CISA and FBI warn the RaaS provider's affiliates are striking critical industries, with more attacks expected to come from additional ransomware groups in the months ahead.

US authorities issued a warning this week about potential cyberattacks against critical infrastructure from ransomware-as-a-service (RaaS) operation AvosLocker.

In a joint security advisory, the Cybersecurity Infrastructure and Security Agency (CISA) and FBI warned that AvosLocker has targeted multiple critical industries across the US as recently as May, using a wide variety of tactics, techniques, and procedures (TTPs), including double extortion and the use of trusted native and open source software.

The AvosLocker advisory was issued against a backdrop of increasing ransomware attacks across multiple sectors. In a report published Oct. 13, cyber-insurance company Corvus found a nearly 80% increase in ransomware attacks over last year, as well as a more than 5% increase in activity month-over-month in September.

**What You Need to Know About AvosLocker Ransomware Group**

AvosLocker does not discriminate between operating systems. It has thus far compromised Windows, Linux, and VMWare ESXi environments in targeted organizations.

It's perhaps most notable for how many legitimate and open source tools it uses to compromise victims. These include RMMs like AnyDesk for remote access, Chisel for network tunneling, Cobalt Strike for command-and-control (C2), Mimikatz for stealing credentials, and the file archiver 7zip, among many more.

The group also likes to use living-off-the-land (LotL) tactics, making use of native Windows tools and functions such as Notepad++, PsExec, and Nltest for performing actions on remote hosts.

The FBI has also observed AvosLocker affiliates using custom Web shells to enable network access, and running PowerShell and bash scripts for lateral movement, privilege escalation, and disabling antivirus software. And just a few weeks ago, the agency warned that hackers have been double-dipping: using AvosLocker and other ransomware strains in tandem to stupefy their victims.

Post-compromise, AvosLocker both locks up and exfiltrates files in order to enable follow-on extortion, should its victim be less than cooperative.

"It's all kind of the same, to be honest, as what we've been seeing for the past year or so," Ryan Bell, threat intelligence manager at Corvus, says of AvosLocker and other RaaS groups' TTPs. "But they're becoming more deadly efficient. Through time they're getting better, quicker, faster."

**What Companies Can Do to Protect Against Ransomware**

To protect against AvosLocker and its ilk, CISA provided a long list of ways critical infrastructure providers can protect themselves, including implementing standard cybersecurity best practices — like network segmentation, multifactor authentication, and recovery plans. CISA added more specific restrictions, such as limiting or disabling remote desktop services, file and printer sharing services, and command-line and scripting activities and permissions.

Organizations would be smart to take action now, as ransomware groups will only grow more prolific in the months to come.

"Typically, ransomware groups take a little bit of a summer vacation. We forget that they are people, too," Bell says, citing lower-than-average ransomware numbers in recent months. September's 5.12% bump in ransomware cyberattacks, he says, is the canary in the coal mine.

"They will increase attacks through the fourth quarter. That's usually the highest we see throughout the year, as in both 2022 and 2021, and we're seeing that holds true even now," he warns. "Things are definitely climbing up all across the board."

Feds: Beware AvosLocker Ransomware Attacks on Critical Infrastructure

The Cyber Resilience Act's requirement to disclose vulnerabilities within 24 hours could expose organizations to attacks — or government surveillance.

The European Union (EU) may soon require software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of an exploitation. But many IT security professionals want this new rule, set out in Article 11 of the EU's Cyber Resilience Act (CRA), to be reconsidered.

The rule requires vendors to disclose that they know about a vulnerability actively being exploited within one day of learning about it, regardless of patch status. Some security professionals see the potential of governments abusing the vulnerability disclosure requirements for intelligence or surveillance purposes.

In an open letter signed by 50 prominent cybersecurity professionals across industry and academia, among them representatives from Arm, Google, and Trend Micro, the signatories argue that the 24-hour window is not enough time — and would also open doors to adversaries jumping on the vulnerabilities without allowing organizations enough time to fix the issues.

"While we appreciate the CRA's aim to enhance cybersecurity in Europe and beyond, we believe that the current provisions on vulnerability disclosure are counterproductive and will create new threats that undermine the security of digital products and the individuals who use them," the letter states.

Gopi Ramamoorthy, senior director of security and GRC at Symmetry Systems, says there is no disagreement about the urgency of patching the vulnerabilities. The concerns center on publicizing the vulnerabilities before updates are available, which leaves organizations at risk of attack and unable to do anything to prevent it.

"Publishing the vulnerability information before patching has raised concerns that it may enable further exploitation of the unpatched systems or devices and put private companies, and citizens, at further risk," Ramamoorthy says.

**Prioritize Patching Over Surveillance**

Callie Guenther, senior manager of cyber threat research at Critical Start, says the intent behind the CTA is commendable, but it's vital to consider the broader implications and potential unintended consequences of governments having access to vulnerability information before updates are available.

"Governments have a legitimate interest in ensuring national security," she says. "However, using vulnerabilities for intelligence or offensive capabilities can leave citizens and infrastructure exposed to threats."

A balance must be struck wherein governments prioritize patching and protecting systems over exploiting vulnerabilities, Guenther says, proposing some alternative approaches for vulnerability disclosure, starting with tiered disclosure.

"Depending on the severity and impact of a vulnerability, varying time frames for disclosure can be set," she says. "Critical vulnerabilities may have a shorter window, while less severe issues could be given more time."

A second alternative Guenther describes concerns preliminary notification, where vendors can be given a preliminary notification with a brief grace period before the detailed vulnerability is disclosed to a wider audience.

A third way focuses on coordinated vulnerability disclosure, which encourages a system where researchers, vendors, and governments work together to assess, patch, and disclose vulnerabilities responsibly.

Any rule must include explicit clauses to prohibit the misuse of disclosed vulnerabilities for surveillance or offensive purposes, she adds.

"Additionally, only select personnel with adequate clearance and training should have access to the database, reducing the risk of leaks or misuse," Guenther says. "Even with explicit clauses and restrictions, there are numerous challenges and risks that can arise."

**When, How, and How Much to Disclose**

Responsible disclosure of vulnerabilities is a process that has, traditionally, included a thoughtful approach that enabled organizations and security researchers to understand the risks and develop patches before exposing the vulnerability to potential threat actors, notes John A. Smith, CEO at Conversant Group.

