Vice Society is boasting that it compromised the San Francisco transportation system, while BART maintains operations and mounts an investigation.

The San Francisco Bay Area Rapid Transit System (BART) was listed this week by ransomware group Vice Society as being among its latest victims.

Brett Callow, threat analyst with Emsisoft, flagged the Vice Society BART brag on Jan. 6. However, BART's spokesperson Alicia Trost told Dark Reading there haven't been any service disruptions as a result of a cyberattack and that an investigation is ongoing.

"We are investigating the data that has been posted," Trost told Dark Reading by email. "To be clear, no BART services or internal business systems have been impacted. As with other government agencies, we are taking all necessary precautions to respond."

Vice Society was also behind a recent spate of school breaches in the US and beyond, most recently releasing the personal information stolen from a group of 14 schools in the UK.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

San Fran's BART Investigates Vice Society Data Breach Claims

Microsoft released its monthly security update on Tuesday, disclosing 101 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 89 are classified as “Important”, no vulnerability classified as “Moderate.”

Tuesday, January 10, 2023 14:01

Microsoft released its monthly security update on Tuesday, disclosing 98 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 87 are classified as “Important”, no vulnerability classified as “Moderate.”

According to Microsoft all “Critical“ vulnerability are either less likely or unlikely to be exploited, except of the security bypass vulnerability CVE-2023-21743 on Microsoft SharePoint Server machines. This vulnerability has a low complexity and can be easily triggered by an attacker. In a network-based attack, an unauthenticated user could make an anonymous connection to the targeted SharePoint server.

Two of the “Critical“ vulnerabilities, which Microsoft considers to be “less likely” to be exploited due to their complexity are CVE-2023-21535 and CVE-2023-21548. These are remote code execution (RCE) vulnerability in the Windows Secure Socket Tunneling Protocol (SSTP) which allow an unauthenticated attacker to send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server and run unauthorized commands on the compromised system.

There are also five “Critical“ Remote Code Execution Vulnerability which affect the Windows Layer 2 Tunneling Protocol (L2TP). Successful exploitation could allow an unauthenticated attacker to execute code on RAS servers. These five vulnerabilities are CVE-2023-21543, CVE-2023-21546, CVE-2023-21555, CVE-2023-21556 and CVE-2023-21679.

The last “Critical“ vulnerability which we want to mention is CVE-2023-21730. It is a Remote Code Execution Vulnerability in the Windows Cryptographic Services. Microsoft did not released many details about the vulnerability, except that it is triggered from the network and of low complexity.

Developers are also at risk due to CVE-2023-21779 a Remote Code Execution vulnerability in Visual Studio Code flagged as “Important“. The user would have be enticed to open a malicious file in vscode. Users should never open anything that they do not know or trust to be safe.

Talos would also like to highlight 6 “Important“ vulnerabilities that Microsoft considers “more likely” to be exploited and can be used for privilege elevation.

*   CVE-2023-21532 Windows GDI Elevation of Privilege Vulnerability 
*   CVE-2023-21541 Windows Task Scheduler Elevation of Privilege Vulnerability 
*   CVE-2023-21552 Windows GDI Elevation of Privilege Vulnerability 
*   CVE-2023-21725 Microsoft Windows Defender Elevation of Privilege Vulnerability
*   CVE-2023-21726 Windows Credential Manager User Interface Elevation of Privilege Vulnerability
*   CVE-2023-21768 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

There are more vulnerabilities marked as “Important“ in the Microsoft advisory. This includes Microsoft Office and 3D Builder applications, a Microsoft ODBC Driver and others. A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61060-61065. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300358-300360.

Microsoft Patch Tuesday for January 2023  — Snort rules and prominent vulnerabilities

In this blog post, Cisco Talos Incident Response (Talos IR) presents some of the key benefits of remote IR support and offers a list of recommendations for working on a remote incident.

Tuesday, January 10, 2023 12:01

_**Authors:** Gergana Karadzhova, Joe Schumacher, Pawel Bosek_

In this blog post, Cisco Talos Incident Response (Talos IR) presents some of the key benefits of remote IR support and offers a list of recommendations for working on a remote incident.

Some organizations see added value in having incident responders on site during an emergency. While this approach may offer certain benefits in terms of coordination, in Talos IR’s experience, the physical presence of a team on site is not crucial for the success of the overall IR. Cybersecurity threats are by definition intangible and bringing people physically together does not automatically facilitate an investigation. The traces of the malicious actors involved in a ransomware case, for example, are in the cyberspace made up by an organization’s network and the Internet, which means that, with sufficient connectivity, a remote responder team can work on the case from anywhere.

