Combined company creates world-class security operations platform to offer customers unmatched visibility and detection to defend against threats.

TAMPA, Fla., June 01, 2022 (GLOBE NEWSWIRE) -- ReliaQuest, a force multiplier of security operations, today announced that it has entered into an agreement to acquire Digital Shadows, a company that delivers threat intelligence for security teams, for $160 million. The acquisition combines ReliaQuest’s ability to extend detection and response across cloud, network, and endpoint environments with Digital Shadows' digital risk and threat intelligence technology. This gives security operations teams the ability to detect and respond to threats with real-time internal and external visibility.  

“Combining the internal visibility provided by ReliaQuest with the external threat intelligence and digital risk monitoring brought by Digital Shadows creates an end-to-end picture for enterprises around the world,” said Alastair Paterson, co-founder and CEO at Digital Shadows. “The complementary technical capability, shared cultural values, and geographic synergies offered by the combined companies make this a great opportunity for our customers and our partners.”

Security teams are stretched between investigating and responding to threats they can see while working to increase visibility across both security and business applications where they have limited visibility to detect and respond. The ability to extend and automate detection and response across both security and business applications is critical to a successful security program.

ReliaQuest and Digital Shadows will make security operations more effective by integrating the digital risk and threat intelligence that security leaders care about into a security operations platform that increases visibility, reduces complexity, and manages risk. The new offerings will drive down response time, provide context around threats and allow for an end-to-end view, all while decreasing the cost of visibility. Security operation teams can leverage automation with confidence to free up time to focus on the specific areas that matter the most.

“Alastair Paterson and James Chappell built a world-class team, technology, and culture in Digital Shadows and I am looking forward to our organizations working together to make security possible for organizations all over the world,” said Brian Murphy, founder and CEO at ReliaQuest. “The combination of ReliaQuest and Digital Shadows makes a lot of sense for our customers, our partners, and both of our teams. We have a responsibility and opportunity to leverage our collective expertise to continue to tackle what I believe to be the largest technical challenge of our generation, cybersecurity.”

ReliaQuest’s GreyMatter is a cloud native platform built on an Open XDR architecture, and delivered as a service, extending detection and response across a customer’s network, cloud, and endpoint for both security and business applications. Digital Shadows’ platform was built with today’s overloaded security analyst at heart, who demanded a more relevant and actionable approach to threat intelligence. The addition of Digital Shadows to ReliaQuest’s GreyMatter platform provides an important outside-in perspective to ReliaQuest’s already robust detection and response capability.

The transaction has received the approval of both companies’ Board of Directors and is subject only to customary closing requirements and regulatory approvals.

For more information about ReliaQuest, please visit our website.

**About ReliaQuest**  
ReliaQuest, the force multiplier of security operations, increases visibility, reduces complexity, and manages risk with its cloud native security operations platform, GreyMatter. ReliaQuest GreyMatter is built on an XDR architecture and delivered as a service anywhere in the world, any time of the day, by bringing together telemetry from tools and applications across cloud, on-premises and hybrid cloud architectures.

Hundreds of Fortune 1000 organizations trust ReliaQuest to operationalize security investments, ensuring teams focus on the right problems while closing visibility and capability gaps to proactively manage risk and accelerate initiatives for the business. ReliaQuest is a private company headquartered in Tampa, Fla., with multiple global locations. For more information, visit www.reliaquest.com.

**About Digital Shadows**  
Digital Shadows provides threat intelligence that delivers for every security team. Our platform was built with today’s overloaded security analyst at heart, who demanded a more relevant and actionable approach to threat intelligence. SearchLight focuses on digital risks that organizations care about, using a proven threat model that adapts to the organization risk profile and appetite. This approach delivers a low noise solution, allowing security teams to work faster and with less resources than ever before. To sign up for our free weekly threat intel digest or learn more about our platform, visit www.digitalshadows.com.

ReliaQuest to Acquire Digital Shadows

Password management solution delivers proactive, seamless approach to protecting privacy and login credentials for consumers and businesses; Password Management market expected to reach $3 billion by 2026.

