**LONDON, United Kingdom— March 7, 2023 —** ManageEngine, the enterprise IT management division of Zoho Corporation, today announced that it has added a security and risk posture management dashboard to Log360, its unified security information and event management (SIEM) solution with integrated DLP and CASB capabilities. Enterprises can leverage this new feature to implement proactive security strategies and prevent cyberattacks before they occur.

Establishing a proactive security strategy relies largely on assessing the risks of network platforms continuously. Risk assessment and management, if done right, strengthens enterprise security and thereby prevents hackers from intruding in the network. Compliance regulations across regions require enterprises of all industries and sizes to follow security best practices to harden their network infrastructures. AD is often a primary target for adversaries. Continuously assessing AD risks and enhancing its security posture are essential to preventing cyberattacks from happening.

**Pre-empt Intrusions with Log360's Security and Risk Posture Management**

Stolen or compromised credentials are a common attack vector. Once an account within an organisation is compromised, attackers can get hold of other user accounts, move laterally through the network, and access sensitive data. This is where AD security hardening can help an organisation ward off security threats related to sensitive data. 

"With the introduction of more regional compliance mandates, aligning security and compliance is more crucial than ever and has become an important conversation in board meetings. Security and risk posture management—a proactive security strategy—is an integral part of many compliance requirements," said Manikandan Thangaraj, vice president of ManageEngine.

"ManageEngine has augmented its unified SIEM solution with security and risk posture management that allows enterprises to gain visibility into the current risk posture of their network resources. This helps identify critical loopholes and vulnerabilities that, if exploited, can cause significant damage. Furthermore, the feature helps curb account compromise and misconfigurations, two of the most commonly used techniques for launching an attack," Thangaraj said.

**Highlights of ManageEngine** **Log360's Security and Risk Posture Management**

*   Visibility into AD infrastructure compliance with Microsoft security baselines
*   Accurate detection of weak and risky AD infrastructure configurations and comprehensive security and risk posture calculations
*   Continuous assessments along with AD security posture recommendations to fix loopholes and reduce the risk of being attacked
*   A continuous risk assessment and management dashboard that helps you meet stringent compliance requirements with ease

Log360 also has extensive machine learning-based user and entity behaviour analytics that actively monitor user behaviour and identity compromise. By combining all these features, Log360 offers comprehensive protection against account compromise and identity theft and facilitates quick action against potential breaches.

**About Log360**

Log360 is a unified SIEM solution with integrated DLP and CASB capabilities that detects, prioritizes, investigates, and responds to security threats. It combines threat intelligence, machine learning-based anomaly detection, and rule-based attack detection techniques to detect sophisticated attacks and offers an incident management console for effectively remediating detected threats. Log360 provides holistic security visibility across on-premises, cloud, and hybrid networks with its intuitive and advanced security analytics and monitoring capabilities. For more information about Log360, visit manageengine.com/log-management/.

**About ManageEngine**

ManageEngine is the enterprise IT management division of Zoho Corporation. Established and emerging enterprises—including 9 of every 10 Fortune 100 organisations—rely on ManageEngine's real-time IT management tools to ensure optimal performance of their IT infrastructure, including networks, servers, applications, endpoints and more. ManageEngine has offices worldwide, including the United States, the United Arab Emirates, the Netherlands, India, Colombia, Mexico, Brazil, Singapore, Japan, China and Australia, as well as 200+ global partners to help organisations tightly align their business and IT. For more information, please visit manageengine.com, follow the company blog and get connected on LinkedIn, Facebook and Twitter.

ManageEngine Launches Security and Risk Posture Management in its SIEM Solution

More than 4% of employees have put sensitive corporate data into the large language model, raising concerns that its popularity may result in massive leaks of proprietary information.

Employees are submitting sensitive business data and privacy-protected information to large language models (LLMs) such as ChatGPT, raising concerns that artificial intelligence (AI) services could be incorporating the data into their models, and that information could be retrieved at a later date if proper data security isn't in place for the service.

In a recent report, data security service Cyberhaven detected and blocked requests to input data into ChatGPT from 4.2% of the 1.6 million workers at its client companies because of the risk of leaking confidential information, client data, source code, or regulated information to the LLM. 

In one case, an executive cut and pasted the firm's 2023 strategy document into ChatGPT and asked it to create a PowerPoint deck. In another case, a doctor input his patient's name and their medical condition and asked ChatGPT to craft a letter to the patient's insurance company.

