First in our series addressing the top 10 unanswered questions in security: What's going to replace EDR?

Endpoint detection and response (EDR) is a cybersecurity staple. The EDR market is still growing at an impressive rate, with a compound annual growth rate projected to exceed 20% through 2027. Additionally, EDR leaders CrowdStrike and SentinelOne's latest ARR growth rates are at 59% and 122%, respectively.

However, at the same time, security professionals are realizing that endpoint detection alone isn't enough. True end-to-end visibility requires accounting for all devices, servers, containers, cloud platforms, and network data flows. Incidents like the Black Basta ransomware attacks have made the point loud and clear that organizations need to be constantly watching what is happening on the network.

In addition to the limited scope of EDR visibility and protection, there are operational challenges. Tool sprawl and complexity make it difficult for EDR to scale and increase the chances of human error that can lead to security oversights.

Extended detection and response (XDR) and managed detection and response (MDR) are rapidly emerging as more holistic solutions for security-conscious organizations. XDR expands on the capabilities of EDR by providing visibility into other attack vectors on the corporate network, rapidly growing cloud resources, sensitive identities, and unmanaged data. XDR enables SOCs to detect, proactively hunt for threats, and contain sophisticated threats from a centralized user interface.

MDR — which involves a third party providing threat hunting, alert triaging, and incident response — is useful for organizations that don't have a dedicated security operations center (SOC) or sufficient in-house cybersecurity expertise. By providing XDR-like functionality while offloading the operational complexity, MDR platforms can help these organizations drastically improve their security posture quickly.

MDR and XDR both provide the holistic threat detection and response capabilities EDR lacks, and we can expect to see more and more organizations adopt MDR or XDR instead of EDR-only in the years to come. That's good news for key players in the XDR/MDR market, like Cisco, Microsoft, CrowdStrike, SentinelOne, and Cybereason.

**Beyond XDR**

What's even more interesting than the evolution from EDR to XDR/MDR is the general consolidation of functionality we're seeing with XDR/MDR and other security tooling. For example, by aggregating network security data, XDRs are effectively competing with existing security information and event management (SIEM) tools.

This "federated logging" trend, where the tool aggregating the data also analyzes it, is becoming more popular. That may be bad news for legacy SIEMs, but it is an opportunity for vendors that can get it right. Performing the aggregation and analysis of cloud, network, and endpoint data in a single platform, these next-gen tools are paving the way for life after EDR for what remains of this year and beyond.

Uptycs' unified XDR and CNAPP platform is a prime example and inspiration of where we can expect the XDR market to go. Windows, macOS, and Linux endpoints are just one piece of the puzzle. What used to take multiple discrete tools for EDR, cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), asset management, and compliance can all be managed with one data model.

In the years to come, we can expect to see more vendors attempt to consolidate functionality into XDR-like tools and MDR services. While integrations aren't going away anytime soon, the solutions that do the best job of limiting tool sprawl without limiting functionality will be well-positioned to become market leaders in the mid-2020s.

Now That EDR Is Obvious, What Comes Next?

In late October two new buffer overflow vulnerabilities, CVE-2022-3602 and CVE-2022-3786, were announced in OpenSSL versions 3.0.0 to 3.0.6. These vulnerabilities can be exploited by sending an X.509 certificate with a specially crafted email address, potentially causing a buffer overflow resulting in a crash or

Tuesday, November 1, 2022 15:11

In late October two new buffer overflow vulnerabilities, CVE-2022-3602 and CVE-2022-3786, were announced in OpenSSL versions 3.0.0 to 3.0.6. These vulnerabilities can be exploited by sending an X.509 certificate with a specially crafted email address, potentially causing a buffer overflow resulting in a crash or remote code execution (RCE). X.509 is the standard defining the format of public key certificates, commonly used in protocols including TLS as well as digital signatures. Importantly, these vulnerabilities can affect both the client and server in contrast to most vulnerabilities that typically impact one or the other, broadening the potential attack surface.  

These vulnerabilities could be very impactful as OpenSSL is widely used, and the affected version is included in some major Linux distributions. However, the affected version was released relatively recently in September of 2021 so adoption may not be as widespread as older versions, such as 1.1.1 and 1.0.2, which are currently unaffected by this vulnerability.  

For more information about these vulnerabilities’ impact on Cisco products, please refer to Cisco’s Security Advisory here.  

Cisco Talos is closely monitoring for potential exploitation attempts in the wild as new details of the vulnerabilities are released. We strongly recommend users mitigate affected systems as soon as possible by upgrading to version 3.0.7.  

