The evolving tactics increase the threat of ransomware operators, but there are steps organizations can take to protect themselves.

Cybercriminals are becoming more strategic and professional about ransomware. They increasingly are emulating how legitimate businesses operate, including leveraging a growing cybercrime-as-a-service supply chain.

This article describes four key ransomware trends and provides advice on how to avoid falling victim to these new attacks. 

**1\. IABs on the Rise**

Cybercrime is becoming more profitable, as evidenced by the growth of initial access brokers (IABs) that specialize in breaching companies, stealing credentials, and selling that access to other attackers. IABs are the first link in the cybercrime-as-a-service kill chain, a shadow economy of off-the-shelf services that any would-be criminal can purchase to construct sophisticated tool chains to execute almost any digital offense imaginable.

IABs' top customers are ransomware operators, who are willing to pay for access to ready-made victims while they focus their own efforts on extortion and improving their malware.

In 2021, there were more than 1,300 IAB listings on major cybercrime forums monitored by the KELA Cyber Intelligence Center, with nearly half coming from 10 IABs. In most cases, the price for access was between $1,000 and $10,000, with an average sale price of $4,600. Of all of the offerings available, VPN credentials and domain administrator access were among the most valuable.

**2\. Fileless Attacks Fly Under the Radar**

Cybercriminals are taking a cue from advanced persistent threat (APT) and nation-state attackers by employing living-off-the-land (LotL) and fileless techniques to improve their chances of evading detection to successfully deploy ransomware.

These attacks leverage legitimate, publicly available software tools often found in a target's environment. For example, 91% of DarkSide ransomware attacks involved legitimate tools, with only 9% using malware, according to a report by Picus Security. Other attacks have been discovered that were 100% fileless.

This way, threat actors evade detection by avoiding "known bad" indicators, such as process names or file hashes. Application-allow lists, which permit the usage of trusted applications, also fail to restrict malicious users, especially for ubiquitous apps. 

**3\. Ransomware Groups Targeting Low-Profile Targets**

The high-profile Colonial Pipeline ransomware attack in May 2021 affected critical infrastructure so severely that it triggered an international and top government response.

Such headline-grabbing attacks prompt scrutiny and concerted efforts by law enforcement and defense agencies to act against ransomware operators, leading to the disruption of criminal operations, as well as arrests and prosecutions. Most criminals would rather keep their activities under the radar. Given the number of potential targets, operators can afford to be opportunistic while minimizing the risk to their own operations. Ransomware actors have become far more selective in their targeting of victims, enabled by the detailed and granular firmographics supplied by IABs.

**4\. Insiders Are Tempted With a Piece of the Pie**

Ransomware operators also have discovered that they can enlist rogue employees to help them gain access. The conversion rate may be low, but the payoff can be worth the effort.

A survey by Hitachi ID taken between Dec. 7, 2021, and Jan. 4, 2022, found that 65% of respondents said their employees had been approached by threat actors to help provide initial access. Insiders who take the bait have different reasons for being willing to betray their companies, although dissatisfaction with their employer is the most common motivator.

Whatever the reason, the offers made by ransomware groups can be tempting. In the Hitachi ID survey, 57% of the employees contacted were offered less than $500,000, 28% were offered between $500,000 and $1 million, and 11% were offered more than $1 million.

**Practical Steps to Improving Protection**

The evolving tactics discussed here increase the threat of ransomware operators, but there are steps organizations can take to protect themselves:

*   **Follow zero-trust best practices,** such as multifactor authentication (MFA) and least-privilege access, to limit the impact of compromised credentials and increase the chance of detecting anomalous activity.
*   **Focus on mitigating insider threats,** a practice that can help limit malicious actions not only by employees but also by external actors (who, after all, appear to be insiders once they've gained access).
*   **Conduct regular threat hunting,** which can help detect fileless attacks and threat actors working to evade your defenses early.  
    

Attackers are always looking for new ways to infiltrate organizations' systems, and the new ploys we're seeing certainly add to the advantages cybercriminals have over organizations that are unprepared for attacks. However, organizations are far from helpless. By taking the practical and proven steps outlined in this article, organizations can make life very tough for IABs and ransomware groups, despite their new array of tactics.

