Cisco Talos is monitoring reports of an actively exploited zero-day vulnerability in Confluence Data Center and Server. Confluence is a Java-based corporate Wiki employed by numerous enterprises. At this time, it is confirmed that all supported versions of Confluence are affected by this...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Cisco Talos is monitoring reports of an actively exploited zero-day vulnerability in Confluence Data Center and Server. Confluence is a Java-based corporate Wiki employed by numerous enterprises. At this time, it is confirmed that all supported versions of Confluence are affected by this vulnerability.

**Vulnerability Details**

The vulnerability, CVE-2022-26134, is reportedly associated with command injection. An attacker could exploit this vulnerability to execute remote code and, per reports, is being actively exploited in the wild. The attacks delivered several payloads, including the in-memory BEHINDER implant as well as webshells, including China Chopper. In addition to the initial attacks outlined in the report, researchers confirmed additional, continued exploitation is ongoing. There is now a Proof of Concept (PoC) available so exploitation could increase in the near term.

The vulnerability itself appears to be an OGNL injection vulnerability specifically impacting the web server and can be exploited via an HTTP request. It appears that all HTTP methods are vulnerable as well. The exploitation appears to be relatively straightforward and should be resolved immediately either through patching or other mitigations.

**Mitigations**

Atlassian has released a set of patches to mitigate the vulnerability. Enterprises are encouraged to test and apply the patch immediately to mitigate the ongoing attacks, patched versions include: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1. Additionally, they have provided a series of steps to be performed to help mitigate the risk if the patches cannot be applied for any reason.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Talos created the following Snort coverage for CVE-2022-26134:

**SIDs: 59925-59934**

Threat Advisory: Atlassian Confluence zero-day vulnerability under active exploitation

Gurucul automating threat detection, investigation and response (TDIR) with advanced analytics, comprehensive threat content, and a flexible enterprise risk engine for hybrid and multi-cloud environments.

RSAC 2022, Gartner SRM 2022, and Los Angeles, Calif. – Jun 2, 2022 – Gurucul, the leader in Next-Gen SIEM, XDR, UEBA and Identity Access Analytics, today announced availability of the Gurucul Security Analytics and Operations Platform. A cloud-native, unified and modular platform for consolidating core security operations center (SOC) solutions with the vital addition of Identity Threat Detection and Response (ITDR) provides a unified next-gen SOC platform. The Gurucul platform converges the company’s award winning Next-Gen SIEM, XDR, User and Entity Behavior Analytics (UEBA), Network Traffic Analysis (NTA), Security Operations and Automation Response (SOAR), and Identity Access Analytics (IAA) into a single pane of glass that is aligned with the evolving needs of the modern enterprise threat landscape – where identity has become the new perimeter.

Gurucul’s innovative platform is purpose-built to automate and accelerate data collection, event and alert correlation, detection triage, investigation, and response to targeted attacks. It combines threat intelligence with an enterprise-class risk engine, delivering precise contextual detections, prioritized investigation, and risk-driven response actions that drastically reduce mean-time-to-detection (MTTD) and mean-time-to-response (MTTR). Gurucul’s platform can also support the most complex deployments including on-premise, hybrid, and cloud (SaaS, private, GovCloud, and multi-cloud including multi-tenancy), addressing the needs of today’s modern enterprise and managed detection and response (MDR) providers.

With increased sophistication around phishing, social engineering, credential theft, and supply chain attacks, it is more important than ever to go beyond current solutions that are overly concerned with endpoint security and focus on securing identities attached to multiple entities and devices. Based on remote work risks, accelerated cloud migration, and state-sponsored threat actor groups, there has been an increase not only in targeted and organized attack campaigns, but also insider risks and threats.

“The combination of an expanding attack surface with limited resources and constantly changing tools and techniques drives security operations teams’ need for a comprehensive and consolidated platform approach. While the endpoint is critical, we must understand and work to secure the one constant, identity, which requires a new and innovative approach to threat detection, investigation and response programs,” said Saryu Nayar, CEO of Gurucul. “Early and rapid detection occurs with a full set of endpoint, network, application, identity, cloud, and IoT telemetry context along with advanced analytics, including behavioral-based, and an extensive set of trained machine learning models. Gurucul has spent over 10 years developing specialized analytics and threat content that comprehensively covers all these datasets to eliminate manual tasks and enables automation across every stage of the security operations lifecycle.”

As organizations are transforming their SOC to support multi-cloud deployments and zero trust programs, they are looking for an end-to-end solution to help them improve security analyst effectiveness in rapidly identifying and confirming, not just threats and alerts, but the entire attack campaign. While other SIEM or XDR solutions are just starting to scratch the surface of identity, Gurucul has been a provider of Identity Analytics solutions for over a decade with robust access analytics, broad integrations with various identity systems such as IAM, PAM, HRMS, CMDB, IDaaS etc., and risk-based access remediation and authentication. In conjunction with its UEBA capabilities, Gurucul helps customers get an understanding of current-state identity access and authorization policies, and access usage anomalies and risk exposures, to plan out a robust and secure zero trust strategy. The Gurucul platform is a critical part of any ongoing zero trust program as it will continuously monitor for anomalous user behaviors, access proliferation, and access misuse/violations, ensuring zero trust policies are not being evaded by either insider or external threat actors.