"While the CRA may not require deep details about the vulnerability, the fact that one is now known to be present is enough to get threat actors probing, testing, and working to find an active exploit," he cautions.

From Smith's perspective, the vulnerability should also not be reported to any individual government or the EU; that requirement will reduce consumer confidence and damage commerce due to nation-state spying risks.

"Disclosure is important — absolutely. But we must weigh the pros and cons of when, how, and how much detail is provided during research and discovery to mitigate risk," he says.

An alternative to this "arguably knee-jerk approach," Smith says, is to require software companies to acknowledge reported vulnerabilities within a specified but expedited time frame, and then require them to report back on progress to the discovering entity regularly, ultimately providing a public fix within a maximum of 90 days.

Guidelines on how to receive and disclose vulnerability information, as well as techniques and policy considerations for reporting, are already outlined in ISO/IEC 29147.

**Impacts Beyond EU**

The US has an opportunity to observe, learn, and subsequently develop well-informed cybersecurity policies, as well as proactively prepare for any potential ramifications if Europe moves forward too quickly, Guenther adds.

"For US companies, this development is of paramount importance," she says. "Many American corporations operate on a global scale, and regulatory shifts in the EU could influence their global operations."

The ripple effect of the EU's regulatory decisions, as evidenced by the General Data Protection Regulation's influence on the California Consumer Privacy Act and other US privacy laws, suggests that European decisions could presage similar regulatory considerations in the US, she points out.

"Any vulnerability disclosed in haste due to EU regulations doesn't confine its risks to Europe," Guenther cautions. "US systems employing the same software would also be exposed."

Security Pros Warn That EU's Vulnerability Disclosure Rule Is Risky

Mandiant's John Hultquist says to expect anti-Israel influence and espionage campaigns to ramp up as the war grinds on.

Researchers are on the lookout for state-sponsored information operations springing from the Israel-Hamas conflict, but so far, no major initiatives have cropped up. Yet that could quickly change as more hacktivists and espionage actors enter the fray.

On a press call held this week, John Hultquist, chief analyst for Mandiant Intelligence at Google Cloud, said that so far, no "coordinated cyber activity" has been identified, but attacks are expected to increase over time as the situation continues. He called out distributed denial-of-service (DDoS) activity as a possible precursor to other types of political activity, naming Anonymous Sudan in particular as being active.

And meanwhile, he noted, expect disruptive threats begin to ramp up — or at least claims of critical infrastructure hacks.

**The Beginning of Influence Operations**

Information operations have twin definitions: They can refer to the collection of tactical information about an adversary, and/or the spread of propaganda in pursuit of a competitive advantage over an opponent.

On the latter front, Hultquist said two notable information operations campaigns have been identified so far. The first is related to Iran, which he said is "promoting narratives related to the crisis." In particular, this has involved Iranian posing as Egyptians to stir up historical hostilities in influence campaigns. In previous influence instances, groups have leveraged networks of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests, including anti-Israeli and pro-Palestinian themes.

The messages claim that Israel was humiliated by a small force, and that this exposed the weakness of one of the most advanced military superpowers, and that Israeli soldiers are now afraid of Hamas. Hultquist said these claims have not been validated, and merit "extreme skepticism."

Another information operation campaign being monitored is related to the Dragon Bridge campaign, which was identified last year as supporting the political interests of China. Hultquist said that it was seeing activity from multiple accounts associated with the Dragon Bridge campaign and that this is consistent with how the group follows news cycles and ongoing crises to portray the United States and its allies in a negative light.

In this instance, the accounts are amplifying the stance that the initial attack on Oct. 7 was a failing by the Israeli government, which didn't seem to be aware of the incoming attacks.

Hultquist said: "The silver lining is we haven't had any indication that it's getting major pickup or authentic traction, which is consistent with previous Dragon Bridge campaigns. It's one thing to broadcast these messages and create this content. It's quite another to actually penetrate the consciousness of everyday citizens."

**Beyond Influence Campaigns: Next Phase of Attacks**

Hultquist said that going forward, more espionage activity is expected, especially from actors related to Iran and Lebanon-based Hezbollah. He also said that he expects to see activity designed to look like financially motivated cybercrime, including extortion-based ransomware deployments where no money is collected, just a threat is made around data exfiltration and leaking.

"We have definitely seen Iranian actors do exactly that in Israel, and that's something that we're sort of anticipating," he said.

Meanwhile, threats and posturing against critical infrastructure will ramp up. Just this week, threat groups declared their intention to launch disruptive attacks against Israel, Palestine, and their supporters, while Anonymous Sudan claimed it attacked the Jerusalem Post. However, Hultquist did call out the amount of "dubious information" about the severity of such attacks, and noted that many claims to successfully hit major targets are just another form of influence activity.

"We're seeing threat actors take advantage of a tremendously confusing environment by lying about what they can do and what they've accomplished, or 'almost' accomplished because they recognize that these things are hard to validate by experts," he said. “By making these dubious claims that linger in the open without being validated or invalidated, they can still have the intended effect. We anticipate we'll see a lot of that in the coming days, and it could potentially have adverse psychological effects."

Gaza Conflict Paves Way for Pro-Hamas Information Operations

The writers' strike shows that balancing artificial intelligence and human ingenuity is the best possible outcome for creative as well as cybersecurity professionals.

In the wake of the Writers Guild of America's (WGA) momentous five-month strike, one thing is abundantly clear: The creative industry stands at a crossroads where technology and human creativity must learn to coexist harmoniously. The strike, one of Hollywood's longest labor disputes, has finally drawn to a close, and its implications extend far beyond the glitzy confines of Tinseltown. At its core, this dispute revolved around the role of artificial intelligence (AI) in creative processes, a topic that demands thoughtful consideration as we navigate the uncharted territory of AI's vast potential in many sectors, including cybersecurity.

The crux of the matter lay in writers' concerns that studios could leverage AI to diminish writers' role in the creative process, and thus, their earnings and artistic recognition. The approved agreement, which bans the independent or exclusive use of AI for writing, rewriting, or crafting source material for scripts, marks a significant victory for writers' rights. It ensures that writers will be duly credited for their creative contributions, irrespective of whether they choose to leverage AI for the creative process. This provision sets a vital precedent for industries worldwide, reinforcing the principle that AI should be a tool that enhances, rather than replaces, human creativity.