And as more employees use ChatGPT and other AI-based services as productivity tools, the risk will grow, says Howard Ting, CEO of Cyberhaven.

"There was this big migration of data from on-prem to cloud, and the next big shift is going to be the migration of data into these generative apps," he says. "And how that plays out \[remains to be seen\] — I think, we're in pregame; we're not even in the first inning."

With the surging popularity of OpenAI's ChatGPT and its foundational AI model — the Generative Pre-trained Transformer or GPT-3 — as well as other LLMs, companies and security professionals have begun to worry that sensitive data ingested as training data into the models could resurface when prompted by the right queries. Some are taking action: JPMorgan restricted workers' use of ChatGPT, for example, and Amazon, Microsoft, and Wal-Mart have all issued warnings to employees to take care in using generative AI services.

    

More users are submitting sensitive data to ChatGPT. Source: Cyberhaven

And as more software firms connect their applications to ChatGPT, the LLM may be collecting far more information than users — or their companies — are aware of, putting them at legal risk, Karla Grossenbacher, a partner at law firm Seyfarth Shaw, warned in a Bloomberg Law column.

"Prudent employers will include — in employee confidentiality agreements and policies — prohibitions on employees referring to or entering confidential, proprietary, or trade secret information into AI chatbots or language models, such as ChatGPT," she wrote. "On the flip side, since ChatGPT was trained on wide swaths of online information, employees might receive and use information from the tool that is trademarked, copyrighted, or the intellectual property of another person or entity, creating legal risk for employers."

The risk is not theoretical. In a June 2021 paper, a dozen researchers from a Who's Who list of companies and universities — including Apple, Google, Harvard University, and Stanford University — found that so-called "training data extraction attacks" could successfully recover verbatim text sequences, personally identifiable information (PII), and other information in training documents from the LLM known as GPT-2. In fact, only a single document was necessary for an LLM to memorize verbatim data, the researchers stated in the paper.

**Picking the Brain of GPT**

Indeed, these training data extraction attacks are one of the key adversarial concerns among machine learning researchers. Also known as "exfiltration via machine learning inference," the attacks could gather sensitive information or steal intellectual property, according to MITRE's Adversarial Threat Landscape for Artificial-Intelligence Systems (Atlas) knowledge base.

It works like this: By querying a generative AI system in a way that it recalls specific items, an adversary could trigger the model to recall a specific piece of information, rather than generate synthetic data. A number of real-world examples exists for GPT-3, the successor to GPT-2, including an instance where GitHub's Copilot recalled a specific developer's username and coding priorities.

Beyond GPT-based offerings, other AI-based services have raised questions as to whether they pose a risk. Automated transcription service Otter.ai, for instance, transcribes audio files into text, automatically identifying speakers and allowing important words to be tagged and phrases to be highlighted. The company's housing of that information in its cloud has caused concern for journalists.

The company says it has committed to keeping user data private and put in place strong compliance controls, according to Julie Wu, senior compliance manager at Otter.ai.

"Otter has completed its SOC2 Type 2 audit and reports, and we employ technical and organizational measures to safeguard personal data," she tells Dark Reading. "Speaker identification is account bound. Adding a speaker’s name will train Otter to recognize the speaker for future conversations you record or import in your account," but not allow speakers to be identified across accounts.  

**APIs Allow Fast GPT Adoption**

The popularity of ChatGPT has caught many companies by surprise. More than 300 developers, according to the last published numbers from a year ago, are using GPT-3 to power their applications. For example, social media firm Snap and shopping platforms Instacart and Shopify are all using ChatGPT through the API to add chat functionality to their mobile applications.

Based on conversations with his company's clients, Cyberhaven's Ting expects the move to generative AI apps will only accelerate, to be used for everything from generating memos and presentations to triaging security incidents and interacting with patients.

As he says his clients have told him: "Look, right now, as a stopgap measure, I'm just blocking this app, but my board has already told me we cannot do that. Because these tools will help our users be more productive — there is a competitive advantage — and if my competitors are using these generative AI apps, and I'm not allowing my users to use it, that puts us at a disadvantage."

The good news is education could have a big impact on whether data leaks from a specific company because a small number of employees are responsible for most of the risky requests. Less than 1% of workers are responsible for 80% of the incidents of sending sensitive data to ChatGPT, says Cyberhaven's Ting.

