Expedited software patching and updating recognized as one of the most important processes to protect against system compromise from cyberattacks.

South Bend, IN (September 27, 2022) – Aunalytics, a leading data management and analytics company delivering managed IT and data platform services for mid-sized and enterprise businesses, today initiated its Security Patching Platform, Co-managed Patching as a Service to complement the company’s Advanced Security solution suite. Windows OS and supported 3rd party patch management allow for tighter security in the defense against cyberattacks and the new offering ensures active remediation.

According to a 2022 Data Breach Investigations Report by Verizon, around 70 percent of successful cyberattacks exploited known vulnerabilities with available patches, making it important to update operating systems and applications regularly to prevent such attacks. Now, Aunalytics’ new technology as a service includes the tools, structure, strategy and intelligence for managing patch deployment and is a complete solution with best practices, templates, libraries, and built-in alert thresholds.

Lack of security patching leads to vulnerabilities within an organization’s information systems, internal controls, or system processes, which can then be exploited by cybercriminals. Using a collection of tools, cyber attackers use the vulnerability to gain unauthorized access to corporate systems and data. Identifying and resolving vulnerabilities is very important since a successful exploit can lead to a full-scale system breach.

Workstation and server application patching ensures that organizations have baseline protection against the latest security vulnerabilities, preventing such attacks before they occur. However, patching can be difficult to manage and update in real-time as software fixes are published on an ongoing basis. Setting up and coordinating manual patching across an organization can be extremely cumbersome, taking days to organize, schedule, and execute across an entire company.

McKinsey cites good patch management as a top proactive maintenance measure that can help organizations prevent cyberattacks. However, knowing the priority level for patch installment can be confusing and lead to poor patch management as a result. Enlisting the help of a partner to employ security patching best-practices can add true value to many organizations. Aunalytics patch detection, download, and installment methods are developed considering each client's security and uptime requirements and prioritized in order of threat potential. Aunalytics’ experienced security patching team proactively monitors for updates, eliminating worry for end users and server administrators.

As part of the new service, users gain access to comprehensive security solutions with customized alerting and vulnerability prioritization, leveraging proprietary solutions and processes. The platform facilitates collaboration between IT and security teams and includes the following capabilities:

• Inventory and performance management and proactive alerting  
• Patch deployment control strategy, prioritization, planning  
• Patch vetting and blacklisting intelligence  
• Windows Operating System patch management  
• Supported 3rd Party Patch Management  
• Anti-Malware  
• DNS-based Malware Protection  
• Device Encryption Management  
• Innovative management tool library

“Security patch exploits can have extremely damaging effects on an organization, decreasing revenues or causing reputational damage, making it imperative to have security patching in place,” said Chris Nicholson, Vice President of Managed IT Services. “Aunalytics’ Security Patching Platform services allow for the rapid resolution of these concerns to maintain the highest levels of cyber-resiliency.”

**About Aunalytics**  
Aunalytics is a leading data management and analytics company delivering Insights-as-a-Service for mid-sized businesses and enterprises. Selected for the prestigious Inc. 5000 list for two consecutive years as one of the nation’s fastest growing companies, Aunalytics offers managed IT services and managed analytics services, private cloud services, and a private cloud-native data platform for data management and analytics. The platform is built for universal data access, advanced analytics and AI -- unifying distributed data silos into a single source of truth for highly accurate, actionable business information. Its DaybreakTM industry intelligent data mart combined with the power of the Aunalytics data platform provides industry-specific data models with built-in queries and AI for accurate mission-critical insights. To solve the talent gap that so many mid-sized businesses and enterprises located in secondary markets face, through its side-by-side digital transformation model, Aunalytics provides the technical talent needed for data management and analytics success in addition to its innovative technologies and tools. To learn more contact us at +1 855-799-DATA or visit Aunalytics at http://www.aunalytics.com or on Twitter and LinkedIn.

Aunalytics Launches Security Patching Platform as a Service

Companies collaborate to strengthen organizations' first line of security defense – end users.

ATLANTA, Sept. 27, 2022 /PRNewswire/ -- Veristor Systems, Inc., a trusted provider of transformative business technology solutions, and SANS Security Awareness, the global leader in providing security awareness training, today announce that Veristor has become a certified provider of SANS Security Awareness' comprehensive suite of products to enable a data-driven approach to cybersecurity training for an organization's end users.

"Researchers from Stanford University found that as much as 88% of all data breaches are caused by an employee mistake," said Daniel Martin, Principal Security Consultant, vCISO, Veristor. "This shows that end users are the most critical vulnerability gap in today's enterprise. Yet if properly trained, they can also be the most resilient security defense – a human firewall. Together with the experts from SANS Security Awareness we are helping customers guard their environments with an army of well-trained employees. With proven training to spot and act when suspicious activity arises, users can take an active role in preventing the growing wave of cyberattacks."

The SANS Security Awareness suite of dynamic multilingual computer-based training, games, phishing simulations, and engagement materials teach vital security behaviors to effectively manage human cyber risk. With different training styles to match different corporate cultures, employee comprehension levels, and learning preferences, SANS Security Awareness training equips workforces to recognize and prevent current cyberattacks, including work-from-home threats. The platform delivers valuable metrics to measure the effectiveness of each program, and customization features to tailor training to meet specific organizational needs."