**Vulnerability details**

A buffer overflow can be triggered by sending an X.509 certificate with a specially crafted email address in the “id-on-SmtpUTF8Mailbox” field ( OID 1.3.6.1.5.5.7.8.9 )  resulting in a crash (Denial of Service - DoS) or potential remote code execution on a vulnerable client or server. Potential opportunities for exploitation can occur if a server requests authentication information after a malicious client connects, or if a client connects to a malicious server, which would then make the client vulnerable.

CVE-2022-3602 is assigned for a 4-byte buffer overflow (single unsigned int overwrite) resulting in a crash or remote code execution. However, CVE-2022-3786 refers to the variable length overflow variant in the X.509 email address field with the potential to result in crashes.

**Coverage & Mitigations**

  
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

For more information about this vulnerability’s impact on Cisco products, please refer to Cisco’s Security Advisory here.  

Cisco Talos is releasing Snort Rules: **60790, 300306-300307** to protect against exploitation of CVE-2022-3602.  

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

*   Multios.Exploit.CVE\_2022\_3602-9976476-0

Threat Advisory: High Severity OpenSSL Vulnerabilities

Most of the time, Khodjibaev is combing through various dark web forums, ransomware group chats, Russian-speaking websites and other sources trying to learn of attackers’ next moves.

Monday, October 31, 2022 14:10

**A case study in why cybersecurity experience is not a prerequisite to work in security**

Azim Khodjibaev knows all sides of the “security” industry.

That doesn’t just cover cybersecurity, either — he spent the first part of his career ensuring the physical safety of civilians and military personnel, which is about as high-stakes as it gets.

Today, he’s using his knack for tracking physical threats to hunt down other types of threats on the deepest corners of the internet so Talos can stay one step ahead of threat actors.

Khodjibaev is a senior intelligence analyst with Talos’ Threat Intelligence and Interdiction team. The idea of collecting intelligence of all types has been in his life for years — he’s no stranger to geopolitical conflict growing up in the late days of the Soviet Union.

When his family immigrated to the U.S. in the mid-1990s, he knew he wanted to follow a career in political science, which led him to get his bachelor’s degree in international relations. Since then, the word “threats” has meant all sorts of things to Khodjibaev.

He spent several years in different contracting positions with the U.S. government where he worked in counterintelligence research, utilizing his native Russian language to try and warn potential targets of military action, by infiltrating various online networks and tapping other sources to learn as much as possible about adversaries’ plans. Khodjibaev was also a part of the intelligence-gathering operations in the wake of the Boston Marathon bombing in 2013 and spent time tracking the location of improvised explosive devices (IEDs) on real battlefields.

“After doing that for a while, out of the blue, I got a message on LinkedIn that actually looked like a phish because it was too good to be true,” he jokes now.

The message was a Cisco recruiter reaching out to him about a potential job opportunity at Talos in the cybersecurity space, something Khodjibaev had never directly worked in before. But after a successful interview and a promise of further education in the field, he jumped on board with Talos in 2016. One of his first challenges was to translate the infamous BlackEnergy attacks against Ukraine and pass along his findings to the Talos detection team who needed to react quickly to the cyber attack.

“For about three-and-a-half years, I was blind, I had no idea what was going on. I knew nothing about the network structure, and only knew the very basic levels of cybersecurity,” he said.

But by working on a team with cybersecurity-focused researchers, he grew his knowledge of virtual threats and how to apply his intelligence-gathering skills to focus on cyber attacks rather than kinetic ones.

Most of the time, Khodjibaev is combing through various dark web forums, ransomware group chats, Russian-speaking websites and other sources trying to learn of attackers’ next moves.

“Over time, I realized I could contribute to the entire cybersecurity enterprise by building on those human intelligence skills and cyber intelligence skills,” he said.

When Khodjibaev finds a new potential threat or piece of malware, he tries to get it to Talos’ team of reverse engineers and rule writers to write detection as quickly as possible. He also partners with the Outreach team’s researchers to put together public-facing intelligence on the threat, such as one of Talos’ blog posts or intelligence partner alerts.

“As soon as I see something that’s beyond my ability to do something, we have a very specific mechanism that Talos has developed and refined to be speedy, yet accurate, with our detection,” he said.

Most recently, Khodjibaev’s been researching the LockBit ransomware group and regularly updates his Twitter followers about the group’s ongoing developments, even leading to a mini-series of Talos Takes episodes jokingly dubbed “Days of our Ransomware” as he sees drama between these groups play out on message boards, private chats and more.

