Categories: Business
Cybercriminals are more likely to target small-and-medium businesses for their perceived (and sometimes actual) lack of cyberdefenses. In this post, we break down five must-have technologies that help prevent cyberattacks for SMBs.



(Read more...)




The post 5 technologies that help prevent cyberattacks for SMBs  appeared first on Malwarebytes Labs.

_**The intel you need to secure your business—delivered straight to your inbox**_

_From industry tips and best practices to the latest Malwarebytes product releases and how-tos, our Business newsletter is chock-full of the best of our business blog. Subscribe to our Business newsletter today._

Now more than ever, threat actors are trying to attack company networks. In fact, there were 50% more attack attempts per week on corporate networks globally in 2021 than in 2020.

Small-and-medium-sized businesses need to be on the lookout particularly, as cybercriminals are more likely to target them for their perceived (and sometimes actual) lack of cyberdefenses.

This article focuses on helping to prevent cyberattacks purely through technology; though of course, businesses need a combination of technology, people, and strategy to truly become cyber resilient. 

That being said, security experts advise against relying solely on a single technology or technique to protect business endpoints. Effective prevention requires a layered approach capable of addressing not only today’s threats, but preventing tomorrow’s as well. 

In this post, we break down five must-have technologies that help prevent cyberattacks for SMBs.

**Your level of prevention is determined by how much risk you accept to take on**

There are two extremes to prevent cyberattacks: Overly permissive prevention and absolute prevention—and where you fall on that spectrum depends on the level of risk in your organization.

Let’s start over at one end of the extreme. 

In the medical industry for example, doctors in large hospitals use a virtual machine. The machine they use operates in a virtual environment, and that virtual environment is destroyed and recreated when they log back in in another room. They can't install anything or change anything. Data is kept separate. 

Moving towards the other end of the extreme, you might find startups or smaller companies with very lax prevention. Something like, “Here's a laptop. We've provided you with the basic software, call us if you have a problem.”

What’s important to note here is that, because the risk level of every organization is different, there's no “one-size-fits-all” approach to prevent cyberattacks. Your level of prevention will vary drastically depending on industry, company size, and so on.

Having said that, the average small-to-medium-sized business falls somewhere in the middle of these two extremes. At a medium level of risk, you want to find that perfect balance between too strict and too permissive.   

Remember the maxim: The cyberattacks you cannot prevent, you need to mitigate. For mitigation, we assume your business uses (outsources) endpoint detection and response—but you still need the right technology to prevent cyberattacks in the first place. Especially ransomware. 

Read Our Defender's Guide to Ransomware Resilience!

The question for any IT leader then is: What can I prevent, without slowing down my business?

**5 technologies that help prevent cyber attacks for SMBs (ranked in order of importance)**

(Note: these aren’t hard-and-fast rankings, just a good rule of thumb. They may look different for your individual business—for example, you might put 2FA first before anything else and that’s totally OK.)

**1\. Endpoint protection**

Before anything else, endpoint protection should be the first thing you set out to pair with your EDR.

Through a combination of web protection, application hardening, and more, EP provides businesses with full attack chain protection against both known and unknown malware, ransomware, and zero-hour threats. Multi-stage attack protection provides the ability to stop an attacker at every step.

Read our “Endpoint Protection Buyers Guide” for details of the core requirements to help you navigate your enterprise endpoint protection solution analysis, which provides a solution questionnaire to help you with your evaluation process.

**Read more: What is endpoint protection?****2. Vulnerability assessment AND patch management (tied) **

Hold on a sec, you’re telling me vulnerability assessment and patch management are preventative? Don’t both of these mitigate being compromised, since the vulnerability is already technically present?

Well, sure—but the only surefire way to prevent a vulnerability from being exploited is through patching it. Therefore, the process of finding vulnerabilities (and categorizing them by severity) so that you can then systematically patch them before they can be exploited, are two vital preventative measures.

And no, you don’t want to do either of these things manually if you can help it. A vulnerability assessment platform can automatically find and score vulnerabilities with the Common Vulnerability Scoring System (CVSS), while a patch management platform can help you patch those vulnerabilities automatically.

**Read more: Vulnerability response for SMBs: The Malwarebytes approach****3. DNS filtering**

The next technology you need to prevent cyberattacks is a DNS filter. But first, a little bit about what DNS (domain name system) is. 

Every time a customer types in your web address, their computer makes a request to a DNS server. The DNS server, in turn, tells the computer where to go. If all goes well, then voila, your customer is at your website. 