"Gurucul has detection and response capability for the entire cyber kill chain, covering a range of data telemetry across complex and distributed multi-cloud deployments as well as the enterprise," said Nilesh Dherange, CTO of Gurucul. “We’ve invested over a decade in building the most powerful suite of solutions in a single platform enabling real-time threat detection, investigation, and response for our customers with a quick ROI. The addition of identity and access based threat detection to its robust TDIR capabilities powered by advanced ML models, positions Gurucul to provide innovative solutions that address the ever-changing SOC needs.”

The Gurucul platform uniquely provides a set of core capabilities that goes beyond current Next-Gen SIEM and XDR solutions that are critical in improving security operations effectiveness, including:

*   Deployment Options – On-premise, hybrid, cloud (including SaaS, private, GovCloud, and multi-cloud).
*   Multi-Cloud Threat Detection, Investigation, and Response – Real-time data ingestion, correlation, analytics, detection, and risk driven response across multiple clouds.
*   Automated Data Pipeline – An Automated Data Interpretation Engine to ingest structured and unstructured data from any source.
*   Gurucul STUDIOTM – Advanced and fully customizable analytics that include transparent machine learning models to accommodate custom use cases.
*   Enterprise-Class Risk Engine – All-encompassing analytics-driven risk scoring to accelerate investigation with high-fidelity alerts and automated responses.
*   Threat Intel & Content – The largest library of threat models, MITRE ATT&CK coverage, and curated threat intelligence powered by Gurucul Threat Labs™.
*   Gurucul MinerTM – Contextual raw and normalized search across all data silos.
*   Risk Driven Security Control Automation – Out of the box case management, playbooks, workflows, and downstream integrations with the ability to customize.
*   Identity Threat Detection and Response – Identity-centric context across enterprise and multi-cloud environments, reduced identity and access threat plane, and automated threat detection early in the kill chain.

**Availability and Pricing**

The Gurucul platform is modular, delivering customized capabilities to match individual customer requirements. This includes full multi-tenancy, data segregation, flexible policy control and rapid scaling, especially suited for MDR providers. Customers can start with a single module and expand as needed with a simple license change, building towards a unified platform with no data replication or need to start over. Gurucul offers the following packaged software solutions including Next-Gen SIEM, Open XDR, UEBA, Identity Access Analytics that include or can be delivered with Network Traffic Analysis (NTA), Security Orchestration, Automation and Response (SOAR), and Fraud Analytics as stand-alone or add-on options. Gurucul’s Security Analytics and Operations Platform is available immediately from Gurucul and its business partners worldwide.

To learn more visit www.gurucul.com, or see a demo at the RSA Conference 2022 in San Francisco, Calif., June 6-9 at Booth #1443 or at Gartner SRM 2022 in National Harbor, MD, June 7-10 at Booth #1113.

**About Gurucul**

Gurucul is a global cyber security company that is changing the way organizations protect their most valuable assets, data and information from insider and external threats both on-premises and in the cloud. Gurucul’s real-time Cloud-native Next-gen Security Operations Platform provides customers with Open XDR, Next Generation SIEM, UEBA, and Identity Analytics. It combines machine learning behavior profiling with predictive risk-scoring algorithms to predict, prevent, and detect breaches. Gurucul technology is used by Global 1000 companies and government agencies to fight cybercrimes, IP theft, insider threat and account compromise as well as for log aggregation, compliance and risk-based security orchestration and automation for real-time extended detection and response. The company is based in Los Angeles. To learn more, visit https://gurucul.com/ and follow us on LinkedIn and Twitter.

###

Gurucul Launches Cloud-Native SOC Platform Pushing the Boundaries of Next-Gen SIEM and XDR with Identity Threat Detection and Response

RSA pivots to exclusive focus. Identity is once again the ‘beating heart’ of RSA.

BEDFORD, MA – June 1, 2022 – RSA, a global leader in identity and access management (IAM) solutions for the planet’s most security-sensitive organizations, approaches the RSA Conference in San Francisco as an organization well into a dynamic transformation, with significant announcements to make.

First among them is the company’s decision to simplify and streamline its focus and brand architecture. RSA pioneered multi-factor authentication and RSA SecurID is the most widely deployed MFA offering trusted by security-first organizations across the globe. While identity has always been central to RSA’s mission, the company has also been involved in adjacent cyber modalities. No longer: going forward those organizations focusing on integrated risk management, threat detection and response, and omnichannel fraud prevention will grow as independent companies with their own brands.