With some groups requiring even greater specialized training, in addition to addressing core human behavior risk topics, SANS Security Awareness also offers secure development and coding techniques, understanding NERC CIP compliance requirements, and handling Industrial Control Systems (ICS) incidents.

"We are very pleased to be partnering with the cybersecurity experts at Veristor to provide the SANS Security Awareness program to their customers," said Brad Stilling, Director of Global Sales for SANS Security Awareness. "Regular awareness training is an essential activity for organizations looking to ensure security and compliance. When employees feel informed and empowered to recognize and address cyber risks, they can protect the organization. With SANS Security Awareness, Veristor customers are now better positioned to detect and prevent cyber-attacks."

For organizations starting their awareness training journey, Veristor delivers a SANS Human Risk Insight assessment to identify program cost reductions, eliminate unneeded staff training, and create risk metrics to baseline and benchmark an organization's human cyber risk. Request a pre-assessment consultation here.

The SANS Security Awareness training solutions are now offered as a part of Veristor's suite of security solutions that are designed to solve business challenges through the intelligent application of next-generation security technology. For more information visit: https://veristor.com/it-security/.

**About Veristor Systems, Inc.**

Veristor, which recently announced a merger with Anexinet, is a leading provider of transformative business technology solutions that helps its customers accelerate the time-to-value for the software, infrastructure and systems they deploy. We do this by harnessing deep expertise in today's most advanced data center, security, networking, hybrid cloud, and big data technologies and guiding businesses to the right solutions for their most pressing challenges. And with a full suite of design, deployment, support, and managed service offerings, we work shoulder-to-shoulder with our customers at every step of their technology journey to make technology truly work for them. IT's just who we are. Learn more at veristor.com.

**About SANS Security Awareness**

SANS Security Awareness provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their human cybersecurity risk. SANS Security Awareness has worked with over 1,300 organizations and trained over 6.5 million people around the world. The SANS Security Awareness program offers globally relevant, expert authored tools and training to enable individuals to shield their organization from attacks and a fleet of savvy guides and resources to work with you every step of the way. To learn more, visit www.sans.org/security-awareness-training

_SOURCE Veristor Systems, Inc._

Veristor Partners with SANS Security Awareness to Deliver Employee Security Awareness Training

Joint phishing intelligence solution provides 360-degree mobile communication defense.

LAS VEGAS, Sept. 27, 2022 /PRNewswire/ -- YouMail, the leading provider of call protection services for consumers, enterprises, and service providers, and WMC Global, a 16-year leader in mobile threat intelligence, today announced their joint cybersecurity intelligence solution that safeguards against voice and SMS phishing scams. The partnership between YouMail and WMC Global is a first-of-its-kind offering that protects brands and their customers simultaneously from vishing and smishing attacks.

Mobile phones are the center of consumers' digital lives with 97% of Americans owning smart phones and threat actors knowingly targeting them with spam and scam SMS and voice calls. The combination of YouMail voice & vishing protection and WMC Global SMS & smishing protection services act as two sides of the mobile fraud disruption coin, enabling enterprises plagued by threat actors impersonating them and phishing consumers to mitigate these risks and improve their effectiveness at preventing fraud and serving their customers.

YouMail Protective Services, the enterprise services division of YouMail, classifies, monitors and disrupts threat actors using voice to target consumers for both impersonated brands and voice service providers that are unwillingly serving as the conduits for these phone-based attacks.

"With this marriage of voice and SMS protection, enterprises like banks now have a powerful weapon against threat actors using mobile phishing attacks against their customers," said Alex Quilici, CEO of YouMail. "Our specialized voice protection, coupled with WMC Global's suite of anti-phishing SMS safeguards, solves a complicated industry issue that affects brand reputation and millions of mobile users."

Focusing on threat actor phishing kits, compromised credential recovery, mobile number investigations and takedowns, and consumer text message analysis, WMC Global's Anti-Phishing Suite analyzes, classifies, and disarms mobile threats before a victim's personal data is exploited.

"Partnering with YouMail to develop this joint offering was the next logical step in our fight against unwanted messaging and malicious phishing attacks on consumers' mobile devices," said Ian Matthews, CEO of WMC Global. "Our specific combination of services effectively helps telecoms uncover unlawful calls and texts made on their networks, prevents brand impersonation, and protects their customers from potential identity theft."

Learn more at https://www.youmailps.com and https://www.wmcglobal.com

**About YouMail, Inc.**

YouMail protects consumers, enterprises, and service providers from harmful phone calls. YouMail protects over 11 million registered consumers with app-based call protection services in the US and the UK, with the YouMail, Another Number, and Hullo Mail apps. YouMail protects consumer-facing enterprises by detecting and helping to shut down imposter traffic that can lead to financial or brand damage while working with voice service providers to mitigate unlawful communications in their networks. YouMail also operates the YouMail Robocall Index™, the nation's definitive source on telephone network activity and attacks. YouMail, Inc. is privately funded and based in Irvine, California. For more information, follow YouMail on Twitter and LinkedIn.