**Putting AI's Power to Work, From Art to Cybersecurity**

It is important to acknowledge the undeniable power of AI across a wide variety of domains, especially as it relates to its unparalleled ability to automate routine tasks and increase efficiency. While the WGA and Screen Actors Guild — American Federation of Television and Radio Artists (SAG-AFTRA) strikes are among the first formal, organized forms of backlash against AI's potential for disruption, the possibility for rapid and transformational change is by no means limited to Hollywood.

Take, for instance, the realm of cybersecurity — and more specifically, phishing detection and remediation — where AI algorithms are already being used to swiftly and effectively identify malicious activities and intercept potential threats. These AI-driven systems analyze vast datasets and identify patterns that are often too complex for human operators to process alone. Armed with this information, the AI-driven systems are then able to reliably and efficiently prevent attacks that may otherwise have slipped through traditional defenses unnoticed.

This technology has undoubtedly elevated our ability to combat cyber threats efficiently. However, just as the WGA argued in its collective bargaining efforts, we must also acknowledge AI's inherent limitations. While AI can excel in pattern recognition and automation of repetitive tasks, it lacks the nuanced understanding, intuition, and emotional intelligence that human beings possess. AI's greatest value in the fight against cybercrime will be its ability to automate away routine tasks, making existing security professionals more efficient, and assist humans in the fight against cybercrime. It will also help make those who aren't security professionals become assets, rather than liabilities.

However, it lacks the higher-level executive capabilities required to judge things like context, intent, and significance. And, as a result, AI tools can be prone to false positives and negatives, which can have serious consequences, particularly in fields where human lives, creativity, or reputation are at stake. This is precisely why human backup is essential whenever AI is in use.

**Striking a Balance Between AI and Human Ingenuity**

The Hollywood writers' strike exemplifies the delicate balance that must be struck between AI and human creativity. The new contract wisely allows writers to use AI tools, provided they are agreeable and informed, without forcing them into AI's embrace. It mandates transparency, ensuring that writers are aware when AI-generated materials are used in their projects. This approach respects the capabilities of AI while safeguarding the irreplaceable essence of human creativity and judgment.

In essence, AI should be viewed as a powerful ally, augmenting our abilities and amplifying our potential. But it should never be allowed to undermine the spirit of human creativity and the irreplaceable role it plays in our cultural, artistic, and business landscapes. The Hollywood Writers Guild has set an important precedent that other unions and industries should heed, securing the rights of workers and preventing them from being supplanted by AI.

The future undoubtedly belongs, in part, to AI, but it also belongs to those who recognize the irreplaceable value of human ingenuity. The most powerful stories, the most profound works of art, and the most impactful technological innovations will always emerge from the singular minds of human beings. While AI represents a very powerful, very exciting addition to humanity's ever-expanding arsenal of creative enablers, it should never be confused for a replacement for the primary source, human ingenuity. With this understanding, we can create a brighter future for all.

Artificial intelligence has the awesome potential for augmenting human creativity and decision making, but never replacing it. Its greatest potential lies in empowering humanity and democratizing our ability to express ourselves in new and unimagined ways. The sooner we, as a society, embrace this role for AI, the sooner we can get over our fears and begin reaping the immense opportunities it has to offer.

What the Hollywood Writers Strike Resolution Means for Cybersecurity

WordPress Core versions prior to 6.3.2 suffer from arbitrary shortcode execution, cross site scripting, denial of service, and information leakage vulnerabilities. Versions prior to 6.3.2 are vulnerable.

The newest WordPress patch includes fixes for 8 Medium-Severity security issues, several of which are trivial to exploit.

WordPress Core 6.3.2 was released today, on October 12, 2023. It includes a number of security fixes and additional hardening against commonly exploited vulnerabilities. While all of the vulnerabilities are of Medium severity, several of them are impactful enough to potentially allow site takeover, and thus the 6.3.2 update has the most significant security fixes we’ve seen in a while.

Many of these patches have been backported to every version of WordPress since 4.1, with just a few being backported to the major version in which the functionality was released. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 4.1, so you can update without risking compatibility issues.

The Wordfence Threat Intelligence Team released two new firewall rules today to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers against the most impactful vulnerabilities patched, and these rules will be available to free Wordfence users in 30 days, on November 11th, 2023.

If your site has not been updated automatically we strongly recommend updating manually as soon as possible, as one of the vulnerabilities patched in this release can be used by an attacker with a low-privileged contributor-level account to take over a site.

Technical Analysis and Overview

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.

No More ShortCode Abuse

Description: WordPress Core <= 6.3.1 – Authenticated (Subscriber+) Arbitrary Shortcode Execution

Affected Versions: WordPress Core < 6.3.2

Researcher: James Golovich & WhiteCyberSec 

CVE ID: Pending

CVSS Score: 5.4(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to arbitrary shortcode execution in versions up to, and including, 6.3.1 due to a lack of input validation on the ‘shortcode’ parameter in the parse_media_shortcode AJAX function. This allows authenticated attackers, with subscriber-level privileges and above, to execute arbitrary shortcodes.

While this patch does not address a specific vulnerability, it blocks a common vector that enables attackers to exploit vulnerabilities that use shortcodes. Before WordPress 6.3.2, any authenticated user, including subscribers could execute any shortcode by calling the built-in ‘parse-media-shortcode’ AJAX handler.

The changeset in WordPress 6.3.2 restricts this AJAX handler to media shortcodes, and requires the ’embed’ shortcode to be associated with an active post ID that the user can access.

This means that a large range of SQL Injection, Sensitive Information Disclosure, and Remote Code Execution vulnerabilities that required only an active user login can now only be exploited by Contributor-level users or above.

You can find several of the shortcode-based vulnerabilities we reference by searching the Wordfence Intelligence vulnerability database.

Previously our team could not add a firewall rule to prevent the execution of arbitrary shortcodes due to the varying use cases. Fortunately, with this patch and change, the expected behavior of the parse-media-shortcode action has been restricted by WordPress Core, so we were able to create a generic firewall rule that will prevent arbitrary execution of shortcodes that are not in the allowlist from the function. Wordfence Premium, Care, and Response customers received this rule today, while those still on the free version of Wordfence will receive this rule after a 30 day delay on November 11th, 2023.