**SAN FRANCISCO, June 1, 2022** — Lookout, Inc., a leading provider of endpoint and cloud security solutions, today announced it has acquired SaferPass, an innovative Password Management company that provides secure online identity solutions for both consumers and businesses. By adding Password Management technology to its suite of security solutions, Lookout is expanding on its mission to deliver proactive protection and safeguard customer data for individuals and businesses.

Whether shopping online, banking, or connecting to corporate applications and email, usernames and passwords have become the standard form of authentication to validate a user’s identity and enable access to sensitive information. Passwords can be difficult to use and incredibly insecure, especially in cases where a user has many accounts. On average, people have more than 100 accounts with an associated password to remember. In addition, human-generated passwords are often algorithmically weak; according to the Verizon Data Breach Investigations Report, 81% of data breaches leveraged weak, stolen or reused employee passwords, and every time a password is reused, it opens the door to a potential data breach. Additionally, nearly 64% of people reuse the same passwords across their online accounts. If login credentials are compromised, the consequences can be serious – including personal identity theft or stolen corporate information.

SaferPass delivers a robust, innovative solution for identity and password management to both consumers and businesses, enabling users to securely manage their passwords, banking and other sensitive information across devices. The SaferPass solution provides an encrypted digital vault that stores secure login information used to access services through mobile apps and web browsers. In addition to keeping a user’s identity, credentials and sensitive data safe, the product helps create strong, unique passwords through a password generator tool that ensures the individual is not using the same password in multiple places and that their password has not been compromised in a previous breach.

According to Mordor Intelligence, the Password Management market on its own, was valued at over $1.2 billion in 2020 and is expected to reach over $3 billion by 2026.

“We are pleased to welcome the SaferPass team to Lookout, and excited to combine our respective solutions to deliver better value to consumers and businesses alike,” said Jim Dolce, Lookout CEO. “Today, every password owned by an employee is a potential access point to organizations both small and large. At the same time, large scale data breaches have leaked billions of consumer emails and passwords on the dark web, putting individuals at risk of identity theft and financial fraud. The SaferPass team shares our vision for providing seamless security solutions that address all access points and protect personal and corporate data wherever it may reside. This is an exciting next step in Lookout’s evolution.”

The acquisition of SaferPass broadens the Lookout portfolio of security solutions and expands the opportunity for its carrier ecosystem and channel partners – it also expands Lookout’s footprint in Central Europe through its new location in Bratislava, Slovakia. SaferPass will now operate under the Lookout brand and leadership and the SaferPass team will be fully integrated into the Lookout organization. The financial terms of this transaction have not been disclosed.

****Additional Resources****

*   To learn more about Lookout for SMBs and Consumers, visit: https://protection.lookout.com/
*   To learn more about the Lookout Security Platform, visit: https://www.lookout.com/products/platform
*   Sign up for a free trial of Lookout.

Follow the Lookout blog and join the conversation on LinkedIn and Twitter.

Lookout Acquires SaferPass To Address The Rising Threat Of Identity Theft

Edge technology widens the attack surface by bringing data analysis closer to where it's collected. Now is the time for public and private sector groups to establish guidelines and identify security best-practices frameworks.

Edge technology widens the attack surface by bringing data analysis closer to where it's collected. Now is the time for public and private sector groups to establish guidelines and identify security best-practices frameworks.

Source: NicoElNino via Alamy Stock Photo

The federal government's IT modernization efforts have focused on centralizing cloud computing technologies. As more agencies improve those capabilities, they're starting to think about how computing at the edge can improve their data-driven decisions.

However, as edge computing continues to grow given emerging technologies, such as 5G, there's one area being neglected: security. With edge computing, we're on the cusp of repeating the familiar mistake of not thinking through the security implications of new technologies.

Now is the time to change that. By identifying gaps and vulnerabilities that edge technology could create prior to its implementation, the public sector can ensure the edge isn't creating new security risks.

**Edge Security-Related Challenges**

Data is now the core foundation of any business. Yet managing the unprecedented growth of data in cloud-based operations has placed a massive strain on Internet communications, causing latency and inefficiency. Edge technology eliminates those latency and performance issues by bringing the data analysis closer to where it's collected — on mobile devices or sensors — so it can be processed more quickly.