These can often be very high-risk situations, though, and Khodjibaev continually imperils himself by trying to infiltrate virtual spaces with well-funded and highly skilled threat actors, so one slip-up could make him a personal target of an attack. But it doesn’t deter him from checking as many spaces as possible for the latest developments.

“There have been times when I’ve been legitimately scared because I pushed the envelope too far,” he said. “I am paranoid and careful in a good way where I’m always documenting things. But I’ve pushed the envelope into how far I’ve gone. The bad guys need to understand and learn that if they create a space that has more than one person in it, it’s only a matter of time before someone like me gets in there and takes advantage of that.”

These high-stress situations are admittedly less of a literal life-and-death situation that Khodjibaev used to work in when he would be forced to watch videos or read plans of “violence, abuse, crimes against innocent, defenseless people.”

So, he enjoys the quieter moments of his life where he can either work in his yard at his home or get out and kayak. He’s also a rowing coach for a local high school program.

“Given that unstable childhood I went through \[in the Soviet Union\], I am really into just living a really boring suburban life,” Khodjibaev said.

Now several years into his cybersecurity journey, Khodjibaev said he’s learned that cybersecurity isn’t a problem that can only be solved by looking at raw intelligence like datasets, he more so subscribes to Matt Olney’s, the director of Threat Intelligence and Interdiction at Talos, theory that “cybersecurity is a human problem.”

“I’ve always been a curious person and have always had a low tolerance of malicious activity against people who can’t help themselves,” Khodjibaev said. “Most cybercrime is just that — it’s not these state-sponsored actors, it’s cyber criminals ruining people’s days and targeting hospitals, and schools, and I always wanted to do something about it.”

Researcher Spotlight: How Azim Khodjibaev went from hunting real-world threats to threats on the dark web

CTO recognized as cybersecurity influencer for his research and thought leadership.

**SAN FRANCISCO, Oct. 31, 2022 /PRNewswire/** — Normalyze, a data-first cloud security platform, today announced that Ravi Ithal, chief technology officer and co-founder, has been named to the Enterprise Security Tech Cyber Influencer Top 10 List. The Enterprise Security Tech Cyber Influencer Top 10 list recognizes the top cybersecurity influencers providing immense value to the industry with groundbreaking research, visionary thought leadership, and consistent leadership and culture-building accolades.

The rise of cloud computing has increased the complexity of the enterprise attack surface. A recent survey from IDC found that 98% of organizations queried reported at least one cloud data breach in the past 18 months. As a result, security teams don't know where their data resides or its value, leading to difficulty avoiding data breaches. Normalyze's secret sauce is its ability to gather all security stakeholders, from the CISO to the security engineer, to DevOps, in one user interface to discover data, classify it, and prioritize discovery of attack paths that can lead to sensitive information.

"I've been fortunate enough to be part of some industry- and category-defining cybersecurity companies for a couple of decades now and I can tell you that cybersecurity has never been more important for economic and national security as it is now. It's incredibly humbling to be recognized for the accomplishment that led to assembling the smart team at Normalyze," said Ithal. "Cloud data is adding so much complexity right now and I really believe in the work we're doing at Normalyze to share best practices and let people trust their data in the cloud again."

"We need leaders in the cybersecurity industry now more than ever," said Jack Campbell, Managing Editor, Enterprise Security Tech. "The industry is bogged down by the daily cat-and-mouse game with cyber criminals, so we need industry leaders that are forward-looking and have a vision for how we can move the industry forward and solve macro security problems instead of simply firefighting. We're honored to be able to recognize these leaders for the value that they are bringing to the market and their dedication to moving the cybersecurity industry forward."

For more information about the Enterprise Security Tech Cyber Influencer Top 10 List, please visit this page.

**About Enterprise Security Tech**

Enterprise Security Tech is a specialized cyber media company with a global presence. The Enterprise Security Tech blog is a cybersecurity blog written for CISOs, CIOs, and security-minded CEOs that brings together critical news, expert insights, and product information to help security leaders make informed business decisions. Enterprise Security Tech is also home to The Cyber Jack Podcast, which brings listeners the latest cybersecurity insights via security experts from around the industry. For more information about Enterprise Security Tech, visit our website.

**About Normalyze:**

Normalyze is a pioneering provider of cloud data security solutions helping customers secure their data, applications, identities, and infrastructure across public clouds. With Normalyze, organizations can discover and visualize their cloud data attack surface within minutes and get real-time visibility and control into their security posture including access, configurations, and sensitive data to secure cloud infrastructures at scale. The Normalyze agentless and machine-learning scanning platform continuously discovers resources, sensitive data and access paths across all cloud environments. The company was founded by industry veterans Ravi Ithal and Amer Deeba and has several customers, including Corelight, Netskope, and Orkes. The company is funded by Lightspeed Venture Partners and Battery Ventures. For more information, please visit normalyze.ai.

