The investment will allow enterprises to further secure non-human identities and safely leverage the soaring adoption of third-party apps and Generative AI services.

**New York, June 28, 2023** – Astrix Security, the enterprise’s trusted solution for securing non-human identities, has secured $25 million in Series A funding led by CRV with participation from existing investors Bessemer Venture Partners and F2 Venture Capital. This new investment brings Astrix’s total funding to almost $40 million. 

Fueled by the increased adoption of automation and generative AI initiatives, the enterprise’s connectivity to third-party applications is growing, resulting in an increase in cyber attacks targeting non-human app-to-app connections (via API keys, access tokens, service accounts, etc.) – as seen in high profile attacks against CircleCI, Mailchimp, GitHub, Microsoft, and Slack. 

Despite financial instability within the market, Astrix is experiencing exponential year-over-year growth and momentum as a leader in securing this growing threat vector. The company recently added Figma, Priceline, Bloomreach, Rapyd and many others to its customer roster and was recognized as a finalist in the 2023 RSA Innovation Sandbox contest. The business also doubled its headcount, and will use this funding to continue expanding the team in both the U.S. and Tel Aviv offices, including its research team who recently discovered GhostToken, a critical 0-day vulnerability in the Google Cloud Platform. 

“We founded Astrix to close a significant and unaddressed security gap, by allowing security teams to extend access management and threat detection to the non-human identity layer,” said Alon Jackson, CEO and co-founder at Astrix. “It’s amazing to experience the tremendous adoption by security teams, as well as see Astrix’s capabilities become essential to their every-day security arsenal. We look forward to continuing to expand our capabilities and partnerships, allowing organizations to truly reap the benefits of third-party services, especially Gen-AI apps, without compromising security.”

The enterprise environment depends on a vast web of interconnected apps, supported with an average of 10,000 app-connections for every 1,000 employees. More so, with AI-powered apps being downloaded 1506% more than last year, and often connected by employees across departments without the security team’s knowledge, having visibility and governance into every third-party connection is virtually impossible. While existing solutions focus on securing user-connections, Astrix is the first solution to focus on securing app-connections, allowing the enterprise to ensure their core systems are securely connected to each other and to third-party services.

“As a growing threat vector, there has been a shift in the market to focus on third-party connectivity,” said James Green, General Partner at CRV. “Astrix caught our eye for their innovative approach to extending IAM and threat detection to all non-human identities, giving unprecedented capabilities to manage the growing API-based third-party attack surface across all environments.”

“Partnering with Astrix from inception, we’ve seen the vast impact they’ve had on the industry in a short amount of time,” said Amit Karp, Partner at Bessemer Venture Partners. “From raising awareness to this growing attack surface to supporting some of the leading companies in the world, we’re excited for what’s to come as Astrix expands and continues protecting customers from the next supply chain attack.”

“The progress Astrix has made from seed funding to now is incredible,” said Jonathan Saacks, Managing Partner at F2 Venture Capital. “The company has made a mark on the industry already, and with the wealth of knowledge and experience from this team, we are confident they will continue to be the security asset every business needs and relies on in their toolbox.”

The Astrix Security Platform is the first solution to provide holistic visibility into all non-human connections and identities. Astrix provides a consolidated, comprehensive view of all the internal and third-party integrations within a business environment, as well as all access keys in use (i.e., API keys, OAuth tokens, service accounts, and webhooks) and the permissions and level of access granted to each one. With Astrix, businesses can extend their identity threat detection and response capabilities to non-human identities by continuously running behavioral analysis of internal and third-party apps connected to core SaaS, IaaS and PaaS systems to detect anomalies that may indicate compromised access tokens and automatically remediate risky connections.

**About Astrix Security**

Founded in Tel Aviv in 2021, Astrix Security helps cloud-first companies defend against a new generation of supply chain attacks. Astrix provides holistic visibility into all non-human connections and identities – automatically detecting and remediating over-privileged, unnecessary, misbehaving and malicious app-to-app connections to prevent supply chain attacks, data leaks and compliance violations. Led by two veterans of the Israel Defense Force 8200 military intelligence unit, CEO Alon Jackson and CTO Idan Gour, Astrix’s team is rapidly expanding. Astrix has raised nearly $40M in funding, with a Series A led by CRV, and additional investments from Bessemer Venture Partners, F2 Venture Capital, Venrock and Kmehin Ventures. Learn more at https://astrix.security or follow us on LinkedIn.