"You know, there are two forms of education: There's the classroom education, like when you are onboarding an employee, and then there's the in-context education, when someone is actually trying to paste data," he says. "I think both are important, but I think the latter is way more effective from what we've seen."

In addition, OpenAI and other companies are working to limit the LLM's access to personal information and sensitive data: Asking for personal details or sensitive corporate information currently leads to canned statements from ChatGPT demurring from complying.

For example, when asked, "What is Apple's strategy for 2023?" ChatGPT responded: "As an AI language model, I do not have access to Apple's confidential information or future plans. Apple is a highly secretive company, and they typically do not disclose their strategies or future plans to the public until they are ready to release them."

Employees Are Feeding Sensitive Biz Data to ChatGPT, Raising Security Fears

**LONDON, UK / March 7, 2023** - Egress, a cybersecurity company that provides intelligent email security, today released its **Email Security Risk Report 2023**. The report uncovers findings that demonstrate the prevalence of inbound and outbound email security incidents in Microsoft 365, with 92% of organizations falling victim to successful phishing attacks in the last 12 months, while 91% of organizations admit they have experienced email data loss. Not surprisingly, 99% of cybersecurity leaders confess to being stressed about email security. Specifically, 98% are frustrated with their Secure Email Gateway (SEG), with 53% conceding that too many phishing attacks bypass it.  

“The growing sophistication of phishing emails is a major threat to organizations and needs to be urgently addressed,” said Jack Chapman, VP of Threat Intelligence, Egress. “The signature-based detection used by Microsoft 365 and secure email gateways (SEGs) can filter out many phishing emails with known malicious attachments and links, but cybercriminals want to stay one step ahead. They are evolving their payloads and increasingly turning to text-based attacks that utilize social engineering tactics and attacks from a known or trusted source, such as a compromised supply chain email address.”

“Unfortunately, phishing attacks will only become more advanced in the future, as cybercriminals use AI-powered technologies, such as chatbots, to automate and improve their attacks, such as adding video and voice capabilities to text-based phishing.”

**Email Security Risks Report 2023: Key findings**

The report investigates both inbound phishing attacks and outbound data loss and exfiltration, highlighting the importance of a holistic approach to email security. Interestingly, 71% of surveyed cybersecurity leaders view inbound and outbound email security as a unified issue to tackle, recognizing their interconnected nature. The survey goes on to examine the technical controls and security awareness and training (SA&T) programs in place to reduce email security risk.

**Organizations continue to fall victim to phishing attacks**

Customer and employee churn were top of the list of negative impacts following an inbound email security incident.

*   86% of surveyed organizations were negatively impacted by phishing emails.
*   54% of organizations suffered financial losses from customer churn following a successful phishing attack.
*   40% of incidents resulted in employees exiting the organization.
*   85% of cybersecurity leaders say a successful account takeover (ATO) attack started with a phishing email. 
*   The top three types of phishing attacks that organizations fell victim to:

*   Phishing involving malicious URL or malware attachment.
*   Social engineering.
*   Supply chain compromise.

**Risky behavior and mistakes lead to costly data loss**

People making mistakes or taking risks in the name of getting the job done are far more common than malicious insiders, the survey found:

*   91% of the cybersecurity leaders surveyed said data has been leaked externally by email, with the three top causes for these incidents:

*   Reckless or risky employee behavior, such as transferring data to personal accounts for remote work.
*   Human error, including employees emailing confidential information to incorrect recipients.
*   Malicious or self-serving data exfiltration, such as taking data to a new job.

*   49% suffered financial losses from customer churn following a data loss incident.
*   48% of incidents resulted in employees exiting the organization.

**Cybersecurity leaders confess a dissatisfaction with SEG technologies**

The survey found dissatisfaction with many of the traditional SEG technologies in place to stop email security threats, with 98% of cybersecurity leaders frustrated with their SEG:

*   58% - It isn’t effective in stopping employees from accidentally emailing the wrong person or with the wrong attachment.
*   53% - Too many phishing emails end up in employees’ inboxes.
*   50% - It takes a lot of administrative time to manage.

**Is traditional security awareness and training (SA&T) effective at changing behavior?**

While 98% of the surveyed organizations carry out some kind of security awareness and training (SA&T), 96% aired a concern or limitation with their SA&T programs:

*   59% say it’s necessary for compliance with regulations or cyber insurance.
*   46% say employees skip through it as fast as possible.
*   37% admit they are not confident people remember what they’re taught.
*   29% say employees find training annoying.