**About WMC Global**

WMC Global is a market leader in digital threat intelligence, enhanced by a team of threat hunters that are experts at understanding SMS phishing and the toolkits that criminals devise to make their attacks possible. WMC Global is the most trusted digital compliance firm in North America, having partnered with all Tier 1 mobile carriers for the past 16 years. The WMC Global portfolio is at the forefront of fighting malicious text messages, eradicating phishing attacks, stopping cyber criminals from targeting large brands, financial institutions, and governments, and monitoring consumer experiences for industry compliance. WMC Global provides its partners with proprietary data feeds of phishing attacks (including live phishing kits), threat response and takedown services, automated partner due diligence, and customer experience monitoring. WMC Global headquarters are located in Fairfax, VA, with offices in London, UK and Sydney, AU. For more information, follow WMC Global on Twitter and LinkedIn.

YouMail, Inc. and WMC Global Partner to Deliver Voice and SMS Phishing Disruption Services

The chip giant has developed new features and services to make it tougher for malicious hackers and insiders to access sensitive data from applications in the cloud.

INTEL INNOVATION 2022 -- San Jose, Calif. — Intel has announced new hardware and software features for Project Amber, a confidential computing service that interlaces hardware and software to attest and certify the trustworthiness of data, at its Innovation developer summit this week.

The enhancements include features to protect data from the time it leaves the system and is in transit, in use, or at rest in storage.

"This is a fundamental technology that Intel has been developing for years. The place where it's going to be the most important is in AI/ML models ... to make sure when you're running a model on the edge, it's not being pilfered, it's not being stolen, it's not being manipulated," said Intel CTO Greg Lavender during his Wednesday keynote.

Data is traveling farther when outside the data center, with multiple stopovers, until it reaches cloud services or completes a round trip to enterprise infrastructure. Information from sources like sensors are added as data moves along a telecom network, with stopovers and artificial intelligence (AI) chips ensuring only relevant data moves ahead.

Project Amber uses hardware and software techniques to verify that the packets of data and its origin device are trustworthy. That layer of trust between devices and waypoints when data is in transit is a form of assurance that a company's infrastructure and execution environment are secure, says Anil Rao, Microsoft vice president for systems architecture and engineering in the office of CTO.

"Gone are the days where the central hubs are simply the data movers," Rao says. "They're not simple data movers. They're intelligent data movers."

The confidential computing offering is important for an enterprise mixing its own datasets with information from third parties to strengthen AI learning models. Project Amber provides a way to ensure that data is coming from trusted sources, Rao says.

**Secure Enclaves**

Project Amber adds a stronger lockdown mechanism to protect data while it is being processed. The Trust Domain Execution (TDX) instructions, which are on the company's upcoming 4th Generation Xeon Scalable processor, can secure an entire virtual machine as a trusted enclave.

The data is locked down so even hypervisors — which manage and monitor virtual machines — can't peek into the confidential computing environment.

"Your application will still do a virtual machine entry and exit call, but during those calls the data is still encrypted," Rao says.

Today's computing environment in the cloud is built around virtual machines, and applications don't run directly off processors, says Steve Leibson, principal analyst at Tirias Research.

"When we ran on processors, we didn't need attestation because nobody was going to alter a Xeon. But a virtual machine — that's just software. You can alter it," Leibson says. "Attestation is trying to provide the same sort of rigidity to software machines as silicon does for hardware processors."

TDX is bigger in scope than Secure Guard Extensions (SGX), which is a secure area in the memory in which to push, run, and operate code. SGX, a common feature on Intel chips, is also a part of Project Amber.

Intel's Rao compares the scope of TDX and SGX to hotel rooms. If TDX was a trusted boundary in the form of a secure hotel room, SGX was a secure locker inside the hotel room.

Project Amber allows data to enter secure enclaves after matching numerical codes issued by Amber engines. If the codes match, data can enter the secure enclave; if not, entry is denied because data could have been altered, modified, or hacked in transit.

"It's almost like you're giving somebody your VIN number and saying, 'Is this the authentic VIN number for my car or has someone done something hanky-panky with that thing?'" Rao says.

Intel will also provide customers the ability to define their own policies to create a trusted execution environment.

"You may want to process everything in an East Coast data center versus a West Coast," Rao says. "What Amber says is that here is exactly what it is — your code did not pass the policy."

**Protection in the Clouds**

Amber will support multiple cloud service providers, but Intel didn't provide specific details.

"We want to make it multicloud so you don't need to have a different attestation mechanism as an enterprise when you go to different clouds," Rao says.

There are hundreds of millions of processors from Intel in data centers around the world, and bad actors have an established ability to break into servers and steal secrets, Tirias' Leibson says.

"It's a cat-and-mouse game, and Intel is constantly trying to develop new ways to prevent the bad guys from breaking into the servers and stealing secrets," Leibson says. "And it goes all the way from script kiddies, to teenagers who are just hacking around, to state-sponsored sites."

At some point, one has to think about protecting data in use, in motion, and in storage. Project Amber was thus inevitable, especially with computing moving farther away from homegrown infrastructure to the cloud, Leibson says.

Project Amber is still in the pilot phase as Intel gears the technology for computing models adopted by verticals. The chipmaker is working with research company Leidos to use Project Amber in the healthcare sector, which has many types of devices and sensors spread over large geographies and requires attestation to ensure systems receive only trustworthy data.

Intel Hardens Confidential Computing With Project Amber Updates

REDWOOD CITY, Calif., Sept. 27, 2022 /PRNewswire/ -- Delinea, a leading provider of Privileged Access Management (PAM) solutions for seamless security, today announced the latest release of DevOps Secrets Vault, its high-speed vault for DevOps and DevSecOps teams. New enhancements include development support on the most recent Mac computers, and improved secrets management usability through automation, intended to reduce development time and increase visibility.