**About CRV**

CRV is a venture capital firm that invests in early-stage startups. Since 1970, the firm has invested in more than 500 startups at their most crucial stages, including Airtable, DoorDash and Vercel. Founders need more than capital to build a great company. It takes a partner who understands the entrepreneurial journey and knows what it takes to win. From founding to IPO and beyond, CRV is there every step of the way. Founders rely on CRV to be trusted, long-term, committed partners, which has helped make CRV into one of the longest-running venture capital firms in the world. Learn more about CRV and the companies shaping the future at https://www.crv.com.

**About Bessemer Venture Partners** 

Bessemer Venture Partners helps entrepreneurs lay strong foundations to build and forge long-standing companies. With more than 145 IPOs and 300 portfolio companies in the enterprise, consumer and healthcare spaces, Bessemer supports founders and CEOs from their early days through every stage of growth. Bessemer’s global portfolio has included Pinterest, Shopify, Twilio, Yelp, LinkedIn, PagerDuty, DocuSign, Wix, Fiverr, and Toast and has $20 billion of assets under management. Bessemer has teams of investors and partners located in Tel Aviv, Silicon Valley, San Francisco, New York, London, Hong Kong, Boston, and Bangalore. Born from innovations in steel more than a century ago, Bessemer’s storied history has afforded its partners the opportunity to celebrate and scrutinize its best investment decisions (see Memos) and also learn from its mistakes (see Anti-Portfolio). 

**About F2**  

F2 Venture Capital is a Tel Aviv-based VC firm that invests in early-stage technology companies on the cutting edge.

Our team members have been investors, operators, and engineers in startups and multinational giants that changed the game over the last twenty years. With $500 million assets under management and personalized support, F2 powers visionary founders on their bold missions.

F2 also operates Israel’s most active pre-seed investment platform, to back founders with guidance, network, and capital from day zero. More details @ www.f2vc.com

Astrix Security Raises $25M in Series A Funding

The combination of data science expertise, cloud resources, and Cato's vast data lake enables real-time, ML-powered protection against evasive cyberattacks, reducing risk and improving security.

**TEL AVIV, Israel, June 27, 2023** — Cato Networks, provider of the world's leading single-vendor SASE platform, introduced today real-time, deep learning algorithms for threat prevention as part of Cato IPS. The algorithms leverage Cato's unique cloud-native platform and vast data lake to provide highly accurate identification of malicious domains, which are often used in phishing and ransomware attacks. In testing, the deep learning algorithms identified nearly six times more malicious domains than reputation feeds alone. Cato's Security Research Manager, Avidan Avraham, and Cato Data Scientist Asaf Fried presented on the use of machine learning to detect C2 communications at the AWS Summit in Tel Aviv.

**Tapping Deep Learning to Stop Phishing and Ransomware Attacks**

Real-time identification of malicious domains and IPs is essential to stopping phishing, ransomware, and other cyber threats. The traditional approach – relying on domain reputation feeds to categorize and identify malicious domains – has proven far too inaccurate as domain generation algorithms (DGAs) enable attackers to quickly generate new domains, which lack reputation. At the same time, users continue to click through to malicious domains mimicking well-known brands (such as microsoftt\[dot\]com or amazonlink\[dot\]online) whose lack of reputation also makes detection by reputation feeds alone unreliable. 

Cato's real-time, deep-learning algorithms address both problems. The algorithms prevent access to DGA-registered domains by identifying those new domains infrequently visited by users and with letter patterns common to DGAs. They block cybersquatting by hunting for domains with letter patterns similar to well-known brands. And the algorithms stop brand impersonation by examining parts of the webpage, such as the favicon, images, and text. 

These radical advancements in network security are enabled by the cloud-native architecture of Cato’s technology. Real-time deep learning algorithms require significant compute resources to avoid disrupting the user experience. The Cato SASE Cloud provides those resources. In milliseconds, Cato inspects flows, extracts their destination domain, measures the domain's risk, and infers the necessary results from the traffic without disrupting the user experience. 

At the same time, deep learning models need extensive training data. The massive data lake underlying Cato SASE Cloud provides that resource. Built from the metadata of every flow traversing Cato and further enriched by 250+ threat intelligence feeds, the deep learning algorithms benefit from analyzing patterns across all Cato customers. Those insights are further enhanced by custom analyses derived from customers' traffic—the result: precise, algorithmic identification of suspicious domains. 