How to Dodge New Ransomware Tactics

Protection mechanism failure in firmware for some Intel(R) SSD DC Products may allow a privileged user to potentially enable information disclosure via local access.

%PDF-1.7 %���� 1 0 obj <>/Metadata 511 0 R/ViewerPreferences 512 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/Annots\[ 19 0 R 20 0 R 23 0 R 24 0 R 25 0 R 26 0 R 27 0 R 28 0 R 29 0 R\] /MediaBox\[ 0 0 612 792\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\[�n�H}7��#9XQ�{3(v��"�:�g��yPd�c �2�� ?�߸U�"EI�I�-/&d�"Y��}��5/�w7��2x�z8^.'�?�������ë߲����n6Y��g���/K��s6���Q���$��������\_�GI�࿔)hfc�<\`F��";>��O�����4H�?�e�8p7O���r���y� N�wo�AR �7��r~\_��|����$� Ț%B���i+#�,�\[p�LSk�@M'��Z�%'���������X\`���5L)x�L\`����W��0?hɴ�O,n /K������>D&�y40�W��Ï�kwt dxO��ӈ����y|��}ڌ�NZ�4��Y�:�AW�|FX{�� ���U�'�j�/#�+��3� O#�ߣgΣ�2�Id鶏��y���m�ÏW�@������~�����e݄�1�\_�-�zJ�r)��t� @\*��ls� ���(��Œ�V�ǋ��Dem�����4H:G�H6�jx��Aub����/c����o�U/�|�����b�qq�ļ��!������w�c߬�B+�� x�.�\*ϗM�:���\*\*���-A\]B��P���ix�w�B�S'T��^�l�Y��\`U����� ��\*������V�p�ᝳi~�:�a.��Pw���Ɣ�Z6�2�� �1\_6���l���{8��p��q ����&��~��n�0� ����#M{\]�������!٫�ɾ8SC!�&r�c V�3s�6 ��ڄ�v��$z4\` (�$��h �X�����.���T%#<���F�T�%�7��7

CVE-2021-33081

**Woburn, MA, September 20, 2022 —** With the latest version of Kaspersky EDR Optimum, users can access an advanced automated detection mechanism and tailored incident response recommendations. The updated solution also ensures protection from damaged to crucial OS files, and provides information on file reputation from Kaspersky’s Threat Intelligence portal.

To help IT security workers deal with increased attack surfaces and complexities, Kaspersky presents the new edition of Endpoint Detection and Response Optimum. The updated version gives users the opportunity to gain highly sought-after skills in incident investigation and response, and helps them tackle their responsibilities under conditions of limited time and attention.

Kaspersky Endpoint Detection and Response Optimum provides information to get up to speed quickly. In addition to the previously available YouTube video instructions, the product now offers a Guided Response section in the alert card where IT security specialists can see the recommended steps for investigation and response.

In addition, Kaspersky Endpoint Detection and Response Optimum contains integrated "quality of life" improvements such as Threat Intelligence file reputation in the alert card. When a response is performed, a special check will help avoid making a mistake and blocking a crucial OS file, which can lead to ruining the whole infrastructure.

File reputation from Kaspersky Threat Intelligence Portal is available directly in the console allowing users to understand what files are harmless, malicious or suspicious, and also gives users insight into known or new threats in a faster and easier way. It also shows information such as which regions or countries the file was observed most frequently, and provides a link to the threat intelligence portal with additional information about the file.

“When our team was working on the Kaspersky Endpoint Detection and Response Optimum enhancements, one of the goals was to make all the solutions’ capabilities accessible for all types of our users, even for those who are making their first steps in investigation and response,” said Pavel Petrov, senior product manager at Kaspersky. “We believe the new features will allow our customers not only to ensure the protection of their company against multiple types of threats, but also increase the EDR expertise of the internal IT security team.”

During the last year, Kaspersky Endpoint Detection and Response was repeatedly recognized for its outstanding protective capacity. The product has shown superb results according to various independent evaluations including SE-labs, IDC, Radicati and others.

More information about Kaspersky Endpoint Detection and Response Optimum is available via this link.