**How to defend against inbound and outbound email security threats**

The report highlights that people need real-time teachable moments thatalertthem to threats and engage them at the point of risk to tangibly reduce the number of security incidents that occur.

Data throughout the report highlights that advanced email security is a necessity for everyday business. Despite investments in traditional email security and SA&T, surveyed organizations remain highly vulnerable to phishing attacks, human error, and data exfiltration. Egress recommends the only way to change the situation is to use intelligent email security solutions that augment traditional SEGs and Microsoft 365, offering the defense-in-depth required with a layered security approach. New integrated cloud email security solutions (ICES) use intelligent technology to deliver behavior-based security and are proven to provide additional security and controls that stop advanced phishing threats and detect the anomalies in human behavior that lead to data loss and data exfiltration within Microsoft 365.

To read **Egress Email Security Risk Report 2023:** _Inbound and outbound email security threats in Microsoft 365,_ including all its analysis and findings please visit https://egress.co/ufxkz.

**About Egress**

Egress makes digital communication safer for everyone. As advanced and persistent cybersecurity threats continue to evolve, we recognize that people get hacked, make mistakes, and break the rules. Egress's Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss, resulting in the reduction of human activated risk. 

Used by the world’s biggest brands, Egress is private equity backed and has offices in London, New York, and Boston.

99% of Cybersecurity Leaders Are Stressed About Email Security

Third annual report identifies top security gaps and challenges for organizations operating in the cloud.

**SANTA** **CLARA,** **Calif.****,** **March** **7,** **2023** **/PRNewswire/** **\--** Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today published its 2023 State of Cloud-Native Security Report. The report surveyed more than 2,500 C-level executives around the world to better understand their cloud adoption strategies, and how those strategies are working.

With organizations of all sizes moving more of their operations to the cloud, a majority are struggling to automate cloud security and mitigate risks. It's one reason why many companies are trying to improve security earlier in the development process, and looking for fewer vendors that can offer more security capabilities.

**Cloud Use Has Grown, Along With Security Concerns -** The expansion of hybrid work during the pandemic drove organizations to expand their use of clouds by more than 25%. As a result, DevOps teams are being pressed to deliver production code at warp speed — making application security more complex, and putting pressure on security organizations to keep pace.

**Most Organizations are Slow to Detect and Respond to Threats** \- 90% of organizations we surveyed said they cannot detect, contain and resolve cyber threats within an hour. Bad actors are working just as fast as developers to take advantage of organizations' vulnerabilities. What could go wrong often does go wrong and any cloud asset that is inadvertently exposed to the internet can be compromised within minutes. Detecting threats in real-time represents the new frontier of cloud security.

**Teams Don't Understand Their Security Responsibilities** - When asked about the challenges of moving to the cloud, respondents' top concerns remained unchanged from our 2020 report: struggles with comprehensive security, compliance, and technical complexity. A large majority (78%) of organizations said they have distributed responsibility for cloud security to individual teams, but almost half (47%) said a majority of their workforce does not understand their security responsibilities.

**A Greater Need for Code-to-Cloud Security -** As more applications are being built in the cloud using off-the-shelf software, there's a risk that any vulnerability in the development process could compromise an entire application later on. That's why more companies are encouraging a deeper level of engagement between application developers and security tools and teams — with 81% of respondents saying they have embedded security professionals inside their DevOps teams.

"With three out of four organizations deploying new or updated code to production weekly, and almost 40% committing new code daily, no one can afford to overlook the security of cloud workloads," said Ankur Shah, senior vice president, Prisma Cloud, Palo Alto Networks. "As cloud adoption and expansion continues, organizations need to adopt a platform approach that secures applications from code to cloud across multicloud environments."

**Moving Towards Consolidation** \- Three quarters of the leaders we surveyed say they struggle to identify which security tools are necessary to achieve their objectives. This has led many of them to implement numerous single point solutions — with the average organization using more than 30 security tools, including six to 10 dedicated to cloud security.

The sheer number of security tools makes it difficult for leaders to have in-depth visibility into their entire cloud portfolio. 76% of survey respondents reported that using multiple security tools creates blind spots that affect their ability to prioritize risk and prevent threats. And 80% said they would benefit from a centralized security solution that sits across all of their cloud accounts and services.

**A Clear Path Forward -** Despite the upheaval caused by the pandemic, organizations have mostly been able to succeed in their cloud expansions — and organizations that made cloud infrastructure a strategic focus across the business were generally more successful. This makes cloud security a clear enabler of business outcomes.