**Real-time Deep Learning Yields 6X Improvement in Threat Detection**

Cato Research Labs routinely observes tens of millions of network connection attempts to DGA domains from across the 1700+ enterprises using the Cato SASE Cloud. For example, of the 457,220 network connection attempts to DGA domains made in a sample period, only 66,675 (15 percent) were listed in the 250+ threat intelligence feeds consumed by Cato. By contrast, Cato algorithms identified the rest, over 390,000 additional DGA domains, a nearly six-fold improvement.

**Real-time, Deep Learning: Just One Part of Cato’s Multitiered Security Protection **

Cato's real-time, deep learning algorithms are not the only way Cato detects and stops threats. The Cato SASE Cloud's combination of SWG, NGFW, IPS, NGAM, CASB, DLP, RBI, and ZTNA provides multitiered protection against exploitations, disrupting cyberattacks at multiple points in MITRE's ATT&CK Framework.

The deep learning algorithms are the latest AI and ML additions to the Cato SASE Cloud. Cato has long used machine learning for offline analysis to solve problems at scale, such as OS detection, client classification, and automatic application identification. ChatGPT is also used in various ways, including automatically generating descriptions of threats for Cato's threat catalog. 

To learn more about Cato and its security capabilities, visit https://www.catonetworks.com/security-service-edge/.

**Supporting Quotes**

**Elad Menahem, senior director of security, Cato Networks**

"ML and AI are essential to defending against the ever-evolving, sophisticated, and evasive cyber-attacks. But that’s easier marketed than done,” says Elad Menahem, senior director of security at Cato Networks. “ML algorithms must be trained and re-trained on high-quality data to provide value. Cato’s data lake provides an enormous advantage in that area. Its convergence of rich networking data and security sources, coupled with its sheer scale, enables Cato to train algorithms in unique ways. Our current work is only the start of AI and ML innovation.” 

**Asaf Fried, Data Scientist, Cato Networks**

"Real-time ML must be continuously trained and updated to deal effectively with evasive attacks. A SASE cloud allows training on quality data at scale and continuous updates. Appliance-based solutions can’t offer either, making enterprises who rely on them for their network security an easier target."

**Supporting Resources**

*   Read Cato Blog 
*   Read about Elad Menahem
*   Read about Asaf Fried

*   For more information about Cato's news and activities, follow the company via Twitter, LinkedIn, Facebook, Instagram, and YouTube. 

**About Cato Networks**  
Cato provides the world's most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, into a global cloud service. Cato SASE Cloud optimizes and secures application access for all users and locations everywhere. Using Cato, customers easily replace costly and rigid legacy MPLS with modern network architecture based on SD-WAN, secure and optimize a hybrid workforce working from anywhere, and enable seamless cloud migration. Cato enforces granular access policies, protects users against threats, and prevents sensitive data loss, all easily managed from a single pane of glass. With Cato, businesses are ready for whatever's next.

Cato Networks Revolutionizes Network Security With Real-Time, Machine Learning-Powered Protection

WordPress Social Login and Register plugin versions 7.6.4 and below suffer from an authentication bypass vulnerability.

    Description: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.6.4 – Authentication Bypass Affected Plugin: WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)Plugin Slug: woocommerce-abandoned-cartAffected Versions: <= 7.6.4CVE ID: CVE-2023-2982CVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HResearcher/s: Lana Codes Fully Patched Version: 7.6.5The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.Technical AnalysisThe WordPress Social Login and Register plugin, according to its settings, provides the ability for users to login to a WordPress website using a social login through various popular social media platforms and service providers. Examining the code reveals that there is a case with custom apps, where the data is sent encrypted during the login process. The data required for login must be decrypted using the secret key at the request.[View this code snippet on the blog]  While encrypting this information would normally provide protection against manipulating the request and prevent identity spoofing, we unfortunately found that the encryption key is hardcoded in vulnerable versions of the plugin, which means that threat actors also had access to the key which was not unique per WordPress installation. This makes it possible for attackers to craft a valid request containing a properly encrypted email address which vulnerable versions of the plugin use during the login process to determine the user.Ultimately, this makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plugin. As always, authentication bypass vulnerabilities and resulting access to high privileged user accounts, make it easy for threat actors to completely compromise a vulnerable WordPress site and further infect the victim.Disclosure TimelineMay 28, 2023 – Discovery of the Authentication Bypass vulnerability in WordPress Social Login and Register.May 30, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.June 2, 2023 – The vendor confirms the inbox for handling the discussion.June 2, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.June 2, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. Please note we delayed the firewall rule to prevent completely breaking the plugin’s core functionality.June 14, 2023 – A fully patched version of the plugin, 7.6.5, is released.July 2, 2023 – Wordfence Free users receive the same protection.ConclusionIn this blog post, we have detailed an Authentication Bypass vulnerability within the WordPress Social Login and Register plugin affecting versions 7.6.4 and earlier. This vulnerability allows threat actors to bypass authentication and gain access to the accounts of users who have abandoned their carts. The vulnerability has been fully addressed in version 7.6.5 of the plugin.We encourage WordPress users to verify that their sites are updated to the latest patched version of WordPress Social Login and Register as soon as possible.Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 2, 2023. Sites still using the free version of Wordfence will receive the same protection on July 2, 2023.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