**SOURCE:** Normalyze

Normalyze Co-Founder and CTO, Ravi Ithal, Named to the Enterprise Security Tech Cyber Influencer Top 10 List

Plus: Important patches from Apple, VMWare, Cisco, Zimbra, SAP, and Oracle.

Other issues fixed in October are a heap buffer overflow in WebSQL tracked as CVE-2022-3446 and a use-after-free bug in Permissions API tracked as CVE-2022-3448, Google wrote in its blog. Google also fixed two use-after-free bugs in Safe Browsing and in Peer Connection.

Google Android

The Android Security Bulletin for October includes fixes for 15 flaws in the Framework and System and 33 issues in the kernel and vendor components. One of the most concerning issues is a critical security vulnerability in the Framework component that could lead to local escalation of privilege, tracked as CVE-2022-20419. Meanwhile, a flaw in the Kernel could also lead to local escalation of privilege with no additional execution privileges needed.

None of the issues are known to have been used in attacks, but it still makes sense to check your device and update it when you can. Google has issued the update to its Pixel devices and it’s also available for the Samsung Galaxy S21 and S22 series smartphones and Galaxy S21 FE.

Cisco

Cisco has urged companies to patch two flaws in its AnyConnect Secure Mobility Client for Windows after it was confirmed the vulnerabilities are being used in attacks. Tracked as CVE-2020-3433, the first could allow an attacker with valid credentials on Windows to execute code on the affected machine with system privileges.

Meanwhile, CVE-2020-3153 could allow an attacker with valid Windows credentials to copy malicious files to arbitrary locations with system-level privileges.

The US Cybersecurity and Infrastructure Security Agency has added the Cisco flaws to its already exploited vulnerabilities catalog.

While both the Cisco flaws require the attacker to be authenticated, it’s still important to update now.

Zoom

Video conferencing service Zoom patched several issues in October, including a flaw in its Zoom client for meetings, which is marked as having a high severity with a CVSS Score of 8.8. Zoom says versions before version 5.12.2 are susceptible to a URL-parsing vulnerability tracked as CVE-2022-28763.

“If a malicious Zoom meeting URL is opened, the link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers,” Zoom said in a security bulletin.

Earlier in the month, Zoom alerted users that its client for meetings for macOS starting with 5.10.6 and prior to 5.12.0 contained a debugging port misconfiguration.

VMWare

Software giant VMWare has patched a serious vulnerability in its Cloud Foundation

Tracked as CVE-2021-39144. The remote code execution vulnerability via XStream open source library is rated as having a critical severity with a maximum CVSSv3 base score of 9.8. “Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation, a malicious actor can get remote code execution in the context of 'root' on the appliance,” VMWare said in an advisory.

The VMware Cloud Foundation update also addresses an XML External Entity vulnerability with a lesser CVSSv3 base score of 5.3. Tracked as CVE-2022-31678, the bug could allow an unauthenticated user to perform denial of service.

Zimbra

Software firm Zimbra has issued patches to fix an already-exploited code execution flaw that could allow an attacker to access user accounts. The issue, tracked as CVE-2022-41352, has a CVSS severity score of 9.8.

Exploitation was spotted by Rapid7 researchers, who identified signs it had been used in attacks. Zimbra initially released a workaround to fix it, but now the patch is available, you should apply it ASAP.

SAP

Enterprise software firm SAP has published 23 new and updated Security Notes in its October Patch Day. Among the most serious issues is a critical Path Traversal vulnerability in SAP Manufacturing Execution. The vulnerability affects two plugins: Work Instruction Viewer and Visual Test and Repair and has a CVSS score of 9.9.

Another issue with a CVSS score of 9.6 is an account hijacking vulnerability in the SAP Commerce login page.

Oracle

Software giant Oracle has released a whopping 370 patches as part of its quarterly security update. Oracle’s Critical Patch Update for October fixes 50 vulnerabilities rated as critical.

The update contains 37 new security patches for Oracle MySQL, 11 of which may be remotely exploitable without authentication. It also contains 24 new security patches for Oracle Financial Services Applications, 16 of which may be remotely exploitable without authentication.

Due to “the threat posed by a successful attack,” Oracle “strongly recommends” that customers apply Critical Patch Update security patches as soon as possible.