New Kaspersky EDR Optimum Further Simplifies Protection Against Evasive Threats

Focused on bringing ease of use to IT security automation, ThreatQ TDR Orchestrator addresses industry needs for simpler implementation and more efficient operations.

**London, UK, September 20, 2022** — ThreatQuotient™, a leading security operations platform innovator, today announced a new version of ThreatQ TDR Orchestrator, the industry’s first solution for a simplified, data-driven approach to security operations. Built on the ThreatQ Platform, the continued innovation of ThreatQ TDR Orchestrator includes enhanced automation, analysis, and reporting capabilities that accelerate threat detection and response across disparate systems.

The latest research from ThreatQuotient, planned for full release later in 2022, shows signs that adoption of security automation is advancing, as budgets in this area are increasing for 98% of companies. The data also indicates that organisations have become more confident in automation itself, with over 88% of companies having some level of trust in automation outcomes compared to only 59% in the year prior. However, 98% say they have experienced problems during implementation. To support organisations with security automation solutions that are easier to use, cheaper than traditional automation tools and learn over time, ThreatQuotient has prioritised the development of ThreatQ TDR Orchestrator to enable more efficient and effective operations that can be directly measured by time savings and FTEs gained, improved risk management, and greater confidence when detecting and responding to an event.

The latest version of ThreatQ TDR Orchestrator offers the following benefits:

*   **Prioritise automation on the most important events/alerts** with context from threat intelligence and other internal and external sources. A feedback loop captures results to improve the automation flow over time.

*   **Playbooks are easier to maintain** as a result of Smart Collections which are used to abstract automation logic. Atomic Automation allows for immediate action when a complex response is not needed; and Automation Packs for vulnerability prioritisation, indicator enrichment, XDR, and more use cases coming soon, help users get started with common use cases quickly.

*   **Less training is required up front** as a result of a no-code user interface which also delivers a lower total cost of ownership over time, and enables users to rely less on their organisation’s technical resources which can be a bottleneck (e.g. waiting for internal developers to work through their backlog and write the playbook automations requested).

“Leveraging automation to do the heavy lifting and cut through the noise is vital to helping cybersecurity teams thrive under pressure. ThreatQuotient continues to innovate in a way that drives meaningful operational benefits to customers,” says Leon Ward, Vice President of Product Management at ThreatQuotient. “Many process-based SOAR platforms are designed such that only security engineers and analysts have the skills necessary to use them directly; making these traditional platforms hard to implement and maintain which drives higher costs over time. This ThreatQ TDR Orchestrator release reinforces the need for no-code solutions that empower operators to adapt to dynamic threat landscapes faster, and focus their energy on security operations workflows that provide critical business context.”

In an environment where security operations employee turnover is high, ThreatQuotient’s platform is well suited for increasing the number of people who know how to develop and maintain automation playbooks. ThreatQ’s data-driven approach means that anyone with business context can understand and maintain workflows, making teams more nimble and resilient. Additionally, Atomic Automation works at the "atomic" or lowest level, allowing an analyst to automate a single action or string of a few simple actions without needing a complex playbook. This enables analysts to pull data or push actions without actually needing to pivot from UI to UI for each of the products involved.

To learn more about ThreatQ TDR Orchestrator, register for ThreatQuotient’s upcoming webinar, ThreatQ Cyber Forum on ROI, taking place live on Wednesday 21st September at 10:00 am GMT. For a first-hand look at how ThreatQ, ThreatQ TDR Orchestrator, and ThreatQ Investigations can support your organisation’s security goals, register for the ThreatQ Online Experience, a unique interactive tour.

**About ThreatQuotient**

ThreatQuotient improves security operations by fusing together disparate data sources, tools and teams to accelerate threat detection and response. ThreatQuotient’s data-driven security operations platform helps teams prioritise, automate and collaborate on security incidents; enables more focused decision making; and maximises limited resources by integrating existing processes and technologies into a unified workspace. The result is reduced noise, clear priority threats, and the ability to automate processes with high fidelity data. ThreatQuotient’s industry leading data management, orchestration and automation capabilities support multiple use cases, including incident response, threat hunting, spear phishing, alert triage and vulnerability prioritisation, and can also serve as a threat intelligence platform. ThreatQuotient is headquartered in Northern Virginia with international operations based out of Europe, MENA and APAC. For more information, visit www.threatquotient.com.