According to a 2022 Crowdstrike report, 80% of cyber attacks involve stolen credentials, and in late 2021 Gartner listed managing machine identities as one of the top five cybersecurity and risk trends. Delinea strives to reduce the risk of using hardcoded credentials in applications and services by instead dynamically injecting secure credentials with Just-in-Time access from DevOps Secrets Vault.

Expanded Support for developers on Macs

With added support for the M1 chip, developers coding on the latest Macs can now benefit from using DevOps Secrets Vault's command line interface (CLI) and the DSV Engine (an agent supporting database dynamic secrets) as part of their toolset. Building upon its focus on seamless usability, Delinea continues to reduce friction that commonly arises when securing sensitive secrets and credentials, especially in fast-paced DevOps environments.

Continual interface improvements reduce friction for DevOps teams

Both the CLI and graphical interface receive continual usability and flexibility enhancements, allowing developers to work seamlessly in their preferred interface with their preferred tools while helping organizations decrease the risk of compromised credentials.

New features added to both interfaces include:

Expanded support for Security Information and Event Management (SIEM) functionality

A certified Ansible plugin for use on Ansible Automation Hub

Enhanced authentication methods

"The exponential growth of machine identities as applications are modernized and architected as micro-services continues to place organizations at increased risk," said Jason Michell, SVP of Engineering at Delinea. "Delinea's ongoing focus on making security seamless for developers is reflected in these recent enhancements, enabling them to use DevOps Secrets Vault to dynamically insert credentials in their code, in line with security best practices."

Organizations can try DevOps Secrets Vault for free at https://delinea.com/products/devops-secrets-management-vault.

**About Delinea**

Delinea is a leading provider of privileged access management (PAM) solutions that make security seamless for the modern, hybrid enterprise. Our solutions empower organizations to secure critical data, devices, code, and cloud infrastructure to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter, and YouTube.

Latest Delinea Update Streamlines DevOps Security

Combination of two companies to help SAP customers streamline audit, compliance and control processes.

DALLAS, Sept. 27, 2022 /PRNewswire/ -- Pathlock, the leading provider of application security and controls automation for critical business applications, today announced the acquisition of Grey Monarch, a UK-based specialist SAP Partner dedicated to SAP Process Automation. The acquisition will strengthen Pathlock's vision of providing the industry's most complete 360-degree platform for application security and controls automation for the SAP ecosystem.

Since 2008, Grey Monarch has developed expertise in SAP Security, Segregation of Duties, SAP Licence Optimization, SAP Background Processing Automation and Secure Managed File Transfer. With this acquisition, the SAP community will benefit from the very best SAP Process Automation advice, implementation skills, and software and training capabilities, improving levels of security, enhancing their users' experience and streamlining audit, compliance and control procedures.

"It's now more imperative than ever for organizations to utilize a holistic view of user access and privileges so they can be managed, monitored and controlled to ensure the maximum protection of data, business processes and intellectual property," said David Lloyd, Director and Co-Founder, Grey Monarch. "Combining Grey Monarch's capabilities with the Pathlock family of expertise, resources and product portfolio will provide our customers, existing and new, with an unsurpassed visibility into their business applications."

"We're thrilled to complete the acquisition of Grey Monarch," said Piyush Pandey, CEO of Pathlock. "We continue to see a strong demand for our globally recognized application security and controls automation solutions, and know that with Grey Monarch's specialization in SAP process automation we can continue to enable our global customers to revolutionize the way they secure their sensitive financial and customer data."

In May 2022, Pathlock announced a $200M capital raise sponsored by Vertica Capital Partners alongside a merger with Appsian and Security Weaver and the acquisition of Belgium-based CSI Tools and Germany-based SAST SOLUTIONS. The company has successfully doubled in size in terms of revenue and employees and is now servicing over 1,400 customers across all major industries on a global scale with offices across the United States, Belgium, the UK, Germany, Israel and India.

**About Pathlock**

Pathlock is the leader in application security and controls automation. With Pathlock, enterprises can manage all aspects of access governance via a single platform, across applications, including user provisioning, ongoing User Access Reviews, segregation of duties, control testing, and audit preparation. Today, many of the world's most respected, global 2000 companies rely on Pathlock to protect their critical digital assets from financial, operational, regulatory and security threats, ensure corporate compliance and improve performance. Our customers have saved millions in employee productivity, labor costs, audit fees and data loss prevention.

Pathlock Expands SAP Capabilities with Acquisition of Grey Monarch

By Waqas
Hackers are actively using encrypted chat apps like Signal and Telegram to share stolen data belonging to the Iranian government, tutorials on how to hack, and use VPNs and Tor to bypass censorship.
This is a post from HackRead.com Read the original post: Hackers turn to Signal, Telegram and Dark Web to assist Iranian protestors

Anonymous hackers, **as exclusively reported by Hackread.com**, waged a series of cyber attacks against the Iranian government in support of protestors. Now, Check Point Research has identified multiple hacker groups using Signal, Telegram, and Dark Web to support anti-government protestors in Iran. Their main objective is to bypass government restrictions.