You Need to Update Google Chrome, Windows, and Zoom Right Now

Communication services provider Twilio this week disclosed that it experienced another "brief security incident" in June 2022 perpetrated by the same threat actor behind the August hack that resulted in unauthorized access of customer information.
The security event occurred on June 29, 2022, the company said in an updated advisory shared this week, as part of its probe into the digital break-in

Communication services provider **Twilio** this week disclosed that it experienced another "brief security incident" in June 2022 perpetrated by the same threat actor behind the August hack that resulted in unauthorized access of customer information.

The security event occurred on June 29, 2022, the company said in an updated advisory shared this week, as part of its probe into the digital break-in.

"In the June incident, a Twilio employee was socially engineered through voice phishing (or 'vishing') to provide their credentials, and the malicious actor was able to access customer contact information for a limited number of customers," Twilio said.

It further said the access gained following the successful attack was identified and thwarted within 12 hours, and that it had alerted impacted customers on July 2, 2022.

The San Francisco-based firm did not reveal the exact number of customers impacted by the June incident, and why the disclosure was made four months after it took place. Details of the second breach come as Twilio noted the threat actors accessed the data of 209 customers, up from 163 it reported on August 24, and 93 Authy users.

Twilio, which offers personalized customer engagement software, has over 270,000 customers, while its Authy two-factor authentication service has approximately 75 million total users.

"The last observed unauthorized activity in our environment was on August 9, 2022," it said, adding, "There is no evidence that the malicious actors accessed Twilio customers' console account credentials, authentication tokens, or API keys."

To mitigate such attacks in the future, Twilio said it's distributing FIDO2-compliant hardware security keys to all employees, implementing additional layers of control within its VPN, and conducting mandatory security training for employees to improve awareness about social engineering attacks.

The attack against Twilio has been attributed to a hacking group tracked by Group-IB and Okta under the names 0ktapus and Scatter Swine, and is part of a broader campaign against software, telecom, financial, and education companies.

The infection chains entailed identifying mobile phone numbers of employees, followed by sending rogue SMSes or calling those numbers to trick them into clicking on fake login pages, and harvesting the credentials entered for follow-on reconnaissance operations within the networks.

As many as 136 organizations are estimated to have been targeted, some of which include Klaviyo, MailChimp, DigitalOcean, Signal, Okta, and an unsuccessful attack aimed at Cloudflare.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Twilio Reveals Another Breach from the Same Hackers Behind the August Hack

**SAN FRANCISCO, October 28, 2022** — Nozomi Networks Inc., the leader in OT and IoT security, today announced the SANS 2022 OT/ICS Cybersecurity Report finds ICS cybersecurity threats remain high as adversaries set their sights on control system components. In response, organizations have significantly matured their security postures since last year. In spite of the progress, more than a third (35%) don’t know whether their organizations had been compromised and attacks on engineering workstations doubled in the last 12 months.

> “In the last year, Nozomi Networks researchers and the ICS cybersecurity community have witnessed attacks like Incontroller move beyond traditional targets on enterprise networks, to directly targeting OT,” said Nozomi Networks Co-founder and CPO Andrea Carcano. “While threat actors are honing their ICS skills, the specialized technologies and frameworks for a solid defense are available. The survey found that more organizations are proactively using them. Still, there’s work to be done. We encourage others to take steps now to minimize risk and maximize resilience.”

**ICS Cybersecurity Risks Remain High**

*   62% of respondents rated the risk to their OT environment as high or severe (down slightly from 69.8% in 2021).
*   Ransomware and financially motivated cybercrimes topped the list of threat vectors (39.7%) followed by nation-state sponsored attacks (38.8%). Non-ransomware criminal attacks came in third (cited by 32.1%), followed closely by hardware/software supply chain risks (30.4%).
*   While the number of respondents who said they had experienced a breach in the last 12 months dropped to 10.5% (down from 15% in 2021), 35% of those said the engineering workstation was an initial infection vector (doubling from 18.4% last year).
*   35% did not know whether their organizations had been compromised (down from 48%) and 24% were confident that they hadn’t had an incident, a 2x improvement over the previous year.
*   In general, IT compromises remain the dominant access vector (41%) followed by replication through removable media (37%).