As a remote-first, follow-the-sun global team, Talos IR has extensive experience in creating a healthy, effective, and collaborative environment for customers and responders regardless of the stressful nature of IR activities. Trust needs to be built over time and proactive IR services offer the means to do this preemptively, ensuring that when an emergency happens, the responders will be able to gain appropriate access in a timely manner. Specific recommendations on how to strategically use proactive services in building this relationship are outlined in section “Adopting a ‘trust but verify’ approach.”

**Analyzing the advantages of remote IR support**

Criteria 

Remote 

On-Site 

Start of engagement 

15 minutes to four hours 

24 hours in transit 

Personnel utilization and treatment 

“Follow the sun” model, ensuring that team members rest in between shifts and lower the risk of burnout 

Usually limited to daytime. 

Risk of overstretching the team if working around the clock for multiple days 

Scalability  

Limited only by the IR team’s size  

1 – 2 people depending on the size of retainer 

Knowledge transfer between IR team and internal teams 

Primarily written  

Primarily verbal  

Efficiency  

Overall shorter period of time to start; easier to ramp up; better personnel utilization and care; transparent and lower cost 

Overall longer time to start; harder to ramp up; limited daily period of work; additional costs due to travel and accommodation 

Remote incident response offers the following key advantages in comparison to on-site support:

*   **Faster initial response –** The average industry service-level agreement for having on-site support is 24 hours in transit. Depending on the exact time when the incident was reported, the transportation options to the location, and the immediate availability of the consultants going on site, it can take anywhere between eight to 24 hours to reach the customer premises. This is significantly longer than the time needed to kick off a remote response, which in Talos IR’s experience is less than two hours.
*   **Easier to scale the response team –** IR is a team sport. Customers usually mainly interact with a few dedicated team members of the IR team, such as an Incident Commander and a few lead consultants. In the background, however, there are additional technology specialists, project managers and threat intelligence analysts working on the case. It is much easier to involve additional personnel in a remotely managed incident than to order people on site.
*   **More resource efficient –** The three most valuable resources in an incident are time, budget, and human power. In terms of human power, consider an incident which has been active for 48+ hours and is still ongoing. In such cases, having a remote team consisting of members in different time zones can ensure that work on the incident follows the sun without burning the team out. When it comes to cost management, remote incident support tends to provide great transparency of activities performed by the team, due to the centralized flow of communication and information exchange. Additional cost efficiency is generated by the fact that technical personnel do not need to set up their workplace in a new environment with emergency conditions and thus suffer a dip in productivity.

**Preparing for remote incident response**

From inception, Talos IR has been handling our emergency IR while fully remote as the norm, even predating the COVID-19 pandemic, due to the 24x7 nature of our service and global team distribution. Webex organically allows Talos IR to quickly and securely support our customers anywhere in the world. During the pandemic, we supported Cisco customers without any service interruption and created additional virtual infrastructure to ensure that all Talos IR proactive services could be securely delivered. This being said, if we do encounter a special case which might necessitate on-site presence of the response team, we discuss with the customer if it would augment the overall IR effort.

Remote IR comes with its own set of challenges. Talos IR recommends discussing your approach to the points listed below _before_ an actual emergency, as addressing shortcomings might require lead time and resources.

*   **Provisioning Access** – Having a process to get the remote IR team access to on-premises and remote consoles will accelerate the ability to investigate the incident. This process should include accounts related to, but not necessarily limited to, Virtual Private Network (VPN), Active Directory (AD), Endpoint Detection and Response (EDR), Multi-Factor Authentication (MFA), and other security controls.
*   **Regulatory & Compliance Requirements** – Data collection and sharing are often subject to country-specific laws, especially in the case of critical infrastructure and personally identifiable information (PII). Technical teams should work with the Legal Department and the Data Privacy and Governance Office to verify the exact legislation that is applicable to the different data sources that might be part of an incident. Any known limitations regarding remote collection of evidence and analysis of the data should be documented in the Incident Response Plan.
*   **Communication Cadence** – Having multiple means of communication and a set status update meeting will help ensure that everyone is kept on the same page. Communication is critical to get right during an incident but does not have to be in-person to be efficient or effective. People tend to be hyper-connected during IR, so bringing structure and predictability to the information flow benefits everyone.
*   **Gathering Evidence** – Remote evidence collection might not be possible in all incidents, but with some planning can be a viable alternative to traveling to a location or shipping an asset. You will want to ensure that there are technical representatives on-site who can assist the IR team with collecting forensic and triage data from in-scope assets.
*   **Sharing Evidence** – A reliable, high-speed network connection is essential for downloading and uploading large files to remote server(s). You will most likely be downloading the requested evidence from endpoints (e.g., workstations and servers) within your internal network and then uploading this data to a remote server for the incident responders to analyze.
*   **Scaling the Response** – Typically, an incident starts with one or two events across a large, networked environment and expands in scope as more indicators of compromise are discovered. Having the ability to contact people across the team as the incident evolves and to connect them to the investigation remotely will reduce the overall time to act and contribute to a more efficient incident response. When planning who and how you might need to engage during a possible incident, it is critical to consider your internal team along with the partners, contractors, and service providers that will be assisting with the incident response remotely.

