The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows.

Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that “a remote, unauthenticated attacker could exploit this vulnerability,” known as Follina, “to take control of an affected system.” But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED yesterday.

The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute Powershell commands within Windows. Researchers note that they would describe the bug as a “zero-day,” or previously unknown vulnerability, but Microsoft has not classified it as such.

“After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it,” says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic.

 “While the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,” Hegel says. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available—it’s just too easy.” 

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation. 

But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected. 

“We are seeing a variety of APT actors incorporate this technique into longer infection chains that utilize the Follina vulnerability," says Michael Raggi, a staff threat researcher at the security firm Proofpoint who focuses on Chinese government-backed hackers. "For instance, on May 30, 2022, we observed Chinese APT actor TA413 send a malicious URL in an email which impersonated the Central Tibetan Administration. Different actors are slotting in the Follina-related files at different stages of their infection chain, depending on their preexisting toolkit and deployed tactics.”

Researchers have also seen malicious documents exploiting Follina with targets in Russia, India, the Philippines, Belarus, and Nepal. An undergraduate researcher first noticed the flaw in August 2020, but it was first reported to Microsoft on April 21. Researchers also noted that Follina hacks are particularly useful to attackers because they can stem from malicious documents without relying on Macros, the much-abused Office document feature that Microsoft has worked to rein in.

“Proofpoint has identified a variety of actors incorporating the Follina vulnerability within phishing campaigns," says Sherrod DeGrippo, Proofpoint's vice president of threat research.

With all this real-world exploitation, the question is whether the guidance Microsoft has published so far is adequate and proportionate to the risk. 

“Security teams could view Microsoft’s nonchalant approach as a sign that this is ‘just another vulnerability,’ which it most certainly is not,” says Jake Williams, director of cyber threat intelligence at the security firm Scythe. “It’s not clear why Microsoft continues to downplay this vulnerability, especially while it’s being actively exploited in the wild.”

An Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch

If you want your IT and security administrators to get buried in trivial workloads and productivity bottlenecks, having poor network object management is a great way to accomplish that.

With needs around data privacy and application management changing rapidly, many businesses have yet to master the implementation of new security standards. The challenge becomes more complex when managing objects within a multivendor security network. Each vendor has its own management platform, which often forces network security admins to define objects multiple times, resulting in a counter-effect.

First, this can be an inefficient use of valuable resources and cause workload bottlenecks. Second, it creates naming inconsistency and introduces myriad unexpected errors, leading to security flaws and connectivity problems. This raises the question: Are businesses doing enough to ensure their network objects are synchronized in legacy and greenfield environments?

**What Is Network Object Management, and Why Should We Talk About It?**

If you want your IT and security administrators to get buried in trivial workloads and productivity bottlenecks, having poor network object management is a great way to achieve it. Inconsistent or incorrect naming of network objects can introduce a seemingly limitless number of problems for your organization, from connectivity woes to gaps in network security that you can't see. In this regard, poor network object management could actually be one of the biggest "insider threats" to an organization's overall cybersecurity efforts; if object names are incorrectly paired with a particular security policy due to inconsistent naming, everything will look fine on paper until a breach occurs, and even then it might be difficult to find the vulnerability.

This is why intelligent and proactive network object management is so crucial to a multicloud strategy. On a basic level, organizations might only need to name things such as servers, IP addresses, and groups of similar objects to which fairly simple security rules might be applied. But as an organization grows, it tends to end up with more network objects than it can count, sometimes running into the tens of thousands. Even a team of dedicated IT and security professionals wouldn't be able to monitor and update such a large number of objects, and mistakes due to avoidable human error would go through the roof. It's easy to see how things could go wrong with a manual or legacy approach to naming network objects — and they do.

**Why Network Object Management Is More Important With a Multicloud Approach**

For network security policies to work effectively, so-called "objects" on the network, such as servers or groups of IP addresses, need to be named so they can be included in the policies applicable to them. One of the biggest challenges that emerges with multicloud solutions is that businesses typically end up using network traffic-filtering solutions from multiple cloud vendors. Each solution will usually have its own vendor-specific platform, forcing network and security administrators to define the objects on their network multiple times. Not only does this waste a lot of time that could be spent elsewhere in the business, but it can lead to costly errors and security gaps.

Furthermore, this opens the door to another problem — that is, name duplication. On a small scale, this is quite easily rectified by a team that knows what to look for. But for bigger organizations, name duplication can spiral into a much larger problem. It's not uncommon for two copies of the same name to end up with two distinctly separate definitions.

For instance, let's say we have a group of database servers containing three IP addresses that we name "DB1" and the relevant security policy is applied. Then somebody takes the "DB1" name and uses it to define data servers in another network environment, this time containing only two IP addresses. In this example, the security policy rule using the name "DB1" would look fine to even a well-trained eye because the names and definitions it contained would seem identical. But we're now in a situation where one of these groups would apply to two IP addresses rather than three, and that will cause more problems the more the definition is used.

**Best Practices**

It's always good to have a set of maintenance guidelines that can help you achieve a higher standard of cyber hygiene. To help you get there, below are some general best practices that can serve as your cleanup checklist for network object management.

*   Remove duplicate objects.
*   Delete expired and unused rules and objects.
*   Break up long rule sections into readable chunks.
*   Enforce object naming conventions.
*   Delete old and unused policies.
*   Document rules, objects and policy revisions.

**The Takeaway**

Network object management might not be big or exciting, but it's fundamental to the safe and secure running of multicloud network environments. If a business achieves 100% accuracy in its approach to network object management, perhaps by leveraging automation and monitoring tools, there's very little reason it can't go on to achieve 100% network performance and efficiency.