Reflected Cross-Site Scripting via Application Passwords

Description: WordPress Core 5.6-6.3.1 – Reflected Cross-Site Scripting via Application Password Requests

Affected Versions: WordPress Core < 6.3.2

Researcher: mascara7784 

CVE ID: Pending

CVSS Score: 6.1(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Reflected Cross-Site Scripting via the ‘success_url’ and ‘reject_url’ parameters when requesting application passwords in versions between 5.6 and 6.3.1 due to insufficient input sanitization and output escaping of pseudo protocol URIs. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link and accepting or rejecting the application password.

WordPress allows applications to request application passwords to be generated for them. WordPress before 6.3.2 fails to validate the redirect URIs used when a password is authorized or rejected, which means that an attacker could generate a URL for an application password request containing data: and javascript: pseduo protocol redirects. If the victim visits this URL on their site and approves or rejects the application password request, they could be redirected to a URI that executes JavaScript on their browser. WordPress 6.3.2 contains a patch for this issue.

As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors.

All Wordfence users, including Wordfence free, Wordfence Premium, Wordfence Care, and Wordfence Response users are protected against this vulnerability by the Wordfence Firewall’s Built-in Cross-Site Scripting protection. Additionally, Wordfence disables application passwords by default.

Comment Visibility

Description: WordPress Core <= 6.3.1 – Authenticated(Contributor+) Sensitive Information Exposure via Comments on Protected Posts

Affected Versions: WordPress Core < 6.3.2

Researcher: JB Audras(WordPress Security Team) & Rafie Muhammad(Patchstack) 

CVE ID: Pending

CVSS Score: 4.3(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.3.1 via the comments listing. This allows authenticated users, with contributor-level privileges or above, to view comments on protected posts.

Prior to WordPress 6.3.2, it was possible for users to view comments on posts even when they did not have access to those posts. While this is in most cases a relatively low-impact issue, WordPress 6.3.2 contains a patch protecting the privacy of comments on private or protected posts.

Removing POP Chains

While WordPress Core has not had a known Object Injection vulnerability for some time, Object Injection vulnerabilities in various plugins and themes are regularly discovered by researchers, including Wordfence’s own in-house Threat Intelligence team.

All Object Injection vulnerabilities require POP chains in order to be successful. Prior to WordPress 6.3.2, potential POP chains were present in the WP_Theme, WP_Block_Type_Registry, WP_Block_Patterns_Registry, Requests/Session, Request/Iri, and Requests/Hooks classes. While we were unable to develop a functioning exploit for these in the time available, the patches involved indicate that they are designed to prevent unexpected Object Unserialization that could lead to Remote Code Execution. Credit to Marc Montpas of Automattic for discovering the vulnerable POP chains.

The Wordfence Threat Intelligence Team will continue reverse engineering this patch to determine if a firewall rule will be necessary, but at this time it has not received an official vulnerability entry because it is not technically a vulnerability on its own.

No More Searching By Email

Description: WordPress Core 4.7.0-6.3.1 – Sensitive Information Exposure via User Search REST Endpoint

Affected Versions: WordPress Core < 6.3.2

Researcher: Marc Montpas(Automattic) 

CVE ID: Pending

CVSS Score: 5.3(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the ‘list_users’ capability, the search is applied to the user_email column. This can allow unauthenticated attackers to brute force or verify the email addresses of users with published posts or pages on the site.

While WordPress prior to 6.3.2 did not directly display user email addresses to users without the “list_users” capability, it still searched the user email column in wp_users. This meant that it was possible to brute-force search or verify the email address of any user with a published post or page by including the partial email address in the search parameter, potentially impacting user privacy. The patch for this limits the search columns for users without the “list_users” capability to only the columns displayed.

Cache Poisoning Denial of Service

Description: WordPress Core 4.7.0-6.3.1 – Denial of Service via Cache Poisoning

Affected Versions: WordPress Core < 6.3.2

Researcher: s5s & raouf_maklouf 

CVE ID: Pending

CVSS Score: 5.3(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Denial of Service via Cache Poisoning in versions between 4.7.0 and 6.3.1. In cases where the X-HTTP-Method-Override header was sent in a request to a REST endpoint and the endpoint returned a 4xx error, the error could be cached, resulting in denial of service.

Responses to REST API requests are not cached for logged-in users, but WordPress Core before 6.3.2 had an edge case where, in heavily cached configurations, an unauthenticated attacker could send a request to the REST API using the X-HTTP-Method-Override header to a public endpoint and receive a 4xx error, either because the endpoint restricts access to those methods or does not support them at all. In cases where the error is cached, any other unauthenticated visitors attempting to retrieve data from that endpoint would see the cached 4xx error.

Contributor+ Stored Cross-Site Scripting in Footnotes

Description: WordPress Core 6.3-6.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Footnotes Block

Affected Versions: WordPress Core < 6.3.2

Researcher: Jorge Costa(WordPress Core Team) 

CVE ID: Pending

CVSS Score: 6.4(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Stored Cross-Site Scripting via the footnotes block in versions between 6.3 and 6.3.1 due to insufficient input sanitization and output escaping on the footnotes block. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress prior to 6.3.2 did not adequately sanitize the content of footnote blocks, allowing authenticated users, with Contributor-level privileges or above, to insert JavaScript that would execute when a page containing the footnotes was visited. While input is partially escaped on the client-side, it is possible to intercept a request and add unescaped script tags to the footnote metadata. WordPress has released a patch for this vulnerability in 6.3.2.

As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors.

We have released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response users against this vulnerability, and free Wordfence users will receive the same protection in 30 days, on November 11th, 2023.

Contributor+ Stored Cross-Site Scripting in Navigation Links

Description: WordPress Core 5.9-6.3.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via navigation attributes

Affected Versions: WordPress Core 5.9-6.3.1

Researcher: Rafie Muhammad & Edouard L of Patchstack 

CVE ID: Pending

CVSS Score: 6.4(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Stored Cross-Site Scripting via the arrow navigation block attributes in versions between 5.9 and 6.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level privileges and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress Core’s Block Editor includes a navigation block that includes arrows or chevrons to display previous and next posts. WordPress before 6.3.2 failed to adequately check or sanitize the attribute defining whether to use an arrow or a chevron. As a result, any user with access to the post editor could insert malicious JavaScript into the arrow navigation element, which would be executed whenever a visitor accessed that page.

As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors. We were unable to successfully exploit this vulnerability at the time of publication, but will update this post if we are able to achieve a proof of concept, along with a firewall rule if needed to protect our users.