Of course better security does not guarantee success. But having security under control — consolidating tools and vendors and using proven DevSecOps and security automation strategies — lets development teams do their jobs better and gives organizations the tools they need to succeed.

**About the Survey**

This survey was administered online by Palo Alto Networks, and data was gathered from November 21, 2022, to December 14, 2022. Respondents were surveyed from across the globe, spanning the U.S., Australia, Germany, the UK, Singapore and Japan. Over half are from enterprise-sized organizations (over $1B in annual revenue), and respondents were gathered from both ends of the organizational spectrum between executive leadership and more practitioner-level roles in order to understand sentiments broadly across companies.

**Additional Resources**

*   Read more about the 2023 State of Cloud-Native Security Report in this blog.
*   Watch the State of Cloud-Native Security Report Webinar on demand.
*   Find out more about Prisma Cloud here.
*   Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021 and 2022), Comparably Best Companies for Diversity (2021), and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Prisma, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in_ the United States _and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

SOURCE Palo Alto Networks, Inc.

Palo Alto Survey Reveals 90% of Organizations Cannot Resolve Cyberthreats Within an Hour

**REDWOOD CITY, Calif.****,** **March 7, 2023** **/PRNewswire/ --** Delinea, a leading provider of Privileged Access Management (PAM) solutions for seamless security, today announced new features for its Privilege Manager and DevOps Secrets Vault products. Updates to both products make it more seamless to implement the controls frequently required to secure or renew cyber insurance policies.

Enhancements to Privilege Manager, Delinea's solution for managing privileged access on workstations, focus on policies for Windows Store applications and updates for MacOS Ventura. The latest version of DevOps Secrets Vault, Delinea's high-speed vault for DevOps and DevSecOps teams, makes it easier for developers to install the Command Line Interface (CLI) in their favorite coding console while also providing their own encryption keys.

According to a recent Delinea survey, almost 80% of respondents indicate that they have already used their cyber insurance policies, and only 40% met PAM requirements when they applied for their policies. Credentials hard-coded in applications are a vulnerability that can be exploited, potentially leading to claims that may not be supported when less than 50% of survey respondents' policies cover data recovery. Furthermore, the survey revealed that ransomware attacks often start on workstations, and over 70% of policies will not cover ransomware payments.

**Stronger privilege controls on Windows and Macs**

The latest version of Privilege Manager allows administrators to build policies for applications installed from the Windows Store and other Universal Windows Platform applications, defining which applications are not allowed to run. Enhancements to the native MacOS agent ensure that users on MacOS Ventura have consistent application controls. Both updates make installing ransomware on Windows and Mac workstations more difficult, including those running the latest operating systems from Microsoft and Apple. Other updates include enhancements to the UI that highlight the number of workstations impacted by policy changes and management of certificate credentials.

**Streamlined credential management in the most popular coding consoles**

New CLI installers for DevOps Secrets Vault allow developers to run a native command in their environment to install and begin dynamically injecting credentials into their applications. CLI installers are supported for several of the most popular coding consoles – HomeBrew, PowerShell, Aqua, Curl, Snap, and Scoop. Enhancements to the Command Line Interface allow developers to configure and use their own encryption keys to provide even stronger security. Additional enhancements include new flags to the rest API and CLI for more easily searching objects, and an improved "break glass" security function.

"Our customers increasingly approach us with more stringent cyber insurance requirements, often necessitating more modern Privileged Access Management controls," said Phil Calvin, Chief Product Officer at Delinea. "We continuously focus on making it less complicated to implement privileged access policies, and these two product releases make PAM more seamless for both workstations and coded credentials."

Organizations can start a free trial of the latest versions of Privilege Manager at https://delinea.com/products/privilege-manager and DevOps Secrets Vault at https://delinea.com/products/devops-secrets-management-vault.

**About Delinea**

Delinea is a leading provider of privileged access management (PAM) solutions that make security seamless for the modern, hybrid enterprise. Our solutions empower organizations to secure critical data, devices, code, and cloud infrastructure to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter, and YouTube.

Delinea Adds New features for its Privilege Manager and DevOps Secrets Vault

The BackupWordPress plugin for WordPress is vulnerable to information disclosure in versions up to, and including 3.12. This is due to missing authorization on the heartbeat_received() function that triggers on WordPress heartbeat. This makes it possible for authenticated attackers, with subscriber-level permissions and above to retrieve back-up paths that can subsequently be used to download the back-up.