A DNS filter prevents you from accessing unsafe websites—including those posing a strong malware risk. But which web-based cyberthreats in particular does DNS filtering stop, you ask? There are three big ones:

*   **Phishing**: If you have a DNS filter, as soon as someone in your business clicks a link to a malicious website, they’re prevented from visiting it. 
    

*   **DDoS attacks**: Being able to continuously monitor DNS activity is a great way to catch the warning signs of a DNS DDoS attack—and with a DNS filter, you can do exactly that.
    
*   **Machine-in-the-middle attacks**: A good DNS filter uses DNS encryption, which secures the connection between your computer and the DNS resolver. That way, cybercriminals cannot sit between you and feed you spoofed DNS entries.
    

**Read more: 3 ways DNS filtering can save SMBs from cyberattacks****4. Cloud scanning**

No matter what cloud storage service you use, you likely store a lot of data: A mid-sized company can easily have over 40TB of data stored in the form of millions of files. 

Needless to say, it can be difficult to monitor and control all the activity in and out of cloud storage repositories, making it easy for malware to hide in the noise as it makes its way to the cloud. That’s where cloud storage scanning comes in.

Most cloud storage apps already have malware-scanning capabilities. However, businesses use multiple different cloud storage repositories, and due to lack of integration options, they are unable to get a centralized view of all of their scan results, across multiple repositories, in a single pane of glass.

To better prevent cyberattacks, look for a cloud scanning service that uses multiple anti-malware engines, using a combination of signatures, heuristics and machine learning to increase detection rates. Also, look for one that provides a comprehensive view to monitor the health of all your enterprise data.

**Read more: Cloud-based malware is on the rise. How can you secure your business?****5. 2FA**

Two-factor authentication (2FA) is a cost-effective option for SMBs. 2FA adds an extra layer of protection by asking users to provide two forms of identification to prove their validity.

According to Robert Zamani, Regional Vice President, Americas Solutions Engineering at Malwarebytes, 2FA is relatively quick and easy to implement.

“2FA is simple." says Zamani. "You roll a device quickly, you enroll a device—that's something they have, which is usually a smartphone—something they know, which is a password—and then you enforce password minimum.”

**Read more: Understanding the basics of two-factor authentication****Bonus: Cyber insurance **

OK, it’s not a technology, but hear me out.

Let’s say your business has just suffered a data breach and it’s time to dig deep in your pockets to pay all the resulting expenses. Without cyber insurance, you can expect to pay a dizzying amount of cash.

In 2022 alone, the average cost of a data breach for businesses under 1,000 employees was close to $3 million—and these costs are coming from activities that cyber insurers typically cover, such as detecting and responding to the breach.

So when it comes to preventing having to pay huge out of pocket costs in the event that you’re hit with a cyberattack, cyber insurance is a must. The harsh truth is that if you don’t have cyber insurance and are hit with ransomware with no way to recover files, you will likely go out of business—especially if you're a small-and-medium-sized business. 

**Read more: 4 ways businesses can save money on cyber insurance ****A “Matryoshka approach” to cyber prevention**

Let’s recap. 

Relying solely on a single technology or technique to protect your businesses’ endpoints is a fool's errand. 

At the same time, we have to understand that each business has different needs when it comes to prevention: Your level of risk is the chief decider of what tech you ultimately employ to prevent cyberattacks. Depending on your industry and company size, you could justifiably use all of these technologies and more—or none of them.

However, most SMBs will find themselves in the middle of the risk-prevention spectrum. To that end, the following are strongly recommended: Endpoint protection, VPM, DNS filtering, cloud storage scanning, and 2FA (and cyber insurance!). 

Of course, you can't prevent 100% of threats. Therefore, you need an EDR solution to detect and respond to what _does_ get through. That is to say, you should pair any preventative technology with an EDR solution, and a good EDR can seamlessly integrate with all of the preventative technologies listed here.

Want to see what effective prevention and response look like in action? See below for a live demonstration of Malwarebytes Endpoint Detection and Response (EDR):

TAKE ME TO a LIVE DEMO OF EDR!

5 technologies that help prevent cyberattacks for SMBs 

Yurii Shchyhol gives WIRED a rare interview about running the country’s Derzhspetszviazok and the state of the online conflict with Russia.

Yurii Shchyhol doesn’t have a lot of time to spare.

