PRESS RELEASE

PITTSBURGH, PA – October 1, 2024 – ForAllSecure, the world's most advanced application security testing company, today announced it is changing its corporate name to Mayhem Security (“Mayhem”), signaling a new era of growth and opportunity aligned with its award-winning Mayhem Application Security platform.

Founded by a team of researchers from Carnegie Mellon, the company’s focus has evolved from research, development, and education to a product company centered around its Mayhem platform that quickly went from a Defense Advanced Research Project Agency (DARPA) Cyber Grand Challenge prototype to an in-demand commercialized AI-driven application security platform. Today, the Mayhem platform has been integrated into thousands of open-source projects, building a library of behavioral tests, identifying new zero-days, and helping defend against software supply chain threats. The name change follows record product achievements, with platform ARR rising 275% year over year and 78% of customers expanding their Mayhem footprint at or before their first subscription renewal.

“ForAllSecure has a long, successful history, from winning the DARPA Grand Challenge to dedicating ourselves to research and innovation in the cybersecurity industry through Mayhem Heroes, hackathons, and consulting,” said David Brumley, CEO of Mayhem. “Our new name and focus mark an important evolution for us as the Mayhem brand becomes synonymous with the platform that is transforming API security testing and has powered our growth. In fact, for several years, it was the majority of our revenue. Our new positioning is a natural next step as we continue the hard work of our dedicated researchers and hackers who will continue to push out innovative research and prototype new ways to defend software.” 

The past year has been a banner year, with the company achieving key innovation milestones. Most notably, Mayhem released Mayhem Dynamic software bill of materials (SBOM), which brings Mayhem’s runtime intelligence to the world of software composition analysis (SCA) and SBOM by looking at an application’s actual behavior to find only real, exploitable vulnerabilities, eliminating triage and investigations, and reducing false positives to increase developer velocity and minimize application risks. Mayhem re-architected its symbolic executor to test and triage 60% faster, released support for Windows-based applications, and launched a beta of automated harnessing for embedded systems. 

Under the name Mayhem Security, the company will continue to collaborate with the government and the industry to advance cybersecurity and revolutionize how organizations approach cybersecurity by automating the process of finding and fixing software vulnerabilities.

For more information, visit https://www.mayhem.security/.

You May Also Like

Introducing Mayhem: ForAllSecure Unveils New Name and Company Focus

PRESS RELEASE

NEW YORK, Oct. 9, 2024 /PRNewswire/ -- OpenGradient, a leading decentralized AI infrastructure company, has raised $8.5M in seed funding. With a mission to accelerate open-source AI, OpenGradient democratizes model ownership, streamlines AI deployment, and enables universal access to AI.

OpenGradient's end-to-end decentralized platform offers scalable AI compute on-chain, ensuring verifiability and attribution while enhancing security for AI deployment and hosting. Its multi-layer technology stack includes an EVM-compatible blockchain with its innovative heterogeneous AI compute architecture (HACA) and a proprietary library of feature-rich tools to support and scale secure AI workflows on-chain.

OpenGradient empowers developers to build and deploy optimized decentralized applications (dApps) with ease. OpenGradient's web portal and SDK allow Web2 developers to leverage its AI stack without the complexities of blockchain while enjoying the security and composability benefits of a decentralized infrastructure.

CEO and Co-Founder, Matthew Wang, said,

"Developers today face significant hurdles when developing secure software for custom AI models, often grappling with developing a variety of complex cryptographic or hardware solutions into their stack. OpenGradient revolutionizes this approach, offering near-instantaneous model deployment and secure inference of AI models in mere seconds."

The $8.5 million seed round included participation from a16z Crypto Startup Accelerator (a16z CSX), SV Angel, Coinbase Ventures, SALT Fund, Symbolic Capital, Foresight Ventures, and angel investors, including Balaji Srinivasan (ex-Coinbase CTO), Illia Polosukhin(NEAR Founder), Sandeep Nailwal (Polygon Founder), and more. OpenGradient is also currently participating in the Fall 2024 a16z CSX program in New York City.

Principal at SV Angel, Mike Liu, said,

"OpenGradient is ushering in a new era for decentralized AI by developing infrastructure to support the next generation of intelligent applications. They've built a truly disruptive tech stack at the intersection of AI and blockchain, and we're excited to support such an innovative and talented team."

The funding will be used to continue building out the decentralized infrastructure, deploying solutions and tools for AI and Web3 developers, and advancing applied ML research to grow the open-source AI ecosystem on blockchain. OpenGradient's testnet is expected to be available to developers in Q4 2024.