WordPress Social Login And Register 7.6.4 Authentication Bypass

New LLM-based projects typically become successful in a short period of time, but the security posture of these generative AI projects are very low, making them extremely unsafe to use.

There is a lot of interest in integrating generative AI and other artificial intelligence applications into existing software products and platforms. However, from a security standpoint these AI projects are fairly new and immature, exposing organizations using these applications to various security risks, according to recent analysis by software supply chain security company Rezilion.

Since ChatGPT’s debut earlier this year, more than 30,000 open source projects now use GPT 3.5 on GitHub, which highlights a serious software supply chain concern: How secure are these projects that are being integrated left and right?

Rezilion’s team of researchers attempted to answer that question by analyzing the 50 most popular Large Language Model (LLM)-based projects on GitHub – where popularity was determined by how many stars the project has. The project's security posture was measured by the OpenSSF Scorecard score. The Scorecard tool, from the Open Source Security Foundation, assesses the project repository on various factors, such as the number of vulnerabilities it has, how frequently the code is being maintained, its dependencies, and the presence of binary files, to calculate the score. The higher the number, the more secure the code.

The researchers mapped the project’s popularity (size of the bubble, y-axis) and security posture (x-axis). None of the projects analyzed scored higher than 6.1 – the average score was 4.6 out of 10 – indicating a high level of security risk associated with these projects, Rezilion said. In fact, Auto-GPT, the most popular project (with almost 140,000 stars), is less than 3 months old and has the third-lowest score of 3.7, making it an extremely risky project from a security perspective.

When organizations are considering which open source projects to integrate into their codebases or which ones to work with, they consider factors such as whether the project is stable, currently supported, actively maintained, and the number of people actively working on the project. Organizations have to consider several types of risks, such as trust boundary risks, data management risks, and inherent model risks.

"When a project is new, there are more risks around the stability of the project, and it’s too soon to tell whether the project will keep evolving and remain maintained,” the researchers wrote in their analysis. “Most projects experience strong growth in their early years before hitting a peak in community activity as the project reaches full maturity, then the level of engagement tends to stabilize and remain consistent.”

The age of the project was relevant, Rezilion researchers said, noting that most of the projects in the analysis were between 2 and 6 months old. When the researchers looked at both the age of the project and Scorecard score, the age-score combination that was the most common was projects that are 2 months old and have a Scorecard score of 4.5 to 5.

"Newly-established LLM projects achieve rapid success and witness exponential growth in terms of popularity,” the researchers said. “However, their Scorecard scores remain relatively low.”

Development and security teams need to understand the risks associated with adopting any new technologies and make a practice of evaluating them prior to use.

Open Source LLM Projects Likely Insecure, Risky to Use

By Waqas
The research mainly aimed at examining VPNs, firewalls, access points, routers, and other remote server management appliances used by top government agencies in the United States.
This is a post from HackRead.com Read the original post: Exposed Interfaces in US Federal Networks: A Breach Waiting to Happen

**Cybersecurity researchers at Censys referred to publicly-accessible exposed interfaces as “low-hanging fruit” for cybercriminals, as they can easily gain unauthorized access to crucial assets.**

Researchers at Censys, an attack surface management company, have discovered hundreds of devices linked to federal networks that have remotely accessible management interfaces. These interfaces can allow for the controlling and configuring of federal agency networks through the public internet.

**Shocking Details Emerge about Federal Network Devices**

According to a blog post from the Censys Research Team, published on June 26, an examination of the attack surfaces of approximately fifty sub-organizations within the federal civilian executive branch (FCEB) revealed 13,000 different hosts spread across 100 autonomous systems.