Conclusion

WordPress 6.3.2 includes patches for 5 Medium-Severity vulnerabilities as well as hardening against separate Object Injection vulnerabilities found in third-party plugins and themes. Several of these vulnerabilities are trivial to exploit and we recommend updating immediately if your site has not yet automatically done so.

We have released firewall rules to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers against the most impactful vulnerabilities and these rules will be available to free Wordfence users in 30 days, on November 11th, 2023.

If you know someone who uses WordPress and isn’t keeping it automatically updated, we recommend sharing this advisory with them to ensure their site remains secure, as several of these vulnerabilities pose a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Special thanks to the security researchers who responsibly disclosed these vulnerabilities, as well as to Threat Intelligence Lead Chloe Chamberland for her assistance with this article and for writing the firewall rules to protect Wordfence customers.

WordPress Core 6.3.1 XSS / DoS / Arbitrary Shortcode Execution

The Embed Calendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'calendly' shortcode in versions up to, and including, 3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-4995: Embed Calendly <= 3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode — Wordfence Intelligence

Ransomware attacks have only increased in sophistication and capabilities over the past year. From new evasion and anti-analysis techniques to stealthier variants coded in new languages, ransomware groups have adapted their tactics to bypass common defense strategies effectively. 
This article will cover just some of those new developments in Q3-2023 as well as give predictions on quarters to

Ransomware attacks have only increased in sophistication and capabilities over the past year. From new evasion and anti-analysis techniques to stealthier variants coded in new languages, ransomware groups have adapted their tactics to bypass common defense strategies effectively.

This article will cover just some of those new developments in Q3-2023 as well as give predictions on quarters to come. The overall aim is to establish a recap of the major targets (both sectoral and nation and region-wise), new techniques employed with an emphasis on major incidents, new developments of concern to potential targets, as well as the shape of things to come in the future of Ransomware development.

**The increased weaponization of Vulnerabilities to deliver Ransomware:**

Cyble has observed increased instances of vulnerabilities being used as a vector to deliver ransomware and other malware in recent months, with a particular emphasis on Networking devices. This marks a shift from the previously observed focus on weaponizing Managed File Transfer (MFT) software and applications.

This was observed in the impact it had high-impact vulnerabilities that led to the compromise of industry titans, as was observed in the case of the MOVEit vulnerability and the supply chain attack Barracuda Networks. All indications for Q3 and the months show that ransomware operators will continue to weaponize vulnerabilities and exploit zero-days to deliver ransomware payloads to compromise their targets.

While zero days are, by definition, unknown till they are exploited, organizations can take steps to ensure their vulnerability to an exploitable zero-day is minimized. Organizations also need to ensure that the software and products they use are up to date and implement cyber-awareness strategies to ensure that potentially exploitable vulnerabilities are identified and secured against on a priority basis.

While this is a significant finding to keep an eye on, **Cyble Research & Intelligence Labs (CRIL)** discovered several other trends in the ransomware space that are worth keeping an eye on:

**1\. Sectoral focus shift – Healthcare industry in the crosshairs**

While the first half of the year saw an increase in ransomware attacks on the Manufacturing sector, recent trends point to a shift in focus towards the Healthcare sector. This has pushed Healthcare into the top 5 most targeted sectors by Ransomware groups, accounting for nearly a quarter of all ransomware attacks. These attacks have a specific motive – to gather Protected Health Information (PHI) and other sensitive data that healthcare providers and institutions have access to and sell this data on the darkweb.

The Healthcare sector is particularly vulnerable to ransomware attacks as it has an extremely large attack surface spanning several websites, portals, billions of IoT medical devices, and a large network of supply chain partners and vendors. A standardized cybersecurity plan for this sector is thus imperative to keep this critical data secured and ensure the smooth operation of critical healthcare functions.

**2\. High-income organizations remain the primary focus**

Ransomware operators can often seem indiscriminate when it comes to their targets; however, it is a known fact that they prefer to target high-income organizations dealing with sensitive data. This not only helps boost the Ransomware operator's profile as a serious threat but also ensures a higher chance of ransomware payments being made.

The reason for this is twofold: high-income organizations have the means to pay the exorbitant ransoms demanded, and they also have a greater susceptibility to their image being tarnished with regards to appearing incompetent at handling sensitive data and retaining their reputation as a reputed firm.

Along with Healthcare, the most targeted sectors in the previous quarter were Professional Services, IT & ITES, and Construction due to their high net worth and the expanded attack surfaces.

**3\. The United States remains the most targeted nation**

While several trends around Ransomware victims and tactics have evolved on a quarterly basis, the established pattern of the United States being the most targeted region by ransomware operators is a constant. This is evidenced by the fact that in Q3-2023 alone, the United States faced more ransomware attacks than the **next 10 countries** **combined**.

The reasoning for this can be attributed to the US's unique role in being a highly digitized nation with a massive amount of global engagement and outreach. Due to geopolitical factors, the United States is also a prime target for Hacktivist groups leveraging ransomware to achieve their goals due to perceived social injustice or to protest foreign and domestic policies.

A distant second, in terms of the volume of ransomware attacks in Q3, was the United Kingdom, followed by Italy and Germany.

**4\. LOCKBIT remains a potent threat – while newer Ransomware groups are rapidly creating a name for themselves**

While LOCKBIT's total attacks were slightly lower than the previous quarter (**a 5% drop**), they still targeted the highest number of victims, with **240 confirmed victims in Q3-2023**.

Newer players on the ransomware scene have not been idle, however. Q3-2023 witnessed a surge in attacks from newer groups such as Cactus, INC Ransom, Metaencryptor, ThreeAM, Knight Ransomware, Cyclop Group, and MedusaLocker, indicating that these groups, while not having the same profile and global presence as major players like LOCKBIT, remain potent threats.

**5\. The increasing adoption of Rust and GoLang in newer ransomware variants**

Ransomware groups have always tried to make their activities harder or even impossible to detect or analyze. This makes it tricky for victims, cybersecurity experts and governments to analyze and study the ransomware, its infection vector, and mode of operation – after which corrective actions are accordingly implemented.

The recent patterns we have observed, however, showcase the growing popularity of Rust and GoLang amongst high-profile ransomware groups such as Hive, Agenda, Luna, and RansomExx. The reason for this is, again, twofold: programming languages like Rust make it harder to analyze the ransomware's activity on a victim system. They have the additional benefit of being easier to customize to target multiple Operating Systems, increasing the lethality and target base of any ransomware created using these languages.