Internal teams that will be involved in the implementation of the above preparation activities should familiarize themselves with the agreed approach as part of their preparation for IR and whenever possible, test the theoretical plan in the practice. It is highly recommended to document all relevant procedures and processes within the internal Incident Response Plan and Incident Response Playbooks, as this makes distribution and knowledge management easier in the long run.

**Adopting a “trust but verify” approach**

In the world of security there is the phrase “trust but verify,” and this mentality should be present when it comes to your IR service provider. Many companies have their first contact with the IR team during an emergency, which is one of the worst times for building trust and getting to know each other. A much better way to become familiar with your incident responders is to work with them on **proactive services**. These services by definition are non-emergency and offer more time for addressing the remote support considerations listed above through tabletop exercises, development of plans and playbooks, and threat hunts. In addition to improving your overall resiliency to cyber threats, proactive services will allow you to see what tools are typically leveraged by the IR team and what methodology they use for threat hunting. The engagements provide an opportunity for the responders and your internal teams to build trust and a better understanding of each other’s craft. An investment in the human element of virtual collaboration pays off during subsequent remote IR cases, as both sides feel more comfortable working together and can be more efficient in the execution of emergency response actions.

In most businesses, a level of remoteness was present long before the COVID-19 pandemic. Many organizations operate remotely or in different locations, whether that is multiple offices, data centers, or the homes of their employees. The increase of remote work in the last few years has led to optimization and normalization of virtual collaboration, the latter becoming an integral part of modern business operations. In a similar way, IR has grown increasingly independent of physical location as long as secure connectivity is possible. There will always be the need to physically travel to a location for response in some special cases, but that will not be the norm.

The expanded use of cloud services, the increase in remoteness in company operations, and the shortage of cybersecurity talent all speak in favor of an IR delivery model with remote-first support and members distributed around the globe. This trend emphasizes the importance of accountability and trustworthiness in each and every interaction with the IR team, whether physically or virtually. Talos IR recognizes this and is committed to delivering high-quality and efficient engagements during all emergency and proactive retainer projects.

Increasing trust, commitment, and predictability during a remote incident response

Lilith >_> of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered three vulnerabilities in Asus router software.
The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers. Like other routers, it is configurable via

Tuesday, January 10, 2023 11:01

_Lilith >\_> of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered three vulnerabilities in Asus router software.

The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers. Like other routers, it is configurable via an HTTP server running on the local network. However, it can also be configured to support remote administration and monitoring in more of an IOT style.

Talos has identified TALOS-2022-1586 (CVE-2022-35401), an authentication bypass vulnerability that can lead to full administrative privileges. An attacker would need to send a series of HTTP requests to exploit this vulnerability.

TALOS-2022-1590 (CVE-2022-38105) is an information disclosure vulnerability in the opcode of the router’s configuration service that can lead to a disclosure of sensitive information. An attacker can send a network request to trigger this vulnerability.

TALOS-2022-1592 (CVE-2022-38393) is a denial of service vulnerability, also in the opcode of the configuration service. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Cisco Talos worked with Asus to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: Asus RT-AX82U 3.0.0.4.386\_49674-ge182230. Talos tested and confirmed this version of Asus could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60394 and 60473. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Asus router access, information disclosure, denial of service vulnerabilities discovered

New Add-On Empowers SOCs and MSPs to Automate & Orchestrate Incident Response for Microsoft 365.

**SAN FRANCISCO****,** **Jan. 10, 2023** **/PRNewswire/ --** Vade, the global leader in threat detection and response with 1.4 billion mailboxes protected, today announced the availability of Threat Intel & Investigation. An add-on for Vade's flagship product, Vade for M365, Threat Intel & Investigation provides the integrations, intel, and tools for SOCs and MSPs to investigate and respond to email-borne threats transiting through networks.