ThreatQuotient Enhances Data-Driven Automation Capabilities With New ThreatQ TDR Orchestrator Features

The balance of deploying secure applications vs. time to market continues to be the biggest risk to organizations.

AUSTIN, Texas, Sept. 20, 2022 /PRNewswire/ — Invicti Security™, an application security leader for over 15 years, today released a new white paper, "Automated Application Security Testing for Faster Development," from independent industry analyst firm Enterprise Strategy Group (ESG). The report covers how Invicti customers are cost-effectively incorporating security into their development processes to secure their applications.

Organizations have been challenged in adapting their application security strategies and solutions as they undergo digital transformation for faster development cycles. As organizations migrate workloads to the cloud, they speed up development but also increase the risk of security vulnerabilities as application development and security teams clash on priorities. In fact, an earlier ESG study found that 48% of developers push vulnerable code in order to meet deadlines.

Traditional application security solutions haven't worked well to scale with modern development because they are costly to deploy and manage, they raise too many alerts and false positives, and they don't work in modern development workflows.

_Download the report to **view the full findings and insights.**_

**Join Invicti Chief Product Officer Sonali Shah and on October 13 for a live webinar to discuss the report findings and insights. Register here.**

The report describes how:

*   With the move to the cloud, organizations need a seamless solution that gives them protection and coverage for all of their applications, not just certain business-critical applications. Otherwise, simple coding mistakes can leave them vulnerable to attacks that could compromise company or customer data.
*   A leading television service network serving 26 million viewers has deployed Invicti to help them deliver secure applications on time, enabling them to innovate while protecting information collected online, particularly the personally identifiable information (PII) of viewers and staff, as well as its own company data and intellectual property.
*   A global travel and vacations company uses Invicti to cost-effectively automate security testing for applications across its portfolio of companies, enabling developers to fix security issues within their workflows.
*   Invicti customers also reported time and cost savings with fewer security incidents and teams working more efficiently with security integrated with developer workflows.

"With the increasing speed of development, companies need fast, seamless security solutions that integrate extremely well with developer workflows and tools, so they can bridge the gap between developer and security team priorities and needs," said Sonali Shah, Chief Product Officer at Invicti. "Dynamic application security testing (DAST) is the best-positioned tool to reduce the risk of pushing out vulnerable web applications without burdening developer teams or slowing them down."

"The development lifecycle is an intricate process that requires many pieces and technologies to be successful. Adding security as an afterthought to this process is proven to create points of exposure for organizations," said Melinda Marks, Senior Analyst at ESG. "With Invicti's approach to application security, security experts can help developers infuse secure practices into their development processes so that security enables innovation instead of slowing things down or blocking it."

**About Invicti Security**

Invicti Security – which acquired and combined respective DAST leaders Acunetix and Netsparker – is transforming the way web applications are secured. An AppSec leader for more than 15 years, Invicti enables organizations in every industry to continuously scan and secure all of their web applications and APIs at the speed of innovation. Invicti provides a comprehensive view of an organization's entire web application portfolio, and powerful automation and integrations enable customers to achieve broad coverage of thousands of applications. Invicti is headquartered in Austin, Texas, and serves more than 3,600 organizations of all sizes in more than 70 countries. For more information, visit our website or follow us on LinkedIn.

Invicti Security and ESG Report on How Companies are Shifting for Higher Quality, Secure Application Code

A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show.
Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT.
The

A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show.

Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT.

The attacks are said to be an expansion of the same campaign that previously distributed DCRat (or DarkCrystal RAT) using phishing emails with legal aid-themed lures against providers of telecommunications in Ukraine.

Sandworm is a destructive Russian threat group that's best known for carrying out attacks such as the 2015 and 2016 targeting of Ukrainian electrical grid and 2017's NotPetya attacks. It's confirmed to be Unit 74455 of Russia's GRU military intelligence agency.

The adversarial collective, also known as Voodoo Bear, sought to damage high-voltage electrical substations, computers and networking equipment for the third time in Ukraine earlier this April through a new variant of a piece of malware known as Industroyer.