**How have Organizations reacted to these Developments**

Every news cycle seems to contain at least one incidence of a high-profile organization or industry leader falling victim to Ransomware at some point, with the recent breaches of Caesar's Palace and MGM Casino by BlackCat/ALPHV Ransomware being prime examples.

This has even caught the attention of Government and Regulatory bodies worldwide, who have rolled out measures to help mitigate the impact and incidence of ransomware attacks. Firms have taken matters into their own hands as well by implementing practices to prevent the risk and mitigate the impact of ransomware attacks. Some notable steps we have observed are:

**1\. Emphasis on employee training**

An organization's workforce is often the first line of defense against any attack, and Ransomware is no exception. Firms have accordingly stepped up their cybersecurity training and awareness programs, rolling out mandatory cybersecurity training sessions and fostering a culture of cyber-awareness. Prime examples of this include training on how to identify phishing attempts, handling suspicious attachments, and identifying social engineering attempts.

**2\. Incident Response Planning**

Despite efforts to prevent them, Ransomware attacks can still occur due to various factors. Organizations have accounted for this and increased their focus on developing a comprehensive response to such incidents. These include legal protocols to notify authorities, internal security next steps, infosec team responses, and quarantining any affected systems/products.

**3\. Enhanced Recovery and Backups**

Ransomware attacks have two primary aims: To gain access to sensitive data and encrypt this data to render it unusable to the target organizations. To address this risk, organizations have started placing a greater focus on backing up sensitive data and creating comprehensive recovery processes for the same.

**4\. Implementation of Zero-Trust Architecture and Multi-Factor Authentication**

Ransomware groups have previously exploited the human element to enable or enhance ransomware attacks via Initial Access Brokers, phishing attacks, etc. As a response, firms have implemented Zero-Trust Architecture and MFA across all critical platforms and data, requiring multiple verified levels of authentication to grant access to sensitive data.

**5\. Intelligence sharing and collaboration with Law Enforcement**

Organizations in the same industries have created Information Sharing and Analysis Centers (ISACs) to help pool their resources and intel to help combat future ransomware attempts. They are also working closely with Law Enforcement and regulatory bodies to report ransomware attempts and help diagnose security shortcomings.

**6\. Increased adoption/use of Threat Intelligence Platforms**

Due to their specific competency in this space, as well as their advanced AI and machine learning capabilities, organizations are increasingly using **Threat Intelligence Platforms** for their expertise, anomaly detection, and behavioral analysis to gain real-time threat intelligence to help mitigate ransomware attacks.

**7\. Focus on Vulnerability Management**

Vulnerabilities have come into the limelight over the past few years in major incidents such as the recent MoveIT and PaperCut vulnerabilities enabling exploits and cyberattacks. Organizations have accordingly implemented **vulnerability management** and protocols to ensure all critical software is up-to-date and regularly patched.

**8\. Securing supply chains and vendor risk management**

In the event that a Ransomware operator cannot breach an organization, it is not atypical for them to target its supply chain via vendors, partners, and third parties who may not be as cybersecure. Organizations have accordingly rolled out vendor risk assessments to ensure that their entire supply chain is airtight and uniformly protected against potential ransomware attempts.

Discover key insights and understand how ransomware groups are evolving their tactics to target victims. **Download the Q3-2023 Ransomware Report now**.

**How can Cyble's AI-powered threat intelligence platform, Cyble Vision, assist you?**

With a keen view into both the surface and deep web, Vision can keep you a step ahead of Ransomware operators.

*   Through keen Threat Analysis, Vision can help identify weak points in your organization's digital risk footprint and guide you on how to secure these gaps that ransomware groups could potentially exploit.
*   Vision has the ability to scan your entire attack surface, extending to your vendors, partners, and third parties as well, giving you the ability to secure your entire supply chain and ecosystem from attacks.
*   Being powered by AI allows Vision to scan vast quantities of data from all parts of the surface, deep and dark web, allowing real-time updates into Threat actor behavior.
*   With a focus on Darkweb Monitoring, Vision can let you track Threat Actor patterns and actions on the Darkweb. From discussing a new variant to monitoring affiliate programs, you can stay one step ahead of Ransomware operators.

If you're interested in exploring how Vision can enhance your organization's security, reach out to Cyble's cybersecurity experts for a **free demo here**.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ransomware attacks doubled year on year. Are organizations equipped to handle the evolution of Ransomware in 2023?

The AvosLocker ransomware gang has been linked to attacks against critical infrastructure sectors in the U.S., with some of them detected as recently as May 2023.
That's according to a new joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) detailing the ransomware-as-a-service (RaaS) operation's

The AvosLocker ransomware gang has been linked to attacks against critical infrastructure sectors in the U.S., with some of them detected as recently as May 2023.

That's according to a new joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) detailing the ransomware-as-a-service (RaaS) operation's tactics, techniques, and procedures (TTPs).

"AvosLocker affiliates compromise organizations' networks by using legitimate software and open-source remote system administration tools," the agencies said. "AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data."

The ransomware strain first emerged on the scene in mid-2021, and has since leveraged sophisticated techniques to disable antivirus protection as a detection evasion measure. It affects Windows, Linux, and VMware ESXi environments.

A key hallmark of AvosLocker attacks is the reliance on open-source tools and living-off-the-land (LotL) tactics, leaving no traces that could lead to attribution. Also used are legitimate utilities like FileZilla and Rclone for data exfiltration as well as tunneling tools such as Chisel and Ligolo.

Command-and-control (C2) is accomplished by means of Cobalt Strike and Sliver, while Lazagne and Mimikatz are used for credential theft. The attacks also employ custom PowerShell and Windows Batch scripts for lateral movement, privilege escalation, and disarming security software.

"AvosLocker affiliates have uploaded and used custom web shells to enable network access," the agencies noted. Another new component is an executable named NetMonitor.exe that masquerades as a network monitoring tool but actually functions as a reverse proxy to allow the threat actors to connect to the host from outside the victim's network.

CISA and FBI are recommending critical infrastructure organizations to implement necessary mitigations to reduce the likelihood and impact of AvosLocker ransomware and other ransomware incidents.