This record contains material this is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you, include a hyperlink to this vulnerability record, and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-community@wordfence.com so we can make any appropriate adjustments.

CVE-2022-4931: BackupWordPress <= 3.12 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure — Wordfence Intelligence Community Edition

The Plus Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to, and including 4.1.9 (pro) and 2.0.6 (free). The plugin adds a registration form to the Elementor page builders functionality. As part of the registration form, users can choose which role to set as the default for users upon registration. This field is not hidden for lower-level users so any user with access to the Elementor page builder, such as contributors, can set the default role to administrator. Since contributors can not publish posts, only author+ users can elevate privileges without interaction via a site administrator (to approve a post).

**Description**

The Plus Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to, and including 4.1.9 (pro) and 2.0.6 (free). The plugin adds a registration form to the Elementor page builders functionality. As part of the registration form, users can choose which role to set as the default for users upon registration. This field is not hidden for lower-level users so any user with access to the Elementor page builder, such as contributors, can set the default role to administrator. Since contributors can not publish posts, only author+ users can elevate privileges without interaction via a site administrator (to approve a post).

**References**

*   plugins.trac.wordpress.org

**Share**

**2 affected software packages**

Software Type

Plugin

Software Slug

the-plus-addons-for-elementor-page-builder (view on wordpress.org)

Patched?

Yes

Remediation

Update to version 2.0.7, or a newer patched version

Affected Version

*   <= 2.0.6

Patched Version

*   2.0.7

Software Type

Plugin

Software Slug

theplus\_elementor\_addon

Patched?

Yes

Remediation

Update to version 4.1.10, or a newer patched version

Affected Version

*   <= 4.1.9

Patched Version

*   4.1.10

This record contains material this is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you, include a hyperlink to this vulnerability record, and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-community@wordfence.com so we can make any appropriate adjustments.

All the threat data shared in this database is powered by **Wordfence Intelligence**.  
Interested in integrating this data into your platform or network?  
Contact us now to discuss API access to our Wordfence Intelligence Data Feeds.

Inquire Now

Want to get notified of the latest vulnerabilities that may affect your WordPress site?  
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence Community Edition WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

CVE-2021-4331: The Plus Addons for Elementor PRO <= 4.1.9 & The Plus Addons for Elementor <= 2.0.6 - Authenticated (Contributor+) Privilege Escalation — Wordfence Intelligence Community Edition

The WP Statistics plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 13.1.1. This is due to missing or incorrect nonce validation on the view() function. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**Cross-Site Request Forgery (CSRF)**

CVE

CVE-2021-4333

CVSS

6.5 (Medium)

Publicly Published

September 11, 2021

Last Updated

March 7, 2023

Researcher

Ramuel Gall  

**Description**

The WP Statistics plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 13.1.1. This is due to missing or incorrect nonce validation on the view() function. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**References**

*   plugins.trac.wordpress.org

**Share**

**1 affected software package**

Software Type

Plugin

Software Slug

wp-statistics (view on wordpress.org)

Patched?

Yes

Remediation

Update to version 13.1.2, or a newer patched version

Affected Version

*   <= 13.1.1

Patched Version

*   13.1.2

This record contains material this is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you, include a hyperlink to this vulnerability record, and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-community@wordfence.com so we can make any appropriate adjustments.

All the threat data shared in this database is powered by **Wordfence Intelligence**.  
Interested in integrating this data into your platform or network?  
Contact us now to discuss API access to our Wordfence Intelligence Data Feeds.

Inquire Now

Want to get notified of the latest vulnerabilities that may affect your WordPress site?  
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence Community Edition WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

CVE-2021-4333: WP Statistics <= 13.1.1 - Cross-Site Request Forgery to Arbitrary Plugin Activation and Deactivation — Wordfence Intelligence Community Edition

The health, manufacturing, and energy sectors are the most vulnerable to ransomware.

National defense and security experts long predicted that future warfare would not be waged by firearms but with code designed to disable services people depend on for daily life.

In May 2021, security experts' worst fears came true, when a ransomware attack struck the Colonial Pipeline. Gas delivery to most of the US Northeast halted almost overnight. Although systems were eventually restored, the event still lives in infamy today and reminds us of the destructive potential cyberattacks can have when levied against critical infrastructure. Since then, similar infrastructure attacks have dominated headlines across most of the world and are increasingly carried out by non-state-sponsored actors.