Russia's invasion of Ukraine has also had the group unleash numerous other attacks, including leveraging the Follina vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to breach media entities in the Eastern European nation.

In addition, it was uncovered as the mastermind behind a new modular botnet called Cyclops Blink that enslaved internet-connected firewall devices and routers from WatchGuard and ASUS.

The U.S. government, for its part, has announced up to $10 million in rewards for information on six hackers associated with the APT group for participating in malicious cyber activities against critical infrastructure in the country.

"A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113's broadening but continuing use of publicly available commodity malware," Recorded Future said.

The attacks entail the fraudulent domains hosting a web page purportedly about "Odesa Regional Military Administration," while an encoded ISO image payload is stealthily deployed via a technique referred to as HTML smuggling.

HTML smuggling, as the name goes, is an evasive malware delivery technique that leverages legitimate HTML and JavaScript features to distribute malware and get around conventional security controls.

Recorded Future also said it identified points of similarities with another HTML dropper attachment put to use by the APT29 threat actor in a campaign aimed at Western diplomatic missions between May and June 2022.

Embedded within the ISO file, which was created on August 5, 2022, are three files, including an LNK file that tricks the victim into activating the infection sequence, resulting in the deployment of both Colibri loader and Warzone RAT to the target machine.

The execution of the LNK file also launches an innocuous decoy document – an application for Ukrainian citizens to request for monetary compensation and fuel discounts – in an attempt to conceal the malicious operations.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Russian Sandworm Hackers Impersonate Ukrainian Telecoms to Distribute Malware

Categories: Business
EDR, MDR, and XDR can alleviate challenges most small business cybersecurity teams face, such as alert fatigue and limited resources. Let’s dive into the basics of three common detection and response solutions.



(Read more...)




The post EDR vs MDR vs XDR – What’s the Difference? appeared first on Malwarebytes Labs.

Cyberattacks are rapidly evolving, leaving businesses and their IT security teams to handle immense workloads.

Keeping up with today’s cyberthreats not only involves staying up to date in an ever-changing threat landscape, it also involves managing complex security infrastructure and technologies. Detection and response tools are designed to help security teams monitor, evaluate, and respond to potential threat actor activity.

EDR, MDR, and XDR can alleviate challenges most small business cybersecurity teams face, such as alert fatigue and limited resources.

Although detection and response tools share similar purposes, they are not all equal. Every threat detection and response capability has its own advantages when it comes to addressing the needs of your business and catching threats that have thwarted traditional security layers.

Let’s dive into the basics of three common detection and response solutions.

**Endpoint Detection and Response (EDR)**

Endpoint detection and response (EDR) solutions cover all endpoint monitoring and activity through threat hunting, data analysis, and remediation to stop a range of cyberattacks. These attacks include malware, ransomware, brute force, and zero-day intrusions.

**Managed Detection and Response (MDR)**

Managed detection and response (MDR) is a service that offers a suite of outsourced capabilities to deliver round-the-clock, 24/7/365 monitoring and detection, proactive threat hunting, prioritization of alerts, correlated data analysis, managed threat investigation, and remediation. MDR is popularly thought of as an in-house Security Operations Center (SOC) alternative. It blends a human element of highly-skilled experts with threat intelligence technologies.

**Extended Detection and Response (XDR)**

Extended detection and response (XDR) is a proactive cybersecurity solution that provides improved, unified visibility over endpoints, networks, and the cloud through aggregating siloed data across an organization’s security stack.

**What is the difference between EDR vs MDR vs XDR?**

Today’s industry-leading detection and response technologies rely on threat intelligence data pulled from different sources. This threat intel data varies in readability and usefulness depending on the tool and its intended audience, your security team, decision-makers, or key stakeholders. Not all businesses have the cybersecurity resources to interpret copious amounts of data, investigate alerts, and act on threats.

Let’s compare threat detection and response tools and the challenges they address.

**EDR vs MDR**

The difference between EDR and MDR is scale.