This includes adopting application controls, limiting the use of RDP and other remote desktop services, restricting PowerShell use, requiring phishing-resistant multi-factor authentication, segmenting networks, keeping all systems up-to-date, and maintaining periodic offline backups.

The development comes as Mozilla warned of ransomware attacks leveraging malvertising campaigns that trick users into installing trojanized versions of Thunderbird, ultimately leading to the deployment of file-encrypting malware and commodity malware families such as IcedID.

Ransomware attacks in 2023 have witnessed a major surge, even as threat actors are moving swiftly to deploy ransomware within one day of initial access in more than 50% of engagements, according to Secureworks, dropping from the previous median dwell time of 4.5 days in 2022.

What's more, in more than 10 percent of incidents, ransomware was deployed within five hours.

"The driver for the reduction in median dwell time is likely due to the cybercriminals' desire for a lower chance of detection," Don Smith, vice president of threat intelligence at Secureworks Counter Threat Unit, said.

"As a result, threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high."

Exploitation of public facing applications, stolen credentials, off-the-shelf malware, and external remote services have emerged as the three largest initial access vectors for ransomware attacks.

To rub salt into the wound, the RaaS model and the ready availability of leaked ransomware code have lowered the barrier to entry for even novice criminals, making it a lucrative avenue to make illicit profits.

"While we still see familiar names as the most active threat actors, the emergence of several new and very active threat groups is fuelling a significant rise in victim and data leaks," Smith added. "Despite high profile takedowns and sanctions, cybercriminals are masters of adaptation, and so the threat continues to gather pace."

Microsoft, in its annual Digital Defense Report, said 70% of organizations encountering human-operated ransomware had fewer than 500 employees, and that 80 to 90 percent of all compromises originate from unmanaged devices.

Telemetry data gathered by the company shows that human-operated ransomware attacks have gone up more than 200 percent since September 2022. Magniber, LockBit, Hive, and BlackCat comprised almost 65 percent of all ransomware encounters.

On top of that, approximately 16 percent of recent successful human-operated ransomware attacks involved both encryption and exfiltration, while a 13 percent used exfiltration only.

"Ransomware operators are also increasingly exploiting vulnerabilities in less common software, making it more difficult to predict and defend against their attacks," the tech giant said. "This reinforces the importance of a holistic security approach."

Redmond said it also observed a "sharp increase" in the use of remote encryption during human-operated ransomware attacks, accounting for 60 percent on average over the past year.

"Instead of deploying malicious files on the victim device, encryption is done remotely, with the system process performing the encryption, which renders process-based remediation ineffective," Microsoft explained. "This is a sign of attackers evolving to further minimize their footprint."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FBI, CISA Warn of Rising AvosLocker Ransomware Attacks Against Critical Infrastructure

**PRESS RELEASE**

**REDWOOD CITY, Calif., October 11, 2023 –** Appdome, the mobile one-stop shop for mobile app defense, today released new threat evaluation tools inside ThreatScope™ Mobile XDR to deliver enhanced monitoring, investigation and threat evaluation for mobile apps and brands globally. Among the new tools is Threat-Inspect™, a powerful new ability to investigate, drill down, share and report on defenses, attacks and threats in the production environment. 

Appdome's ThreatScope™ Mobile XDR gathers thousands of threat signals from mobile app security, hacking, fraud, malware, cheat, and bot attacks from inside deployed mobile apps, and translates that data into brand relevant views that cyber, fraud and business teams can use to evaluate and respond to mobile threats and attacks in real time. The new evaluation tools include: (1) Threat-Inspect, for deep threat inspection, (2) Threat-Views™, for creating savable monitoring perspectives by app, device, OS, attacks and other parameters, and (3) Threat-Snapshots for ease of reporting and collaboration. ThreatScope Mobile XDR is pre-integrated with Appdome’s Cyber Defense Automation platform for Android & iOS apps for instant response to any cyber or fraud attack. 

"Real-time attack data from the native mobile app channel is full of surprises," said Tom Tovar, co-creator and CEO of Appdome. "Our new evaluation tools, including Threat-Inspect, allow even faster and deeper investigation into cyber and fraud data from the mobile channel and empower mobile brands to view this data from a business context."

The new threat evaluation features in ThreatScope Mobile XDR provide mobile businesses and brands: 

**Threat-Inspect™** allows cyber teams to pivot between "All" and “Unique” attacks as well as between attacks and “Impacted Devices,” to see the number of unique devices experiencing each attack. This new capability allows cyber responses to be tailored to the specific threat(s) in the production environment while also easing the remediation burden for mobile users and brands globally. 

A unique feature of Threat-Inspect is that it also can be used in conjunction with Appdome’s recently released Build-to-Test automated testing capability. Build2Test allows Appdome-protected mobile apps to be used inside automated mobile app testing suites, logging all security events for the developer to track and monitor. These logged security events are now visualized inside Threat-Inspect.  

**Threat-Views™** allows security teams to zoom in and monitor specific aspects of the mobile app defense, attack and threat data shown on ThreatScope. Create and save any number of Threat-Views to monitor one or more mobile applications, OS, OS Version, attack vector, mobile app release, Fusion Set (defense model), geographic region or other parameter. Threat-Views enable persistent business level viewing and analysis, which is essential for demonstrating ROI and keeping the overall mobile business safe. 

**ThreatScope Snapshots™**allow cyber teams to export and share real-time mobile app defense and attack snapshots from ThreatScope, Threat-Views or Threat-Inspect data. Use ThreatScope Snapshots to keep cyber, fraud, and business teams informed on progress in stopping security, fraud, malware, and other attacks, demonstrate compliance, or collaborate with other teams internally. 

Powering these features are new levels of metadata now available in ThreatScope. These include enhanced attack, threat and fraud metadata including geo-location, unique identifiers for threats and impacted installations as well as new options such as IP address and more. This metadata allows mobile brands to click to see all the in-production mobile apps and installations impacted by each attack or threat. Simply click on a specific attack or threat and choose the impact view needed by each business line. IP address and unique device data can now also be downloaded for offline analysis. 

"These enhancements to ThreatScope really raise the bar on actionable, interactive risk and threat intelligence for mobile apps," said Eric Newcomer, CTO and Principal Analyst at Intellyx. "You can drill down on device data to see which devices are impacted, and explore different views by geo-location, threat ID, and IP address – all in real time. And you can now capture and export the data for internal distribution."