The head of the Derzhspetszviazok, Ukraine’s version of the US Cybersecurity and Infrastructure Security Agency, can be forgiven for working speedily. His country is under attack—and with it, the world order. “This is the first time ever in history that we’ve had such a full-fledged cyberwar happening right now in Ukraine,” says Shchyhol, who’s tasked with keeping Ukraine’s cyber territory safe in the same way president Volodymyr Zelensky oversees the country’s physical armed forces.

Skirmishes on the internet against Russian hackers weren’t new to Shchyhol, nor to the people he oversees as part of of the Derzhspetszviazok, also known as the State Service of Special Communications and Information Protection. Before invading Ukraine on February 24, Russia had been testing the defenses of Ukraine’s cybersecurity. Mostly it was persistent, low-level attacks, but one larger attack was launched on January 14, when Russia targeted more than 20 Ukrainian government institutions. The attack, designed to disrupt government-linked websites, leeched out into the wider Ukrainian internet. “We also identified that around 90 websites were not accessible as a result of that attack,” says Shchyhol. “The goal of the Russian hackers was to sow panic among the Ukrainian population, and to demonstrate to the outside world that Ukraine is a weak state that couldn’t handle the attacks,” he says. This is why the Derzhspetszviazok rushed to relaunch the sites affected. “The longest it took us for one site was close to one week,” he says. “No data was lost, and the outcome of this attack was more psychological warfare.”

When Russian soldiers began intruding into Ukraine’s physical territory, the attacks in cyberspace stepped up. For a full month, Russia targeted communications nodes, media, logistics, and railways, says Shchyhol. “At that time, there were lots of civilians—noncombatant Ukrainians fleeing to safer places,” he adds. “That’s why the goal of those attacks was to disrupt the work of communications lines, and railways in particular.”

We’re now in the third stage of Russia’s cyberwar against Ukraine, says Shchyhol—one that’s ongoing and perpetrated “mostly against civilian infrastructure: utilities and companies that render services to civilians, since they failed to destroy in the second phase our communication lines and our ability to keep people abreast of what’s going on.” Russia’s digital war playbook is similar to its physical warfare strategy, says the cybersecurity chief. “Our attitude remains the same,” he says. “We treat them as criminals trying to destroy our country, invading it on the land but also trying to disrupt and destroy our lifestyle in cyberspace. And our job is to help defend our country.”

Ukraine’s defense of its cyber assets has surprised some, who feared Russia’s much-hyped hacker army could quickly wipe out the country digitally—just as many in the international community worried Russia’s ground invasion was a foregone conclusion. But Vladimir Putin has already played his hand when it comes to cyberattacks, says Shchyhol, and Ukraine learned lessons. A 2017 attack launched by Russia using the NotPetya virus decimated the country—and broke out into the wider world, causing chaos wherever it spread. “Afterward, there was a couple of years when they were quiet,” says Shchyhol. “We recognized that’s because they were getting themselves prepared for more active attacks against our country, so we used that pause time to get ourselves prepared for the potential attacks.” Ukraine’s success in repelling the worst of Russia’s cyberattacks in 2022 demonstrates well how much the country analyzed and learned from previous skirmishes, says the cyber chief.

One thing that helped Ukraine learn Russia’s cyber MO was creating a database of attributed Russian attacks that were specified to particular hacker groups. Shchyhol says the Derzhspetszviazok learned that most groups were sponsored by either Russia’s intelligence service—the FSB, Russia’s post-Soviet successor to the KGB—or the Russian army. Shchyhol refutes the term “hacktivist” when used in relation to Russia. “A hacktivist is a person who does it from the generosity of his heart, free of charge,” he says. “These guys are sponsored by the state and receive a mandate to perpetrate crimes.” Knowing who was behind the attacks helped, Shchyhol says. “By virtue of realizing who is attacking us, it allowed us to be better and more successfully get prepared to repel those attacks,” he says.

The database Shchyhol and his institution developed helped Ukraine repel an attack against a Ukrainian energy-generating company Russia launched earlier this year. “They used the same virus for that that they used back in 2017,” he says. Back then, Russia used the Industroyer virus; the country deployed an updated version, called Industroyer 2, earlier this year. “Since we were ready for this type of attack, we were successful in repelling it, and thus prevented damage being caused to this company,” Shchyhol says. This prevented power blackouts for 2 million people, he adds.

Ukraine’s cybersecurity lead admits that at least one Ukrainian database has been wiped as a result of Russia’s reported widespread use of wiper malware: the government’s motor insurance policy bureau, responsible for issuing coverage for Ukrainian drivers. “For two weeks, this bureau wasn’t able to issue the insurance policies to their clients,” says Shchyhol. But the bureau—like many in Ukraine—was warned about the risks and had a backup that enabled it to return to normal operations relatively quickly.