The needs of your organization, the number of assets and endpoint devices to protect, available resources, bandwidth, and in-house cybersecurity skill level are all factors to consider when it comes to MDR vs EDR. Addressing your business’ security challenges is crucial to understanding how much visibility your company really needs, doing so will help determine the detection and response technology best fit for your business and enhance your cybersecurity stack.

EDR has several benefits and provides holistic visibility into the attack surface of all your endpoints and can detect threats that circumvent legacy endpoint protection platforms (EPP). Endpoint Detection and Response is a staple for establishing a comprehensive security strategy and lays the groundwork for scalable cybersecurity maturity. Although fundamental, it generates a lot of alerts and endpoint telemetry data, adding to its complexity. It requires skilled cybersecurity talent who can readily handle high alert volume, interpret EDR alerts, and respond proficiently. The key takeaway is that standalone EDR products help businesses wanting to enhance their endpoint security posture but require a level of resources and advanced cybersecurity personnel.

MDR security is a managed service which merges human expertise with threat intelligence, offering advanced threat hunting, threat identification, alert prioritization, and incident response. MDR helps businesses obtain outsourced, high-skilled cybersecurity experts at an affordable cost. Regardless of size and level of expertise, your current IT team can leverage a turnkey experience with Managed Detection and Response to close the skill gap in specialized security talent. Small businesses seeking to build security maturity, handle complex threats, and relieve in-house alert fatigue, have everything to gain from Managed Detection and Response.

**MDR vs XDR**

XDR works to consolidate alerts and unify previously siloed data from a range of cybersecurity tools. Businesses struggling with an influx of alerts across multiple existing security tools have the most to benefit from XDR solutions. Providing extended visibility, the tool is centered on aggregating and correlating telemetry from various security tools and enhancing defense across the security ecosystem.

Extended Detection and Response addresses the challenges of businesses with multilayered security architecture.

**Tips for choosing a threat detection and response tool for your business**

Choosing the right detection and response tool starts with addressing your business’ security needs at scale. Simply put, your organization should consider the following questions:

• What does my company need to protect? What assets are most vulnerable to being compromised?  
• How much visibility does my organization need?  
• Does my security team have the skillset, time, and bandwidth to handle large security workloads?  
• What are the resource constraints of my organization?  
• Who will be analyzing, investigating, and responding to detected threats, alerts, and data?

**Featured articles **

What is Threat Hunting?

3 ways MDR can drive business growth for MSPs

Cyber threat hunting for SMBs: How MDR can help

What is Threat Intelligence?

What is MDR?

What is SIEM?

What is SOC?

Webinar: Malwarebytes EDR Product Demo

EDR vs MDR vs XDR – What’s the Difference?

Ubuntu Security Notice 5617-1 - It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information. Julien Grall discovered that Xen incorrectly handled memory barriers on ARM-based systems. An attacker could possibly use this issue to cause a denial of service, obtain sensitive information or escalate privileges.

==========================================================================  
Ubuntu Security Notice USN-5617-1  
September 19, 2022

xen vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Xen.

Software Description:  
- xen: Public headers and libs for Xen

Details:

It was discovered that memory contents previously stored in  
microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY  
read operations on Intel client and Xeon E3 processors may be briefly  
exposed to processes on the same or different processor cores. A local  
attacker could use this to expose sensitive information. (CVE-2020-0543)

Julien Grall discovered that Xen incorrectly handled memory barriers on  
ARM-based systems. An attacker could possibly use this issue to cause a  
denial of service, obtain sensitive information or escalate privileges.  
(CVE-2020-11739)

Ilja Van Sprundel discovered that Xen incorrectly handled profiling of  
guests. An unprivileged attacker could use this issue to obtain sensitive  
information from other guests, cause a denial of service or possibly gain  
privileges. (CVE-2020-11740, CVE-2020-11741)

It was discovered that Xen incorrectly handled grant tables. A malicious  
guest could possibly use this issue to cause a denial of service.  
(CVE-2020-11742, CVE-2020-11743)

Jan Beulich discovered that Xen incorrectly handled certain code paths. An  
attacker could possibly use this issue to cause a denial of service.  
(CVE-2020-15563)