About OpenGradient

OpenGradient is a leading decentralized platform unlocking scalable AI compute on-chain, empowering developers to build secure, intelligent, and optimized decentralized applications. We provide on-chain AI model hosting, permissionless composability, secure inference execution, and seamless access to accelerate open-source AI and foster next-gen applications. Headquartered in New York City, the team comprises global talent with deep expertise in AI/ML, blockchain, crypto, and Web3 ecosystem. Learn more at https://opengradient.ai and follow us on X and LinkedIn.

OpenGradient Raises $8.5M to Decentralize AI Infrastructure and Accelerate Secure, Open-Source AI

The EU AI Act provides a governance, risk, and compliance (GRC) framework that helps organizations take a risk-based approach to using AI.

Source: Vitor Miranda via Alamy Stock Photo

COMMENTARY

As artificial intelligence (AI) becomes increasingly prevalent in business operations, organizations must adapt their governance, risk, and compliance (GRC) strategies to address the privacy and security risks this technology poses. The European Union's AI Act provides a valuable framework for assessing and managing AI risk, offering insights that can benefit companies worldwide.

The EU AI Act applies to providers and users of AI systems in the EU, as well as those putting AI systems on the EU market or using them within the EU. Its primary goal is to ensure that AI systems are safe and respect fundamental rights and values, including privacy, nondiscrimination, and human dignity.

The EU AI Act categorizes AI systems into four risk levels. On one end of the spectrum, AI systems that pose clear threats to safety, livelihoods, and rights are deemed an Unacceptable Risk. On the other end, AI systems classified as Minimal Risk are largely unregulated, though subject to general safety and privacy rules.

The classifications to study for GRC management are High Risk and Limited Risk. High Risk denotes AI systems where there is a significant risk of harm to individuals' health, safety, or fundamental rights. Limited Risk AI systems pose minimal threat to safety, privacy, or rights but remain subject to transparency obligations.

The EU AI Act allows organizations to take a risk-based approach when assessing AI. The framework helps establish a logical approach for AI risk assessments, particularly for High and Limited Risk activities.

**Requirements for High-Risk AI Activities**

High-Risk AI activities can include credit scoring, AI-driven recruitment, healthcare diagnostics, biometric identification, and safety-critical systems in transportation. For these and similar activities, the EU AI Act mandates the following stringent requirements:

1.  Risk management system: Implement a comprehensive risk management system throughout the AI system's life cycle.
    
2.  Data governance: Ensure proper data governance with high-quality datasets to prevent bias.
    
3.  Technical documentation: Maintain detailed documentation of the AI system's operations.
    
4.  Transparency: Provide clear communication about the AI system's capabilities and limitations.
    
5.  Human oversight: Enable meaningful human oversight for monitoring and intervention.
    
6.  Accuracy and robustness: Ensure the AI system maintains appropriate accuracy and robustness.
    
7.  Cybersecurity: Implement state-of-the-art security mechanisms to protect the AI system and its data.
    

**Requirements for Limited and Minimal Risk AI Activities**

While Limited and Minimal Risk activities don't require the same level of scrutiny as High-Risk systems, they still warrant careful consideration.

1.  Data assessment: Identify the types of data involved, its sensitivity, and how it will be used, stored, and secured.
    
2.  Data minimization: Ensure that only essential data is collected and processed.
    
3.  System integration: Evaluate how the AI system will interact with other internal or external systems.
    
4.  Privacy and security: Apply traditional data privacy and security measures.
    
5.  Transparency: Implement clear notices that inform users of AI interaction or AI-generated content.
    

**Requirements for All AI Systems: Assessing Training Data**

The assessment of AI training data is crucial for risk management. Key considerations for the EU AI Act include ensuring that you have the necessary rights to use the data for AI training purposes, as well as implementing strict access controls and data segregation measures for sensitive data.

In addition, AI systems must protect authors' rights and prevent unauthorized reproduction of protected IP. They also have to maintain high-quality, representative datasets and mitigate potential biases. Finally, they must maintain clear records of data sources and transformations for traceability and compliance purposes.

**How to Integrate AI Act Guidelines Into Existing GRC Strategies**

While AI presents new challenges, many aspects of the AI risk assessment process build on existing GRC practices. Organizations can start by applying traditional due-diligence processes for systems that handle confidential, sensitive, or personal data. Then, focus on these AI-specific considerations:

1.  AI capabilities assessment: Evaluate the AI system's actual capabilities, limitations, and potential impacts.
    
2.  Training and management: Assess how the AI system's capabilities are trained, updated, and managed over time.
    
3.  Explainability and interpretability: Ensure that the AI's decision-making process can be explained and interpreted, especially for High-Risk systems.
    
4.  Ongoing monitoring: Implement continuous monitoring to detect issues, such as model drift or unexpected behaviors.
    
5.  Incident response: Develop AI-specific incident response plans to address potential failures or unintended consequences.
    