RSA’s leadership has made the decision to return to its roots and focus the RSA brand on identity. The rationale behind this shift is straightforward. RSA believes identity is the most consequential threat vector in cybersecurity and RSA is best positioned to help customers with this challenge. In addition, the RSA brand will remain affiliated with RSA Conference: the world’s preeminent conference and community for cybersecurity professionals and now an independent business.

RSA also announced the availability of an innovative new SaaS solution suite named ID Plus, a complete and flexible IAM platform offering customers the choice of cloud, on-prem and hybrid deployments. With this announcement, RSA has simplified its IAM offerings to just two brands: ID Plus and SecurID.

“We’ve accelerated a shift into being an identity-first company serving security-first customers,” said Rohit Ghai, CEO of RSA. “We’re transforming into a much more customer experience-driven organization. And we’ve leaned heavily into innovation,” continued Ghai. “We’re making tectonic-level enhancements throughout the company, and with our commitment to hyperfocus on identity we can meet our customers wherever they are on their journey to zero trust.”

RSA’s announcement will dramatically improve customer experience by greatly simplifying both the purchase and adoption of the ID Plus portfolio. The company has introduced 3 new subscription-based pricing plans with a powerful array of options that can be flexibly deployed in the cloud, on-prem or hybrid. Customers can easily adjust their deployments as their needs change. Each plan can lower a customer’s upfront costs in a meaningful way and provide customers with greater budgeting predictability. Simple and effective.

Also, at the RSA Conference, the company is introducing a truly game-changing new cloud product within the ID Plus portfolio: the DS100, a hardware authenticator specifically designed to serve RSA’s customers who have embraced a zero trust posture.

The DS100 is the first ever and only passwordless, multi-functional security solution that can dramatically enhance user experience while lowering total cost of ownership. It is the first cloud-enabled authenticator that marries the cryptographic advantages of FIDO protocols with the security benefits of a one-time password solution, a category where RSA has long been the gold standard. Unlike any other authenticator, the DS100 works plugged in or unplugged, making it the perfect, flexible authentication solution.

The DS100 is only the first of 6 or more new cloud based-solutions the company will introduce in the balance of 2022.

“Our product team is well-beyond simply ‘excited’ about the new ID Plus portfolio and the DS100,” said Jim Taylor, RSA’s Chief Product Officer and the company’s most-likely-to-geek-out-about-new-stuff person. “Everything we do is in service to the customer experience and to innovating exponentially, as RSA has done since its inception. These 2 new solutions are additional proofs of this dual emphasis.”

The company points to its new ownership as a powerful catalyst of the transformation taking place throughout RSA. In 2020, a group led by STG (Symphony Technology Group) purchased RSA. Clearlake Capital later joined the consortium to invest in the next phase of the company’s transformation.

“RSA has consistently delivered shareholder value by being a Rule of 40+ company. And the advantages inherent in RSA now being independent cannot be overstated,” said CEO Ghai. “We’re part of an organization that’s bullish about and focused on identity and cybersecurity. And we’re surrounded by a community of investors and advisors who feel the same. Truly a Virtuous Circle.”

RSA was founded by 3 pioneering MIT mathematicians who invented the RSA cryptosystem, laying the foundation for all secure data communications. Today RSA is a global leader laser-focused on identity and access management, reflecting the company’s belief that assuring digital identities throughout their lifecycle is of preeminent importance in cybersecurity. RSA focuses on serving the planet’s most security-sensitive organizations, with specialties in federal government, financial services, healthcare, energy and technology services. www.rsa.com

New Cloud Pricing and Products Proof of RSA’s Transformation

Microsoft Philanthropies is expanding its cybersecurity skills for jobs campaign to 23 countries and partnering with Women in CyberSecurity (WiCyS) to build a cybersecurity workforce that is not just larger but also more diverse.

COOKEVILLE, TENN. (PRWEB) JUNE 02, 2022

As cyberthreats continue to expand and progress worldwide, the need for qualified cybersecurity professionals is increasing with experts predicting there will be 3.5 million cybersecurity jobs open by 2025, a 350% increase over eight years. Microsoft Philanthropies is expanding its cybersecurity skills for jobs campaign to 23 countries and partnering with Women in CyberSecurity (WiCyS) to build a cybersecurity workforce that is not just larger but also more diverse.

The expansion will include: Australia, Belgium, Brazil, Canada, Colombia, Denmark, France, Germany, India, Ireland, Israel, Italy, Japan, Korea, Mexico, New Zealand, Norway, Poland, Romania, South Africa, Sweden, Switzerland, and the United Kingdom.

The countries were chosen because of an elevated cyberthreat risk, gap in the workforce and lack of diversity. One of the traditionally excluded populations Microsoft wants to provide opportunities for are women, who are significantly underrepresented. In the countries where Microsoft expanded its cybersecurity skilling campaign, only 17% of the cybersecurity workforce are female. Microsoft is working to understand the skills gap, offering free training, helping train more teachers, and providing more support to diverse and underserved job seekers, which is where WiCyS will help.