**ICS Cybersecurity Postures are Maturing**

*   66% say their control system security budget increased over the past two years (up from 47% last year).
*   56% say they are now detecting compromises within the first 24 hours of an incident (up from 51% in 2021). The majority (69%) say they move from detection to containment within 6 to 24 hours.
*   87.5% have conducted a security audit of their OT/control systems or networks in the past year (up from 75.9% last year) – one-third (29%) have now implemented a continual assessment program.
*   The overwhelming majority (83%) monitor their OT system security. Of those, 41% used a dedicated OT SOC
*   Organizations are investing in ICS training and certification: 83% of respondents are professional control system certification holders – a significant jump from 54% in the last 12 months.
*   Nearly 80% have roles that emphasize ICS operations up from 50% in 2021.

**To learn more about the latest trends in OT/ICS cybersecurity:**

*   Download: The State of OT/ICS Cybersecurity in 2022 and Beyond

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nozomi Networks-Sponsored SANS Survey Finds Security Defenses are Getting Stronger as Cyber Threats to OT Environments Remain High

This year’s theme, “See Yourself in Cyber,” allowed Talos to highlight the various positions and people that make up our organization.

Friday, October 28, 2022 09:10

As yet another October comes to an end, so does another Cybersecurity Awareness Month. Since 2004 when the President of the United States and Congress declared October Cybersecurity Awareness Month, we’ve taken the time to share our cybersecurity knowledge with the broader general public year after year. This year we focused on the 2022 theme, “See Yourself in Cyber.” As the talent gap continues to affect the cybersecurity field, Talos aims to share resources and inspire the next generation of cyber defenders.

**See yourself in cyber**

This year’s theme, “See Yourself in Cyber,” allowed Talos to highlight the various positions and people that make up our organization. From team members with military backgrounds to no formal cybersecurity education there’s a place in Talos for everyone regardless of background, location or experience.

To showcase the different roles at Talos and within the cybersecurity community, we brought together a global panel of Talos members to share their career paths and offer career advice for those looking to start a career in the cyber field. Rewatch our “See Yourself in Cybersecurity” career panel livestream to learn how you can start a career in cybersecurity.

October also featured our sixth Researcher Spotlight, Cisco Talos Incident Response Principal Engineer Yuri Kramarz. Each month we spotlight a different researcher highlighting their career journey, work at Talos and cybersecurity career advice. Read Yuri’s spotlight and the rest of our Research Spotlight series here.

Our second livestream of the month, Threat Hunting 101, brought together a panel of threat researchers to not only discuss what Threat Hunting is but also how to start a career in the field. Through the round table conversation Talos members highlighted the key skills one needs to be a successful threat hunter and shared their thoughts on where they see the future of threat hunting headed. Watch the livestream on demand to learn how Talos approaches their threat hunting programs.

October may be Cybersecurity Awareness Month, but every day, our incident responders are working to keep our customers, partners – and ultimately the internet at large -- safe. We recognized our Incident Responders of the Cisco Talos Incident Response team and how their work impacts the world and what keeps them motivated every day on a nearly 24/7 basis.

It’s never too late to start a career in the cybersecurity field regardless of your previous experience. Cisco Talos Incident Response Consultant Gergana Karadzhova shared her six tips on how to pivot into cybersecurity as a mid-career professional to encourage those looking to break into the industry. Her first tip? It’s never too late! Sammi Seaman and Jon Munshaw also recorded a Talos Takes episode reflecting on their pivot from non-security fields to careers at Talos.

Interested in joining Team Talos? You can view all our current openings and apply here. Follow along with us all year long on social media and subscribe to our Threat Source newsletter to stay up to date on the latest threats news.

See Yourself in Cyber: A Cybersecurity Awareness Month recap

Supply chain attacks were all the rage in 2020 after SolarWinds, but we seem to have forgotten how important they are.

Thursday, October 27, 2022 14:10

Welcome to this week’s edition of the Threat Source newsletter.

There are plenty of jokes about whether we’re “aware” of cybersecurity during National Cybersecurity Awareness Month. But now I’m wondering if people are aware of supply chain attacks.

I thought we hit the pinnacle of supply chain attacks in 2020 with the SolarWinds attack, when these types of attacks dominated headlines and defenders started shouting from the mountaintops about how important it is to be ready for supply chain attacks.

And then Kaseya came along a few months later when attackers found a different way to deploy malicious updates that were disguised as legitimate patches.

And still today, we’re warning about the dangers of how prevalent supply chain attacks are and how everyone needs to be ready for this attacker technique. This leaves me wondering if Kaseya and SolarWinds weren’t the breaking point — what is?

It seems like no matter how many times we see major ransomware attacks, even coming to the point of making it impossible for people to get gas, attackers are back again with another ransomware attack a few weeks later.