Why Network Object Management Is Critical for Managing Multicloud Network Security

The cybercriminal group is distancing itself from its previous branding by shifting  tactics and tools once again in an aim to continue to profit from its nefarious activity.

The cybercriminal group is distancing itself from its previous branding by shifting tactics and tools once again in an aim to continue to profit from its nefarious activity.

Evil Corp has shifted tactics once again, this time pivoting to LockBit ransomware after U.S. sanctions have made it difficult for the cybercriminal group to reap financial gain from its activity, researchers have found.

Researchers from Mandiant Intelligence have been tracking a “financially motivated threat cluster” they’re calling UNC2165 that has numerous overlaps with Evil Corp and is highly likely the latest incarnation of the group.

UNC2165 is using a combination of the FakeUpdates infection chain to gain access to target networks followed by the LockBit ransomware, researchers wrote in a report published Thursday. The activity appears to represent “another evolution in Evil Corp affiliated actors’ operations,” they wrote.

“Numerous reports have highlighted the progression of linked activity including development of new ransomware families and a reduced reliance on Dridex to enable intrusions,” researchers wrote. “Despite these apparent efforts to obscure attribution, UNC2165 has notable similarities to operations publicly attributed to Evil Corp.”

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Evil Corp in December 2019 in a widespread crackdown on the dangerous and prolific cybercriminal group best known for spreading the aforementioned info-stealing Dridex malware and later its own WastedLocker ransomware.

The sanctions basically forbid any U.S. entity from doing business or being associated with Evil Corp, effectively preventing ransomware negotiation firms from facilitating ransom payments for the group–obviously limiting its ability to profit from criminal activity.

****Shapeshifting Cybercriminals****

Evil Corp took a brief hiatus after the sanctions and a subsequent indictment of its leaders, but since has cloaked itself through clever rebranding to continue its nefarious activity.

Indeed, its latest pivot is not the first time the group used a different identity to try to skirt sanctions against it. About a year ago, Evil Corp tried to mask itself by using previously unknown ransomware called PayloadBin, which researchers determined was likely a rebrand of its own ransomware, WastedLocker, according to reports.

Before that the group resurfaced briefly soon after the OFAC sanctions were levied with new tactics to try to hide its activity, leveraging the oft-used threat tool HTML redirectors–or code that uses meta refresh tags to redirect users to another website–to drop payloads through malicious Excel files.

****Most Recent Incarnation****

The latest activity from Evil Corp “almost exclusively” gains access to victims’ networks on the back of a group tracked as UNC1543, to which the use of FakeUpdates has been linked, according to Mandiant. In the months prior to the government’s indictments of Evil Corp, this method was used as the initial infection vector for Dridex and the BitPaymer and DoppelPaymer ransomware.

Evil Corp also is deploying other ransomware—specifically Hades–in its activity as UNC2165, researchers said. “Hades has code and functional similarities to other ransomware believed to be associated with Evil Corp-affiliated threat actors,” they said.

The use of other ransomware is indeed a “natural evolution” for this emerging criminal group to distance itself from Evil Corp, researchers said.

However, LockBit more than Hades especially is a natural fit because of its RaaS model and rise to prominence in recent years, they said. Indeed, LockBit has taken down some big-name targets in its own right, such as Accenture and Bangkok Air, in the last year.

“Using this RaaS would allow UNC2165 to blend in with other affiliates,” researchers wrote. “Additionally, the frequent code updates and rebranding of HADES required development resources and it is plausible that UNC2165 saw the use of LOCKBIT as a more cost-effective choice.”

****The Move Makes Sense****

Since ransomware operators see their operations as any other business leaders would, it makes sense that they also have to evolve with the times to stay ahead in the market and maintain profit just like anyone else, noted a security professional.

“For cybercriminals, it’s a similar concept,” observed James McQuiggan, security awareness advocate at security firm KnowBe4, said in an email to Threatpost. “They need to continually develop their applications and encryption to avoid detection and make money via extortion using various methods.”

Given this perspective, it’s not surprising that Evil Corp is leveraging other ransomware to continue to stay relevant and, more importantly, get paid, he said. And with Evil Corp cloaking itself in the  activity of other ransomware groups, targets likely will pay an extortion fee, as they would not be aware of the government sanctions against the true perpetrators of the crime, McQuiggan said.

Evil Corp Pivots LockBit to Dodge U.S. Sanctions

Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.
In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive

Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.

In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications created and that it notified affected organizations.

"The observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques," MSTIC assessed with "moderate confidence."

The adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022.

Targets of interest included entities in the manufacturing, IT, transportation, defense, government, agriculture, financial, and healthcare sectors, with one cloud service provider compromised to target a downstream aviation company and law firm in what's a case of a supply chain attack.

In a vast majority of the cases, initial access is believed to have been obtained by exploiting a path traversal flaw in Fortinet appliances (CVE-2018-13379), abusing it to drop custom PowerShell implants like CreepySnail that establish connections to a command-and-control (C2) server for follow-on actions.

Attack chains mounted by the actor have involved the use of custom tools that leverage legitimate cloud services such as OneDrive and Dropbox accounts for C2 using malicious tools dubbed CreepyDrive and CreepyBox with its victims.

"The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run," the researchers said.

This is not the first time Iranian threat actors have taken advantage of cloud services. In October 2021, Cybereason disclosed an attack campaign staged by a group called MalKamak that used Dropbox for C2 communications in an attempt to stay under the radar.