This observation comes just days after anti-government protests erupted in Iran after Mahsa Amini’s death. It is worth noting that on September 16th, 2022, a 22-year-old Iranian woman named **Mahsa Amini** died in Tehran, Iran, under Police custody. Amini was arrested for failure to follow government-mandated forms of the Hijab.

According to researchers at Check Point, hacker groups are supporting the current situation of unrest in Iran by aiding anti-regime protestors by sharing open VPN servers to help them evade government censorship and internet status reports. They also teach protestors and activities about hacking guides.

**More on Hackread.com**

1.  Anti-surveillance mask enables you to pass as someone else
2.  How to use Signal messenger face blur tool on Android & iOS
3.  SnoopSnitch — An App That Detects Govt’s Stingray Mobile Trackers
4.  Twitter Goes on Tor with New Dark Web Domain to Evade Censorship
5.  How to download and use Tor browser + Best Dark Web Search Engines

**Telegram groups**

Telegram groups boast a few hundred to thousands of members, such as the Official Atlas Intelligence Group (AIG) channel has 900 members and is involved in data leaking and selling. This group obtains official contact numbers, emails, and sensitive location maps of the regime and sells or leaks them online.

Additionally, they try to upsell IRGC’s private information. Similarly, the ARVIN Telegram group has 5000 members. This group covers protests in Iran and informs people about them with videos and reports from the streets.

RedBlue is another Telegram group identified by Check Point, which boasts 4000 members. This group focuses more on hacking guides and conversations. Another Telegram group has around 12,000 members.

Moreover, Signal and Tor Project are also used as potential platforms to offer proxies to Iranian citizens so that they can access the internet and avoid government censorship.

**VPNs**

According to Check Point’s **report**, some groups offer a list of VPNs and proxies to help people bypass censorship in Iran, whereas others help protestors access social media websites. Hacker groups allow Iranian citizens to communicate and share the news with each other and discuss what the government wants to avoid.

> “What we see are groups from the Telegram, dark web and also ‘regular’ web helping the protestors to bypass the restrictions and censorship that are currently in place by the Iranian Regime, as a way to deal with the protests. We began seeing these groups emerge roughly a day after the protests began.”

1.  Iran’s Top Tier Airline Mahan Air Hit by Cyberattack
2.  Hackers disrupt Iran’s prison computers; leak live footage
3.  Iranian Gas Stations Crippled After Suffering Cyberattack
4.  US seizes official website of Iranian state-owned Press TV
5.  Hacker leaks 150 million user records from Iranian Raychat app

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Hackers turn to Signal, Telegram and Dark Web to assist Iranian protestors

A memory corruption vulnerability exists in the libpthread linuxthreads functionality of uClibC 0.9.33.2 and uClibC-ng 1.0.40. Thread allocation can lead to memory corruption. An attacker can create threads to trigger this vulnerability.

**SUMMARY**

A memory corruption vulnerability exists in the libpthread linuxthreads functionality of uClibC 0.9.33.2 and uClibC-ng 1.0.40. Thread allocation can lead to memory corruption. An attacker can create threads to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

uClibC 0.9.33.2  
uClibC-ng 1.0.40  
Anker Eufy Homebase 2 2.1.8.8h

**PRODUCT URLS**

uClibC-ng - https://uclibc-ng.org Eufy Homebase 2 - https://us.eufylife.com/products/t88411d1 uClibC - https://www.uclibc.org/

**CVSSv3 SCORE**

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

**DETAILS**

uClibC and uClibC-ng are both standalone replacements for glibc. uClibC and uClibC-ng are significantly smaller and easily portable to various architectures and embedded environments.

Libpthread is an extremely common library in a very large subset of unix-based devices, providing lightweight threading for processes. Libpthread built with uClibC using the linuxthreads.old implementation, or with uClibC-ng using the linuxthreads implementation, are both vulnerable to a memory corruption that occurs when a large number of threads are created. Both of these libraries have been used extensively in the Buildroot project with the uClibC option of linuxthreads(stable/old) and the uClibC-ng option of linuxthreads for threading implementation within the Buildroot menuconfig.

When a call to pthread_create occurs, pthread_handle_create is called during the initialization of the thread.

    static int pthread_handle_create(pthread_t *thread, const pthread_attr_t *attr,
                     void * (*start_routine)(void *), void *arg,
                     sigset_t * mask, int father_pid,
                     int report_events,
                     td_thr_events_t *event_maskp)
    {
      size_t sseg;
      int pid;
      pthread_descr new_thread;
      char * new_thread_bottom;
      char * new_thread_top;
      pthread_t new_thread_id;
      char *guardaddr = NULL;
      size_t guardsize = 0;
      int pagesize = getpagesize();
      int saved_errno = 0;
    
      /* First check whether we have to change the policy and if yes, whether
         we can  do this.  Normally this should be done by examining the
         return value of the sched_setscheduler call in pthread_start_thread
         but this is hard to implement.  FIXME  */
      if (attr != NULL && attr->__schedpolicy != SCHED_OTHER && geteuid () != 0)
        return EPERM;
      /* Find a free segment for the thread, and allocate a stack if needed */
      for (sseg = 2; ; sseg++)                                                         [1]
        {
          if (sseg >= PTHREAD_THREADS_MAX)
        return EAGAIN;
          if (__pthread_handles[sseg].h_descr != NULL)
        continue;
          if (pthread_allocate_stack(attr, thread_segment(sseg), pagesize,               [2]
                                     &new_thread, &new_thread_bottom,
                                     &guardaddr, &guardsize) == 0)     
          break;
          ...
    

