all the Talos and Cisco Secure talks and events you won't want to miss.

Thursday, April 20, 2023 14:04

Welcome to this week’s edition of the Threat Source newsletter.

We’re firing up the conference circuit again for 2023, kicking things off next week with the RSA Conference in San Francisco. Cisco has a ton of exciting announcements, keynotes and talks lined up for the week, but there are also plenty of Talos-focused events to take in.

We’ll be at our own booth giving “flash talks” throughout the conference and will generally be around to answer questions about Talos, provide service demos and talk about the latest security offerings from Cisco. In case you’re having a hard time finding the Cisco booth, use RSA’s map here. The main Talos team will be at North Expo N-5845 and Cisco Talos Incident Response will be at South Expo S-1027.

Here are some of the other major events at RSA that we’re taking part in.

*   Brad Garnett, the head of Cisco Talos Incident Response, is joining the Cisco Secure Security Stories podcast for a live recording on Tuesday the 25th at 11 a.m. PT inside the Customer Lounge at the Marriott Marquis. Head up to the fifth floor and look for the Sierra K room! Brad will be discussing the latest trends and attacker TTPs his team is seeing in the field.
*   Cisco has a special sponsored talk on Wednesday the 26th from 9:40 – 10:30 a.m. PT with Nick Biasini, the head of Talos Outreach, and AJ Shipley, Cisco Secure’s vice president of product management for threat, detection and response. This session will analyze why industry partnerships are a must for security to win. Come meet A.J. and Nick in the Moscone South building, or if you can’t make it, a recording will be available for RSA attendees.
*   There will be two live Beers with Talos episodes on the 26th at 2 p.m. PT and the 27th at 9 a.m. PT. Join the BWT gang for gameshows, security hot takes and general debauchery. Both recording sessions will be in the Customer Lounge.
*   If you want a chance to meet the BWT hosts and some other special Talos guest, join us in the Customer Lounge on Wednesday at 4 p.m. PT for a meet-and-greet and networking session. This is an open session with Talos experts, Beers with Talos and members of the Cisco CISO Advisory panel.
*   The latest episode of ThreatWise TV from (now Talos’ own!) Hazel Burton also has a rundown of everything you can expect from Cisco and Talos at RSA. You can also read Cisco’s preview blog post here.

**The one big thing**

The UK’s National Cyber Security Center (NCSC) released a report this week on a sustained campaign by a Russian intelligence agency targeting a vulnerability in routers that Cisco published a patch for in 2017. This campaign, dubbed "Jaguar Tooth," is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity. While infrastructure of all types has been observed under attack, attackers have been particularly successful in compromising infrastructure with out-of-date software.

**Why do I care?**

In short, there are extremely sophisticated actors who are increasingly targeting network infrastructure devices from a variety of manufacturers. Talos and Cisco are concerned that insufficient awareness and patching, the reliance on end-of-life equipment and the necessity for always-on connectivity makes too many infrastructure devices easy prey. The results of these issues range from being an unwitting participant in criminal activity to events of true national security impact.

**So now what?**

Relying on out-of-date gear or utilizing out-of-date protocols and technologies will eventually cost your organization. Work with your vendor to give yourself the best chance of defending your environment. Talos’ blog also has a series of recommendations for defending and updating aging network infrastructure. For the specific Jaguar Tooth campaign, users who haven’t already should patch affected devices immediately.

**Top security headlines of the week**

**A 21-year-old was arrested for allegedly leaking sensitive Pentagon and Department of Defense documents and images on a Discord server.** The images eventually made their way onto other popular social media platforms in the public eye. The U.S. military is increasingly relying on Discord and other emerging social platforms for recruitment but has become a popular place for leakers to share secrets and other sensitive information. One of the other users on the Discord server where the most recent slate of images was leaked said the alleged leaker wanted to make sure “we know what’s going on with our tax dollars,” though the user who spoke to CNN was only 17 years old.  A 2021 report from the U.S. House of Representatives found that user moderation on platforms like Discord is not enough to prevent leaks, saying “the risks of relying too much on user moderation when the userbase may not have an interest in reporting problematic content.” (Washington Post, Slate, CNN)

The U.S. Cybersecurity and Infrastructure Security Agency **released new guidance for software manufacturers to adopt secure-by-design principles** and make the software more secure from the start of its lifecycle rather than being tacked on as later patches. Some of the major recommendations include having companies take ownership of the security implications of their products, embracing “radical transparency” toward security issues and ensuring there is support from company leadership to prioritize product security.  Other federal agencies from Australia, Canada, the United Kingdom, Germany, Netherlands and New Zealand published similar guidelines. (FedScoop, CISA)

**Montana is set to be the first U.S. state to ban downloads of the popular social media app TikTok,** citing security and data privacy concerns related to the app’s Chinese owners. The bill, which is set to be signed into law soon, is likely to spark a Constitutional debate around First Amendment freedom of speech protections and national digital privacy law. The state is likely to also face technical challenges around restricting downloads, and access to, the app. Company representatives from TikTok called the bill an "attempt to censor American voices” and “egregious government overreach.” A similar ban is being considered in U.S. Congress but faces a more uphill battle than in Montana’s Republican-controlled legislature. (Wired, Buzzfeed)

**Can’t get enough Talos?**

*   Talos Takes Ep. #134: How to best prepare for, and respond to, supply chain attacks
*   Cisco urges users to keep its network hardware up-to-date
*   Threat Roundup for April 7 – 14
*   Vulnerability Spotlight: Hard-coded password vulnerability could allow attacker to completely take over Lenovo Smart Clock

**Upcoming events where you can find Talos**

**RSA** **(April 24 - 27)**

San Francisco, CA

**Cisco Talos Incident Response: On Air** **(April 27)**

Virtual

**Cisco Live U.S.** **(June 4 - 8)**

Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6  
**MD5:** 1e2a99ae43d6365148d412b5dfee0e1c  
**Typical Filename:** PDFpower.exe  
**Claimed Product:** PdfPower  
**Detection Name:** Win32.Adware.Generic.SSO.TALOS

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** 4ad8893f8c7cab6396e187a5d5156f04d80220dd386b0b6941251188104b2e53  
**MD5:** cdd331078279960a1073b03e0bb6fce4  
**Typical Filename:** mediaget.exe  
**Claimed Product:** MediaGet  
**Detection Name:** W32.DFC.MalParent

Tag

#cisco