According to a 2021 report, breaches caused by phishing emails take an average of 213 days to be identified and another 80 days to be contained. This lag time gives cybercriminals the runway they need to conduct additional attacks on an organization, causing even more damage than the initial attack.

"Email is the #1 vector for cyberattacks," said Adrien Gendre, Chief Technology & Product Officer and cofounder at Vade. "Unfortunately, SOCs and MSPs don't always have visibility into how or when an email threat infiltrated their organization or how far it has spread throughout the network. The speed at which today's cybercriminals are working means that organizations cannot afford to lose precious time on incident response."

Vade for M365 is an AI-based email security solution for Microsoft 365 that catches the advanced phishing, spear phishing and malware threats that bypass Microsoft's native security. The Threat Intel & Investigation add-on for Vade for M365 features five core capabilities designed to empower SOCs and MSPs to automate investigations, orchestrate responses and move swiftly and with precision to live threats:

*   **File Inspector:** Deconstructs files and attachments directly in the Vade for M365 interface—without exposing administrators to risk. File Inspector reveals critical details about files and attachments, providing admins with the data required to make faster decisions, cross-check threats across networks and accelerate incident response across affected endpoints and users.
*   **Log Export:** Injects live email and event logs into any security management system, a powerful two-way integration powered by the Vade for M365 API. Connect Vade's email threat intelligence into your organizations' SIEM or SOAR to trigger automation playbooks and enhance your disaster recovery program.
*   **Reported emails:** Automates collection of user-reported emails and clusters similar, unreported emails in one dashboard, speeding user-based incident response and eliminating time-consuming, manual investigations. Receive alerts when users report emails via Outlook and quickly triage and remediate reported emails, similar emails, and forwarded emails with one click.
*   **Download emails/attachments:** Provides access to raw email intelligence for objective evaluation by threat analysts, saving precious time and resources that are typically wasted on searching for and analyzing raw email data.
*   **Add-on for Splunk:** Integrates Vade for M365 with Splunk without the need for custom software development. Combine Vade's threat intelligence with Splunk's SIEM and SOAR capabilities to have better visibility into the threat landscape and actionable insights with which to orchestrate rapid responses.

Vade partners and customers are already experiencing the benefits of Threat Intel & investigation, including Huntington Technology, a US-based MSP offering comprehensive managed services and managed security services:

"One of my helpdesk technicians excitedly came into my office last week. He asked if I had seen the new 'Reported emails' function within Vade," said William Bluford, Vice President, Huntington Technology. "He explained that we can now see which emails are reported as malicious. Not only can we see those emails, but we can see how many users are affected, and we can then remediate and remove those emails from all user mailboxes. This saves time for my helpdesk team and keeps our clients protected."

"Our customers have made clear that they need better visibility into their cybersecurity landscape," Gendre said. "They're challenged to monitor and manage threats from an array of end points, and IT is overburdened by too many complex tools. Threat Intel & Investigation was designed to give our customers the tools they need to thoroughly investigate threats, cross check those threats across their networks, and develop incident response processes—without the burden of complexity."

Threat Intel & Investigation on brings all these capabilities to Vade for M365. Vade's latest innovation will reduce incident response time, eliminate the need for additional security investments, and free up critical IT resources. Threat Intel & Investigation is available today in Vade for M365. To learn more, visit Threat Intel & Investigation.

**About Vade**

Vade is a global cybersecurity company specializing in the development of threat detection and response technology with artificial intelligence. Vade's products and solutions protect consumers, businesses, and organizations from email-borne cyberattacks, including malware/ransomware, spear phishing/business email compromise, and phishing.

Founded in 2009, Vade protects more than 1.4 billion corporate and consumer mailboxes and serves the ISP, SMB, and MSP markets with award-winning products and solutions that help increase cybersecurity and maximize IT efficiency.

To learn more, please visit www.vadesecure.com and follow us on Twitter @vadesecure or LinkedIn https://www.linkedin.com/company/vade-secure/.

SOURCE Vade

Vade Releases Advanced Threat Intel & Investigation Capabilities

State-sponsored or state-aligned advanced persistent threats (APTs) adapted to the changing geopolitical landscape in 2022. Cisco Talos observed several offensive cyber campaigns linked to several groups stemming from Russia, Iran, China, North Korea, and countries in the Indian subcontinent...