At [1] the segments incremented as threads are created. Threads can be created up to the PTHREAD_THREADS_MAX limit, and for each thread being created the stack will be allocated using pthread_allocate_stack at [2]. thread_segment is an inlined function that is responsible for decrementing the starting address of the stack

    static __inline__ pthread_descr thread_segment(int seg)
    {
      return (pthread_descr)(THREAD_STACK_START_ADDRESS - (seg - 1) * STACK_SIZE)
             - 1;
    }
    

In both of these code bases THREAD_STACK_START_ADDRESS is 0x40000000000m, but is a machine specific variable, and STACK_SIZE is 2 MB by default for all machines. This means that this condition is far more likely to be seen in 32-bit memory spaces. Once the pointer has been calculated it is passed on to pthread_allocate_stack.

      static int pthread_allocate_stack(const pthread_attr_t *attr,
                                      pthread_descr default_new_thread,
                                      int pagesize,
                                      pthread_descr * out_new_thread,
                                      char ** out_new_thread_bottom,
                                      char ** out_guardaddr,
                                      size_t * out_guardsize)
    {
      pthread_descr new_thread;
      char * new_thread_bottom;
      char * guardaddr;
      size_t stacksize, guardsize;
    
        ...
        else {
          stacksize = STACK_SIZE - pagesize;
          if (attr != NULL)
            stacksize = MIN(stacksize, roundup(attr->__stacksize, pagesize));
          /* Allocate space for stack and thread descriptor at default address */
          new_thread = default_new_thread;
          new_thread_bottom = (char *) (new_thread + 1) - stacksize;
          if (mmap((caddr_t)((char *)(new_thread + 1) - INITIAL_STACK_SIZE),               [3]
                   INITIAL_STACK_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED | MAP_GROWSDOWN,
                   -1, 0) == MAP_FAILED)     
            return -1;
    

Within pthread_allocate_stack as long as a stack hasn’t been provided (already allocated), new allocations occur using the mmap call at [3]. This call includes the flag MAP_FIXED which forces mmap to take the address provided as the required address of the allocation, instead of as a hint. As sseg is incremented, the allocation moves to lower memory addresses for each allocation, eventually overwriting loaded libraries or even the code of the application itself.

Both vulnerabilities center around an issue while creating thread stacks using mmap with the MAP_FIXED flag. The manual page of mmap has the following information on MAP_FIXED

    MAP_FIXED
                  Don't interpret addr as a hint: place the mapping at
                  exactly that address.  addr must be suitably aligned: for
                  most architectures a multiple of the page size is
                  sufficient; however, some architectures may impose
                  additional restrictions.  If the memory region specified
                  by addr and length overlaps pages of any existing
                  mapping(s), then the overlapped part of the existing
                  mapping(s) will be discarded.  If the specified address
                  cannot be used, mmap() will fail.
    

By using MAP_FIXED, creating a large number of threads will remap any memory for use by the thread. This generally will first remap libraries loaded into the memory space of an application.

The vulnerable code within the latest version of uClibC is based on the linuxthreads.old implementation. A newer implementation based on linuxthreads is also present, and aptly named linuxthreads. The linuxthreads.old implementation is present in older versions of Buildroot and presented as linuxthreads (stable/old), compared to just linuxthreads. All images built based on the stable/old implementation are vulnerable. Since uClibC-ng is a fork of the original uClibC code, it stands that the vulnerability was present at the time of the code fork,. Since that time, the code has diverged into unique codebases.uClibC-ng only has a single linuxthreads implementation within the codebase, and as such, any linuxthreads\-based implementation of libpthread is vulnerable. All new versions of Buildroot that rely upon uClibC-ng will present this vulnerable implementation as a possible option for the threading implementation in the image.

**TIMELINE**

2022-05-04 - Vendor Disclosure  
2022-05-17 - Vendor Disclosure  
2022-05-17 - Initial Vendor Contact  
2022-09-22 - Public Release

Discovered by Lilith &gt;\_&gt; of Cisco Talos.

CVE-2022-29503: TALOS-2022-1517 || Cisco Talos Intelligence Group

Categories: Business
With a few best practices, local governments can improve their cybersecurity posture and make it less likely that threat actors attack their systems. We’ll break down five best practices for local government cybersecurity in this post.



(Read more...)




The post Local government cybersecurity: 5 best practices appeared first on Malwarebytes Labs.

It seems like not a day goes by where we don’t hear about a local government cyberattack. Indeed, from 911 call centers to public schools, cyberattacks on local governments are as common as they are devastating. 

Just how often do threat actors attack local governments? A survey of 14 mainly larger US local governments found that just over half of respondents said they suffer attacks constantly, more than a quarter said hourly, and 14.3% said daily. 

Local governments continue to be a common cyberattack target for two big reasons. The first is that they handle troves of sensitive data, especially personally identifiable information (PII), and the second is that they operate on shoestring budgets with little to no cybersecurity staff or leadership buy-in. 

Now, factor in these two reasons with the sheer number of local governments out there in the United States—90,075 units—and you have a huge, vulnerable, and valuable target. Sounds like easy pickings for attackers, but it doesn’t have to be. 