By adapting existing GRC strategies and incorporating insights from frameworks like the EU AI Act, organizations can navigate the complexities of AI risk management and compliance effectively. This approach not only helps mitigate potential risks but also positions companies to leverage AI technologies responsibly and ethically, thus building trust with customers, employees, and regulators alike.

As AI continues to evolve, so, too, will the regulatory landscape. The EU AI Act serves as a pioneering framework, but organizations should stay informed about emerging regulations and best practices in AI governance. By proactively addressing AI risks and embracing responsible AI principles, companies can harness the power of AI while maintaining ethical standards and regulatory compliance.

**About the Author**

General Counsel, Secureframe

Kyle McLaughlin serves as General Counsel at Secureframe, an all-in-one platform for continuous security compliance. With a proven track record counseling prominent tech companies including Cisco and Duo Security, he specializes in IP issues, security, compliance, and privacy (holding CIPP/E certification). McLaughlin earned his JD from Wayne State University Law School and completed his bachelor's degree in Political Science and English at the University of Michigan.

Risk Strategies Drawn From the EU AI Act

Cyber pros are scrambling to stay up-to-date as the businesses they work for quickly roll out AI tools and keep expanding their cloud initiatives.

A major skills gap exists for security teams when it comes to artificial intelligence (AI) and cloud implementations, which happen to be two of the fastest-growing areas when it comes to enterprises' ongoing digital transformations.

According to O'Reilly's "2024 State of Security" report, nearly 39% of respondents on security teams reported that cloud computing is a space where more skills are needed but are difficult to find.

"Cloud security requires taking concepts like access control and least privilege, and applying them to servers and services that you'll never see and may only control through an API provided by your cloud vendor," wrote Mike Loukides, author of the report. "An error in any service can compromise all your infrastructure — that's why infrastructure as code is so important. In many respects, the game doesn't change, but the stakes become much higher."

Potential talent should prioritize skills like being able think in terms of securing hundreds or thousands of virtual instances, as well as being able to use or develop tools that can reach across multiple servers, services, and cloud providers.

AI, on the other hand, represents a whole new category of threats. Roughly 34% of respondents in the survey pointed to a lack of talent when it comes to AI skills, especially regarding attack avenues such as prompt injection. However, this space is so new that researchers are only beginning to understand the threats and vulnerabilities that AI poses — and even less is known about any possible solutions. 

"The security community is only beginning to catch up with the use and misuse of AI. In the coming years, we expect a surge in AI-specific research, training, and certification," Loukides wrote.

According to Mary Treseler, chief content officer of O'Reilly Media, those hiring in the cyber industry favor those who have a traditional computer science education in addition to experience in IT work such as system admin, help desk, and software development.

"It's possible to get a cybersecurity job without a degree, provided you have relevant work experience," Treseler says. "Certifications and experiences such as bug bounty hunting or capture-the-flag participation can supplement."

Also, some organizations, such as MITRE, are already providing tools to share data on real world AI incidents, such as the AI Incident Sharing initiative under MITRE ATLAS, to combat rising threats. The tool is anonymous in order to serve as a safe space to openly share the details of cyberattacks occurring across industries and government. It's modeled after traditional intelligence-sharing, so organizations can submit incident data through the site, after which they will be considered for membership. And in Europe, an effort is underway to promote AI literacy and awareness for staff dealing with the deployment of AI systems, via the EU Artificial Intelligence Pact.

**Security Up-Skilling: A Marathon, Not a Sprint**

Upskilling to eradicate gaps in cybersecurity talent is the easiest way forward for now, experts say.

"Our global survey underscores a security landscape in flux," Laura Baldwin, president of O'Reilly, said in a press release. "As cyber threats become increasingly sophisticated, it's clear that continuous, high-quality training is no longer optional; it's essential for safeguarding our digital future. Organizations must prioritize ongoing upskilling to stay ahead of evolving risks and build robust defenses."

Certifications, books, videos, and conferences can all be valuable resources to stay up-to-date with the latest need-to-know skills.

Some of the most popular certifications, according to Treseler are CISSP, which she notes is the most versatile and requires five years of work experience, CompTIA Security+, CEH, and CISM. These are all viable options that she says potential talent can trust will give them valuable expertise in the field, but also resources that higher-ups may be looking for when scouring for new candidates.

"Security is a challenge that will never go away," Loukides wrote. "Chances are, we'll invent new risks as quickly as we retire old ones. But we can do better at meeting the challenge."

Cloud, AI Talent Gaps Plague Cybersecurity Teams

Google on Wednesday announced a new partnership with the Global Anti-Scam Alliance (GASA) and DNS Research Federation (DNS RF) to combat online scams.
The initiative, which has been codenamed the Global Signal Exchange (GSE), is designed to create real-time insights into scams, fraud, and other forms of cybercrime pooling together threat signals from different data sources in order to create

Cybercrime / Threat Detection

Google on Wednesday announced a new partnership with the Global Anti-Scam Alliance (GASA) and DNS Research Federation (DNS RF) to combat online scams.