With data being processed closer to the end user, there is an array of unrecognized security concerns that government agencies can address to securely implement this new technology.

As exciting as the possibilities associated with the edge can be, we know adversaries see opportunities to engage in pernicious or malevolent behavior with emerging technology. It's critical we recognize that edge technology widens the attack surface by generating and analyzing data outside of the traditional IT perimeter.

**Shift of Security Mindset**

This requires IT and security leaders to shift their mindset when it comes to securing edge technology. But with the security of edge computing not well-defined, federal agencies should ensure they consider the following steps when implementing edge technology.

*   **Clarifying roles and responsibilities.** Federal agencies need to work in coordination with technology vendors to determine the responsibilities for securing the edge. With an array of different agencies and vendors playing a role in edge technology, there's currently a lack of understanding around the role each party plays regarding security. To determine this, there needs to be a framework developed between the government and the technology community that offers best practices for how they can share the responsibility of securing edge technology to close unrecognized security gaps.

*   **Applicability and gap analysis of current security products and services**. Government organizations need to ask vendors how their products and services address edge-based computing security before implementing them. Questions should range from the security of edge-based products to how these products and services are monitored and remediated. Without an understanding of the security practices already implemented into edge technology, you can't ensure that proper protocols are in place to defend against unprotected areas. Being proactive is key.

*   **Best practices and standardized compliance frameworks.** Identify the best practices for edge computing technology and live by them. Start by working off existing standards and compliance-based frameworks. Then, align with certified organizations such as the Cloud Security Alliance (CSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Institute of Standards and Technology (NIST) to ensure the organization is best equipped to meet the security and compliance considerations for mission-critical information and national security systems.

**The Future of Edge Security**

Luckily, the future of the edge isn't dark. But the government needs a plan to address the inevitable security threat landscape. Both private and public sector organizations can help make this possible by drafting frameworks, identifying best practices, and coming together to share that intelligence. These are the steps necessary to create an industrywide method. Through combined support of private and public sector organizations — such as the CSA — government agencies can start to unpack and prepare for security challenges of the edge _before_ its implementation  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Security at the Edge: Why It's Complicated

**Woburn, MA – June 1, 2022 —** The new release of Kaspersky’s Threat Intelligence (TI) Portal unifies all vendors’ TI services, sources and cyber-reconnaissance capabilities in a single and convenient interface. The updated portal supports real-time search across various threat intelligence resources, including Kaspersky’s databases, Dark Web and Surface Web. New features include the visualization of cyber-investigations and extended opportunities for analysis of complex malicious objects.

Threat intelligence, which provides insights on the threat landscape and allows organizations to anticipate risks, has become one of the most evolving and in-demand specialties as confirmed by IT security leaders’ surveys and market predictions. However, the diverse set of TI capabilities and the variety of available sources and services have made it difficult for security specialists to assemble a unified threat intelligence solution which matches their needs.

The renewed Kaspersky Threat Intelligence Portal\[1\] is a single pane of glass for threat intelligence. In addition to cyberthreat data, it also delivers validated information from external sources and new features that facilitate incident investigation as well as detection and attribution of previously unseen malicious objects.

**Unified search across all threat intelligence resources**

Kaspersky TI Portal now supports search across different sources\[2\], all in a single UI, making access to valuable insights easily accessible. Through real-time master search customers are able to get information across Kaspersky’s databases, including APT, crimeware, ICS and Digital Footprint Intelligence reports and actor profiles as well as across Dark Web, Surface Web and validated OSINT IoCs sources\[3\].

New **Dark Web search** offers instant access to insights from a comprehensive range of deep and dark web sources allowing organizations to get tailored evidence of planned attacks, discussions around vulnerabilities and successful data breaches in order to reduce the attack surface, secure online brand value and take appropriate actions.

To offer security practitioners a reliable source of information about global security events that can potentially or are already threatening company’s assets, brand or organization, Kaspersky TI Portal introduces **Surface Web search**. The service allows investigators to search for security-related news, discussions or other content across a validated range of relevant open web sources, such as theme-based newswires, blogs or forums.