With a few best practices, local governments can improve their cybersecurity posture and make it less likely that threat actors attack their systems. We’ll break down five best practices for local government cybersecurity in this post.

****Table of Contents********1\. Take cybersecurity assessments to find and address weaknesses********2\. Adopt the fundamentals********3\. Partner up!********4\. Build a playbook for ransomware response and recovery********5\. Consider outsourcing******1\. Take cybersecurity assessments to find and address weaknesses**

Cybersecurity consultants and the professional literature agree: You should adopt cybersecurity policies such as the NIST Framework to help prevent and respond to attacks. And a key part of building out any cybersecurity policy for your local government is to develop an organizational understanding of risk to systems, people, data, and so on. 

There are tons of free cybersecurity assessments for Federal, State, Local, Tribal and Territorial (SLTT) governments that you can take to get started. After performing the assessments, you can compare your results to the criteria of NIST to identify gaps, as well as deficiencies to be improved.

1.  **Cyber Infrastructure Survey (CIS)**: A free assessment of essential cybersecurity practices in-place for critical services. Also conducted by the DHS.
2.  **Cyber Resilience Review (CRR)**: The CRR assessment evaluates your organization’s operational resilience and cybersecurity practices. Conducted free of charge by the US Department of Homeland Security (DHS)
3.  **Phishing Campaign Assessment (PCA)**: Evaluates an organization’s susceptibility and reaction to phishing emails. Conducted free of charge by the National Cybersecurity Assessments and Technical Services (NCATS) team.
4.  **Cybersecurity Evaluation Tool (CSET®)**: A stand-alone desktop application that guides asset owners evaluate their cybersecurity posture against recognized standards. Also delivered free of charge by the NCATS team.
5.  **Risk and Vulnerability Assessment (RVA)** One-on-one engagement to give organizations an actionable risk analysis report containing remediation recommendations prioritized by severity and risk.

**2\. Adopt the fundamentals  **

The unfortunate reality is that an inability to pay competitive salaries, insufficient number of staff, and lack of funds are big barriers to local government cybersecurity. However, there’s still plenty of important cybersecurity fundamentals that local governments should try to adopt to the fullest extent possible. 

Take cyber insurance, for example. Cyber insurance can prevent local governments from having to pay huge out of pocket costs in the event that they’re hit with a cyberattack. Baltimore learned this the hard way. 

(An important caveat here is that cyber insurance is becoming increasingly expensive: check out our article on 4 ways to save money on cyber insurance).

Cybersecurity best practices don’t just help you stay safe—they can also make you eligible for grant funding. In particular, local governments looking to be eligible for the State and Local Cybersecurity Grant Program must include these best practices in their cybersecurity plan:

1.  **Multi-factor authentication (MFA)**
2.  **Enhanced logging**
3.  **Data encryption for data at rest and in transit**
4.  **End use of unsupported/end of life software and hardware that are accessible from the Internet** 
5.  **Prohibit use of known/fixed/default passwords and credentials** 

In addition, only 23% of local governments have adopted the .gov domain, meaning a majority of local governments are missing out on one of the simplest ways to strengthen their cybersecurity posture. Sponsored by CISA, the Cybersecurity and Infrastructure Security Agency, the .gov domain comes with several key security benefits:

*   MFA is enforced on all accounts in the .gov registrar, and user accounts cannot use passwords that have been found in known data breaches.
*   It ‘preloads’ all new domains, which lets web browsers know to always use HTTPS to connect with any website on that domain.
*   CISA, GSA, and the National Institute of Standards and Technology (NIST) help monitor for issues in the namespace

To obtain a .gov domain or to learn more, check out some of the resources below. 

*   **https://home.dotgov.gov/registration.** 
    
*   **https://home.dotgov.gov/registration/requirements/** 
    
*   **https://home.dotgov.gov/help/** 
    

**3\. Partner up!**

Local governments may be resource-constrained, but the good news is that they don’t have to face cybersecurity alone. State governments, together with Federal, university, and even nonprofit partners, can be strong allies to local government cybersecurity.

*   **Federal partners**: Local governments are encouraged to report cyber incidents to a federal entity so they can receive relevant asset response, threat response, and threat intelligence services. Partnering with your local fusion center is a good idea as well.
    

*   **State partners**: The level of state-local cybersecurity support will vary by state, but can include assessments, exercises, and consulting services. In Michigan’s Cyber Partners Program, for example, local communities receive services from a CISO-level consultant.
    
*   **University partners**: Partnering with universities can help local governments get access to talent, technological insights, even real-time network security monitoring.
    
*   **Nonprofit partners**: Local governments involved with the Multi-State Information Sharing & Analysis Center (MS-ISAC) get free resources for cyber threat prevention, protection, response, and recovery.
    

**4\. Build a playbook for ransomware response and recovery **

For local governments especially, a ransomware attack is a matter of ‘when’ and not ‘if’. However, they might not have the budget or staff to implement and use anti-ransomware solutions such as Endpoint Detection and Response (EDR).

Fortunately, you don’t need any fancy technology to start building a solid ransomware response and recovery plan. NIST recommends that organizations follow these steps to accelerate their recovery, among others: 

*   **Develop an incident recovery plan**: Establish a plan that has a Cyber Incident Response Team (CIRT) with clearly identified roles, responsibilities, and contacts ahead of time, then regularly exercise that plan.
    