We still have several hurdles to overcome to fix the supply chain attack problem, as Jaeson Schultz from our Outreach team outlined in this recent post. But it’s clear that these attacks aren’t going anywhere, and neither are defenders’ warnings.

As I wrote at the start of October, it can be easy to poke fun at Cybersecurity Awareness Month because it’s impossible to define what it even means to be “aware” of cybersecurity. Clearly, there’s still awareness to spread, though, and we keep needing to spread it in regard to supply chain attacks, ransomware and pretty much every other type of cyber attack.

**The one big thing**

For the first time since collecting such data, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats in the third quarter of 2022. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective.

**Why do I care?**

This data represents what Talos IR is actively seeing in the wild over the past few months and is likely representative of the broader threat landscape.

**So now what?**

A lack of MFA remains one of the biggest impediments to enterprise security. Nearly 18 percent of engagements either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection and response (EDR) solutions. Talos IR recommends disabling VPN access for all accounts that are not using two-factor authentication.

**Top security headlines of the week**

The Biden administration is preparing to release updated guidelines and warnings around election security with a few days left before the midterm elections. A bulletin reportedly being drafted includes information on threats from Russia, China and other state-sponsored actors. Election workers and local officials are also having to deal with physical threats to polling workers and locations, all while the number of volunteers is dwindling. Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency released a PSA stating that malicious cyber activity is "unlikely to disrupt or prevent voting." (Politico, Axios, Voice of America)

Apple released security updates for its iOS and iPadOS operating systems this week, including fixes for a vulnerability that “may have been actively exploited.” There are 20 vulnerabilities fixed in these updates in all. CVE-2022-42827 is the most notable vulnerability, which could allow an attacker to execute code with Kernel privileges via an attacker-controlled app. This is the third Kernel-related out-of-bounds memory vulnerability that Apple has patched in each of its previous security updates: CVE-2022-32894 and CVE-2022-32917. CVE-2022-32917 was known to be used in attacks in the wild. (Forbes, The Hacker News)

Two vulnerabilities in Microsoft's Mark of the Web (MoTW) security feature could allow an attacker to send JavaScript files that could bypass security blocks in place. Attackers are reportedly actively exploiting both issues, though Microsoft has yet to issue any formal fixes for the vulnerabilities, and there are no workarounds available. Mark of the Web protects users against files from untrusted sources, but the two vulnerabilities could allow the attackers to construct the files in a way that they are not appropriately marked by Windows. Attackers commonly use .js files as attachments or downloads that can run outside a web browser. (Dark Reading, Bleeping Computer)

**Can't get enough Talos?**

*   Talos Takes Ep. #118: Threat Hunting 101
*   Beers with Talos Ep. #127: I’m a skiddie, and you can too!
*   A bug in Abode’s home security system could let hackers remotely switch off cameras
*   Talos Incident Response Q3 2022 Quarterly Report

**Upcoming events where you can find Talos**

**Click or Treat? How not to fall for a phishing attack this Halloween** (Oct. 31)  
Virtual

**BSides Lisbon** (Nov. 10 - 11)  
Cidade Universitária, Lisboa, Portugal

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681  
**MD5:** f1fe671bcefd4630e5ed8b87c9283534  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** PUA.Win.Tool.Hackkms::1201

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
**MD5:** 2c8ea737a232fd03ab80db672d50a17a  
**Typical Filename:** LwssPlayer.scr  
**Claimed Product:** 梦想之巅幻灯播放器  
**Detection Name:** Auto.125E12.241442.in02

Threat Source newsletter (Oct. 27, 2022): I thought we were already aware of supply chain attacks?

Even if the security bug is not another Heartbleed, prepare like it might be, they note — it has potentially sprawling ramifications.

Organizations have five days to prepare for what the OpenSSL Project on Oct. 26 described as a "critical" vulnerability in versions 3.0 and above of the nearly ubiquitously used cryptographic library for encrypting communications on the Internet.

On Tuesday, Nov. 1, the project will release a new version of OpenSSL (version 3.0.7) that will patch an as-yet-undisclosed flaw in current versions of the technology. The characteristics of the vulnerability and ease with which it can be exploited will determine the speed with which organizations will need to address the issue.

**Potentially Huge Implications**

Major operating system vendors, software publishers, email providers, and technology companies that have integrated OpenSSL into their products and services will likely have updated versions of their technologies timed for release with the OpenSSL Project's disclosure of the flaw next Tuesday. But that will still leave potentially millions of others — including federal agencies, private companies, service providers, network device manufacturers, and countless website operators — with a looming deadline to find and fix the vulnerability before threat actors begin to exploit it.