Additionally, MSTIC noted that multiple victims that were compromised by Polonium were previously targeted by another Iranian group called MuddyWater (aka Mercury), which has been characterized by the U.S. Cyber Command as a "subordinate element" within MOIS.

The victim overlaps lend credence to earlier reports that MuddyWater is a "conglomerate" of multiple teams along the lines of Winnti (China) and the Lazarus Group (North Korea).

To counter such threats, customers are advised to enable multi-factor authentication as well as review and audit partner relationships to minimize any unnecessary permissions.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies

By Waqas
The U.S. Department of Justice (DoJ) confirmed seizing three domains used by cybercriminals to sell stolen personal data…
This is a post from HackRead.com Read the original post: FBI Seizes WeLeakInfo, IPStress and OVH-Booter Cybercrime Portals

The U.S. Department of Justice (DoJ) confirmed seizing three domains used by cybercriminals to sell stolen personal data and facilitate DDoS-for-hire service.

It has been just a couple of months since the authorities seized the infamous cybercrime portal Raidforums and arrested its alleged owner Diogo Santos Coelho. Now, in a press release, the DoJ and the FBI announced the seizure of three domains- weleakinfo.to, ipstress.in, and ovh-booter.com that the cybercriminals used for trading stolen personal information and offering DDoS for hire service.

The seizure results from an international investigation into sites/domains that allowed users to purchase access to stolen data and target victim networks with Distributed Denial-of-Service attacks (DDoS attacks).

Seizure notice on weleakinfo.to, ipstress.in, and ovh-booter.com domains

The District of Columbia’s attorney Matthew M. Graves and the FBI Washington Field Office’s Criminal and Cyber Division’s Special Agent in charge, Wayne A. Jacobs, made the announcement.

**Details of Seized Domains**

According to the DoJ press release issued on May 31st, 2022, the Weleakinfo website offered visitors a searchable database containing stolen information collected from over 10,000 data breaches. Moreover, it allowed users to trade hacked personal data, which the agency referred to as website trafficking in stolen private data.

The site also sold subscriptions to enable users to access the results of these data breaches. Subscriptions provided unlimited searches and access and were offered for 1 day, 1 week, 1 month, 3 months, and even for a lifetime.

The other two domains offered DDoS-for-hire services to their clients. Visitors of these domains will find a seizure banner notifying them that federal authorities have seized the domains after issuing a seizure warrant. The seized domains are currently in the U.S. federal government’s control, and their operations stand suspended.

WeLeakInfo’s prices

**What Data Was Available for Trading?**

The database comprised 7 billion indexed records, including names, usernames, email I.D.s, passwords for online accounts, and phone numbers.

> “Today, the FBI and the Department stopped two distressingly common threats: websites trafficking in stolen personal information and sites which attack and disrupt legitimate internet businesses.”
> 
> U.S. Attorney Matthew Graves

Special Agent Charles Jacobs noted that the seizure of these websites is a “prime example” of the extensiveness of actions the FBI and other intelligence agencies are undertaking to disrupt “malicious cyber activity.”

The investigation involved the DoJ’s Computer Crime and Intellectual Property Section, the FBI, the U.S. Attorney’s Office for the District of Columbia, the National Police Corps of the Netherlands, and Belgium’s Federal Police.

**More Cybercrime News**

1.  Feds seize WeLeakInfo.com for selling stolen databases
2.  21 WeLeakInfo customers arrested for buying breached data
3.  179 Dark Web vendors arrested, 500kg worth of drugs seized
4.  Domain, server of DoubleVPN used by ransomware gangs seized
5.  Russia seizes Trump Dumps, Ferum, and SkyFraud carding forums

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

FBI Seizes WeLeakInfo, IPStress and OVH-Booter Cybercrime Portals

Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contains an open port vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure and arbitrary code execution.

**Vaikutus**

Critical

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-22556

Dell PowerStore contains an Uncontrolled Resource Consumption Vulnerability in PowerStore User Interface. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to the Denial of Service.

3.7

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2022-22557

Dell PowerStore contains Plain-Text Password Storage Vulnerability in version 2.0.0.x. and 2.0.1.x. A locally authenticated attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-26866

Dell PowerStore contains a Stored Cross-Site Scripting Vulnerability, an authenticated attacker may potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.

5.5

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CVE-2022-26867

Dell PowerStore contains formula injection vulnerability in which it supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It may allow a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file.

5.9

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

CVE-2022-26868

Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x are vulnerable to a command injection flaw. An authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.

6.4

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-26869

Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contain an open port vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to information disclosure, arbitrary code execution.

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-26870

Dell PowerStore versions 2.1.0.x contain an Authentication bypass vulnerability. A remote unauthenticated attacker may  potentially exploit this vulnerability when both Remote Secure Credential and External SSH are enabled. An attacker would gain “service” account access upon successful exploit.