**Better visibility for in-depth investigation**

Graphical visualization is an extremely useful tool for researchers when they are looking for indicators and try to find connections between them. The **Research Graph** introduced in Kaspersky TI Portal is designed to explore data stored inside the portal, discover threat commonalities and generate new related IoCs. It provides a clear picture of the relationship between web addresses, domains, IP addresses, files and other context encountered during investigations. It also allows for an in-depth view of information without losing the context of the conducted investigation.

**Complex threat analysis**

Kaspersky TI Portal delivers a unified interface for complex file analysis via a merged “Threat Analysis” tab that leads to Cloud Sandbox and Threat Attribution Engine (TAE), which now runs completely in the cloud. The tab offers access to the results of Dynamic, Static, Anti-Virus and Attribution analysis for objects considered suspicious, offering enriched Threat Intelligence within a single place and providing a powerful tool for faster detection of previously unseen malicious objects.

_“We see that customers are looking for a consolidated threat intelligence offering that can_ _deliver_ _a holistic and global perspective on the threat landscape as well as fit their specific needs,”_ comments Anatoly Simonenko, head of technology solutions product management at Kaspersky. “_Our renewed Threat Intelligence Portal meets these requirements as it unifies our unique and broad knowledge about threats with external threat data and allows companies to customize our offering by choosing services and sources that are most beneficial for their existing IT security function.”_

More information about Kaspersky Threat Intelligence Portal is available via this link

**About Kaspersky  
**

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Enhanced Threat Intelligence Portal Provides Consolidated Access to Kaspersky Threat Intelligence Expertise

Vectra offers a free of charge security assessment for your cloud tenant.

SAN JOSE, Calif. , June 1, 2022 /PRNewswire/ -- Vectra AI, a leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises, today announced the launch of Vectra Protect, a posture management tool designed to discover and mitigate security risks in Microsoft 365 (M365). Vectra Protect combines 50,000+ hours of expert research and development with automation to analyze an organization's M365 security posture and provide customized implementation plans to remediate risk. To ensure all organizations, regardless of security staffing or resources, can have access to the solution, Vectra is extending a free sign-up for an Azure Active Directory scan until September 30, 2022.

With the accelerated use of M365 collaboration tools, which now have over 270 million users, cyber attackers are actively targeting access management tools like Azure AD to enter other SaaS tools and enterprise network assets. They then establish a foothold to launch ransomware attacks, steal intellectual property and gain unauthorized access to sensitive user data. With its scanning engine, Vectra Protect combines insights from the M365 Graph API with PowerShell module data to provide a truly holistic view into the integrity of every identity in an organization's M365 environment. As the only scan designed to uncover identity security issues in M365, Vectra Protect provides organizations with:

*   **Quick, actionable remediation insights:** With its multi-stage methodology, the scan provides organizations with actionable results within hours. Rather than hindering the security team with more alerts, the scan creates a comprehensive risk mitigation map that provides a path to implementation with clear guidance on risk and operational impact.
*   **Tailored cloud support:** Organizations can gain insight into the severity of vulnerabilities, material changes to their configuration state, the operational impact of the required solution, and the steps for remediation aligned to their applicable industry standards and regulatory requirements.
*   **Configuration correction and compliance:** Vectra Protect delves deep into the configuration complexities of M365, highlighting misconfigurations with clear context to guide companies to complete risk resolution and provide security teams with the proof they need to show their policies are effective and compliant.
*   **Confidence in collaboration:** By understanding areas where risks and configuration issues persist, organizations can fulfill the promises of cloud technology without creating unmanaged risk. Organizations can gain efficiencies in implementing and using SaaS tools like M365 by eliminating default settings and aligning operations, information technology, security, and audit teams on security priorities.

"Azure AD has become a large attack vector as cybercriminals look to exploit the lack of security controls and solutions currently available for the tool," said Aaron Turner, CTO of SaaS Protect at Vectra AI. "Organizations must understand that Microsoft's default security settings are not specifically tailored to their business operations or industry, which introduces waves of unnecessary risk. Combining this with the constant changes in M365, both internally and externally, leaves a host of potential vulnerabilities and configuration issues that organizations are responsible for correcting. Vectra Protect helps unravel this complexity to deliver the visibility and assurance organizations need to protect these essential business tools."