The initiative, which has been codenamed the Global Signal Exchange (GSE), is designed to create real-time insights into scams, fraud, and other forms of cybercrime pooling together threat signals from different data sources in order to create more visibility into the facilitators of cybercrime.

"By joining forces and establishing a centralized platform, GSE aims to improve the exchange of abuse signals, enabling faster identification and disruption of fraudulent activities across various sectors, platforms and services," Google said in a blog post shared with The Hacker News.

"The goal is to create a user-friendly, efficient solution that operates at an internet-scale, and is accessible to qualifying organizations, with GASA and the DNS Research Federation managing access."

The tech giant said it has shared over 100,000 URLs of bad merchants and more than 1 million scam signals to be fed into the data platform, and that it intends to provide data from other products.

"We know from experience that fighting scams and the criminal organizations behind them requires strong collaboration among industry, businesses, civil society and governments to combat bad actors and protect users," it added.

Google further took the opportunity to note that Cross-Account Protection has been used to protect 3.2 billion users across sites and apps where they sign in with their Google Account. As a next step, the company said it's partnering with Canva, Electronic Arts, Indeed, and Microsoft-owned LinkedIn.

The development comes a week after Meta said that it's teaming up with U.K. banks to combat scams on its platforms as part of an information-sharing partnership program dubbed Fraud Intelligence Reciprocal Exchange (FIRE).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Joins Forces with GASA and DNS RF to Tackle Online Scams at Scale

Multimodal AI systems can help enterprise defenders weed out fraudulent emails, even if the system has not seen that type of message before.

Source: Peshkova via Shutterstock

Artificial intelligence (AI) models that work across different types of media and domains — so-called "multimodal AI" — can be used by attackers to create convincing scams. At the same time, defenders are finding multimodal AI equally useful at spotting fraudulent emails and not-safe-for-work (NSFW) materials.

A large language model (LLM) can accurately classify previously unseen samples of emails impersonating different brands with better than 97% accuracy, as measured by a metric known as the F1 score, according to researchers at cybersecurity firm Sophos, who presented their findings at the Virus Bulletin Conference on Oct. 4. While existing email-security and content-filtering systems can spot messages using brands that have been encountered before, multimodal AI systems can identify the latest attacks, even if the system is not trained on samples of similar emails.

While the approach will likely not be a feature in email-security products, it could be used as a late-stage filter by security analysts, says Ben Gelman, a senior data scientist at Sophos, which has joined other cybersecurity firms, such as Google, Microsoft, and Simbian, in exploring new ways of using LLMs and other generative AI models to augment and assist security analysts and to help speed up incident response.

"AI and cybersecurity are merging, and this whole AI-generated attack/AI generated defense \[approach\] is going to become natural in the cybersecurity space," he says. "It's a force multiplier for our analysts. We have a number of projects where we support our SOC analysts with AI-based tools, and it's all about making them more efficient and giving them all this knowledge and confidence at their fingertips."

**Understanding Attackers' Tactics**

Attackers have also started using LLMs to improve their email lures and attack code. Microsoft, Google, and OpenAI have all warned that nation-state groups appear to be using these public LLMs for various tasks, such as creating spear-phishing lures and code snippets used to scrape websites.

As part of their research, the Sophos team created a platform for automating the launch of an e-commerce scam campaign, or "scampaigns," to understand what sort of attacks could be possible with multimodal generative AI. The platform consisted of five different AI agents: a data agent for generating information about the products and services, an image agent for creating images, an audio agent for any sound needs, a UI agent for creating the custom code, and an advertising agent to create marketing materials. The customization potential for automated ChatGPT spear-phishing and scam campaigns could result in large-scale microtargeting campaigns, the Sophos researchers stated in its Oct. 2 analysis.

"\[W\]e can see that these techniques are particularly chilling because users may interpret the most effective microtargeting as serendipitous coincidences," the researchers stated. "Spear phishing previously required dedicated manual effort, but with this new automation, it is possible to achieve personalization at a scale that hasn't been seen before."

That said, Sophos has not yet encountered this level of AI usage in the wild.

Defenders should expect AI-assisted cyberattackers to have better quality social-engineering techniques and faster cycles of innovation, says Anand Raghavan, vice president of AI engineering at Cisco Security.

"It is not just the quality of the emails, but the ability to automate this has gone up an order of magnitude since the arrival of GPT and other AI tools," he says. "The attackers have gotten not just incrementally better, but exponentially better."

**Beyond Keyword Matching**

Using LLMs to process emails and turn them into text descriptions leads to better accuracy and can help analysts process emails that might have otherwise escaped notice, stated Younghoo Lee, a principal data scientist with Sophos's AI group, in research presented at the Virus Bulletin conference.