7.0

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

 

**Third-Party Component**

**CVEs**

**More Information**

NVMe SSD

CVE-2021-0148

Intel-SA-00535

Axios

CVE-2020-28168

See NVD (http://nvd.nist.gov/) for individual scores of each CVE.

bind-libs  
bind-libs-lite  
bind-utils  
bind-license

CVE-2021-25215

glib2

CVE-2021-27219

gupnp

CVE-2021-33516

java-1.8.0-openjdk

CVE-2021-2369

CVE-2021-2388

CVE-2021-2341

libldb

CVE-2021-20277

libwbclient

CVE-2021-20254

Lo-dash

CVE-2021-23337

CVE-2020-28500

CVE-2020-8203

Log4j

CVE-2021-45105

CVE-2021-44832

CVE-2022-23307

nettle

CVE-2021-20305

nss  
nss-sysinit  
nss-tools

CVE-2020-25648

openldap

CVE-2020-25692

pillow

CVE-2021-28675

CVE-2021-28676

CVE-2021-25288

CVE-2021-25287

CVE-2021-28677

CVE-2021-28678

postgres

CVE-2021-20229

CVE-2021-32027

CVE-2021-3393

postgres-libs

CVE-2021-32027

postgresql-libs

CVE-2019-10208

CVE-2020-25694

CVE-2020-25695

samba-common  
samba-client-libs  
samba-common-libs libwbclient

CVE-2021-20254

screen version

CVE-2021-26937

urllib3

CVE-2021-33503

xterm

CVE-2021-27135

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-22556

Dell PowerStore contains an Uncontrolled Resource Consumption Vulnerability in PowerStore User Interface. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to the Denial of Service.

3.7

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2022-22557

Dell PowerStore contains Plain-Text Password Storage Vulnerability in version 2.0.0.x. and 2.0.1.x. A locally authenticated attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-26866

Dell PowerStore contains a Stored Cross-Site Scripting Vulnerability, an authenticated attacker may potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.

5.5

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

CVE-2022-26867

Dell PowerStore contains formula injection vulnerability in which it supports the option to export data to either a CSV or an XLSX file. The data is taken as is, without any validation or sanitization. It may allow a malicious, authenticated user to inject payloads that might get interpreted as formulas by the corresponding spreadsheet application that is being used to open the CSV/XLSX file.

5.9

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

CVE-2022-26868

Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x are vulnerable to a command injection flaw. An authenticated attacker may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.

6.4

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-26869

Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contain an open port vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to information disclosure, arbitrary code execution.

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-26870

Dell PowerStore versions 2.1.0.x contain an Authentication bypass vulnerability. A remote unauthenticated attacker may  potentially exploit this vulnerability when both Remote Secure Credential and External SSH are enabled. An attacker would gain “service” account access upon successful exploit.

7.0

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

 

**Third-Party Component**

**CVEs**

**More Information**

NVMe SSD

CVE-2021-0148

Intel-SA-00535

Axios

CVE-2020-28168

See NVD (http://nvd.nist.gov/) for individual scores of each CVE.

bind-libs  
bind-libs-lite  
bind-utils  
bind-license

CVE-2021-25215

glib2

CVE-2021-27219

gupnp

CVE-2021-33516

java-1.8.0-openjdk

CVE-2021-2369

CVE-2021-2388

CVE-2021-2341

libldb

CVE-2021-20277

libwbclient

CVE-2021-20254

Lo-dash

CVE-2021-23337

CVE-2020-28500

CVE-2020-8203

Log4j

CVE-2021-45105

CVE-2021-44832

CVE-2022-23307

nettle

CVE-2021-20305

nss  
nss-sysinit  
nss-tools

CVE-2020-25648

openldap

CVE-2020-25692

pillow

CVE-2021-28675

CVE-2021-28676

CVE-2021-25288

CVE-2021-25287

CVE-2021-28677

CVE-2021-28678

postgres

CVE-2021-20229

CVE-2021-32027

CVE-2021-3393

postgres-libs

CVE-2021-32027

postgresql-libs

CVE-2019-10208

CVE-2020-25694

CVE-2020-25695

samba-common  
samba-client-libs  
samba-common-libs libwbclient

CVE-2021-20254

screen version

CVE-2021-26937

urllib3

CVE-2021-33503

xterm

CVE-2021-27135

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**CVEs Addressed**

**Products**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-22557

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions 2.0.0.x and 2.0.1.x  
\*PowerStore T OS versions 1.0.x.x are not affected.

PowerStore X OS versions 2.0.0.x and 2.0.1.x  
\*PowerStore X OS versions 1.0.x.x are not affected.

PowerStore T OS Upgrade 2.1.0.0-1561821

PowerStore T OS Upgrade 2.1.0.1-1602345

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS Upgrade 2.1.1.0-1649887

https://www.dell.com/support/home/?app=drivers

CVE-2022-22556

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions before PowerStore T OS Upgrade 2.1.0.0-1561821

PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887

PowerStore T OS Upgrade 2.1.0.0-1561821

PowerStore T OS Upgrade 2.1.0.1-1602345

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS”  
PowerStore X OS Upgrade 2.1.1.0-1649887

CVE-2021-0148

CVE-2020-28168

CVE-2021-25215

CVE-2021-27219

CVE-2021-33516

CVE-2021-2369

CVE-2021-2388

CVE-2021-2341

CVE-2021-20277

CVE-2021-20254

CVE-2021-23337

CVE-2020-28500

CVE-2020-8203

CVE-2020-25692

CVE-2021-28675

CVE-2021-28676

CVE-2021-25288

CVE-2021-25287

CVE-2021-28677

CVE-2021-28678

CVE-2021-20229

CVE-2021-32027

CVE-2021-3393

CVE-2019-10208

CVE-2020-25694

CVE-2020-25695

CVE-2021-20254

CVE-2021-26937

CVE-2021-33503

CVE-2021-27135

CVE-2022-26867

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions before PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS Upgrade 2.1.1.0-1649887

CVE-2022-26867

CVE-2021-45105

CVE-2021-44832

CVE-2022-23307

CVE-2022-26868

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x  
\*PowerStore T OS versions 1.0.x.x are not affected.