“The efficiency of any cyber combat efforts should be judged not by the fact that we make it impossible for the attackers to attack us,” says Shchyhol. “The real test of how well we perform is the \[speed\] with which services can be relaunched, and the fact no important data is stolen by perpetrators.”

Ukraine’s defenses have also been bolstered by covering fire in the cyberwarfare field by pro-Ukraine hacktivists—here, he’s more willing to use the term. “I’m talking not only about the Ukrainian IT Army,” a Telegram group set up at the start of the invasion that had at its peak more than 300,000 subscribers, “but other hacktivists worldwide that joined the effort at the beginning of the invasion.” Shchyhol says that those hacktivists have provided much-needed help—even if there’s little proof that the hacktivist army made any meaningful impact. Indeed, one recent academic analysis compared their work to breaking into a disused shopping center in a small city and spray-painting “Putin sux” on the walls.

“Being a military person, I believe anything that weakens our enemy is good for us,” he says. But Shchyhol is keen to make it clear that’s his personal opinion—wanting to avoid any suggestion of collusion or organization by the Ukrainian state. “They are a self-organized community, operating by setting their own goals,” he says. “There is no coordination of their activities coming from the government of Ukraine, and no sponsoring of their activities. We, as the government of Ukraine, are not giving them any direct order to target, for instance, infrastructure.” Even if they were to do so, Shchyhol says, Russia and its infrastructure would be lawful targets because of “all the crimes they perpetrated here.”

But rather than targeting key infrastructure for offensive attacks from hacktivists, Shchyhol suggests that targeted moves by IT businesses can cause as much damage. In July, he called for international companies servicing Russia to withdraw from the country. “Our enemy currently employs tactics like hordes did back in the Middle Ages,” he says. “Trying to attack territory and modify countries to how they want them to look using blunt force. In order for them to continue using this blunt force, they rely on continuous access to modern technologies.”

Without that access, Shchyhol says, “they will be thrown back to the Middle Ages. Any technology that comes into Russian hands, they’ll immediately try to use it for military purposes.” He estimates that 95 percent of tech companies his agency, Ukraine’s vice-president, and other government officials have approached have already withdrawn from the Russian market. Those that have include Cisco, HP, IBM, and Dell.

As for companies that haven’t, Shchyhol has a simple message. “The whole civilized world needs to recognize that the threat goes beyond Ukraine,” he says. “Cyberspace has no boundaries. If there’s any attack perpetrated against the cyberspace of one country, by default it’s affecting and attacking other countries as well.”

Ukraine’s Cyberwar Chief Sounds Like He’s Winning

Incorrect Access Control issue in Yellowfin Business Intelligence 7.3 allows remote attackers to escalate privilege via MIAdminStyles.i4 Admin UI.

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

CVE-2020-19586: CVE-2020-19586/Stored XSS in MIAdminStyles.i4 through privileges escalation.pdf at main · Deepak983/CVE-2020-19586

Cross Site Scripting (XSS) vulnerability in configMap parameters in Yellowfin Business Intelligence 7.3 allows remote attackers to run arbitrary code via MIAdminStyles.i4 Admin UI.

CVE-2020-19587

Cyber spies are using legitimate apps for DLL sideloading, deploying an updated range of malware, including the new "Logdatter" info-stealer.

A threat group previously associated with the notorious ShadowPad remote access Trojan (RAT) has been observed using old and outdated versions of popular software packages to load malware on systems belonging to multiple target government and defense organizations in Asia.

The reason for using outdated versions of legitimate software is because they allow the attackers to use a well-known method called dynamic link library (DLL) sideloading to execute their malicious payloads on a target system. Most current versions of the same products protect against the attack vector, which basically involves adversaries disguising a malicious DLL file as a legitimate one and putting it in a directory where the application would automatically load and run the file.

Researchers from Broadcom's Software's Symantec Threat Hunter team observed the ShadowPad\-related threat group using the tactic in a cyber-espionage campaign. The group's targets have so far included a prime minister's office, government organizations linked to the finance sector, government-owned defense and aerospace firms, and state-owned telecom, IT, and media companies. The security vendor's analysis showed the campaign has been ongoing since at least early 2021, with intelligence being the primary focus.