WiCyS is working to expand its student chapters in the 23 countries by promoting the retention and advancement of women in cybersecurity. WiCyS has over 5,700 members worldwide, including several in those countries Microsoft is trying to engage. WiCyS also has over 160 student chapters, largely in the U.S.

WiCyS student chapters receive funding, access to resources and conferences as well as networking opportunities for both students and faculty advisors. The group of women, men, allies, and advocates meets monthly to participate in CTFs, hackathons, engage in cyber trivia, and learn new technical skillsets. Other events include hosting resume workshops, mock interviews, career development panels, speed networking events and more.

“Thanks to this collaboration, WiCyS seeks to expand our global cyber sisterhood far and wide,” said Lynn Dohm, WiCyS executive director. “While WiCyS works to ensure equity in the gender imbalanced cybersecurity workforce, the student chapter initiative creates a community on campuses so that women are retained in their field of study, grow their network, and have a reliable gateway for future advancement opportunities.”

For more information on the Microsoft Philanthropies Global Student Chapter Initiative, visit http://www.wicys.org/initiatives/wicys-global-student-chapter-initiative-made-possible-by-microsoft-philanthropies/

**About WiCyS:**  
Women in CyberSecurity (WiCyS) is a nonprofit organization with international reach dedicated to the recruitment, retention and advancement of women in cybersecurity. Founded by Dr. Ambareen Siraj from Tennessee Tech University through a National Science Foundation grant in 2013, WiCyS offers opportunities, trainings, events, and resources for its members. Strategic partners include Tier 1: Amazon Web Services, Bloomberg, Carnegie Mellon University – Software Engineering Institute, Cisco, Fortinet, Google, Intel, Lockheed Martin, Meta, Microsoft, Optum, Sandia National Laboratories, SentinelOne. Tier 2: Abbvie, JPMorgan Chase & Co., Linkedin, McKesson, Navy Federal Credit Union, Nike, Wayfair, Workday. To partner, visit https://www.wicys.org/support/strategic-partnerships/.

Microsoft Philanthropies Collaborates With WiCyS to Help Close the Cybersecurity Skills Gap

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  
Talos...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  

Talos will have plenty of representation at both conferences, including giving lightning talks at the Cisco Secure booth, several features talks and spots, live podcast recordings, and more. To get you ready for RSA, I wanted to highlight a few special things we’re doing at the conference you should know about before you go.  

As always, you can keep posted on our latest plans and talk schedule by following us on Twitter. 

**Main booth** 

Stop by the main Talos and Cisco Secure booth at Moscone North Hall to say hi, ask questions and get the latest information on what we’re up to. 

At the booth, we’ll be premiering a new video series and giving out some of our newest stickers created in the image of our favorite malware “mascots.” Everyone will be jealous if you have one of these on your laptop. 

**Evolving Your Defense: Making Heads or Tails of Threat Actor Trends** 

Nick Biasini and Pierre Cadieux are hosting our sponsored session on June 7 at 9:40 a.m. PT. In this talk, they’ll be breaking down the latest threat actor tactics, techniques and procedures and telling you which ones you should be worried about and what can be ignored. 

**Beers with Talos/Security Stories** 

We’re hosting two live podcasts back-to-back at the Marriott Marquis: Sierra C ballroom from 2 – 5 p.m. PT on June 7. Security Stories and Beers with Talos are getting together to play a game of “Would I lie to you?”  

Talos’ vice president, Matt Watchinski, will be on hand for both episodes, along with other special guests.  

The Beers with Talos episode will cover Talos’ work in Ukraine, and we’ll hear from the audience about their hottest security takes.  

**The one big thing **

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system. 

  

> **Why do I care? **
> 
> If an attacker were to successfully exploit this vulnerability, they could execute remote code on the targeted machine. Needless to say, that’s bad. This is just the latest in a string of Microsoft vulnerabilities to make headlines over the past 12 months, including PrintNightmare and multiple Exchange Server issues. If those cases have taught us anything, it’s that attackers aren’t afraid to look for vulnerable Microsoft products to try and gain a foothold on a targeted network or machine.  
> 
> **So now what? **Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, including multiple Snort rules and a ClamAV signature.   