Tuesday, January 10, 2023 09:01

State-sponsored or state-aligned advanced persistent threats (APTs) adapted to the changing geopolitical landscape in 2022. Cisco Talos observed several offensive cyber campaigns linked to several groups stemming from Russia, Iran, China, North Korea, and countries in the Indian subcontinent. These groups engaged in a variety of malicious activities, including espionage, intellectual property theft, and deploying destructive malware. Major trends observed include:

*   Delivering new, custom malware and updated variants of previously known malware.
*   Exploiting publicly known vulnerabilities, such as Log4j utilities.
*   Updating tooling and behavior patterns to evade discovery.
*   Increasing APT activity in our Cisco Talos Incident Response (CTIR) engagements, including the Iran state-sponsored MuddyWater group and several China affiliated APTs.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

APT Topic Summary Report: Cisco Talos Year in Review 2022

In a new survey from Clever, 3 out of 4 school districts say they will increase their spending on security and privacy in the next two to three years; 1 in 4 teachers report that cybersecurity training is missing in their district.

**SAN FRANCISCO****,** **Jan. 5, 2023** **/PRNewswire/ --** Clever, the platform used by more than 70% of U.S. K-12 schools to simplify and secure digital learning, today announced a new survey of school administrators and teachers revealing that the two groups perceive security vulnerabilities differently as the district edtech stack increases. According to the data, three out of four districts say they will increase their spending on security and privacy in the next two to three years. While more than half of administrators (63%) and teachers (53%) believe that their district is prepared to take on digital security challenges, one in four teachers report that cybersecurity training is missing altogether in their district.

Last year, over 90% of educators said they will continue to use at least some of the digital tools they adopted during the pandemic, as schools increasingly embrace devices and digital platforms to enable individualized instruction and student support. But with the expanded access to technology comes greater responsibility on schools and their edtech partners to protect the information these tools may collect. In 2021, nearly a million students were impacted by 67 ransomware attacks against schools, with a cost of over $3.5 billion in downtime.  

To help district and school leaders navigate new edtech practices in this era of increased usage, Clever surveyed almost 4,000 teachers and administrators. The data suggest that educators and administrators perceive the risks in schools differently: only 11% of teachers said a cybersecurity incident would be very likely, but one in four administrators say their district already experienced a hack, phishing incident, data breach, or other cyber attack in the past year.

"Creating a safe digital learning environment requires that everyone -- administrators, educators, students -- play a role," said Mohit Gupta, who oversees security products at Clever. "Cybersecurity is a team sport, and the differences highlighted in the survey offer us a path forward to address vulnerabilities in our schools. While the groups differ on where the risks exist, they agree on what can be done: more training for educators, the use of security tools, and increased specialized staff."

Among additional key findings from Clever's Cybersecure 2023 report:

*   **Teachers and administrators see devices as the greatest tech vulnerability in their district.** Teachers (34%) and administrators (34.3%) alike believe that devices are the most vulnerable part of their technology infrastructure. However, administrators are more aware of potential risks elsewhere as well: they're five times more concerned about vulnerabilities from administrative platforms like a learning management system or student information system, and nearly three times more concerned about vulnerabilities from applications used for curriculum and instruction.
*   **When it comes to identifying risks around human usage of technology, administrators think teachers are the most likely source of security vulnerability, but teachers think students are.** Teachers, responsible for their own safe use of technology and appropriate use by their students, see students (67%) as the biggest risk for a security incident, followed by teachers (27%). In contrast, two-thirds of administrators believe that teachers pose the highest vulnerability threat, and only 19% believe it to be students. Administrators were also three times more likely than teachers to say administrators are a vulnerability.
*   **Teachers and administrators agree on what can be done to improve digital security.** Both groups believe the three most important activities to support security are: 1) more educator training; 2) more or better technology solutions; and 3) more staff focused on technology. Two-thirds of teachers indicated they would want to learn more about topics related to data privacy and security.
*   **Yet, one in four teachers say cybersecurity training is missing altogether in their district.** While the majority of administrators and educators report that privacy and security training happens in their district, a surprising 26% of teachers say they never receive training on privacy or security – representing a big opportunity for districts to shore up their practices.
*   **Increasing challenges means increased spending.** 65% say their spending on digital security will increase over the next two to three years; another 12% say it will increase significantly, and a majority say that federal stimulus dollars are helping support their efforts.

The survey, administered throughout October 2022 using Clever's user database, asked more than 800 US-based school administrators and more than 3,000 US-based educators. To see the full findings and methodology, click here.