PowerStore X OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x  
\*PowerStore X OS versions 1.0.x.x are not affected.

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS Upgrade 2.1.1.0-1649887

CVE-2022-26869

CVE-2022-26870

PowerStore T OS

PowerStore T OS versions 2.1.0.x  
\*PowerStore T OS 1.0.x.x, 2.0.0.x, 2.0.1.x are not affected

PowerStore T OS Upgrade 2.1.1.0-1649887  
 

**CVEs Addressed**

**Products**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-22557

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions 2.0.0.x and 2.0.1.x  
\*PowerStore T OS versions 1.0.x.x are not affected.

PowerStore X OS versions 2.0.0.x and 2.0.1.x  
\*PowerStore X OS versions 1.0.x.x are not affected.

PowerStore T OS Upgrade 2.1.0.0-1561821

PowerStore T OS Upgrade 2.1.0.1-1602345

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS Upgrade 2.1.1.0-1649887

https://www.dell.com/support/home/?app=drivers

CVE-2022-22556

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions before PowerStore T OS Upgrade 2.1.0.0-1561821

PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887

PowerStore T OS Upgrade 2.1.0.0-1561821

PowerStore T OS Upgrade 2.1.0.1-1602345

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS”  
PowerStore X OS Upgrade 2.1.1.0-1649887

CVE-2021-0148

CVE-2020-28168

CVE-2021-25215

CVE-2021-27219

CVE-2021-33516

CVE-2021-2369

CVE-2021-2388

CVE-2021-2341

CVE-2021-20277

CVE-2021-20254

CVE-2021-23337

CVE-2020-28500

CVE-2020-8203

CVE-2020-25692

CVE-2021-28675

CVE-2021-28676

CVE-2021-25288

CVE-2021-25287

CVE-2021-28677

CVE-2021-28678

CVE-2021-20229

CVE-2021-32027

CVE-2021-3393

CVE-2019-10208

CVE-2020-25694

CVE-2020-25695

CVE-2021-20254

CVE-2021-26937

CVE-2021-33503

CVE-2021-27135

CVE-2022-26867

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions before PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS versions before PowerStore X OS Upgrade 2.1.1.0-1649887

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS Upgrade 2.1.1.0-1649887

CVE-2022-26867

CVE-2021-45105

CVE-2021-44832

CVE-2022-23307

CVE-2022-26868

PowerStore T OS  
PowerStore X OS

PowerStore T OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x  
\*PowerStore T OS versions 1.0.x.x are not affected.

PowerStore X OS versions 2.0.0.x, 2.0.1.x and 2.1.0.x  
\*PowerStore X OS versions 1.0.x.x are not affected.

PowerStore T OS Upgrade 2.1.1.0-1649887

PowerStore X OS Upgrade 2.1.1.0-1649887

CVE-2022-26869

CVE-2022-26870

PowerStore T OS

PowerStore T OS versions 2.1.0.x  
\*PowerStore T OS 1.0.x.x, 2.0.0.x, 2.0.1.x are not affected

PowerStore T OS Upgrade 2.1.1.0-1649887  
 

**Versiohistoria****Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

Tämän Dell Technologiesin tietoturvatiedotteen tiedot on luettava, ja niiden avulla voidaan välttää tilanteita, jotka voivat johtua tässä kuvatuista ongelmista. Dell Technologiesin tietoturvatiedotteet tuovat tärkeitä tietoturvatietoja haavoittuvuudelle alttiiden tuotteiden käyttäjien tietoon. Dell Technologies arvioi riskin perustuen asennettujen järjestelmien hajautetun joukon keskimääräisiin riskeihin, eikä se välttämättä vastaa paikallisen asennuksen ja yksittäisen ympäristön todellista riskiä. Suositus on, että kaikki käyttäjät ratkaisevat näiden tietojen sovellettavuuden yksittäisten ympäristöjen mukaan ja ryhtyvät tarvittaviin toimenpiteisiin. Tässä esitetyt tiedot annetaan "sellaisenaan" ilman minkäänlaista takuuta. Dell Technologies kiistää kaikki suorat tai epäsuorat takuut, mukaan lukien takuut soveltuvuudesta kaupankäynnin kohteeksi, sopivuudesta tiettyyn käyttötarkoitukseen, omistusoikeudesta ja loukkaamattomuudesta. Dell Technologies, sen tytäryhtiöt tai toimittajat eivät missään tilanteessa ole vastuussa mistään vahingoista, jotka johtuvat tässä asiakirjassa mainituista tiedoista tai toimenpiteistä, joihin käyttäjä päättää ryhtyä. Tämä koskee kaikkia suoria, epäsuoria, satunnaisia, välillisiä, liikevoiton menetykseen liittyviä tai erityisluontoisia vahinkoja, vaikka Dell Technologies tai sen tytäryhtiöt tai toimittajat olisivat saaneet tiedon tällaisten vahinkojen mahdollisuudesta. Jotkin osavaltiot eivät salli satunnaisten tai seuraamuksellisten vahinkojen vastuun poistamista tai rajoittamista, joten edellä mainittua rajoitusta sovelletaan vain lain sallimassa laajuudessa.

PowerStore, PowerStore 1000X, PowerStore 1000T, PowerStore 3000X, PowerStore 3000T, PowerStore 5000X, PowerStore 5000T, PowerStore 500T, PowerStore 7000X, PowerStore 7000T, PowerStore 9000X, PowerStore 9000T, Product Security Information

21 huhtik. 2022

CVE-2022-26869: DSA-2022-014: Dell EMC PowerStore Family Security Update for Multiple Vulnerabilities

Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.