**Other news of note**

Costa Rica’s government was hit with another ransomware attack, this time from the Hive group. Hive took down the country’s health department’s online services earlier this week, adding to the problems Costa Rica is facing after Conti launched a ransomware attack in May. Security experts say there is evidence that Conti and Hive may be working together to extort the Costa Rican government. This is all going on as the Conti group claims it’s shutting down and splitting up into smaller groups. The Hive operators have not yet declared a ransom amount. (Bleeping Computer, Krebs on Security, CSO Online) 

The U.S. Department of Justice seized three domains associated with selling and collecting stolen and leaked personal information. Authorities said the sites, WeLeakInfo, IPStress and OVH Booster all assisted attackers in carrying out denial-of-service attacks. In 2020, the DoJ seized very similar domains, including “weleakinfo.com,” which at the time, offered users the ability to “review and obtain the personal information illegally obtained in over 10,000 data breaches.” (Recorded Future, Department of Justice) 

The FBI recently thwarted an attempted cyber attack on a Boston children’s hospital, according to the agency’s director. Chris Wray, speaking at an event in Boston, received intelligence last summer ahead of time that allowed the agency to stop what he called “one of the most despicable cyberattacks I've seen.” Wray added that the attack came from an Iranian state-sponsored actor. The same hospital faced similar attacks in 2014 and 2019, he said. (ABC News, NBC 10 Boston) 

**Can’t get enough Talos? **

*   Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications
*   Threat Roundup for May 20 - 27
*   Talos Takes Ep. #98: Maybe don't panic about that F5 BIG-IP vulnerability

  

**Upcoming events where you can find Talos ****REcon (June 3 – 5, 2022)  
Montreal, Canada ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** 4b34e3637fa7af93ab628ae5adad2c7f3464053316963297844324a4f649a206   
**MD5:** 3632f27604f5a82cf73b9ade710a1656  **Typical Filename:** mediaget\_installer\_467.exe    
**Claimed Product:** N/A    
**Detection Name:** FileRepPup:MediaGet-tpd  

**SHA 256:** a9f7d7525aad1c7007ae9d1d3fc531a1065b28225c5b7efb7347aaf77d9aba92    
**MD5:** 8f90e544a48d75f42f9d44811320689c   **Typical Filename:** tata communications wholesale retai lpak ncl ethopia napal spice srilanka bd cli bangladesh.wsf    
**Claimed Product:** N/A     
**Detection Name:** Xml.Dropper.Valyria::100.sbx.vioc  

**SHA 256:** 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5   **MD5:** 8c80dd97c37525927c1e549cb59bcbf3   **Typical Filename:** Eternalblue-2.2.0.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Exploit.Shadowbrokers::5A5226262.auto.talos

Threat Source newsletter (June 2, 2022) — An RSA Conference primer

New operational analytics and AI/ML platform drives contextual intelligence and prioritized actions to anticipate risky behaviors, disrupt threats and insure business resilience.

SAN JOSE, Calif. , June 1, 2022 /PRNewswire/ -- Netenrich, a leading security and operations analytics SaaS company, today announced that the company will showcase its new Resolution Intelligence platform® at the 2022 RSA Conference on June 6-9 at the Moscone Center in San Francisco. Netenrich will feature product demos and present platform details in the Google Cloud Security Booth #1943, South Expo Hall.

**Netenrich at RSA 2022  
**Netenrich invites security professionals and conference attendees to learn how they can optimize their security operations with analytics leveraging Google Chronicle. Managed service providers (MSSPs, MSPs, GSIs) benefit by plugging into the data analytics platform to quickly build innovative services and transform their business at service-provider scale.

Netenrich will share the latest advances in security operations, as well as the strategies and solutions security professionals need to secure their data against the most critical issues and behaviors. Visit booth #1943 during the times listed below:

*   Tuesday, June 7 from 10:00 AM – 12:00 PM PDT
*   Wednesday, June 8 from 4:00 PM – 6:00 PM PDT
*   Thursday, June 9 from 10:00 AM – 12:00 PM PDT

**Theater Presentation in booth**

*   Thursday, June 9 at 11:45 AM PDT

**Netenrich + Chronicle Happy Hour**

RSA attendees are invited to the Netenrich + Chronicle Happy Hour at the Monarch club on Wednesday, June 8, from 6 – 9 pm PDT. Come enjoy music, drinks, and live entertainment.

*   RSVP to secure your invite and bring your ID and RSA badge
*   **Monarch, 101 6th Street, San Francisco, CA 94114**

Follow Netenrich on Twitter , LinkedIn, and YouTube

SOURCE Netenrich

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Netenrich Debuts Resolution Intelligence Secure Digital Operations Platform at RSA 2022

Password management solution delivers proactive, seamless approach to protecting privacy and login credentials for consumers and businesses; Password Management market expected to reach $3 billion by 2026.

**SAN FRANCISCO, June 1, 2022** — Lookout, Inc., a leading provider of endpoint and cloud security solutions, today announced it has acquired SaferPass, an innovative Password Management company that provides secure online identity solutions for both consumers and businesses. By adding Password Management technology to its suite of security solutions, Lookout is expanding on its mission to deliver proactive protection and safeguard customer data for individuals and businesses.