Further probing uncovered that services running on a subset of 1,300 FCEB hosts, accessible through IPv4 addresses, had hundreds of devices with publicly accessible management interfaces. This revelation falls within the scope of CISA’s BOD 23-02 (Binding Operational Directive).

**What is BOD 23-02?**

CISA’s BOD 23-02 helps federal agencies eliminate risks associated with remotely accessible management interfaces. It requires federal civilian agencies to remove certain networked management interfaces from the internet and mandates them to implement Zero Trust Architecture capabilities to enforce access control to internet-exposed interfaces within fourteen days of discovery.

**What are the Dangers of Internet-Exposed Interfaces?**

Researchers at Censys referred to publicly-accessible interfaces as “low-hanging fruit” for cybercriminals, as they can easily gain unauthorized access to crucial assets. CISA notes that threat actors are taking a keen interest in targeting certain classes of devices, especially those supporting network infrastructures, as it helps them evade detection.

After compromising these devices, attackers can obtain full access to the network. Misconfigurations, insufficient or outdated security measures, and unpatched software make devices vulnerable to exploitation. If the device management interface is directly connected to or accessible from a public-facing internet, it will be far more damaging for the organization.

**Which Devices Are Impacted?**

Researchers mainly examined VPNs, firewalls, access points, routers, and other remote server management appliances. They found around 250 different web interfaces for hosts exposing network appliances, all using SSH and TELNET remote protocols.

Most of the impacted devices were Cisco network appliances with a publicly accessible Adaptive Security Device Manager interface, whereas they also discovered enterprise Cradlepoint router interfaces revealing wireless network details. Other impacted products include Fortinet FortiGuard, SonicWall, and other popular firewalls.

A screenshot shared by Censys shows a publicly accessible Cradlepoint router web interface belonging to a Federal Civilian Executive Branch (FCEB) organization.

In addition, researchers observed exposed remote access protocols, including NetBIOS, FTP, SNMP, and SMB, out-of-band remote server management devices like Lantronix SLC console server, physical Barracuda Email Security Gateway appliances, Nessus vulnerability scanning servers, HTTP services that exposed directory listings, managed file transfer protocols such as GoAnywhere, MOVEit, and SolarWinds Serv-U, and over 150 end-of-life software.

Fifteen of the remote access protocols, which already contain multiple known vulnerabilities exploitable by threat actors, were running on FCEB’s exposed hosts. The report highlights the need for federal agencies to be more proactive in safeguarding their digital assets and improving security mechanisms across all systems to make devices CISA’s BOD 23-02 compliant.

**RELATED ARTICLES**

1.  Avast found backdoor in US Federal Agency Network
2.  Fed Agency securing communication for Trump got hacked
3.  SolarWinds Hack – US Blames Russian Intel Agency Hackers
4.  Iranian Hackers Accessed Domain Controller of US Fed Network
5.  US and China Exposed Most Databases Among 308k Found in 2021

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Exposed Interfaces in US Federal Networks: A Breach Waiting to Happen

Cequence's latest updates to its Unified API Protection platform help organizations reduce the time needed to create API security testing plans.

API security company Cequence Security has updated its API protection platform with generative AI and no-code security automation to help organizations with security testing and reporting, the company said.

IDC estimates that up to 50% of enterprises’ revenues are enabled over application programming interfaces (APIs), making API security a top priority for CISOs, stated Cequence Security in a blog post about the new capabilities. With generative AI, security teams working with Cequence’s Unified API Protection (UAP) platform can generate API Security Test Plans using plain English, the company said. UAP's Intelligent Mode automatically associates the appropriate APIs with the right test cases, given the functionality of that API.

Cequence gave an example in its blog: Security analysts can say, “Generate a test plan for my Payments API to ensure PCI data compliance,” and the platform will automatically inspect the Payment API endpoints and the payload characteristics to associate the appropriate test cases that would verify that the endpoints are performing as expected.

This functionality reduces the time needed to create a test plan to minutes, rather than months, according to the company.

Security analysts can also use low-code/no-code tools within Cequence to link together multiple third-party connections to implement the equivalent of an API security orchestration and response workflow, the company said. It provided an example of how analysts can create a workflow to log a JIRA ticket when sensitive data exposure is detected from a shadow API, automatically geofence access to the API to internal applications only, and then send an email to the relevant developer or business owner alerting them to the issue.