"\[O\]ur multimodal AI approach, which leverages both text and image inputs, offers a more robust solution for detecting phishing attempts, particularly when facing unseen threats," he stated in the paper accompanying his presentation. "The use of both text and image features proved to be more effective" when dealing with multiple brands.

The capability to process the context of the text in the email augments the multimodal capability to "understand" words and context from images, allowing a fuller understanding of an email, says Cisco's Raghavan. LLMs' ability to focus not just on pinpointing suspicious language but also on dangerous contexts — such as emails that urge a user to take a business-critical action — make them very useful in assisting analysis, he says.

Any attempt to compromise workflows that have to do with money, credentials, sensitive data, or confidential processes should be flagged.

"Language as a classifier also very strongly enables us to reduce false positives by identifying what we call critical business workflows," Raghavan says. "If an attacker is interested in compromising your organization, there are four kinds of critical business workflows, \[and\] language is the predominant indicator for us to determine \[whether\] an email is concerning or not."

So why not use LLMs everywhere? Cost, says Sophos's Gelman.

"Depending on LLMs to do anything at massive scale is usually way too expensive relative to the gains that you're getting," he says. "One of the challenges of multimodal AI is that every time you add a mode like images, you need way more data, you need way more training time, and — when the text and the image models conflict — you need a better model and potentially better training" to decide between the two.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

AI-Augmented Email Analysis Spots Latest Scams, Bad Content

Talos also discovered three vulnerabilities in Veertu’s Anka Build, a suite of software designed to test macOS or iOS applications in CI/CD environments.

Wednesday, October 9, 2024 12:00

Cisco Talos’ Vulnerability Research team recently disclosed six new security vulnerabilities across a range of software, including one in a popular PDF reader that could lead to arbitrary code execution. 

Foxit PDF Reader, one of the most popular alternatives to Adobe Acrobat, contains a memory corruption vulnerability that could allow an adversary to execute code on the targeted machine. 

Talos also discovered three vulnerabilities in Veertu’s Anka Build, a suite of software designed to test macOS or iOS applications in CI/CD environments.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Use-after-free vulnerability in Foxit PDF Reader**

_Discovered by KPC._

A use-after-free vulnerability in Foxit PDF Reader could lead to memory corruption and eventually arbitrary code execution on the targeted machine.

TALOS-2024-1967 (CVE-2024-28888) can be triggered if an adversary tricks a user into opening a specially crafted PDF that contains malicious JavaScript. Exploitation could also occur if the targeted user visits an attacker-controlled website with the Foxit PDF Reader browser extension enabled.

**Multiple vulnerabilities in GNOME project library could lead to code execution**

Two vulnerabilities in the G Structured File Library (libgsf) could lead to arbitrary code execution. 

This GNOME project supports an abstraction layer around different structure file formats such as .tar and .zip. 

TALOS-2024-2068 (CVE-2024-36474) is an integer overflow vulnerability that could allow an out-of-bounds index to be used when reading and writing to an array. This could lead to arbitrary code execution if an adversary exploited it appropriately. 

TALOS-2024-2069 (CVE-2024-42415) works similarly, but in this case, it arises when the software processes the sector allocation table.

An adversary could exploit both these vulnerabilities by tricking the targeted user into opening a malicious, specially crafted file. 

**Three vulnerabilities in Veertu Anka Build**

_Discovered by KPC._

Veertu’s Anka Build software contains three vulnerabilities, two of which are directory traversal issues. 

Anka Build is a suite of software designed to test macOS and iOS applications in CI/CD environments. The suite is a centralized dashboard for managing nodes, VM instances, templates, tags and logs. 

This software contains two directory traversal vulnerabilities — TALOS-2024-2059 (CVE-2024-41163) and TALOS-2024-2061 (CVE-2024-41922) — that could lead to the disclosure of arbitrary files. An adversary could exploit these vulnerabilities by sending the target a specially crafted HTTP request. 

Another vulnerability, TALOS-2024-2060 (CVE-2024-39755), is a privilege escalation issue that could allow a low-privileged user to force the software to update, potentially raising their access to that of a root user.

Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project

Details have emerged about multiple security vulnerabilities in two implementations of the Manufacturing Message Specification (MMS) protocol that, if successfully exploited, could have severe impacts in industrial environments.
"The vulnerabilities could allow an attacker to crash an industrial device or in some cases, enable remote code execution," Claroty researchers Mashav Sapir and Vera

Industrial Security / Critical Infrastructure

Details have emerged about multiple security vulnerabilities in two implementations of the Manufacturing Message Specification (MMS) protocol that, if successfully exploited, could have severe impacts in industrial environments.

"The vulnerabilities could allow an attacker to crash an industrial device or in some cases, enable remote code execution," Claroty researchers Mashav Sapir and Vera Mens said in a new analysis.