**About Clever**

Clever is on a mission to unlock new ways to learn for all students. More than 70% of U.S. K-12 schools now use Clever to simplify access and improve engagement with digital learning. With our free platform for schools and a network of leading application providers, we're committed to advancing educational equity. Clever, a Kahoot! company, has offices in San Francisco, CA and Durham, NC but you can visit us at clever.com anytime.

SOURCE Clever

New Survey: One In Four Schools Were Victims Of Cyber Attacks In the Last Year; Administrators To Increase Spending On Privacy and Security

Happy New Year and welcoem to this week's edition of the Threat Source newsletter. 
We can’t tell if it’s the fog from Lurene’s deadly eggnog or dare we say pure rest and relaxation but we’re still digging out of our

Thursday, January 5, 2023 14:01

Happy New Year and welcome to this week's edition of the Threat Source newsletter.

We can’t tell if it’s the fog from Lurene’s deadly eggnog or dare we say pure rest and relaxation but we’re still digging out of our inboxes, trying to remember logins, and circle back on all the things we prolonged into 2023. With that we’re keeping this week’s newsletter light as we all ease back into the flow of things.

**The one big thing**

Last month Talos released our Year in Review report, a comprehensive report covering Talos’ work for the 2022 year. The initial report launched December 14th with an additional Ukraine Topic Summary Report on the same day. To discuss the initial report and Ukraine section Talos held a livestream with key contributors to the report, which can be viewed here.

**Why do I care?**

We expect this data-driven story will shed some light on Cisco’s (and the security community’s) most notable successes and remaining challenges. Through the upcoming weeks, we will be highlighting different aspects of this story, including our efforts in Ukraine, the disastrous Log4j vulnerabilities, adversarial use of offensive frameworks and software native to the victim’s machine, shifts in the ransomware landscape, the ever-present threat of commodity loaders/trojans, as well as an overview of some of the advanced persistent threats (APTs) we are most concerned with. Throughout the story, one key theme is clear: _adversaries are adapting to shifts in the geopolitical landscape, actions from law enforcement, and the efforts of defenders. Defenders will need to track and address these shifts in behavior to remain resilient._

**So now what?**

While yes, we’ve moved into another new year the Talos 2022 Year in Review is the gift that keeps on giving. If you’ve yet to read the report, you can catch the cliff notes version in our four part livestream series covering the full report and corresponding topics. Join us January 10th at 12pm ET for our next livestream 2022 Year in Review: APTs on our Talos LinkedIn or Twitter page.

**Top security headlines of the week**

The not-so-bad-guys? The LockBit ransomware group apologies for attacking the Hospital for Sick Children (SickKids) after one of its members violated their rules by attacking a healthcare organization. In their apology, LockBit stated the member is blocked and no longer in their affiliate program and offered a free decryptor for the hospital to recover impacted files. (Bleeping Computer)

Meta was fined over $4 million for breaching the EU’s General Data Protection Regulation (GDPR) personal data laws on Facebook and Instagram according to Ireland’s Data Protection Commission. In a statement the commission stated Meta breached “it’s obligations in relation to transparency” and “for its processing of personal data for the purpose of behavioral advertising”. (SecurityWeek)

All was not calm over the holidays as PyTorch has recently identified a malicious dependency under the same name as the framework’s ‘torchtriton’ library. PyTorch admins are urging users who recently installed PyTorch-nightly to uninstall the framework with the counterfeit ‘torchtriton’ dependency. (SC Media)

**Can’t get enough Talos?**

2022 Year in Review Report

Beers with Talos

Talos Takes

Ukraine Topic Summary

2022 Year in Review: Ukraine livestream on demand

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)

Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d

MD5: 26f927fb7560c11e509f0b8a7e787f79

Typical Filename: Iris QuickLinks.exe

Claimed Product: Iris QuickLinks

Detection Name: W32.DFC.MalParent

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725

MD5: d47fa115154927113b05bd3c8a308201

Typical Filename: excel.exe

Claimed Product: N/A

Detection Name: W32.00AB15B194-95.SBX.TG

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5:   93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  
Internet Explorer

Detection Name: W32.File.MalParent

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5:  2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Simple\_Custom\_Detection

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5:  df11b3105df8d7c70e7b501e210e3cc3

Typical Filename: DOC001.exe

Claimed Product: n/a

Detection Name: Win.Worm.Coinminer::1201

Threat Source newsletter (Jan. 5, 2023): Digging out of our inboxes

**SANTA CLARA, Calif.****,** **Jan. 5, 2023** **/PRNewswire/ --** Netskope, a leader in Secure Access Service Edge (SASE), on the heels of its recognition as Cloud Security Services Vendor of the Year, its sixth straight ranking on the Forbes Cloud 100 list of top cloud companies, and its recognition as a Leader in the 2022 Gartner® Magic Quadrant™ for Security Service Edge (SSE), today announced an oversubscribed investment round of $401M.