Whether shopping online, banking, or connecting to corporate applications and email, usernames and passwords have become the standard form of authentication to validate a user’s identity and enable access to sensitive information. Passwords can be difficult to use and incredibly insecure, especially in cases where a user has many accounts. On average, people have more than 100 accounts with an associated password to remember. In addition, human-generated passwords are often algorithmically weak; according to the Verizon Data Breach Investigations Report, 81% of data breaches leveraged weak, stolen or reused employee passwords, and every time a password is reused, it opens the door to a potential data breach. Additionally, nearly 64% of people reuse the same passwords across their online accounts. If login credentials are compromised, the consequences can be serious – including personal identity theft or stolen corporate information.

SaferPass delivers a robust, innovative solution for identity and password management to both consumers and businesses, enabling users to securely manage their passwords, banking and other sensitive information across devices. The SaferPass solution provides an encrypted digital vault that stores secure login information used to access services through mobile apps and web browsers. In addition to keeping a user’s identity, credentials and sensitive data safe, the product helps create strong, unique passwords through a password generator tool that ensures the individual is not using the same password in multiple places and that their password has not been compromised in a previous breach.

According to Mordor Intelligence, the Password Management market on its own, was valued at over $1.2 billion in 2020 and is expected to reach over $3 billion by 2026.

“We are pleased to welcome the SaferPass team to Lookout, and excited to combine our respective solutions to deliver better value to consumers and businesses alike,” said Jim Dolce, Lookout CEO. “Today, every password owned by an employee is a potential access point to organizations both small and large. At the same time, large scale data breaches have leaked billions of consumer emails and passwords on the dark web, putting individuals at risk of identity theft and financial fraud. The SaferPass team shares our vision for providing seamless security solutions that address all access points and protect personal and corporate data wherever it may reside. This is an exciting next step in Lookout’s evolution.”

The acquisition of SaferPass broadens the Lookout portfolio of security solutions and expands the opportunity for its carrier ecosystem and channel partners – it also expands Lookout’s footprint in Central Europe through its new location in Bratislava, Slovakia. SaferPass will now operate under the Lookout brand and leadership and the SaferPass team will be fully integrated into the Lookout organization. The financial terms of this transaction have not been disclosed.

****Additional Resources****

*   To learn more about Lookout for SMBs and Consumers, visit: https://protection.lookout.com/
*   To learn more about the Lookout Security Platform, visit: https://www.lookout.com/products/platform
*   Sign up for a free trial of Lookout.

Follow the Lookout blog and join the conversation on LinkedIn and Twitter.

Lookout Acquires SaferPass To Address The Rising Threat Of Identity Theft

Vectra offers a free of charge security assessment for your cloud tenant.

SAN JOSE, Calif. , June 1, 2022 /PRNewswire/ -- Vectra AI, a leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises, today announced the launch of Vectra Protect, a posture management tool designed to discover and mitigate security risks in Microsoft 365 (M365). Vectra Protect combines 50,000+ hours of expert research and development with automation to analyze an organization's M365 security posture and provide customized implementation plans to remediate risk. To ensure all organizations, regardless of security staffing or resources, can have access to the solution, Vectra is extending a free sign-up for an Azure Active Directory scan until September 30, 2022.

With the accelerated use of M365 collaboration tools, which now have over 270 million users, cyber attackers are actively targeting access management tools like Azure AD to enter other SaaS tools and enterprise network assets. They then establish a foothold to launch ransomware attacks, steal intellectual property and gain unauthorized access to sensitive user data. With its scanning engine, Vectra Protect combines insights from the M365 Graph API with PowerShell module data to provide a truly holistic view into the integrity of every identity in an organization's M365 environment. As the only scan designed to uncover identity security issues in M365, Vectra Protect provides organizations with:

*   **Quick, actionable remediation insights:** With its multi-stage methodology, the scan provides organizations with actionable results within hours. Rather than hindering the security team with more alerts, the scan creates a comprehensive risk mitigation map that provides a path to implementation with clear guidance on risk and operational impact.
*   **Tailored cloud support:** Organizations can gain insight into the severity of vulnerabilities, material changes to their configuration state, the operational impact of the required solution, and the steps for remediation aligned to their applicable industry standards and regulatory requirements.
*   **Configuration correction and compliance:** Vectra Protect delves deep into the configuration complexities of M365, highlighting misconfigurations with clear context to guide companies to complete risk resolution and provide security teams with the proof they need to show their policies are effective and compliant.
*   **Confidence in collaboration:** By understanding areas where risks and configuration issues persist, organizations can fulfill the promises of cloud technology without creating unmanaged risk. Organizations can gain efficiencies in implementing and using SaaS tools like M365 by eliminating default settings and aligning operations, information technology, security, and audit teams on security priorities.