Appdome's Threat-Scope Mobile XDR is the only XDR solution offering consolidated, real-time, cyber security, fraud, malware, cheat and bot attack and threat intelligence from in-production Android & iOS apps. With ThreatScope Mobile XDR, mobile brands, developers, cyber and fraud teams can immediately respond with updated security models, build-by-build and release-by-release and prioritize protections that have a real impact on the mobile business and users. The entire ThreatScope Mobile XDR capability inside Android & iOS apps without any burden on mobile dev teams, including no code, no SDK and no servers to deploy and, most importantly, no separate agent installed on the mobile device. 

"Once you see the data in ThreatScope Mobile XDR, you can't live without it," said Chris Roeckl, Chief Product Officer at Appdome. "Combining real-time data with instant action is the only way to combat the huge diversity, sophistication and relentlessness hackers, attackers and fraudsters use to compromise mobile apps, brands, and users globally."

For more information about ThreatScope™ Mobile XDR visit: www.appdome.com 

**About Appdome**  

Appdome, the mobile app economy’s one-stop-shop for mobile app defense, is on a mission to protect every mobile app in the world and the people who use mobile apps in their lives and at work. Appdome provides the mobile industry’s only mobile application Cyber Defense Automation platform, powered by a patented artiﬁcial-intelligence based coding engine, Threat-Events™ Threat-Aware UX/UI Control and ThreatScope™ Mobile XDR. Using Appdome, mobile brands eliminate complexity, save money and deliver 300+ Certified Secure™ mobile app security, anti-malware, anti-fraud, MOBILEBot™ Defense, anti-cheat, MiTM attack prevention, code obfuscation and other protections in Android and iOS apps with ease, all inside the mobile DevOps and CI/CD pipeline. Leading ﬁnancial, healthcare, mobile games, government and m-commerce brands use Appdome to protect Android and iOS apps, mobile customers and mobile businesses globally. Appdome holds several patents including U.S. Patents 9,934,017 B2, 10,310,870 B2, 10,606,582 B2, 11,243,748 B2 and 11,294,663 B2. Additional patents pending.

Appdome Announces Attack Evaluation Tools in Digital Economy's Mobile XDR

**PRESS RELEASE**

**WATERLOO, ON, Oct. 10,2023 / PRNewswire/--** BlackBerry Limited (NYSE: BB; TSX: BB), the pioneer of enterprise mobility management, today announced two major new Unified Endpoint Management (UEM) innovations — BlackBerry UEM at the edge and BlackBerry UEM for the IoT.

BlackBerry® UEM software is used for managing, monitoring, and securing all of an organization's end-user devices. Taking BlackBerry UEM to the edge will enhance enterprise productivity and employee experience by placing workloads close to the end user and their device for ultra-low latency connectivity, while maintaining the highest security standards that customers rely on and trust BlackBerry to deliver – in testing users saw up to 87% decrease in latency. The solution brings the BlackBerry Network Operations Center (NOC), the company's unique secure connectivity infrastructure, to the edge and integrates with AWS Local Zones and Availability Zones to securely place compute, storage, and other services where data is being generated and consumed. BlackBerry UEM at the edge is compatible with BlackBerry UEM on-prem and cloud.

BlackBerry UEM for the Internet of Things (IoT) will expand unified endpoint management to IoT devices enabling organizations to realize the vast benefits of the IoT and reduce unknown risks in their environment. The solution integrates BlackBerry UEM with AWS IoT Greengrass, an open source edge runtime and cloud service used on millions of IoT endpoints across the connected world – in factories, vehicles, healthcare, enterprises – to provide IoT endpoint visibility and management and empower IT teams. Advancing the company's convergence vision, this new addition to BlackBerry UEM will enable organizations to seamlessly and securely inventory and manage their IT and IoT endpoints from a single console.

"BlackBerry founded and has been a leader in the enterprise mobility management market for over twenty years. We are once again revolutionizing the market, by leapfrogging the industry in endpoint management innovation and paving the way for convergence," said Neelam Sandhu, Chief Elite Customer Success Officer, BlackBerry. "It has been wonderful to collaborate with AWS to develop BlackBerry UEM at the edge and BlackBerry UEM for the IoT, to enable our customers to unlock new business value through digital technologies, which offer the potential to transform and advance every aspect of the connected world, spanning how we live and work." 

"IoT has advanced over the past years across different industries – automotive, enterprise, medical, manufacturing. The convergence of the IoT with security at the forefront of the conversation is now emerging as a must-have for the connected world. Bridging systems in the cloud provides scale, consistency, and flexibility to organizations to access data across the IoT and developers to innovate to deliver new value. AWS is delighted to collaborate with BlackBerry on UEM edge and IoT solutions to deliver unified and innovative endpoint management solution for the future of the connected world," said Dr. Sarah Cooper, General Manager for Industry Products at AWS.

The IoT is a foundational pillar of the future of digital transformation and unlocks new business opportunities for organizations by dramatically extending the reach of information technology. The value of enterprise IoT is largely untapped today due to the heavy compute requirements of the IoT and the complexity of the IoT network. Edge computing addresses the increasing demand for real-time data processing and analysis, and increased endpoint visibility provides valuable situational awareness and security benefits, enabling organizations to easily integrate IoT into their IT strategies. 

BlackBerry UEM holds the most security certifications in the industry and is the only UEM product to be named 2023 Customers Choice by Gartner® Peer Insights™.

AWS provides reliable, scalable, and inexpensive cloud computing services to organizations around the world. For more information on AWS products click here.

For more information on BlackBerry UEM at the edge or BlackBerry UEM for the IoT, including general availability dates, register for BlackBerry Summit, taking place on October 17, where speakers from industry, enterprise and BlackBerry will reveal the future of IoT, IT and Cybersecurity and showcase the latest BlackBerry innovations.

**About BlackBerry**

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world. The company secures more than 500M endpoints including over 235M vehicles. Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety, and data privacy solutions, and is a leader in the areas of endpoint security, endpoint management, encryption, and embedded systems. BlackBerry's vision is clear - to secure a connected future you can trust.

For more information, visit BlackBerry.com and follow @BlackBerry.

_Trademarks, including but not limited to BLACKBERRY and EMBLEM Design are the trademarks or registered trademarks of BlackBerry Limited, and the exclusive rights to such trademarks are expressly reserved. All other trademarks are the property of their respective owners. BlackBerry is not responsible for any third-party products or services._

Tag

#intel