The partners for this oversubscribed convertible note investment were four of the world's premier investors. The financing was led by investment funds managed by Morgan Stanley Tactical Value, with participation from Goldman Sachs Asset Management, Ontario Teachers' Pension Plan, and CPP Investments. Netskope plans to extend its technology and platform advantages and market reach through continued innovative worldwide platform development and expansion of strategic go-to-market activities, underscoring its leadership and momentum in what leading analysts estimate to be the $36 billion market opportunity for SASE by 2025.

This financing marks the latest among many recent business and financial milestones for Netskope and serves as another strong validation and indicator of the continued momentum and adoption of the company's vision, team, products, culture, and market opportunity. 

**Securing Modern Cloud Networks** 

As hybrid and remote work has become the new reality, and the use of the cloud accelerates, enterprises of all sizes need to transform their network and data security strategy and architecture. As a result, they are rapidly adopting SASE as a foundational part of their zero trust strategy, to safeguard data, support digital transformation efforts, and realize better efficiency by addressing security and networking challenges through a unified architecture. In addition, enterprises are increasingly seeking SASE capabilities from fewer sources to reduce vendor and tool sprawl. Gartner notes1 that, "by 2025, 65% of enterprises will have consolidated individual SASE components into one or two explicitly partnered SASE vendors, up from 15% in 2021."

The Netskope converged SASE platform includes Netskope's industry-leading Intelligent Security Service Edge (SSE) and Borderless SD-WAN technologies, all of which are crucial to providing the optimized access and zero trust-based security required in a modern networking and security technology stack. Netskope today is one of only a few providers of single-vendor SASE. It is also the only SASE provider recognized as a representative vendor in the 2022 Gartner Market Guide to Single Vendor SASE that also appears as a Leader in the 2022 Gartner Magic Quadrant for Security Service Edge. 

"Our vision from day one was that traditional network and security perimeters would transform, with users, data, and devices moving outside the confines of corporate network perimeters and requiring a new approach to security," said Sanjay Beri, Netskope CEO and co-founder. "With a cloud-first, data-first, and customer-centric philosophy, we built a market-leading SASE platform and one of the world's fastest and most-connected security cloud networks. We have enabled enterprises everywhere to allow their users to be mobile, efficient, and flexible while securing them and the data and applications they access, whether they are in the cloud, on the web, or are private applications on-prem and beyond. We are very proud of the team members, customers, industry luminaries, and existing and new partners announced today who are helping to enable Netskope's journey and secure the journey of all enterprises worldwide."

Over the past 12 months, Netskope has broadened its market reach in the following ways:

*   **Increased Customer Base** – to more than 2,400 total customers worldwide, including over 25 of the Fortune 100, and across all verticals including financial services, healthcare, retail, telecommunications, manufacturing, government, high tech, and beyond.
*   **Expanded SASE Platform** – through organic development of new endpoint data loss prevention, advanced cloud firewall, and zero trust network access products, as well as strategic acquisitions of WootCloud and Infiot to serve as core technology components of Netskope's innovative IoT Security and Borderless SD-WAN modules, respectively.
*   **Growing Patent Portfolio** – more than 100 global patents awarded to Netskope inventors, in data loss prevention, AI/ML, threat prevention, high speed cloud networking, and other strategic technology categories.
*   **Continued Expansion of NewEdge security private cloud** – now powered by full-compute data centers in more than 60 regions worldwide. Every Netskope NewEdge data center is accessible to every customer, with all Netskope SASE services available, providing low latency and high-performing infrastructure, and backed by industry-leading Service Level Agreements.
*   **New and Enhanced Go-to-Market Partnerships** – with some of the world's best-known cloud platform, service provider and systems integrator brands, including Orange, Deloitte, Telefonica, KPN, AWS, Google Cloud, CrowdStrike, Mimecast, Okta, and others which expand Netskope's global reach and ability to capture market share.
*   **Increased Corporate Footprint** – to more than 2,500 team members, active in over 40 countries, with open roles across teams and regions. In 2022, Netskope also enhanced its seasoned executive team with leaders from Salesforce, AWS, Cisco, Palo Alto Networks and others joining Netskope.
*   **Industry Recognition:** Recent Netskope highlights also include product, customer, and industry recognition, including:

*   Won 2022 CRN Cloud Services Vendor of the Year award
*   Won Best SASE Solution and Most Promising Unicorn awards from SC Media
*   Ranked among the highest two solutions for every single use case in the 2022 Gartner Critical Capabilities for Security Service Edge report
*   Named a Leader in the IDC Marketscape for Cloud Security Gateways
*   Awarded one of the first U.S. Federal Civilian Government SASE Contracts, led by the United States Patent and Trademark Office
*   Named for a sixth time to the Forbes Cloud 100, as one of only four security vendors to rank in the Top 50
*   Achieved best-in-class employer brand and employee experience ratings from Glassdoor
*   Achieved a Silver Medal from EcoVadis, highlighting commitment to ESG and business sustainability

"Cloud migration—and securing this modern network—represents one of the most significant and transformative technology shifts in decades," said Pedro Teixeira, managing director of Morgan Stanley and Co-Head of Morgan Stanley's Tactical Value Investing Team. "We seek to invest in high-quality companies that are driving their markets today and into the future.  Netskope epitomizes this, with its innovative SASE vision and solid execution, a robust platform with significant monetization ahead of it, a large global customer base, and defensible market leadership. We look forward to partnering with the team as they strive to realize the significant opportunity that lies ahead."

**Legal Notices**

Morgan Stanley & Co. LLC served as the sole placement agent for the note offering. Pillsbury Winthrop Shaw Pittman LLP served as Netskope's legal counsel and Latham & Watkins LLP served as Morgan Stanley Tactical Value's counsel. J Wood Capital Advisors LLC acted as financial advisor to Netskope.

This press release does not constitute an offer to sell, or a solicitation of an offer to buy, any securities of Netskope.  The securities referenced herein have not been registered under the Securities Act of 1933, as amended, and may not be offered or sold in the United States absent registration or an applicable exemption from such registration requirements.

**Gartner Disclaimer**

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

**About Netskope**

Netskope, a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

Netskope Receives $401M In New Funding

Categories: News
Tags: Okta

Tags:  GitHub

Tags:  Auth0

Okta's code repository on GitHub has been accessed by an unauthorized third party, but there's no reason for customers to worry



(Read more...)




The post Okta breached last month, no customers compromised appeared first on Malwarebytes Labs.

Some of Okta’s source code fell into the hands of an unauthorized party. The code was stolen from GitHub in the first part of December, according to a statement issued by the company. In the same statement the company reassured users that there was no impact to any customers.

**Okta**

Okta is an access management company based in San Francisco. According to its own website, Okta serves over 15,000 organizations. Essentially, Okta software allows employees to log in using single sign-on—a central platform where employees can log in once in order to access resources that have been assigned to them by an organization’s IT staff. The kind of identity-first approach to security is seen by some as an important underpinning of a Zero Trust security model.

**Stolen source code**

GitHub alerted Okta about a possible breach in early December. An investigation by Okta revealed that the unauthorized access was used to copy code from the Okta Workforce Identity Cloud (WIC) code repositories.

Okta Workforce Identity Cloud provides a unified solution for secure access to any resource from any user that needs it, while maintaining the "Principle of Least Privilege" (POLP). The principle of least privilege is the idea that at any user, program, or process should have only the bare minimum privileges necessary to perform its function.

**Customers unaffected**

In the statement that was also sent out by mail to security contacts, Okta told their customers that there was no unauthorized access to the Okta service, and no unauthorized access to customer data. This includes Okta's HIPAA, FedRAMP, and DoD customers. This is because Okta does not rely on the confidentiality of its source code for the security of its services. The Okta service remains fully functional and secure.

**Auth0**

A few months ago, Okta subsidiary Auth0 disclosed a similar incident, where code repository archives that predated Okta’s acquisition of Auth0 were stolen. It never became clear how the unauthorized party, that notified Okta about the possession of the archives, exfiltrated them.

**LAPSUS$**

Okta themselves admitted to a breach that happened in January of 2022, where the LAPSUS$ cybercriminal group accessed two active customer tenants within their SuperUser application and viewed limited additional information in certain other applications like Slack and Jira that could not be used to perform actions in Okta customer tenants. The January breach was initially believed to have a much larger impact and there was talk of possibly 366 customers that might be affected.

**Measures**

When Okta learned of the latest incident, it placed temporary restrictions on access to Okta GitHub repositories and suspended all GitHub integrations with third-party applications. The company also reviewed the integrity of all the code that was recently placed on GitHub, and rotated GitHub credentials. Law enforcement has also been notified of the breach.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#cisco