*   **Data backup and restoration strategy**: Backups are a prime target for attackers, so keep multiple copies of your data, and make sure at least one of them is online.
    

*   **Know who you’re going to contact**: Maintain an up-to-date list of internal and external stakeholders to contact in the event of an attack, which may include senior management, PR, your legal team, insurance providers, vendors, and law enforcement.
    

In our Ransomware Emergency Kit, you'll find more resources your local government needs to understand threats, prevent attacks, and defend against cybercriminals.

**5\. Consider outsourcing**

Though CISOs might be wary about having their data handled by an outside organization, many local governments rely on vendors and managed service providers (MSPs) to provide some or all of their cybersecurity operations. 

A 2020 survey of 165 municipalities found 50.9% outsourced some of their cybersecurity functions, with almost 60% citing “Lack of local skilled professionals” as a reason for outsourcing. Some of functions commonly outsourced are:

*   **All cybersecurity needs**
    
*   **24/7 monitoring of cyber threats**
    
*   **24/7 monitoring of Intrusion Prevention System (IPS)**
    
*   **Incident response** 
    
*   **Network monitoring** 
    
*   **Employee security awareness training**
    

“By working with a trusted partner or service provider, local governments can fast track to get their security stack up to par,” said David Pier, Team Lead, Corporate Solutions Engineering at Malwarebytes. “Many frameworks and security plans can take upwards of multiple years to successfully implement and audit for certification. If they can pass this work along to their partners, it circumvents the need for them to commit to a lengthy process in addition to the complexity of implementation.”

Read “Risk Considerations for Managed Service Provider Customers” from CISA for more information for local governments choosing an MSP.

****_Related_:** ******Cyber threat hunting for SMBs: How MDR can help********EDR vs MDR vs XDR – What’s the Difference?******Enhancing local government cybersecurity**

A lack of funding and staff makes local government cybersecurity tough, period. 

However, if every local government implemented these five best cybersecurity practices today, they could dramatically lessen the likelihood and fallout of an attack—and increase eligibility for the State and Local Cybersecurity Grant Program while they're at it.

Malwarebytes has ample experience providing local governments and public schools with effective, intuitive, and inclusive cyberprotection. Read the case studies below to learn more:

*   **City of Vidalia gains a ransomware and vulnerability-free zone**
*   **University of Illinois turns to Malwarebytes in the search for an endpoint remediation solution**
*   **Shaker Heights Schools uses Malwarebytes to help remediate ransomware infection**

Check out our government case studies and education pages for more information.

Local government cybersecurity: 5 best practices

By Deeba Ahmed
APT28 or Fancy Bear is linked with the Russian military intelligence unit called GRU.
This is a post from HackRead.com Read the original post: Fancy Bear Hackers Distributing Graphite Malware using PowerPoint Files

Fancy Bear, aka APT28, is a Russian state-sponsored threat actor. The group is back in action and utilizing a new code execution method that exploits mouse movement in MS PowerPoint files to distribute Graphite malware.

For your information, APT28/Fancy Bear is linked with a Russian military intelligence unit called GRU. This is the same group that was blamed for hacking MH17 flight crash investigators with a spear-phishing campaign in October 2016. In 2018, the group was accused of sending death threats to US army wives posing as ISIS.

**Campaign Details**

According to threat intelligence firm Cluster 25, Fancy Bear used mouse movements in MS PowerPoint presentations to execute a malicious PowerShell script. The group leverages the SyncAppvPublishingServer utility for this purpose.

In its technical report, Cluster25 stated that the attack starts right after the user runs the presentation mode and uses the mouse. A PowerShell script is run, and a dropper from OneDrive is downloaded and executed.

The .ppt files have two slides with instructions in French and English, while the interpretation option is available in the Zoom app. The image file is an encrypted DLL file, which is decrypted and dropped in the ‘C:\\ProgramData\\’ directory,’ it is run later through rundll32.exe, and a registry key is also created to ensure persistence.

The dropper is a harmless-looking image file that functions as a pathway for a follow-on payload. This is a Graphite malware variant. It uses the Microsoft Graph API and OneDrive to carry out C2 communications and retrieve additional payloads. Fancy Bear uses a valid OAuth2 token and a fixed client ID to access the service.

PowerShell Script

**More Fancy Bear News**

1.  Anti-theft software LoJack hijacked by Fancy Bear
2.  Republican & Conservative leaders targeted by Fancy Bear
3.  Fancy Bear Spy on VIP Hotel Guests with Leaked NSA Tool
4.  Fancy Bear’s VPNfilter malware is back with 7 new modules
5.  Hackers alter stolen emails for clandestine attacks against Putin’s critics

**Attack Method Analysis**

The attack, according to the company’s report, entails using a lure document with a template linked to the Parish-based entity OECD (Organization for Economic Co-operation and Development).

Researchers noted that these attacks are ongoing since the URLs used in the attack were active between August and September. However, they also said that hackers had started prepping for the campaign in January.

> “When opening the lure document in presentation mode and the victim hovers the mouse over a hyperlink, a malicious PowerShell script is activated to download a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account.”
> 
> Cluster 25

**Potential Targets**

this campaign’s potential targets include individuals and organizations in the government and defense sectors. Fancy Bear is primarily targeting entities in Eastern Europe and Europe. This indicates that Fancy Bear aims to achieve specific objectives, considering the geographic focus of the gang.

Tag

#intel