In our "Q2/Q3 Ransomware Index Update," Securin (formerly Cyber Security Works) researchers mapped out the impact of ransomware on industrial control systems (ICS) deployed in critical infrastructure establishments. They identified the three most at-risk sectors: healthcare, energy, and manufacturing. Our researchers also examined 16 ransomware vulnerabilities and the bad actors who exploit them, such as Ryuk, Conti, WannaCry, and Petya. We have included a table at the end of the article with the full list of vulnerabilities and impacted vendors.

With each successful attack, ransomware groups grow bolder and target industries that can cause the most pain to exploit the crises for maximum extortion. Understanding the threat actors and their methods is the key to protecting critical industries and maintaining smooth operations.

    

Ransomware CVEs affecting ICS products yet to be included in the CISA KEVs (as on date of publishing the report).

**Healthcare**

Cybersecurity and Infrastructure Security Agency (CISA) advisories to healthcare providers come in the aftermath of ongoing attacks by ransomware groups such as Black Basta, Quantum, and MountLocker. The impact of unpatched critical vulnerabilities in this sector could be potentially life threatening.

Public health and healthcare systems are affected by the majority of vulnerabilities — nine out of the 16 identified — because they are dependent on other sectors for the continuity of their service delivery and operations. Philips Healthcare, a technology-based company that develops advanced visualization software for crucial imaging equipment, is the most affected vendor, clocking in eight vulnerabilities found in its IntelliSpace Portal 9.0. Vulnerabilities CVE-2017-0144 and CVE-2017-0147 should be patched immediately for their high ransomware family associations used in real-world attacks.

**Energy**

An attack on an energy provider can result in grid failure or inconsistent energy output to homes, commercial buildings, or other critical service providers. The energy sector is plagued by six vulnerabilities that organizations must watch, particularly those found in Schneider Electric's products.

CVE-2017-6032 and CVE-2017-6034 affect Schneider Electric's Modicon Modbus Protocol, an open communications standard that is used across critical infrastructure, which can lead to chain reaction attacks. However, vulnerabilities CVE-2019-18935 and CVE-2020-10713 found in Hitachi ABB Power Grid systems and Hitachi Energy Transformer Asset Performance Management (APM) Edge, respectively, pose just as much risk. They should be treated as serious by network security administrators.

**Manufacturing**

The critical manufacturing sector can be divided into four core subindustries: transportation equipment; machinery manufacturing; electrical equipment, appliance and component manufacturing; and primary metals manufacturing.

A quarter of the vulnerabilities included in our analysis affect vendors in the manufacturing sector, including Exacq Technologies, Sensormatic Electronics, and Schneider Electric.

**How to Stay Protected**

We encourage organizations to stay aware of vendor advisories of the products they utilize and take steps to organize vulnerability enumeration according to severity. Most of the vulnerabilities in this article take advantage of legacy setups comprising out-of-date software and, sometimes, unsupported end-of-life components. Here are key insights to keep your system and industry safe:

*   **Improper input validation** is the most prevalent weakness powering ICS ransomware CVEs. Proper input screening can prevent bad actors from infiltrating databases and locking admins out of the system.
*   **Six vulnerabilities** are missing from the CISA Known Exploited Vulnerability (KEV) catalog and should be patched: CVE-2018-5391, CVE-2018-10115, CVE-2017-6034, CVE-2017-6032, CVE-2017-7494, and CVE-2020-10713.
*   **Performing simulated** **penetration tests** of your systems can identify hidden entry points that criminals would otherwise use. Finding where you are most exposed can help set patch priorities and build defenses before attackers can leverage them.

The US economy depends on an interconnected infrastructure of energy, health, and manufacturing. Hospitals need the energy to function and render life-saving services, and oil and natural gas refineries deliver necessary fuel to power domestic manufacturing — it's a marvelous system to appreciate, but a rather precious one as well, and we should take steps to protect it.

CVE ID

Impacted Vendors

CVSS v3 Score

Action

CVE-2021-44228

Exacq Technologies, a subsidiary of Johnson Controls, Inc.; Sensormatic Electronics, LLC, a subsidiary of Johnson Controls Inc.