**A Well-Known Cyberattack Tactic, but Successful**

"The use of legitimate applications to facilitate DLL sideloading appears to be a growing trend among espionage actors operating in the region," Symantec said in a report this week. It's an attractive tactic because anti-malware tools often don't spot the malicious activity because attackers used old applications for side loading.

"Aside from the age of the applications, the other commonality is that they were all relatively well-known names and thus may appear innocuous." says Alan Neville, threat intelligence analyst with Symantec's threat hunter team.  

The fact that the group behind the current campaign in Asia is using the tactic despite it being well-understood suggests the technique is yielding some success, Symantec said.

Neville says his company has not recently observed threat actors use the tactic in the US or elsewhere. "The technique is mostly used by attackers focusing on Asian organizations," he adds.

Neville says that in most of the attacks in the latest campaign, threat actors used the legitimate PsExec Windows utility for executing programs on remote systems to carry out the sideloading and deploy malware. In each case, the attackers had already previously compromised the systems on which it installed the old, legitimate apps.

"\[The programs\] were installed on each compromised computer the attackers wanted to run malware on. In some cases, it could be multiple computers on the same victim network," Neville says. In other instances, Symantec also observed them deploying multiple legitimate application on a single machine to load their malware, he adds.

"They used quite an array of software, including security software, graphics software, and Web browsers," he notes. In some cases, Symantec researchers also observed the attacker using legitimate system files from the legacy Windows XP OS to enable the attack.  

**Logdatter, Range of Malicious Payloads**

One of the malicious payloads is a new information stealer dubbed Logdatter, which allows the attackers to log keystrokes, take screenshots, query SQL databases, inject arbitrary code, and download files, among other things. Other payloads that the threat actor is using in its Asian campaign include a PlugX-based Trojan, two RATs dubbed Trochilus and Quasar, and several legitimate dual-use tools. These include Ladon, a penetration testing framework, FScan, and NBTscan for scanning victim environments.

Neville says Symantec has been unable to determine with certainty how the threat actors might be gaining initial access on a target environment. But phishing and opportunity targeting of unpatched systems are likely vectors.

"Alternatively, a software supply chain attack is not outside the remit of these attackers as actors with access to ShadowPad are known to have launched supply chain attacks in the past," Neville notes. Once the threat actors have gained access to an environment, they have tended to use a range of scanning tools such as NBTScan, TCPing, FastReverseProxy, and Fscan to look for other systems to target.

To defend against these kinds of attacks, organizations need to implement mechanisms for auditing and controlling what software might be running on their network. They should also consider implementing a policy of only allowing whitelisted applications to run in the environment and prioritize patching of vulnerabilities in public-facing applications. 

"We'd also recommend taking immediate action to clean machines that exhibit any indicators of compromise," Neville advises, "... including cycling credentials and following your own organization's internal process to perform a thorough investigation."

ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools

Under certain conditions SAP BusinessObjects Business Intelligence Platform Central Management Console (CMC) - version 430, allows an attacker to access certain unencrypted sensitive parameters which would otherwise be restricted.

CVE-2022-39014

Under certain conditions, the application SAP BusinessObjects Business Intelligence Platform (Version Management System) - versions 420, 430, exposes sensitive information to an actor over the network with high privileges that is not explicitly authorized to have access to that information, leading to a high impact on Confidentiality.

CVE-2022-35295

Red Hat Security Advisory 2022-6460-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: kernel security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:6460-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6460  
Issue date:        2022-09-13  
CVE Names:         CVE-2022-21123 CVE-2022-21125 CVE-2022-21166   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* Incomplete cleanup of multi-core shared buffers (aka SBDR)  
(CVE-2022-21123)

* Incomplete cleanup of microarchitectural fill buffers (aka SBDS)  
(CVE-2022-21125)

* Incomplete cleanup in specific special register write operations (aka  
DRPW) (CVE-2022-21166)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Bad page state in process qemu-kvm  pfn:68a74600 (BZ#2081013)

* slub corruption during  LPM of hnv interface (BZ#2081250)

* Affinity broken due to vector space exhaustion (BZ#2084646)

* 'rmmod pmt_telemetry' panics on ADL-P IOTG (BZ#2091079)

* Unable to boot RHEL-8.6 on Brazos max. config (Install is success)  
(BZ#2092241)

* kernel crash after reboot of T14/G2 AMD laptop (mt7921e module)  
(BZ#2095654)

* mt7921: free resources on pci_probe error path (BZ#2101684)

* NLM should be more defensive if underlying FS changes fl_owner  
(BZ#2102099)