Artikkelin numero: 000199050

**Yhteenveto: Dell Unity, Dell UnityVSA, and Dell Unity XT remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.**

*   Artikkelin sisältö
*   Juridiset tiedot
*   Artikkelin ominaisuudet
*   Arvostele tämä artikkeli

**Artikkelin sisältö**

**Vaikutus**

Critical

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-29084

Dell Unity, Dell UnityVSA, and Dell Unity XT versions before 5.2.0.0.5.173 do not restrict excessive authentication attempts in Unisphere GUI. A remote unauthenticated attacker may potentially exploit this vulnerability to brute-force passwords and gain access to the system as the victim. Account takeover is possible if weak passwords are used by users.

8.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-29085

Dell Unity, Dell UnityVSA, and Dell Unity XT versions before 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.

6.4

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

 

**Third-party Component**

**CVEs**

**More Information**

aide

CVE-2021-45417

See NVD (http://nvd.nist.gov/) for individual scores for each CVE.  
 

apache2

CVE-2021-33193

CVE-2021-34798

CVE-2021-36160

CVE-2021-39275

CVE-2021-40438

CVE-2022-22719

CVE-2022-22720

CVE-2022-22721

CVE-2022-23943

Apache-tomcat

CVE-2021-25122

CVE-2021-25329

CVE-2021-30639

CVE-2021-30640

CVE-2021-33037

CVE-2021-41079

CVE-2021-42340

avahi

CVE-2021-3468

cyrus-sasl

CVE-2022-24407

Dell BSAFE™ Micro Edition Suite

CVE-2020-5359

See Dell KB DSA-2020-114: https://www.dell.com/support/kbdoc/en-us/000181098/dsa-2020-114-dell-bsafe-micro-edition-suite-multiple-security-vulnerabilities for individual scores for each CVE.

CVE-2020-5360

docker, containerd, runc

CVE-2021-30465

See NVD (http://nvd.nist.gov/) for individual scores for each CVE.

CVE-2021-32760

CVE-2021-41089

CVE-2021-41091

CVE-2021-41092

CVE-2021-41103

expat

CVE-2021-45960

CVE-2021-46143

CVE-2022-22822

CVE-2022-22823

CVE-2022-22824

CVE-2022-22825

CVE-2022-22826

CVE-2022-22827

CVE-2022-23852

CVE-2022-23990

CVE-2022-25235

CVE-2022-25236

CVE-2022-25313

CVE-2022-25314

CVE-2022-25315

glibc

CVE-2021-33574

CVE-2021-35942

json-c

CVE-2020-12762

kernel

CVE-2021-40490

libesmtp

CVE-2019-19977

net-snmp

CVE-2018-18065

CVE-2020-15862

openssl (Unisphere UI)

CVE-2022-0778

p11-kit

CVE-2020-29361

polkit

CVE-2021-4034

python3

CVE-2021-3426

CVE-2021-3733

CVE-2021-3737

sqlite3

CVE-2015-3414

CVE-2015-3415

CVE-2019-19244

CVE-2019-19317

CVE-2019-19603

CVE-2019-19645

CVE-2019-19646

CVE-2019-19880

CVE-2019-19923

CVE-2019-19924

CVE-2019-19925

CVE-2019-19926

CVE-2019-19959

CVE-2019-20218

CVE-2020-13434

CVE-2020-13435

CVE-2020-13630

CVE-2020-13631

CVE-2020-13632

CVE-2020-15358

CVE-2020-9327

tcpdump

CVE-2018-16301

tiff

CVE-2017-17095

CVE-2019-17546

CVE-2020-19131

CVE-2020-35521

CVE-2020-35522

CVE-2020-35523

CVE-2020-35524

CVE-2022-22844

ucode-intel

CVE-2020-24489

CVE-2020-24511

CVE-2020-24512

CVE-2020-24513

CVE-2021-0127

CVE-2021-0145

CVE-2021-0146

CVE-2021-33120

vim

CVE-2021-3778

CVE-2021-3796

CVE-2021-3872

CVE-2021-3927

CVE-2021-3928

CVE-2021-3984

CVE-2021-4019

CVE-2021-4193

CVE-2021-46059

CVE-2022-0319

CVE-2022-0351

CVE-2022-0361

CVE-2022-0413

xerces-s

CVE-2018-1311

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-29084

Dell Unity, Dell UnityVSA, and Dell Unity XT versions before 5.2.0.0.5.173 do not restrict excessive authentication attempts in Unisphere GUI. A remote unauthenticated attacker may potentially exploit this vulnerability to brute-force passwords and gain access to the system as the victim. Account takeover is possible if weak passwords are used by users.

8.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-29085

Dell Unity, Dell UnityVSA, and Dell Unity XT versions before 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.

6.4

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

 

**Third-party Component**

**CVEs**

**More Information**

aide

CVE-2021-45417

See NVD (http://nvd.nist.gov/) for individual scores for each CVE.  
 

apache2

CVE-2021-33193

CVE-2021-34798

CVE-2021-36160

CVE-2021-39275

CVE-2021-40438

CVE-2022-22719

CVE-2022-22720

CVE-2022-22721

CVE-2022-23943

Apache-tomcat

CVE-2021-25122

CVE-2021-25329

CVE-2021-30639

CVE-2021-30640

CVE-2021-33037

CVE-2021-41079

CVE-2021-42340

avahi

CVE-2021-3468

cyrus-sasl

CVE-2022-24407

Dell BSAFE™ Micro Edition Suite

CVE-2020-5359

See Dell KB DSA-2020-114: https://www.dell.com/support/kbdoc/en-us/000181098/dsa-2020-114-dell-bsafe-micro-edition-suite-multiple-security-vulnerabilities for individual scores for each CVE.