The free Vectra Protect for Azure AD scan, a value up to $50,000, will be readily available to any M365 customer operating in any M365 environment\*. The scan focuses on a common foothold for unauthorized access and risk: access management in the active directory. Turner will be showcasing the technology and enumerating how to protect the M365 tenant and hunt for threats during RSAC 2022 in San Francisco, CA. You can register for his session here.

For more details about Vectra Protect for Azure AD and to request a free scan, please visit: https://www.vectra.ai/azure-ad-scan

\*Exclusions apply.

**About Vectra AI  
**Vectra® is a leader in cyber threat detection and response for hybrid and multi-cloud enterprises. The Vectra platform uses AI to detect threats at speed across public cloud, identity, SaaS applications, and data centers. Only Vectra optimizes AI to detect attacker methods—the TTPs at the heart of all attacks—rather than simplistically alerting on "different". The resulting high-fidelity threat signal and clear context enables cybersecurity teams to respond to threats sooner and to stop attacks in progress faster. Organizations worldwide rely on Vectra for cybersecurity resilience in the face of dangerous cyber threats and to prevent ransomware, supply chain compromise, identity takeovers, and other cyberattacks from impacting their businesses. For more information, visit vectra.ai.

Help Organizations to Mitigate Risk in Microsoft 365 with 'Vectra Protect'

AI and ML are important SecOps tools, but human involvement is still required.

Artificial intelligence (AI) can be used to enhance the efficiency and scale of SecOps teams, but it will not solve all your cybersecurity needs without the need for some human involvement — at least, not today.

Most commercial AI successes have been associated with supervised machine learning (ML) techniques specifically tuned for prediction tasks that yield business value. These use cases for ML, such as spoken language understanding for your smart-home assistant and object recognition for self-driving cars, make use of vast amounts of labeled data and computation required to train complex deep learning models. They also focus on solving problems that barely change. This is in contrast to cybersecurity, where we rarely have the millions of examples of malicious activity needed to train deep learning models, and we face intelligent adversaries that frequently change their tactics to try to outmaneuver our latest detection capabilities, including those using ML.

In addition, the digital exhaust from human behavior in enterprise environments is extremely hard to predict. Anomalies in these systems are common and very rarely represent malicious threat actor behavior. It is therefore unreasonable to expect that unsupervised anomaly detection can be used to learn about an enterprise environment’s normal behavior and be able to generate meaningful alerts about malicious activity without creating false alarms on unusual but benign events.

Finally, the degree of data imbalance in threat detection is unlike many other use cases for ML. Imagine for a moment that you are a midsize to large enterprise collecting 1 billion potentially security-relevant telemetry events per day and expect to find one incident worth seriously investigating. Nobody wants to lose the ransomware lottery and have their business grind to a halt with the potential for even worse reputational damage by missing that one security incident. However, if you build an ML-based threat detector processing each event by itself that is 99.9% accurate, you would be searching for that one true positive in a sea of 1 million false positives. Conquering this data imbalance requires significant expertise and a multipronged detection strategy.

Despite these challenges, there are ways for SecOps teams to leverage the technical power of AI/ML to gain operational efficiencies. The following principles should be considered when doing so.

**1\. Symbiotic Humans and Machines Work Better Together**

Consider ML a complement to human intelligence rather than a substitute for it. In the context of complex systems, especially when combatting intelligent adversaries that adapt quickly, automation will deliver the greatest value with active learning at its core. Humans should regularly review the results of ML-based systems, provide feedback, add additional examples of new malicious behaviors, retune the models, and constantly iterate. Anyone who has ever had to face an intelligent adversary, whether it be in cyberspace or in combat, should be familiar with the OODA loop, developed by US Air Force Colonel John Boyd. It has many similarities to active learning techniques that can be exceptionally useful in ensuring that automatable decisions made in each loop are using the best insights, optimizing the utility of manual analysis performed in some loops, and scaling it to assist in processing more loops than humanly possible.