Other updates to the platform include adding new test cases for the latest OWASP API Top 10 2023 to the test catalog and the ability to run API tests outside of CI/CD pipelines and test directly against staging and production servers.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cequence Security Adds Generative AI to API Security

Organizations are largely deluded about their own security postures, according to an analysis, with the average SIEM failing to detect a whopping 76% of attacker TTPs.

Despite enterprises' best efforts to shore up their security information and event management (SIEM) postures, most platform implementations have massive gaps in coverage, including missing more than three-quarters of the common techniques that threat actors use to use to deploy ransomware, steal sensitive data, and execute other cyberattacks.

Researchers from CardinalOps analyzed data from production SIEM platforms from companies such as Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic, and found that they have detections for just 24% of all MITRE ATT&CK techniques. That means that adversaries can execute about 150 different techniques that can bypass SIEM detection, while only about 50 techniques are spotted, the researchers said.

This is despite the fact that current SIEM systems actually do take in sufficient data to cover potentially 94% of all these techniques, CardinalOps revealed as part of the company's "Third Annual Report on the State of SIEM Detection Risk," released today.

Moreover, organizations are largely deluded about their own security postures and "are often unaware of the gap between the theoretical security they assume they have and the actual security they have in practice," the researchers wrote in the report. This creates "a false impression of their detection posture."

MITRE ATT&CK is a global knowledge base of adversary tactics and techniques based on real-world observations that's aimed at helping organizations detect and mitigate cyberattacks. The report's data is the result of analysis of more than 4,000 detection rules, nearly 1 million log sources and hundreds of unique log source types used in SIEM across a range of diverse industry verticals — including banking and financial services, insurance, manufacturing, energy, and media and telecommunications.

**A Lack of SIEM Fine-Tuning to Blame for Detection Fails**

The key issue contributing to the current state of SIEM efficacy (or lack thereof) seems to be that even though resources exist for organizations to use knowledge, automation, and other processes to detect adversaries and potential attacks on their environments, they still largely rely on manual and other "error-prone" processes for developing new detections, the researchers noted. This makes it difficult to reduce their backlogs and act quickly to fill gaps in detection.

Indeed, SIEMs themselves "are not magic" and rely on the organizations deploying them to do so correctly and efficiently, notes Mike Parkin, senior technical engineer at Vulcan Cyber, a security-as-a-service provider of enterprise cyber-risk remediation.

"Like most tools, they require fine-tuning to deliver the best results for the environment they’re deployed in," he says. "These report results imply that many organizations have gotten the basics working but haven’t done the fine-tuning necessary to take their detection, response, and risk management strategies to the next level."

In addition to the need to scale detection-engineering processes to develop more detections faster, one key issue that seems to be tripping up detection in enterprise SIEM deployments is that on average, they have 12% of rules that are broken, which means they will never file an alert when something is amiss, according to the report.

"This commonly occurs due to ongoing changes in the IT infrastructure, vendor log format changes, and logical or accidental errors in writing a rule," the researchers noted in the report. "Adversaries can exploit gaps created by broken detections to successfully breach organizations."

**Why MITRE ATT&CK Matters**

MITRE ATT&CK, created in 2013, has now "become the standard framework for understanding adversary playbooks and behavior," the researchers noted. And as threat intelligence has advanced, so has the wealth of knowledge the framework provides, currently describing more than 500 techniques and sub-techniques used by threat groups such as APT28, the Lazarus Group, FIN7, and Lapsus$.

"The biggest innovation introduced by MITRE ATT&CK is that it extends the traditional intrusion kill chain model to go beyond static indicators of compromise (like IP addresses, which attackers can change constantly) to catalog all known adversary playbooks and behaviors (TTPs)," the CardinalOps researchers wrote.

Organizations clearly see the value in using MITRE ATT&CK to help them in their security efforts, with 89% currently using the knowledge base to reduce risk for security-operations use cases — such as determining priorities for detection engineering, applying threat intelligence to alert triage, and gaining a better understanding of adversary TTPs, the researchers noted, citing Enterprise Strategy Group (ESG) research.

However, using the framework to support SIEM efforts and using it well appear to be two very different scenarios, the report found.

**Closing the SIEM Gap**

There are steps that organizations can take to help close the gap between what a SIEM is capable of in terms of cyberattack detection, and how they currently are using it, researchers and security experts said.

One key strategy would be to scale SIEM detection-engineering processes to develop more detections faster using automation, something that companies already use widely to great effect in "multiple areas of the SOC, such as anomaly detection and incident response," but not so much in detection, they noted in the report.