Julien Grall discovered that Xen incorrectly verified memory addresses  
provided by the guest on ARM-based systems. A malicious guest administrator  
could possibly use this issue to cause a denial of service. (CVE-2020-15564)

Roger Pau Monné discovered that Xen incorrectly handled caching on x86 Intel  
systems. An attacker could possibly use this issue to cause a denial of  
service. (CVE-2020-15565)

It was discovered that Xen incorrectly handled error in event-channel port  
allocation. A malicious guest could possibly use this issue to cause a  
denial of service. (CVE-2020-15566)

Jan Beulich discovered that Xen incorrectly handled certain EPT (Extended  
Page Tables).  An attacker could possibly use this issue to cause a denial  
of service, data corruption or privilege escalation. (CVE-2020-15567)

Andrew Cooper discovered that Xen incorrectly handled PCI passthrough.  
An attacker could possibly use this issue to cause a denial of service.  
(CVE-2020-25595)

Andrew Cooper discovered that Xen incorrectly sanitized path injections.  
An attacker could possibly use this issue to cause a denial of service.  
(CVE-2020-25596)

Jan Beulich discovered that Xen incorrectly handled validation of event  
channels. An attacker could possibly use this issue to cause a denial  
of service. (CVE-2020-25597)

Julien Grall and Jan Beulich discovered that Xen incorrectly handled  
resetting event channels. An attacker could possibly use this issue to  
cause a denial of service or obtain sensitive information. (CVE-2020-25599)

Julien Grall discovered that Xen incorrectly handled event channels  
memory allocation on 32-bits domains. An attacker could possibly use this  
issue to cause a denial of service. (CVE-2020-25600)

Jan Beulich discovered that Xen incorrectly handled resetting or cleaning  
up event channels. An attacker could possibly use this issue to cause a  
denial of service. (CVE-2020-25601)

Andrew Cooper discovered that Xen incorrectly handled certain Intel  
specific MSR (Model Specific Registers). An attacker could possibly use  
this issue to cause a denial of service. (CVE-2020-25602)

Julien Grall discovered that Xen incorrectly handled accessing/allocating  
event channels. An attacker could possibly use this issue to cause a  
denial of service, obtain sensitive information of privilege escalation.  
(CVE-2020-25603)

Igor Druzhinin discovered that Xen incorrectly handled locks. An attacker  
could possibly use this issue to cause a denial of service. (CVE-2020-25604)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
  libxendevicemodel1              4.11.3+24-g14b62ab3e5-1ubuntu2.3  
  libxenevtchn1                   4.11.3+24-g14b62ab3e5-1ubuntu2.3  
  libxengnttab1                   4.11.3+24-g14b62ab3e5-1ubuntu2.3  
  libxenmisc4.11                  4.11.3+24-g14b62ab3e5-1ubuntu2.3  
  xen-hypervisor-4.11-amd64       4.11.3+24-g14b62ab3e5-1ubuntu2.3  
  xen-hypervisor-4.11-arm64       4.11.3+24-g14b62ab3e5-1ubuntu2.3  
  xen-hypervisor-4.11-armhf       4.11.3+24-g14b62ab3e5-1ubuntu2.3  
  xen-utils-4.11                  4.11.3+24-g14b62ab3e5-1ubuntu2.3  
  xen-utils-common                4.11.3+24-g14b62ab3e5-1ubuntu2.3  
  xenstore-utils                  4.11.3+24-g14b62ab3e5-1ubuntu2.3

After a standard system update you need to reboot your computer to make  
all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5617-1  
  CVE-2020-0543, CVE-2020-11739, CVE-2020-11740, CVE-2020-11741,  
  CVE-2020-11742, CVE-2020-11743, CVE-2020-15563, CVE-2020-15564,  
  CVE-2020-15565, CVE-2020-15566, CVE-2020-15567, CVE-2020-25595,  
  CVE-2020-25596, CVE-2020-25597, CVE-2020-25599, CVE-2020-25600,  
  CVE-2020-25601, CVE-2020-25602, CVE-2020-25603, CVE-2020-25604

Package Information:  
  https://launchpad.net/ubuntu/+source/xen/4.11.3+24-g14b62ab3e5-1ubuntu2.3

Ubuntu Security Notice USN-5617-1

A potential unathenticated file deletion vulnerabilty on Trend Micro Mobile Security for Enterprise 9.8 SP5 could allow an attacker with access to the Management Server to delete files.