**2\. Pick The Right Tool for the Job**

You do not have to become an AI expert to make good AI-related decisions for your team, but you should be reasonably informed about the basics to ensure that you are picking the right tool for the job.

First, it is important to know the difference between anomalous and malicious behaviors because they are rarely the same and require very different techniques when it comes to detection. The former is easy to discover with unsupervised anomaly detection that does not require labeled training data, but the latter requires supervised learning that typically requires many historical examples.

Second, alerts with a high signal-to-noise ratio are critical for SecOps teams, and you need to fully understand the downstream effects of any probabilistic system that will not be 100% accurate.

Finally, while nearly every ML technique has been applied to cybersecurity, it is still important to have thousands of signatures from threat intelligence that operate like a minefield of trip wires. When constantly tuned by an expert team of security researchers, signatures provide a critical baseline for detecting known threats that needs to be a part of every security program for the foreseeable future.

**3\. Use AI Where It Can Be Most Successful**

It is ironic that many cybersecurity professionals who might trust AI to drive their car are skeptical about AI executing remedial containment actions. Automated action, after all, is one of the best ways to make your SecOps team more efficient. Automation frees the creative human mind from getting bogged down in time-consuming operational tasks — which are right in AI's wheelhouse. ML is useful in detecting advanced threats, especially when you can aggregate evidence, and it is also useful when prioritizing alerts from a variety of detectors that may come from different systems. AI can automate low-risk containment actions, such as quarantining suspicious files or requiring users to re-authenticate, which can dramatically increase your SecOps efficiency and lower your cyber-risk.

With all that said, AI/ML cannot be your only cybersecurity strategy — at least, not in 2022. When you are searching for important needles in immense haystacks, the most effective strategy still comes from pairing machine intelligence with the human intuition of expert analysts.

Distinguishing AI Hype From Reality in SecOps

Voice recognition—and data collection—have boomed in recent years. Researchers are figuring out how to protect your privacy.

Your voice reveals more about you than you realize. To the human ear, your voice can instantly give away your mood, for example—it’s easy to tell if you’re excited or upset. But machines can learn a lot more: inferring your age, gender, ethnicity, socio-economic status, health conditions, and beyond. Researchers have even been able to generate images of faces based on the information contained in individuals’ voice data.

As machines become better at understanding you through your voice, companies are cashing in. Voice recognition systems—from Siri and Alexa to those using your voice as your password—have proliferated in recent years as artificial intelligence and machine learning have unlocked the ability to understand not just what you are saying but who you are. Big Voice may be a $20 billion industry within a few years. And as the market grows, privacy-focused researchers are increasingly searching for ways to protect people from having their voice data used against them.

Vocal Threats

Both the words you say and how you say them can be used to identify you, says Emmanuel Vincent, a senior research scientist specializing in voice technologies at France’s National Institute for Research in Digital Science and Technology (Inria), but this is only the beginning. “You will also find other pieces of information about your emotions or your medical condition,” Vincent says.

“These additional pieces of information help build a more complete profile—then this would be used for all sorts of targeted advertisements,” Vincent says. As well as your voice data potentially feeding into the vast realm of data used to show you online ads, there’s also the risk that hackers could access the location where your voice data is stored and use it to impersonate you. A small number of these cloning incidents have already happened, proving the value your voice holds. Simple robocall scams have also recorded people saying “yes” to use the confirmation in payment scams.

Last year, TikTok changed its privacy policies and started collecting the voiceprints—a loose term for the data your voice contains—of people in the US alongside other biometric data, such as your faceprint. More broadly, call centers are using AI to analyze people’s “behavior and emotion” during phone calls and evaluate the “tone, pace, and pitch of every single word” to develop profiles of people and increase sales. “We’re almost in a situation where the systems to recognize who you are and link everything together exist, but the protection is not there—and it’s still quite far away from being readily usable,” says Henry Turner, who researched the security of voice systems at the University of Oxford.

Hidden Meaning

Your voice is produced through a complex process involving the lungs and your voice box, throat, nose, mouth, and sinuses. More than a hundred muscles are activated when you speak, says Rébecca Kleinberger, a voice researcher at the MIT Media Lab. “It's also very much the brain,” Kleinberger says. 