CVE-2020-5360

docker, containerd, runc

CVE-2021-30465

See NVD (http://nvd.nist.gov/) for individual scores for each CVE.

CVE-2021-32760

CVE-2021-41089

CVE-2021-41091

CVE-2021-41092

CVE-2021-41103

expat

CVE-2021-45960

CVE-2021-46143

CVE-2022-22822

CVE-2022-22823

CVE-2022-22824

CVE-2022-22825

CVE-2022-22826

CVE-2022-22827

CVE-2022-23852

CVE-2022-23990

CVE-2022-25235

CVE-2022-25236

CVE-2022-25313

CVE-2022-25314

CVE-2022-25315

glibc

CVE-2021-33574

CVE-2021-35942

json-c

CVE-2020-12762

kernel

CVE-2021-40490

libesmtp

CVE-2019-19977

net-snmp

CVE-2018-18065

CVE-2020-15862

openssl (Unisphere UI)

CVE-2022-0778

p11-kit

CVE-2020-29361

polkit

CVE-2021-4034

python3

CVE-2021-3426

CVE-2021-3733

CVE-2021-3737

sqlite3

CVE-2015-3414

CVE-2015-3415

CVE-2019-19244

CVE-2019-19317

CVE-2019-19603

CVE-2019-19645

CVE-2019-19646

CVE-2019-19880

CVE-2019-19923

CVE-2019-19924

CVE-2019-19925

CVE-2019-19926

CVE-2019-19959

CVE-2019-20218

CVE-2020-13434

CVE-2020-13435

CVE-2020-13630

CVE-2020-13631

CVE-2020-13632

CVE-2020-15358

CVE-2020-9327

tcpdump

CVE-2018-16301

tiff

CVE-2017-17095

CVE-2019-17546

CVE-2020-19131

CVE-2020-35521

CVE-2020-35522

CVE-2020-35523

CVE-2020-35524

CVE-2022-22844

ucode-intel

CVE-2020-24489

CVE-2020-24511

CVE-2020-24512

CVE-2020-24513

CVE-2021-0127

CVE-2021-0145

CVE-2021-0146

CVE-2021-33120

vim

CVE-2021-3778

CVE-2021-3796

CVE-2021-3872

CVE-2021-3927

CVE-2021-3928

CVE-2021-3984

CVE-2021-4019

CVE-2021-4193

CVE-2021-46059

CVE-2022-0319

CVE-2022-0351

CVE-2022-0361

CVE-2022-0413

xerces-s

CVE-2018-1311

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen****Versiohistoria**

**Revision**

**Date**

**More Informatio**n

1.0

2022-04-29

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Juridiset tiedot**

Tämän Dell Technologiesin tietoturvatiedotteen tiedot on luettava, ja niiden avulla voidaan välttää tilanteita, jotka voivat johtua tässä kuvatuista ongelmista. Dell Technologiesin tietoturvatiedotteet tuovat tärkeitä tietoturvatietoja haavoittuvuudelle alttiiden tuotteiden käyttäjien tietoon. Dell Technologies arvioi riskin perustuen asennettujen järjestelmien hajautetun joukon keskimääräisiin riskeihin, eikä se välttämättä vastaa paikallisen asennuksen ja yksittäisen ympäristön todellista riskiä. Suositus on, että kaikki käyttäjät ratkaisevat näiden tietojen sovellettavuuden yksittäisten ympäristöjen mukaan ja ryhtyvät tarvittaviin toimenpiteisiin. Tässä esitetyt tiedot annetaan "sellaisenaan" ilman minkäänlaista takuuta. Dell Technologies kiistää kaikki suorat tai epäsuorat takuut, mukaan lukien takuut soveltuvuudesta kaupankäynnin kohteeksi, sopivuudesta tiettyyn käyttötarkoitukseen, omistusoikeudesta ja loukkaamattomuudesta. Dell Technologies, sen tytäryhtiöt tai toimittajat eivät missään tilanteessa ole vastuussa mistään vahingoista, jotka johtuvat tässä asiakirjassa mainituista tiedoista tai toimenpiteistä, joihin käyttäjä päättää ryhtyä. Tämä koskee kaikkia suoria, epäsuoria, satunnaisia, välillisiä, liikevoiton menetykseen liittyviä tai erityisluontoisia vahinkoja, vaikka Dell Technologies tai sen tytäryhtiöt tai toimittajat olisivat saaneet tiedon tällaisten vahinkojen mahdollisuudesta. Jotkin osavaltiot eivät salli satunnaisten tai seuraamuksellisten vahinkojen vastuun poistamista tai rajoittamista, joten edellä mainittua rajoitusta sovelletaan vain lain sallimassa laajuudessa.

**Artikkelin ominaisuudet**

**Tuote, johon asia vaikuttaa**

Dell EMC Unity 300, Dell EMC Unity 300F, Dell EMC Unity 350F, Dell EMC Unity 400, Dell EMC Unity 400F, Dell EMC Unity 450F, Dell EMC Unity 500, Dell EMC Unity 500F, Dell EMC Unity 550F, Dell EMC Unity 600

**Tuote**

Product Security Information, Dell EMC Unity 600F, Dell EMC Unity 650F, Dell EMC Unity XT 680, Dell EMC Unity XT 680F, Dell EMC Unity XT 880, Dell EMC Unity XT 880F, Dell EMC UnityVSA (Virtual Storage Appliance)

**Edellinen julkaisupäivä**

29 huhtik. 2022

**Versio**

1

**Artikkelin tyyppi**

Dell Security Advisory

CVE-2022-29085: DSA-2022-021: Dell Unity, Dell UnityVSA, and Dell Unity XT Security Update for Multiple Vulnerabilities

79% of CISOs say continuous runtime vulnerability management is an essential capability to keep up with the expanding complexity of modern multi-cloud environments.