This issue was resolved in 9.8 SP5 Critical Patch 2.

CVE-2022-40980

If we know a user is legitimate, then why would we want to make their user experience more challenging?

Years ago, I had to get hold of a personal document that I needed from a government office. I had brought with me all of the documentation that I was told I needed, but there was an issue — a bureaucratic technicality that rendered one of the pieces of documentation invalid in the eyes of the clerk.  

I tried to argue that if we zoomed out and looked at the big picture, it was clear that I was me and entitled to my own document. The clerk would not hear of it, though, and replied, "It should not be easy to get this document." I did not agree and quipped, "It should be easy to get this document if one is entitled to it." Unfortunately, that remark did not get me the document, and I was forced to return another day.

The reason I am sharing this story with you is because it can teach us an important lesson about balancing fraud and user experience. My example illustrates how off-base the conventional wisdom is that says making something harder for a legitimate user to get reduces risk. If a user is legitimate, and if we know they are legitimate, then why would we ever want to make their user experience more challenging?

All that does is introduce another kind of risk — the risk that the user will give up and go elsewhere to get what they need. I didn't have the option of going elsewhere when I needed my document from the government. The users of your online application, on the other hand, very much do have that option in most cases. It is worth thinking about how user experience can be balanced against the need to detect and mitigate fraud losses.

Here are five ways enterprises can improve their fraud detection capabilities in order to better balance fraud detection and user experience.

**1\. Device Intelligence**

I am often surprised by how many fraud rules focus on IP addresses. As you know, IP addresses are trivial for a fraudster to change — the minute you block them from one IP address, they move on to another. The same goes for blocking entire countries or ranges of IP addresses — it is trivial for a fraudster to bypass that. Focusing on IP addresses creates unreliable rules that generate a huge volume of false positives.

Reliable device identification, on the other hand, is entirely different. Being able to identify and track end-user sessions via their device identifiers, rather than their IP addresses, enables fraud teams to hone in on devices that are interacting with the application. This allows for fraud teams to perform a variety of checks and analyses that leverage device identification, such as looking for known fraudster devices, looking for devices that log into a relatively high number of accounts, and other methods.

**2\. Behavioral Intelligence**

It can be quite difficult to differentiate between legitimate users and fraudsters at layer 7 (the application layer) of the OSI model. Moving up to layer 8, or the user layer, however, makes that differentiation much more plausible.

In most cases, legitimate users and fraudsters behave differently within sessions. This is mainly because they have different objectives and levels of familiarity with the online application. Studying end-user behavior gives enterprises another tool they can use to more accurately differentiate between fraud and legitimate traffic.

**3\. Environmental Intelligence**

In many cases, environmental clues (the environment being where the end user is coming from) exist that can help a fraud team differentiate between fraud and legitimate traffic. Having insight into and properly leveraging these environmental clues takes some investment, though it pays huge dividends when it comes to more accurately detecting fraud.

**4\. Known Good User Identification**

As organizations get better at understanding what fraudulent traffic looks like, they also reap another benefit: They become better at identifying what good traffic and what known good users look like. In other words, if I can be reasonably confident that the session in question and the end user navigating it are both good, I can be reasonably confident that I don't need to pile on tons of friction in the form of authentication requests, multifactor authentication (MFA) challenges, or otherwise.

**5\. Session Focus**

Some teams focus somewhat myopically on transactions. That is a bit like trying to see the beauty of the ocean through a straw. True, you can see a portion of the ocean, but you miss most of it. Similarly, looking across the entirety of the end-user session, rather than at individual transactions or groups of transactions, is a great way to more accurately separate fraudulent traffic from legitimate traffic. The techniques mentioned above, along with others, all work far better with a broader, more strategic view of what is going on.

**Reduce the Friction**

Enterprises do not need to choose between effective fraud detection and ease of use. It is possible to manage and mitigate risk without introducing additional friction to your end users as they journey through your online applications. The time has come to throw out the conventional wisdom that says otherwise.

Tag

#intel