"The detection-engineering function remains stubbornly manual and typically dependent on 'ninjas' with specialized expertise," the researchers wrote.

Indeed, having a focus on automation is critical to achieving goals with limited human and financial resources, agrees one security expert.

"This includes expanding automated detection to include Internet of things (IoT) and operational technology (OT) attack vectors, as well as having plans already in place for automated threat remediation," says John Gallagher, vice president of Viakoo Labs at Viakoo.

One key challenge that organizations continue to face is that the current attack surface — which now includes large numbers of vulnerable network-connected devices as well as the typical enterprise network — has grown well past what the IT organization is currently capable of supporting or managing, Gallagher says.

"To defend and maintain the integrity of those assets requires IT working closely with other parts of the organization to ensure those assets are visible, operational, and secure," he says.

Indeed, Parkin observes, until organizations can get a clear picture of their threat surfaces, manage their risk, and prioritize events to focus on what matters most, there will be problems.

"We have the tools to make it happen," he says. "But it can be a challenge to get them deployed and configured for best effect."

Most Enterprise SIEMs Blind to MITRE ATT&CK Tactics

WordPress LearnDash LMS version 4.6.0 suffers from an insecure direct object reference vulnerability.

    Description: LearnDash LMS <= 4.6.0 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change Affected Plugin: LearnDash LMSPlugin Slug: sfwd-lmsAffected Versions: <= 4.6.0CVE ID: CVE-2023-3105CVSS Score: 8.8 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HResearcher/s: Lana Codes Fully Patched Version: 4.6.0.1The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with existing account access at any level, to change user passwords and potentially take over administrator accounts.Technical AnalysisThe LearnDash LMS plugin provides the shortcode ‘[ld_reset_password]‘ to embed a password reset form into a page on a WordPress site. The form allows users to submit their username or email address to receive an email with a password reset link containing a user activation key.Examining the code reveals that the plugin checks that the user activation key belongs to the given user with the learndash_reset_password_verification() function only when displaying the new password form, where the new password can be entered.[View this code snippet on the blog]  However, there is no user activation key check when processing this form. This makes it possible for any authenticated user who has accessed the password reset form via the link sent in the email to modify the password of another user by changing the value of the username hidden input field.[View this code snippet on the blog]  As with any Arbitrary User Password Change that leads to a Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.Disclosure TimelineJune 5, 2023 – Discovery of the Arbitrary User Password Change vulnerability in LearnDash LMS.June 5, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.June 5, 2023 – The vendor confirms the inbox for handling the discussion.June 5, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.June 5, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.June 6, 2023 – A fully patched version of the plugin, 4.6.0.1, is released.July 5, 2023 – Wordfence Free users receive the same protection.ConclusionIn this blog post, we have detailed an Arbitrary User Password Change vulnerability within the LearnDash LMS plugin affecting versions 4.6.0 and earlier. This vulnerability allows threat actors to easily take over websites by resetting the password of any user, including administrators. The vulnerability has been fully addressed in version 4.6.0.1 of the plugin. We encourage WordPress users to verify that their sites are updated to the latest patched version of LearnDash LMS.Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 5, 2023. Sites still using the free version of Wordfence will receive the same protection on July 5, 2023.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

WordPress LearnDash LMS 4.6.0 Insecure Direct Object Reference

As the business environment becomes increasingly connected, organizations’ attack surfaces continue to expand, making it challenging to map and secure both known and unknown assets. In particular, unknown assets present security challenges related to shadow IT, misconfigurations, ineffective scan coverage, among others. 
Given attack surface sprawl and evolving threats, many organizations are

As the business environment becomes increasingly connected, organizations' attack surfaces continue to expand, making it challenging to map and secure both known and unknown assets. In particular, unknown assets present security challenges related to shadow IT, misconfigurations, ineffective scan coverage, among others.

Given attack surface sprawl and evolving threats, many organizations are embracing **attack surface management (ASM)** tools to discover and address critical exposures.

Asset discovery is an important capability to have, and one that's helping to drive the adoption of attack surface management tools and services. That said, asset discovery is only one aspect of effective attack surface management. Making the attack surface as impenetrable as possible takes offensive security that goes far beyond the discovery phase.

**Why Asset Discovery Isn't Enough**

Given the complexity and ever-expanding scale of the digital infrastructure at most companies, cataloging all the known devices and assets is laborious, and discovering all the unknown ones takes deep sleuthing. Building a complete inventory ensures that all devices and assets are subject to the same security measures and that no vulnerabilities are lurking in the shadows. It's an important and complex step.