10

Vendor patch

CVE-2020-10713

Hitachi Energy

8.2

Vendor patch

CVE-2019-18935

Hitachi ABB Power Grids

9.8

Vendor patch

CVE-2019-0708

Spacelabs

9.8

Vendor patch

CVE-2018-5391

Siemens

7.5

Vendor patch

CVE-2018-10115

Philips

7.8

Update to latest version

CVE-2017-7494

Schneider Electric

9.8

Vendor advisory

CVE-2017-6034

Schneider Electric

9.8

ICS advisory

CVE-2017-6032

Schneider Electric

5.3

ICS advisory

CVE-2017-0199

Philips

7.8

Vendor patch

CVE-2017-0148

Philips

8.1

Vendor patch

CVE-2017-0147

Philips

5.9

Vendor patch

CVE-2017-0146

Philips

8.1

Vendor patch

CVE-2017-0145

Philips

8.1

Vendor patch

CVE-2017-0144

Philips

8.1

Vendor patch

CVE-2017-0143

Baxter, Philips

8.1

Vendor patch

Ransomware's Favorite Target: Critical Infrastructure and Its Industrial Control Systems

Securin Inc. will provide tech-enabled security solutions, vulnerability
intelligence and deep domain expertise.

**ALBUQUERQUE, N.M., March 7, 2023 /PRNewswire-PRWeb/ --** Cyber Security Works Inc., a leading security company, today announced that it is rebranding as  
Securin Inc. due to the evolution of its service capabilities and offerings.  
Under the new identity, it will provide tech-enabled security solutions to  
continuously improve customers' security posture and help them gain resilience  
against evolving threats.

CSW offers flagship services such as vulnerability management and penetration  
testing to customers around the globe. In 2020, CSW became a CVE Numbering  
Authority (CNA) to help the Department of Homeland Security (DHS) and MITRE  
validate newly discovered zero-day vulnerabilities.  

In 2022, CSW acquired Securin, an automated platform with solutions such as  
attack surface management (ASM) and vulnerability intelligence (VI). Since its  
launch, Securin ASM has been providing many leading tech companies with an  
outside-in view of their expanding attack surface from an adversary's  
perspective and helping them to prioritize and remediate their most dangerous  
exposures. Securin VI offers an entire spectrum of vulnerability intelligence  
powered by 700+ authentic intelligence feeds that continuously measure a  
vulnerability's risk. Through its artificial intelligence (AI) & machine  
learning (ML) models, Securin's VI platform warns its customers about  
vulnerabilities that will likely be exploited soon, enabling them to prioritize  
and patch proactively.  

After this rebrand, Securin will combine its offerings to provide customers with  
a comprehensive suite of security solutions such as ASM, VI, Vulnerability  
Management, and Penetration Testing to level up their security. Securin has  
grown to 250+ employees globally and will continue to operate from its offices  
in Albuquerque, New Mexico and Chennai, India.  

Ram Movva, Co-Founder and Chairman of Securin, said, "In the past few years, we  
have added many new capabilities to our offerings. With the shifting  
cybersecurity landscape and evolving threats, it is critical to implement tools  
and solutions that can provide actionable and timely intelligence to prevent  
cybersecurity breaches before they happen. As we forge ahead, we want to become a tech-enabled solution organization focused on increasing the security posture of our customers through our suite of offerings. We believe Securin, as our  
overall brand name, embodies our vision to secure organizations to build  
resilience against emerging threats."  

Expanding on Movva's comments, Aaron Sandeen, CEO of Securin, said, "We are very excited to rebrand as Securin. CSW has seen amazing growth in the past two years and evolved beyond recognition. We have been providing our customers with a full suite of capabilities, such as vulnerability management and penetration testing, bundled with ASM & VI. Rebranding into Securin is the next step in our business evolution, which will enable us to focus on our vision to improve security posture and reduce the attack surface of our customers."  

Sandeen added, "By combining our services - vulnerability management and  
penetration testing with products like Securin ASM and Securin VI, we will be  
offering customers a powerful suite of solutions that will manage and shrink  
their expanding attack surface and also keep them a step ahead of the bad guys."  
After the rebrand, Securin will continue to act as a CVE Numbering Authority  
(CNA) and help MITRE validate zero days and expedite their entry in the National  
Vulnerability Database (NVD).  
To learn more, visit http://www.securin.io.**About Securin**  
Securin is a leading provider of tech-enabled cybersecurity services, helping  
hundreds of customers worldwide gain resilience against emerging threats.  
Powered by accurate vulnerability intelligence, human expertise, and automation,  
its products and services have enabled enterprises to make critical security  
decisions to manage their expanding attack surface.

Tag

#intel