* RHEL8/async-pf Guest call trace when reboot after postcopy migration with  
high stress workload (BZ#2105340)

* execve exit tracepoint not called (BZ#2106662)

* QProcess dead lock on kernel-4.18.0-358 (BZ#2107643)

* KVM fix guest FPU uABI size to kvm_xsave (BZ#2107652)

* KVM selftests fail to compile (BZ#2107655)

* Some monitor have no display with AMD W6400 when boot into OS.  
(BZ#2109826)

* Percpu counter usage is gradually getting increasing during podman  
container recreation. (BZ#2110039)

* multipath failed to recover after EEH hit on flavafish adapter on  
Denali(qla2xxx/flavafish/RHEL8.6/Denali) (BZ#2110768)

* soft lockups under heavy I/O load to ahci connected SSDs (BZ#2110772)

* trouble re-assigning MACs to VFs, ice stricter than other drivers  
(BZ#2111936)

* Intel MPI 2019.0 - mpirun stuck on latest kernel (BZ#2112030)

* Multicast packets are not received by all VFs on the same port even  
though they have the same VLAN (BZ#2117026)

* Hyper-V 2019 Dynamic Memory Problem hv_balloon (BZ#2117050)

* kernel BUG at kernel/sched/deadline.c:1561! (BZ#2117410)

* ALSA (sound) driver - update Intel SOF kcontrol code (BZ#2117732)

* bridge over bond over ice ports has no connection (BZ#2118580)

* Fix max VLANs available for VF (BZ#2118581)

* offline selftest failed (BZ#2118582)

* INTEL NVMUpdate utility ver 3.20 is failing to update firmware on  
E810-XXVDA4T (WPC) (BZ#2118583)

* VM configured with failover interface will coredump after been migrating  
from source host to target host(only iavf driver) (BZ#2118705)

* Fix max VLANs available for untrusted VF (BZ#2118707)

* Softlockup on infinite loop in task_get_css() for a CSS_DYING cpuset  
(BZ#2120776)

Enhancement(s):

* KVM Sapphire Rapids (SPR) AMX Instructions (BZ#2088287)

* KVM Sapphire Rapids (SPR) AMX Instructions part2 (BZ#2088288)

* ice: Driver Update (BZ#2102359)

* iavf: Driver Update (BZ#2102360)

* iommu/vt-d: Make DMAR_UNITS_SUPPORTED a config setting (BZ#2112983)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2090237 - CVE-2022-21123 hw: cpu: Incomplete cleanup of multi-core shared buffers (aka SBDR)  
2090240 - CVE-2022-21125 hw: cpu: Incomplete cleanup of microarchitectural fill buffers (aka SBDS)  
2090241 - CVE-2022-21166 hw: cpu: Incomplete cleanup in specific special register write operations (aka DRPW)

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
kernel-4.18.0-372.26.1.el8_6.src.rpm

aarch64:  
bpftool-4.18.0-372.26.1.el8_6.aarch64.rpm  
bpftool-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-core-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-cross-headers-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debug-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debug-core-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debug-devel-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debug-modules-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debug-modules-extra-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-devel-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-headers-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-modules-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-modules-extra-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-tools-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-tools-libs-4.18.0-372.26.1.el8_6.aarch64.rpm  
perf-4.18.0-372.26.1.el8_6.aarch64.rpm  
perf-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
python3-perf-4.18.0-372.26.1.el8_6.aarch64.rpm  
python3-perf-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm

noarch:  
kernel-abi-stablelists-4.18.0-372.26.1.el8_6.noarch.rpm  
kernel-doc-4.18.0-372.26.1.el8_6.noarch.rpm

ppc64le:  
bpftool-4.18.0-372.26.1.el8_6.ppc64le.rpm  
bpftool-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-core-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-cross-headers-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debug-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debug-core-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debug-devel-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debug-modules-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debug-modules-extra-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-devel-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-headers-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-modules-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-modules-extra-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-tools-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-tools-libs-4.18.0-372.26.1.el8_6.ppc64le.rpm  
perf-4.18.0-372.26.1.el8_6.ppc64le.rpm  
perf-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
python3-perf-4.18.0-372.26.1.el8_6.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm

s390x:  
bpftool-4.18.0-372.26.1.el8_6.s390x.rpm  
bpftool-debuginfo-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-core-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-cross-headers-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debug-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debug-core-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debug-debuginfo-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debug-devel-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debug-modules-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debug-modules-extra-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debuginfo-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-debuginfo-common-s390x-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-devel-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-headers-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-modules-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-modules-extra-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-tools-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-tools-debuginfo-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-zfcpdump-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-zfcpdump-core-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-zfcpdump-debuginfo-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-zfcpdump-devel-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-zfcpdump-modules-4.18.0-372.26.1.el8_6.s390x.rpm  
kernel-zfcpdump-modules-extra-4.18.0-372.26.1.el8_6.s390x.rpm  
perf-4.18.0-372.26.1.el8_6.s390x.rpm  
perf-debuginfo-4.18.0-372.26.1.el8_6.s390x.rpm  
python3-perf-4.18.0-372.26.1.el8_6.s390x.rpm  
python3-perf-debuginfo-4.18.0-372.26.1.el8_6.s390x.rpm

x86_64:  
bpftool-4.18.0-372.26.1.el8_6.x86_64.rpm  
bpftool-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-core-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-cross-headers-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debug-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debug-core-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debug-devel-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debug-modules-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debug-modules-extra-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-devel-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-headers-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-modules-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-modules-extra-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-tools-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-tools-libs-4.18.0-372.26.1.el8_6.x86_64.rpm  
perf-4.18.0-372.26.1.el8_6.x86_64.rpm  
perf-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
python3-perf-4.18.0-372.26.1.el8_6.x86_64.rpm  
python3-perf-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
bpftool-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
kernel-tools-libs-devel-4.18.0-372.26.1.el8_6.aarch64.rpm  
perf-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm  
python3-perf-debuginfo-4.18.0-372.26.1.el8_6.aarch64.rpm

ppc64le:  
bpftool-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
kernel-tools-libs-devel-4.18.0-372.26.1.el8_6.ppc64le.rpm  
perf-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-372.26.1.el8_6.ppc64le.rpm

x86_64:  
bpftool-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
kernel-tools-libs-devel-4.18.0-372.26.1.el8_6.x86_64.rpm  
perf-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm  
python3-perf-debuginfo-4.18.0-372.26.1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-21123  
https://access.redhat.com/security/cve/CVE-2022-21125  
https://access.redhat.com/security/cve/CVE-2022-21166  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyCB1NzjgjWX9erEAQjx1g/+KpIc2rESQgtzICCW50Ha+ZjaOZiuIgGV  
1wDzgsyj7JRxGOIhGY3edJp7sdtoT0+CoWTdjENZrNhQlQ9UhRSpJ+8vdGy5WooO  
fwwKBffteRMEl8YTO/U8fstclEKXK3MB93ZxEHgS0L3UQY/AUU5XqSzB4a4rV9RJ  
DpFQcnw3dHIrtMKHs4HMrm8+Q8ezq9UmVbl472ecnfmNXfHDhOmUGGlUrT22SX9p  
Zn/UXCiWZxIt+Vh2uTrIgs4hiSJPAqD/lGHjLQpaR26uciZnndLui2s4W91F7yN4  
ZifRDwrSAMtsRoln7Z8HL6H59tw4vHwAY1rD5ATwk9EqhRtaetE+v0hzM+BRBhri  
dpZnKUhMiUDNTUKqmpbBZjh4IuSKI6AkaQenFnMQWTp027B6o0EjhqpiEdLaA0R/  
pYewm2OKbulyoUeVhC5GOMX6g8ckGa5h2o4Fr+fkaptELQN1VniYEu88O7pRqaqR  
lW3MrcYIEowDxyiMLehgtIxjyawzfmi0fficXzCf8xEXm8fmqlrXu4lfhKV4g3WI  
Y9j8INFYc4inopUBsQM1zXWV00nCDxAvaYPhOYI0VjO11jxOCOcBheOlwS1sseOv  
Bjram7oqf2DuVSINeTAgbHMLMA4AGEcNMsOAN/mwdq6ZBpEYmCf48pvZwQscW7qv  
a685GRAjoyY=  
=4AwP  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6460-01

By Deeba Ahmed
According to the FBI, more than half of all medical devices and Internet of Things devices used in hospitals including insulin pumps, defibrillators, pacemakers, mobile cardiac telemetry, etc. contain critical security vulnerabilities.
This is a post from HackRead.com Read the original post: FBI Warns of Drastic Implication of Unpatched/Outdated Medical Devices

The Federal Bureau of Investigation (FBI) has warned healthcare facilities of the possible risks of using outdated/unpatched medical devices and released recommendations to protect them from cyberattacks.

The agency stated that medical devices having security flaws might adversely affect the day-to-day operations of healthcare facilities as well as jeopardize patients’ safety. Using unsafe devices can also hinder data confidentiality.