If the new vulnerability turns out to be another Heartbleed bug — the last critical vulnerability to impact OpenSSL — organizations and indeed the entire industry are going to be under the gun to address the issue as quickly as possible.

The Heartbleed vulnerability (CVE-2014-0160), disclosed in 2014, basically gave attackers a way to eavesdrop on Internet communications, steal data from services and users, to impersonate services, and do all this with little trace of their ever having done any of it. The bug existed in OpenSSL versions from March 2012 onward and affected a dizzying range of technologies, including widely used Web servers such as Nginx, Apache, and IIS; organizations such as Google, Akamai, CloudFlare, and Facebook; email and chat servers; network appliances from companies such as Cisco; and VPNs.

The disclosure of the bug triggered a frenzy of remedial activity across the industry and sparked concerns of major compromises. As Synopsys' Heartbleed.com site noted, Apache and Nginx alone accounted for a market share of over 66% of active sites on the Internet at the time Heartbleed was disclosed.

There's no telling, until Tuesday at least, if the new flaw will be anything like Heartbleed. But given the almost critical-infrastructure-like use of OpenSSL for encryption across the Internet, organizations would do well not to underestimate the threat, security experts said this week.

**Security Orgs Should Brace for Impact**

"It is a bit difficult to speculate about the impact, but past experience has shown that OpenSSL doesn't use the label 'critical' lightly," says Johannes Ullrich, dean of research at the SANS Institute.

OpenSSL itself defines a critical flaw as one that enables significant disclosure of the contents of server memory and potential user details, vulnerabilities that can be exploited easily and remotely to compromise server private keys.

Version 3.0, the current release of OpenSSL, is used in many current operating systems, such as Ubuntu 22.04 LTS and MacOS Mavericks and Ventura, Ullrich notes. Organizations can expect to receive Linux patches quickly and likely at the same time as the OpenSSL bulletin on Tuesday. But organizations should get ready now, finding out which systems use OpenSSL 3.0, Ullrich says. "After Heartbleed, OpenSSL introduced these preannouncements of security patches," he says. "They are supposed to help organizations prepare. So, use this time to find out what will need patching."

Brian Fox, co-founder and CTO at Sonatype, says that by the time the OpenSSL Project discloses the bug Tuesday, organizations need to identify if they are using a vulnerable version anywhere in their technology portfolio, which applications are using it, and how long it would take for them to remediate the issue. 

"Potential reach is always the most consequential piece of any major flaw," Fox notes. "In this instance, the largest challenge with updating OpenSSL is that often this usage is embedded inside of other devices." In these instances, it can be hard to assess exposure without asking the upstream provider of the technology, he adds.

Anything that communicates with the Internet securely could potentially have OpenSSL built in to it. And it's not just software that can be affected but hardware as well. The advance notice that the OpenSSL Project provided should give organizations time to prepare. "Finding what pieces of software or devices is the first step. Organizations should do that now, and then patching or sourcing updates from the upstream vendors will follow," Fox says. "All you can do at the moment is inventory."

**An Entire Ecosystem Might Need to Update**

A lot will also depend on how vendors of products with vulnerable versions of OpenSSL embedded in them respond to the disclosure. The OpenSSL Project's release of the new version on Tuesday is only the first step. "An entire ecosystem of applications built with OpenSSL will also have to update their code, release their own updates, and organizations will need to apply them," says John Bambenek, principal threat hunter at Netenrich.

Ideally, organizations that have dealt with Heartbleed will have an idea of where their OpenSSL installs are and which of their vendor products will require an update as well. "This is why software bills of materials can be important," Bambenek says. "They can take this time to reach out and understand their suppliers and vendors plans for updates to make sure those updates are applied as well." One likely issue that organizations need to be prepared for is how to deal with end-of-life products for which updates are not available, he adds.

Mike Parkin, senior technical engineer at Vulcan Cyber, says that without evidence of exploit activity and associated indicators of compromise, it is best that organizations follow their normal change management process for when a known update is on the way. "On the security side, it's worth putting some additional focus on systems that might be affected if an exploit emerges before the new release drops," he advises.

There's not enough information in OpenSSL Project's announcement to say how much work will be involved in the upgrade, "but unless it requires updating certificates, the upgrade will probably be straightforward," Parkin predicts.

Also on Nov. 1, the OpenSSL project will release OpenSSL version 1.1.1s, which it described as a "bug-fix release." Version 1.1.1, which it replaces, is not susceptible to the CVE that is being fixed in 3.0, the project noted.

Tag

#cisco