MMS is an OSI application layer messaging protocol that enables remote control and monitoring of industrial devices by exchanging supervisory control information in an application-agnostic manner.

Specifically, it allows for communication between intelligent electronic devices (IEDs) and supervisory control and data acquisition (SCADA) systems or programmable logic controllers (PLCs).

The five shortcomings identified by the operational technology security company impact MZ Automation's libIEC61850 library and Triangle MicroWorks' TMW IEC 61850 library, and were patched in September and October 2022 following responsible disclosure -

*   **CVE-2022-2970** (CVSS score: 10.0) - A stack-based buffer overflow vulnerability in libIEC61850 that could lead to a crash or remote code execution

*   **CVE-2022-2971** (CVSS score: 8.6) - A type confusion vulnerability in libIEC61850 that could allow an attacker to crash the server with a malicious payload

*   **CVE-2022-2972** (CVSS score: 10.0) - A stack-based buffer overflow vulnerability in libIEC61850 that could lead to a crash or remote code execution

*   **CVE-2022-2973** (CVSS score: 8.6) - A null pointer deference vulnerability that could allow an attacker to crash the server

*   **CVE-2022-38138** (CVSS score:7.5) - An access of uninitialized pointer vulnerability that allows an attacker to cause a denial-of-service (DoS) condition

Claroty's analysis also found that Siemens SIPROTEC 5 IED relied on an outdated version of SISCO's MMS-EASE stack for MMS support, which is susceptible to a DoS condition via a specially crafted packet (CVE-2015-6574, CVSS score: 7.5).

The German company has since updated its firmware with an updated version of the protocol stack as of December 2022, according to an advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The research highlights the "gap between modern technology's security demands and the outdated, hard-to-replace protocols," Claroty said, urging vendors to follow security guidelines issued by CISA.

The disclosure comes weeks after Nozomi Networks detailed two vulnerabilities in the reference implementation of Espressif's ESP-NOW wireless protocol (CVE-2024-42483 and CVE-2024-42484) that could allow replay attacks and cause a DoS condition.

"Depending on the system being targeted, this vulnerability \[CVE-2024-42483\] can have profound consequences," it said. "ESP-NOW is used in security systems such as building alarms, allowing them to communicate with motion sensors."

"In such a scenario, an attacker could exploit this vulnerability to replay a previously intercepted legitimate 'OFF' command, thereby disabling a motion sensor at will."

Alternatively, ESP-NOW's use in remote door openers, such as automatic gates and garage doors, could be weaponized to intercept an "OPEN" command and replay it at a later time to gain unauthorized access to buildings.

Back in August, Nozomi Networks also shed light on a set of unpatched 37 vulnerabilities in the OpenFlow libfluid\_msg parsing library, collectively dubbed FluidFaults, that an adversary could exploit to crash Software-Defined Networking (SDN) applications.

"An attacker with network visibility to an OpenFlow controller/forwarder can send a malicious OpenFlow network packet that leads to a denial-of-service (DoS) attack," the company said.

In recent months, security flaws have also been uncovered in Beckhoff Automation's TwinCAT/BSD operating system that could expose PLCs to logic tampering, DoS attacks, and even command execution with root privileges on the controller.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Major Security Vulnerabilities in Industrial MMS Protocol Libraries

​​​With careful planning, ongoing evaluation, and a commitment to treat cybersecurity as a core business function, SMBs can transform their vulnerabilities into strengths​​.

Source: Josie Elias via Alamy Stock Photo

COMMENTARY

Small and medium-sized businesses (SMBs) increasingly have become prime targets for cybercriminals. While large corporations often dominate headlines when breaches occur, the reality is that SMBs are at even greater risk. Almost 70% of SMBs reported experiencing at least one cyberattack in the past year. The reasons are clear: SMBs often operate with limited budgets, inadequate cybersecurity tools, and a shortage of skilled cybersecurity professionals. These factors make them particularly vulnerable to the sophisticated and evolving threats of today's cyber environment.  

SMBs are the lifeblood of our economy, and their drive and determination are truly inspiring. The businesses I interact with are exceptionally skilled and consistently deliver outstanding services and products to their customers. I must remind myself, however, that SMBs are not inherently technology companies. Because of budget challenges, they are often considered "soft targets" by threat actors.  

These smaller businesses just want their IT to work seamlessly and securely. Yet, when it comes to mitigating threats like cyber breaches, they are at a disadvantage. While many SMBs understand the importance of cybersecurity, they often need help prioritizing, implementing, and maintaining effective defenses due to limited resources — both financial and technical — compared with larger organizations.  

**Understanding the Landscape **

The range of cyber threats facing SMBs is broad and constantly evolving. Common attack vectors include phishing, ransomware, denial of service, social engineering, and session hijacking, to name a few. Each threat can cause significant harm — whether through intellectual property theft, financial extortion, or reputational damage.  