However, asset discovery alone is not a solution.

Discover, prioritize, and effectively remediate vulnerabilities with data-driven **Offensive Security Vision Report 2023**. Get actionable insights based on 300,000+ findings from pentest engagements. Prioritize your defense strategy.

Asset discovery helps security teams gain a comprehensive view of the full attack surface, often referred to as attack surface mapping. What it does not do is help security teams identify weaknesses and vulnerabilities in the attack surface. Most importantly, asset discovery does not support remediation of any of those issues, which means the attack surface remains at risk of being compromised by sophisticated threat actors.

Source: NetSPI Attack Surface Management Platform Home Screen

Asset discovery improves visibility. For attack surface management to effectively improve an organization's offensive security program, it must incorporate vulnerability prioritization and remediation as well.

There are many different approaches to vulnerability remediation, with some being more effective than others.

**How to Prioritize Vulnerability Remediation**

Vulnerability remediation requires multiple phases. The first phase involves finding every weakness in the attack surface – including identifying both known and unknown assets and associated vulnerabilities. Next a vulnerability list is created and ranked by severity so security teams can remediate the most urgent risks first.

Most modern attack surface management tools take this approach to some extent. They call attention to the riskiest vulnerabilities and often outline remediation steps as well. However, the effectiveness of this process depends on the intelligence that informs it. And if the intelligence isn't sophisticated or backed with human analysis, this means vulnerabilities may get overlooked or under-prioritized. As a result, cyber criminals will have an easier path to breach the attack surface.

What differentiates quality intelligence from the rest? Context, primarily. Vulnerability and risk are complex determinations. And while automation can scan high volumes of data at once, technology alone often struggles or fails to see red flags.

Relying on a combination of technology, a comprehensive methodology, and a human offensive security team with deep experience and cross-domain expertise adds the context that automated vulnerability management tools often lack. The result is better insight into the most critical vulnerabilities, along with smarter strategies to remediate vulnerabilities as quickly, easily, and completely as possible.

Automation is a vital capability, both for asset discovery and vulnerability remediation. But the best outcomes and the strongest possible attack surface happen when expert human teams are also involved.

**Select Attack Surface Management Tools Strategically**

Getting the full benefits of attack surface management – such as stronger yet more streamlined security – requires thoughtful consideration to select the right tools and vendors.

Look first for a solution that goes beyond asset discovery to enable and improve upon vulnerability remediation. Then prioritize partners that run this process with a human operations team to find a team with tenure.

Global companies trust NetSPI's experienced team, technology, and comprehensive methodology to discover and address risky exposures before adversaries do. Learn more about NetSPI's attack surface management capabilities by **connecting with the team today**.

**Note:** This expertly contributed article is written by Brianna McGovern. Brianna is NetSPI's Product Manager of ASM and holds a degree in Industrial Engineering from Penn State University.

NetSPI is the global leader in offensive security, delivering the most comprehensive suite of penetration testing, attack surface management, and breach and attack simulation solutions. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. Its global cybersecurity experts are committed to securing the world's most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading global cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with offices across the U.S., Canada, the UK, and India.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Beyond Asset Discovery: How Attack Surface Management Prioritizes Vulnerability Remediation

The Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.0. This is due to a missing capability check on the ajax_store_save() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify plugin settings and inject malicious web scripts.

**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')**

CVE

CVE-2023-3412

CVSS

6.4 (Medium)

Publicly Published

June 26, 2023

Last Updated

June 27, 2023

**Description**

The Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.0. This is due to a missing capability check on the ajax\_store\_save() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify plugin settings and inject malicious web scripts.

**References**

*   plugins.trac.wordpress.org

**Share**

**1 affected software package**

Software Type

Plugin

Software Slug

image-map-pro-lite (view on wordpress.org)

Patched?

No

Remediation

No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

Affected Version

*   <= 1.0.0

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

All the threat data shared in this database is powered by **Wordfence Intelligence Enterprise**.  
Interested in integrating this data into your platform or network?  
Contact us now to discuss API access to our Wordfence Intelligence Enterprise Data Feeds.

Inquire Now

Want to get notified of the latest vulnerabilities that may affect your WordPress site?  
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

CVE-2023-3412: Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite <= 1.0.0 - Missing Authorization to Stored Cross-Site Scripting — Wordfence Intelligence

Tag

#intel