"Azure AD has become a large attack vector as cybercriminals look to exploit the lack of security controls and solutions currently available for the tool," said Aaron Turner, CTO of SaaS Protect at Vectra AI. "Organizations must understand that Microsoft's default security settings are not specifically tailored to their business operations or industry, which introduces waves of unnecessary risk. Combining this with the constant changes in M365, both internally and externally, leaves a host of potential vulnerabilities and configuration issues that organizations are responsible for correcting. Vectra Protect helps unravel this complexity to deliver the visibility and assurance organizations need to protect these essential business tools."

The free Vectra Protect for Azure AD scan, a value up to $50,000, will be readily available to any M365 customer operating in any M365 environment\*. The scan focuses on a common foothold for unauthorized access and risk: access management in the active directory. Turner will be showcasing the technology and enumerating how to protect the M365 tenant and hunt for threats during RSAC 2022 in San Francisco, CA. You can register for his session here.

For more details about Vectra Protect for Azure AD and to request a free scan, please visit: https://www.vectra.ai/azure-ad-scan

\*Exclusions apply.

**About Vectra AI  
**Vectra® is a leader in cyber threat detection and response for hybrid and multi-cloud enterprises. The Vectra platform uses AI to detect threats at speed across public cloud, identity, SaaS applications, and data centers. Only Vectra optimizes AI to detect attacker methods—the TTPs at the heart of all attacks—rather than simplistically alerting on "different". The resulting high-fidelity threat signal and clear context enables cybersecurity teams to respond to threats sooner and to stop attacks in progress faster. Organizations worldwide rely on Vectra for cybersecurity resilience in the face of dangerous cyber threats and to prevent ransomware, supply chain compromise, identity takeovers, and other cyberattacks from impacting their businesses. For more information, visit vectra.ai.

Help Organizations to Mitigate Risk in Microsoft 365 with 'Vectra Protect'

Rising threat of data breaches and ransomware attacks drives need for complete and accurate real-time information about devices and their risks.

ANTA CLARA, Calif., June 1, 2022 /PRNewswire/ -- Ordr has raised an additional $40 million to meet the growing need for organizations to understand, manage, and secure the growing number of connected devices in their environment, including Internet of Medical Things (IoMT), Internet of Things (IoT), and Operation Technology (OT). The funding round was co-led by Battery Ventures and Ten Eleven Ventures, with participation from new investor Northgate Capital and continuing investors Wing Venture Capital, Unusual Ventures, Kaiser Permanente Ventures, and Mayo Clinic. Other investors in Ordr's Series C include Silicon Valley entrepreneurs René Bonvanie, former CMO of Palo Alto Networks, Dan Warmenhoven, former Chairman and CEO of NetApp, and Dominic Orr, former Chairman and CEO of Aruba Networks. With this funding, Ordr has raised more than $90 million to date.

Ordr addresses two key enterprise initiatives associated with a growing reliance on and adoption of connected devices: **digital transformation** and **Zero Trust**. Each new device connection increases an organization's attack surface, along with the potential for a breach or ransomware attack. In industries such as healthcare and manufacturing, a cyberattack impacting an IoT device can easily disrupt the entire business or become a life-threatening situation. For organizations to move quickly from "detection" to "response" requires insights into the compromised device, where it's located, and what policies can be applied.

Ordr has raised an additional $40 million in Series C funding.

Ordr offers complete and accurate asset visibility, automates and enforces Zero Trust policies, and accelerates incident response by hours with insights into devices and risks. As a result, Ordr experienced more than **140% year-over-year growth** in new customer revenue in its most recent quarter ending on March 31, 2022, is **deployed in 3 of the world's top 6 hospitals**, and has been adopted across more than **150 manufacturing sites**.

"Ordr has built a platform that not only solves an important market issue - the need to definitively understand and protect what is connecting to your organization's network - but is truly scalable to keep pace with the speed of today's businesses. We've worked with Ordr's team and seen firsthand how well they've executed against aggressive goals. This additional funding will accelerate Ordr's market leadership and success in the market," said Dharmesh Thakker, general partner at Battery Ventures.

"We believe the connected device security market needs a strong, open, and independent player that prioritizes customer success, focuses on time-to-value, and integrates with all the key components of a customer's security and network infrastructure. This funding validates our best-in-class approach and solidifies our leadership in the market," said Greg Murphy, Ordr CEO.

Ordr plans to use the Series C funding to accelerate its sales and marketing efforts, especially in vertical markets such as **healthcare**, where the company has been named a market leader in the Healthcare IoT security industry by analyst firm KLAS Research for three consecutive years. The company will also look to further capitalize on steadily increasing demand from **manufacturing and financial services**, expand its channel and partnership programs, and accelerate investments in customer success.

"In order to advance their digital transformation goals, every organization needs to enable the visibility and security of connected devices, including IoT, IoMT, and OT. Ordr is a much-needed innovator in the market, with the ability to not only deliver granular visibility into devices, risks, and behaviors, but also automate and enforce Zero Trust policies to secure these devices from attacks," said Justin Stebbins, partner, Northgate Capital.