The most successful cyberattacks exploit the gaps in an organization's cyber-risk strategy. For SMBs, these gaps frequently are the result of constrained resources, limited access to skilled talent, and a reactive approach to cybersecurity. In my conversations with customers and business partners, it's clear that while the concern for cyber-risk is universal, SMBs are often the least equipped to address these risks independently.  

**People, Process, and Technology: A Comprehensive Approach **

To effectively address cyber threats, SMBs must adopt a holistic approach that focuses on three essential components: people, process, and technology.  

**1\. People: Bridging the Skills Gap **

One of the most significant challenges SMBs face is the lack of skilled cybersecurity professionals. Even the best technology and processes can fall short without the right talent. SMBs must assess their current workforce's skills and identify gaps. Addressing these gaps is crucial, whether through training existing employees, hiring new talent, or partnering with external cybersecurity firms.  

In many cases, it may be more practical for SMBs to engage with a trusted partner to supplement their in-house capabilities. Many of the customers I speak with utilize cybersecurity-focused consultancies for short- and mid-term implementations, or rely on managed service providers (MSPs). Additionally, leveraging software-as-a-service (SaaS) solutions can be a cost-effective way to access advanced security tools without requiring extensive in-house expertise. These services often have guaranteed service levels, ensuring that experienced professionals manage critical security functions.  

**2\. Process: Defining Cyber Resilience **

While each organization has unique technical requirements, the need for a well-defined cyber-resilience strategy is universal. SMBs must develop processes tailored to their specific needs and adapt to changing business demands. A one-size-fits-all approach will not suffice. Instead, SMBs should consider standard frameworks like ITIL, Agile, and DevOps as baselines for developing their cybersecurity strategies, as these frameworks can help streamline processes and strengthen the overall cybersecurity posture.  

A key takeaway from my conversations with successful SMBs is the importance of designing sustainable business processes. Cyber resilience is an ongoing journey, not a static goal requiring continuous improvement and adaptability. Every organization must regularly evaluate and update processes to keep pace with evolving needs and emerging threats. By embracing a dynamic approach to process development, SMBs can stay ahead of the curve and maintain robust defenses.  

**3\. Technology: Choosing the Right Tools **

Technology is the cornerstone of any cybersecurity strategy. Given the wide range of available tools, SMBs must carefully select the solutions that best meet their specific needs. Whether focusing on network security, data protection, or identity management, the chosen technology must be both practical and scalable.  

SMBs should focus on ensuring their technology stack aligns with their cybersecurity strategy. This means evaluating on-premises and cloud-based solutions while carefully managing access to sensitive data. The objective is to choose technology that not only addresses immediate security concerns but also strengthens long-term resilience.  

**Engaging Leadership and Industry **

A critical aspect of any successful cybersecurity program is the involvement of leadership at every level of the organization. From my discussions with business leaders who have established robust cyber resilience programs, one common theme emerges: Cybersecurity is a serious priority across the organization. It's not merely the IT department's responsibility but a critical business imperative that affects reputation, financial health, and legal compliance.  

To secure this level of commitment, SMBs must involve their leadership teams in developing and overseeing cybersecurity strategies. This entails conducting regular assessments of the program's effectiveness, incorporating feedback from both cybersecurity professionals and business leaders. When leadership is actively involved, it sends a clear message that cybersecurity is a priority, fostering a culture of security throughout the organization.  

Another critical factor is the willingness to seek external expertise. Successful SMBs often look beyond their internal resources, utilizing market analysis, user groups, vendor forums, and industry contacts to inform their cybersecurity strategies. For SMBs with limited staff and experience, these external resources offer valuable insights and support critical to the success of their programs. 

**Conclusion: A Proactive Path Forward **

Cybersecurity is not a one-time effort — it's an ongoing commitment that requires vigilance, adaptability, and strategic investment. For SMBs, the path to cyber resilience may be challenging, but it is achievable with the right approach. By focusing on the critical areas of people, processes, and technology, and engaging leadership at all levels, SMBs can develop robust defenses that safeguard their assets, reputation, and future growth.  

Ultimately, it's not just about preventing attacks. It’s about building a resilient organization that can thrive in an increasingly digital and complex business environment. As threats evolve, SMBs must continuously adapt their strategies and solutions to protect their businesses. Through careful planning, ongoing evaluation, and a commitment to treat cybersecurity as a core business function, SMBs can transform their vulnerabilities into strengths and secure their place in the digital economy.  

**About the Author**

CEO, One Identity

Mark Logan serves as Chief Executive Officer of One Identity and joined the company in June 2022. He is responsible for driving the overall growth strategy, go-to-market and P&L for One Identity. Mark is a seasoned executive with experience developing enterprise software companies to achieve successful growth. He is a proven leader with nearly two decades of C-suite experience at companies such as Emptoris (now part of IBM), Attunity, and most recently LogRhythm. Having been in the cyber security space for several years, Mark believes One Identity is in the right market at the right time to provide critically important cybersecurity protection for enterprises, public sector organizations and federal agencies.