Whether found in hardware design or software framework, vulnerabilities in any medical device component can lead to devastating outcomes, particularly in specific configurations.

The bureau reports that more than half of all medical devices and Internet of Things devices used in hospitals contain security vulnerabilities. These include insulin pumps, defibrillators, pacemakers, mobile cardiac telemetry, etc.

**Why Secure Medical Devices**

This issue needs utmost attention because some medical devices are used for a long time, even for thirty years or more. This allows threat actors to identify and exploit vulnerabilities, especially if the device software has reached EOL (end of life). Such “legacy devices” used in healthcare facilities contain outdated software because it becomes impossible to keep these devices well-protected in the absence of manufacturer support for updates or patches.

Another issue is the use of default configuration, which can be exploited easily, and their custom software lacks a proper vulnerability patching implementation. They might even lack security measures because these devices aren’t supposed to be exposed to security threats.

The bureau recommends that organizations not only identify vulnerabilities in medical devices but also actively secure these devices and train employees to report identified issues to help mitigate risks.

**The PATCH Act**

The FBI is concerned over the dramatic increase in vulnerabilities found in unpatched medical devices. In June 2021, the AHA requested Congress to support the long-pending legislation, the ‘Patch Act.’

In a letter written to Congress, AHA stated that it is essential to secure medical devices, and manufacturers should focus on implementing cybersecurity solutions. In 2017, the FBI discovered that flaws in medical devices leveraged the notorious WannaCry healthcare ransomware attack.

> “The pending legislation would require medical device manufacturers to monitor and identify post-market vulnerabilities in a timely manner, develop a plan for coordinated vulnerability disclosure, provide lifetime cybersecurity support of the device and provide an accounting of all software contained in the device, including third-party software.”
> 
> John Riggi – national advisor for cybersecurity – AHA

**What Organizations Can Do?**

Organizations can employ endpoint protection wherever they can and encrypt device data. Moreover, it is essential to use complex passwords for every medical device.

Another great strategy is maintaining an electronic inventory management system. It will help identify critical medical devices and conduct vulnerability scans regularly.

Lastly, they must stay in touch with device manufacturers to patch every newly discovered vulnerability timely.

1.  Importance Of Medical Alert Devices
2.  Medicine pumps & Pacemaker threat as Dr’s simulate hacked overdose
3.  Targeting Satellite? FBI Warns of Attacks on SATCOM Network Providers
4.  High severity Intel chip flaw left cars, medical and IoT devices vulnerable
5.  FBI warns of hackers mailing malicious USB drives to spread ransomware

FBI Warns of Drastic Implication of Unpatched/Outdated Medical Devices

Categories: Exploits and vulnerabilities
Categories: News
Apple has patched an actively-exploited flaw that affects a host of devices and software, including iPhones, Macs, iPads, and iPod touch.



(Read more...)




The post Important update! iPhones, Macs, and more vulnerable to zero-day bug appeared first on Malwarebytes Labs.

Posted: September 13, 2022 by

On Monday, Apple released a long list of patched vulnerabilities to its software, including a new zero-day flaw affecting Macs and iPhones. The company revealed it's aware that threat actors may have been actively exploiting this vulnerability, which is tracked as **CVE-2022-32917**.

As it's a zero-day, nothing much is said about CVE-2022-32917, only that it may allow malformed applications to execute potentially malicious code with kernel privileges. Apple says it's patched this flaw with improved bounds checks. Below is a list of products this bug affects:

*   Macs running macOS Monterey 12.6 and macOS Big Sur 11.7
*   iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

CVE-2022-32917 is the eighth zero-day flaw that Apple has addressed since the beginning of 2022. The first seven are as follows:

*   CVE-2022-32894, a flaw in the iOS Kernel, was patched in August
*   CVE-2022-32893, a flaw in WebKit, was patched in August
*   CVE-2022-22674, an Intel Graphics Driver bug, was patched in March
*   CVE-2022-22675, a bug in AppleACD, was patched in March
*   CVE-2022-22620, a WebKit bug affecting iPhones, Macs, and iPads, was patched in February
*   CVE-2022-22587, a privileged code execution flaw, was patched in January
*   CVE-2022-22594, a web browser activity tracking flaw, was patched in January

As this latest vulnerability is already being exploited, it's really important that you update your devices as soon as you can. Stay safe!

**RELATED ARTICLES**

**ABOUT THE AUTHOR**

Tag

#intel