"As an early investor in the company, I have witnessed Ordr's impressive product evolution and growing traction within critical sectors, including healthcare, manufacturing, education, and extended enterprise IoT. They have developed one of the most scalable and technically robust platforms in the market, and some of the world's leading organizations depend on it to fulfill important security needs and deliver business insights. The time is right to accelerate the company's mission to be the leader in connected device security. We believe in their success and look forward to the next chapter." said Alex Doll, Founder and Managing Partner of Ten Eleven Ventures.

Since its last round of funding, Ordr has experienced tremendous growth, coinciding with an increased understanding of the organizational risk represented by unknown connected devices. Some additional highlights since the last funding round include:

*   Named a KLAS Research Healthcare IoT Security Market Leader for an unprecedented three years in a row.
*   Named a Representative Vendor in the 2022 Gartner Market Guide for Medical Device Security Solutions for the second year in a row.
*   Continued product innovation and market leadership in the healthcare industry with the launch of Clinical Defender, streamlining management of connected medical devices.
*   Enhanced the company's integrations with Cisco, making it even easier for Cisco customers to roll out Ordr across their network environments.
*   Launched the Ransom-Aware Rapid Assessment to help companies quickly and accurately assess their ransomware risks.
*   Successfully achieved SOC2 compliance to keep customer data secure.

"Data privacy and security are imperative IT initiatives within the healthcare industry with connected device security in particular as a critical need given the increase in connected devices in health care facilities. Kaiser Permanente Ventures is pleased to continue its investment in Ordr as a key technology leader in this space, to help protect connected devices automatically, preemptively and at scale across the enterprise," said Chris Stenzel, executive managing director, Kaiser Permanente Ventures.

Continuing the momentum of the past year, Ordr today also strengthened its executive team with the addition of Paul Davis as the company's new vice president of customer success. Paul has decades of experience in customer-facing roles at Axis Security, Splunk, Cisco, and other leading organizations. At Ordr, he will be responsible for managing customer relationships and ensuring the successful implementation and use of Ordr technology.

**About Ordr**

Ordr makes it easy to secure every connected device, from traditional IT devices to newer and more vulnerable IoT, IoMT, and OT. Ordr Systems Control Engine uses deep packet inspection and advanced machine learning to discover every device, profile its risk and behavior, map all communications and protect it with automated policies. Organizations worldwide trust Ordr to provide real-time asset inventory, address risk and compliance and accelerate IT initiatives. Ordr is backed by top investors including Battery Ventures, Wing Venture Capital, Ten Eleven Ventures, Northgate Capital, Kaiser Permanente Ventures, and Unusual Ventures.

For more information, visit www.ordr.net and follow Ordr on Twitter and LinkedIn.

SOURCE Ordr

Ordr Secures $40 Million in Series C Funding to Answer Increased Demand for Connected Device Security

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system.

Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, the full details of which are available below.

The most direct workaround is to disable the MSDT URL protocol by launching the command prompt as administrator and running the following commands:

*   To back up the existing registry values, run "reg export HKEY\_CLASSES\_ROOT\\ms-msdt filename" where filename is the name of the backup you will be creating.
*   To implement the workaround, run "reg delete HKEY\_CLASSES\_ROOT\\ms-msdt /f"
*   To undo the work around, run "reg import filename" where filename is the name assigned in the steps above.

**Ongoing exploitation**

Cisco Talos is aware of ongoing exploitation in the wild, so users are encouraged to test and implement the workaround as quickly as possible to mitigate risk.

An example of a maldoc exploiting this vulnerability consists of configuring the external references of the maldoc to point to the exploit payload, which, in this case, is written inHTML.

The HTML hosted on the remote location contains the actual exploit.

Using the ms-msdt schema and troubleshooting package "PCWDiagnostic," the attacker can launch arbitrary code on the infected endpoint.

  
**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following ClamAV signatures are available to detect malware related to this threat:

**Win.Exploit.CVE\_2022\_30190-9951234-1**

**IOCs****Hashes**

4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784  
8e986c906d0c6213f80d0224833913fa14bc4c15c047766a62f6329bfc0639bd  
fe300467c2714f4962d814a34f8ee631a51e8255b9c07106d44c6a1f1eda7a45  
710370f6142d945e142890eb427a368bfc6c5fe13a963f952fb884c38ef06bfa  
d61d70a4d4c417560652542e54486beb37edce014e34a94b8fd0020796ff1ef7

**Malicious URLs**

hxxps\[://\]www\[.\]xmlformats\[.\]com/office/word/2022/wordprocessingDrawing/RDF842l\[.\]html  
hxxps\[://\]www\[.\]sputnikradio\[.\]net/radio/news/3134\[.\]html  
hxxps\[://\]exchange\[.\]oufca\[.\]com\[.\]au/owa/auth/15\[.\]1\[.\]2375/themes/p3azx\[.\]html

Tag

#cisco