Building Cyber Resilience in SMBs ​With ​Limited Resources

Since April, attackers have increased their use of Dropbox, OneDrive, and SharePoint to steal the credentials of business users and conduct further malicious activity.

Source: JLStock via Shutterstock

Threat actors are upping the ante on business email compromise (BEC) campaigns by combining social engineering with the use of legitimate, cloud-based file-hosting services to create more convincing attacks; the campaigns bypass common security protections and ultimately compromise the identity of enterprise users.

Since April, Microsoft has seen a rise in campaigns that have emerged over the past two years in which attackers weaponize legitimate file-sharing services like Dropbox, OneDrive, or SharePoint, which many enterprises use for workforce collaboration, Microsoft Threat Intelligence warned this week.

"The widespread use of such services … makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures," according to the Microsoft Threat Intelligence blog post.

Attackers are combining their use with social engineering in campaigns that target trusted parties in a business user's network, and base lures on familiar conversation topics. Threat actors are thus successfully phishing credentials for business accounts, which they then use to conduct further malicious activity, such as financial fraud, data exfiltration, and lateral movement to endpoints.

Trusted cloud services are an increasingly weak enterprise security link. Indeed, various researchers have discovered attackers — including advanced persistent threat (APT) groups — using legitimate file-sharing services to deliver remote access Trojans (RATs) and spyware, among other malicious activity.

**A Typical BEC Attack Scenario**

According to Microsoft, A common attack scenario begins with the compromise of a user within an enterprise. The threat actor then uses that victim's credentials to host a file on that organization's file-hosting service and share it with the real target: those within an external organization that have trusted ties to the victim.

Attackers are specifically using Dropbox, OneDrive, or SharePoint files with either restricted access or view-only restrictions to evade common detection systems and provide a launching pad for credential-harvesting activity. The former "requires the recipient to be signed in to the file-sharing service … or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service," establishing a trust relationship with the content. The latter can bypass analysis by email detonation systems, by "disabling the ability to download and consequently, the detection of embedded URLs within the files," according to Microsoft. "These techniques make detonation and analysis of the sample with the malicious link almost impossible since they are restricted."

To further ensure this bypass, attackers also use other techniques, including only allowing the intended recipient to view the file, or making the file accessible only for a limited time.

"This misuse of legitimate file-hosting services is particularly effective because recipients are more likely to trust emails from known vendors," according to Microsoft. Indeed, users from trusted vendors are added to allow lists through policies set by the organization on collaboration products used with the service, such as Exchange Online, so emails that are linked to phishing attacks pass through undetected.

After the files are shared on the hosting service, the targeted business user receives an automated email notification with a link to access the file securely. This is a legitimate notification about activity on the file-sharing service, so the email bypasses any protections that might have blocked a suspicious message.

**Adversary-in-the-Middle; Leveraging Familiarity**

When the targeted user accesses the shared file, he or she is prompted to verify identity by providing their email address, after which the address \[email protected\]\[.\]com sends a one-time password that the user can input to view the document.

That document often masquerades as a preview with another link purporting to allow the user to "view the message," according to Microsoft. However, it actually redirects the user to an adversary-in-the-middle (AiTM) phishing page that prompts the user is prompted to provide the password and complete the multifactor authentication (MFA) challenge.

"The compromised token can then be leveraged by the threat actor to perform the second stage BEC attack and continue the campaign," according to Microsoft.

Hosted files typically use lures to subject matter that would be a familiar topic or use familiar context based on an existing conversation held between employees of the organizations that the threat actor would be able to access thanks to the prior compromise of the anchor victim. For example, if two organizations have prior interactions related to an audit, the malicious shared files could be named "Audit Report 2024," according to Microsoft.

Attackers also leverage the oft-used psychological tactic of urgency to lure users into opening malicious files, using file names such as "Urgent:Attention Required" and "Compromised Password Reset" to get people to take the bait.

**Detecting Suspicious File-Sharing**

With these highly sophisticated BEC campaigns that neither users nor traditional email security systems detect on the rise, Microsoft recommends that enterprises use extended detection and response (XDR) systems to query for suspicious activity related to BEC campaigns that use legitimate file-sharing services.

Such queries could include identifying files with similar-sounding or the same file names that have been shared with various users. "Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection," according to Microsoft

Defenders also can use identity-focused queries related to sign-ins from VPS or VPN providers, or successful sign-ins from a non-compliant device, "to detect and investigate anomalous sign-in events that may be indicative of a compromised user identity being accessed by a threat actor," according to the post.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#intel