WALTHAM, Mass.--(BUSINESS WIRE)--Software intelligence company Dynatrace (NYSE: DT) announced today the findings of an independent global survey of 1,300 chief information security officers (CISOs) in large-size organizations. The research reveals that the speed and complexity created by using multicloud environments, multiple coding languages, and open source software libraries are making vulnerability management more difficult. 75% of CISOs say that despite having a multi-layered security posture, persistent coverage gaps allow vulnerabilities into production. This highlights the growing need for observability and security to converge, paving the way toward AISecDevOps practices. This will empower organizations with a more effective way of managing vulnerabilities at runtime, and the ability to detect and block attacks in real time. The complimentary report, _Observability and security must converge to enable effective vulnerability management_, is available for download.

Findings from the research include:

*   69% of CISOs say vulnerability management has become more difficult as the need to accelerate digital transformation has increased.
*   More than three-quarters (79%) of CISOs say that automatic, continuous runtime vulnerability management is key to filling the gap in the capabilities of existing security solutions. However, just 4% of organizations have real-time visibility into runtime vulnerabilities in containerized production environments.
*   Only 25% of security teams can access a fully accurate, continuously updated report of every application and code library running in production in real time.

“These findings underscore that there are always opportunities for vulnerabilities to slip past security teams, regardless of how robust their defenses might be. Both new applications and stable legacy software are prone to vulnerabilities that are more reliably detected in production. Log4Shell was the poster child for this problem, and there will undoubtedly be other scenarios like it in the future,” said Bernd Greifeneder, Chief Technology Officer at Dynatrace. “It’s also clear that most organizations still lack real-time visibility into runtime vulnerabilities. The problem stems from the growing use of cloud-native delivery practices, which enable greater business agility, but also introduce new complexity for vulnerability management, attack detection, and blocking. The rapid pace of digital transformation means that already overstretched teams are bombarded by thousands of security alerts that make it impossible to see through the noise and focus on what matters. Teams find it impossible to respond manually to every alert, and organizations are exposed to unnecessary risk by allowing vulnerabilities to escape into production.”

Additional findings include:

*   On average, organizations receive 2,027 alerts of potential application security vulnerabilities each month.
*   Less than a third (32%) of the application security vulnerability alerts organizations receive each day require action, compared to 42% last year.
*   On average, application security teams waste 28% of their time on vulnerability management tasks that could be automated.

“Organizations realize that to manage vulnerabilities in the cloud-native era effectively, security must become a shared responsibility. The convergence of observability and security is critical to providing development, operations, and security teams with the context needed to understand how their applications are connected, where the vulnerabilities lie, and which need to be prioritized. This accelerates risk management and incident response,” continued Greifeneder. “To be truly effective, organizations should look for solutions that have AI and automation capabilities at their core, enabling AISecDevOps. These solutions empower their teams to quickly identify and prioritize vulnerabilities at runtime, block attacks in real time, and remediate software flaws before they can be exploited. This means teams can stop wasting time in war rooms or chasing false positives and potential vulnerabilities that will never make it into production. Instead, they confidently deliver better, more secure software faster.”

The report is based on a global survey of 1,300 CISOs in large-size organizations with more than 1,000 employees, conducted by Coleman Parkes and commissioned by Dynatrace in April 2022. The sample included 200 respondents in the U.S., 100 each in the UK, France, Germany, Spain, Italy, the Nordics, the Middle East, Australia, and India, and 50 each in Singapore, Malaysia, Brazil, and Mexico.

**About Dynatrace**

Dynatrace (NYSE: DT) exists to make the world’s software work perfectly. Our unified software intelligence platform combines broad and deep observability and continuous runtime application security with the most advanced AIOps to provide answers and intelligent automation from data at an enormous scale. This enables innovators to modernize and automate cloud operations, deliver software faster and more securely, and ensure flawless digital experiences. That is why the world’s largest organizations trust the Dynatrace® platform to accelerate digital transformation.

Curious to see how you can simplify your cloud and maximize the impact of your digital teams? Let us show you. Sign up for a free 15-day Dynatrace trial.

Research Reveals 75% of CISOs Are Worried Too Many Application Vulnerabilities Leak Into Production, Despite a Multi-Layered Security Approach

Conti threat actors are betting chipset firmware is updated less frequently than other software — and winning big, analysts say.

Leaked communications from within the Conti threat group reveal the Moscow-backed cybercrime group has honed its firmware attack skills and is actively targeting Intel Management Engine (ME), a microcontroller inside many iterations of the modern Intel chipset, according to a new report.

The analysis, from Eclypsium, notes that Intel chipsets aren't being targeted by Conti because they have vulnerable code, but rather the group assumes firmware patching is spotty at best. In addition, firmware attacks can evade most security tools, the analysts added.

"This can leave some of the most powerful and privileged code on a device susceptible to attack," the report detailing the Conti firmware attacks said. "The recent Conti leaks mark a critical phase in the rapidly evolving role of firmware in modern attacks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#intel