Researchers are experimenting with four ways to enhance privacy for your voice, says Natalia Tomashenko, a researcher at Avignon University, France, who has been studying voice and is the first author of a research paper on the results of a voice privacy engineering challenge. None of the methods are perfect, but they are being explored as possible ways to boost privacy in the infrastructure processing your voice data.

First is obfuscation, which tries to completely hide who the speaker is. Think of a Hollywood depiction of a hacker totally distorting their voice over a phone call as they explain a devilish plot or ransom (or hacktivist collective Anonymous’s promotional videos). Simple voice-changing hardware allows anyone to quickly change the sound of their voice. More advanced speech-to-text-to-speech systems can transcribe what you’re saying and then reverse the process and say it in a new voice.

Second, Tomashenko says, researchers are looking at distributed and federated learning—where your data doesn’t leave your device but machine learning models still learn to recognize speech by sharing their training with a bigger system. Another approach involves building encrypted infrastructure to protect people’s voices from snooping. However, most efforts are focused on voice anonymization.

Anonymization attempts to keep your voice sounding human while stripping out as much of the information that could be used to identify you as possible. Speech anonymization efforts currently involve two separate strands: anonymizing the content of what someone is saying by deleting or replacing any sensitive words in files before they are saved and anonymizing the voice itself. Most voice anonymization efforts at the moment involve passing someone’s voice through experimental software that will change some of the parameters in the voice signal to make it sound different. This can involve altering the pitch, replacing segments of speech with information from other voices, and synthesizing the final output.

Does anonymization technology work? Male and female voice clips that were anonymized as part of the Voice Privacy Challenge in 2020 definitely do sound different. They’re more robotic, sound slightly pained and could—to some listeners at least—be from a different person than the original voice clips. “I think it can already guarantee a much higher level of protection than doing nothing, which is the current status,” says Vincent, who has been able to reduce how easy it is to identify people in anonymization research. However, humans aren’t the only listeners. Rita Singh, an associate professor in Carnegie Mellon University’s Language Technologies Institute, says that total de-identification of the voice signal is not possible, as machines will always have the potential to make links between attributes and individuals, even connections that aren’t clear to humans. “Is the anonymization with respect to a human listener or is it with respect to a machine listener?” says Shri Narayanan, a professor of electrical and computer engineering at the University of Southern California.

“True anonymization is not possible without completely changing the voice,” Singh says. “When you completely change the voice, then it's not the same voice.” Despite this, it is still worth developing voice-privacy technology, Singh adds, as no privacy or security system is totally secure. Fingerprints and face identification systems on iPhones have been spoofed in the past, but overall, they’re still an effective method of protecting people’s privacy.

Bye, Alexa

Your voice is increasingly being used as a way to verify your identity. For example, a growing number of banks and other companies are analyzing your voiceprints, with your permission, to replace your password. There’s also the potential for voice analysis to detect illness before other signs are obvious. But the technology to clone or fake someone’s voice is advancing quickly.

If you have a few minutes of someone’s voice recorded, or in some instances a few seconds, it’s possible to recreate that voice using machine learning—_The Simpsons’_ voice actors could be replaced by deep fake voice clones, for instance. And commercial tools for recreating voices are readily available online. “There’s definitely more work in speaker identification and producing speech to text and text to speech than there is in protecting people from any of those technologies,” Turner says.

Many of the voice anonymization techniques being developed at the moment are still a long way from being used in the real world. When they are ready to be used it’s likely that companies will have to implement tools themselves, to protect their customers' privacy—there’s currently little individuals can do to protect their own voice. Avoiding calls with call centers or companies that use voice analysis, and not using voice assistants, could limit how much your voice is recorded and reduce possible attack opportunities.

But the biggest protections may come from legal cases and protections. Europe’s GDPR covers biometric data, including people’s voices, in its privacy protections. Guidelines say people should be told how their data is being used and provide consent if they’re being identified, and that some restrictions should be placed on personalization. Meanwhile, in the US, courts in Illinois— home to some of the strongest biometric laws in the country—are increasingly inspecting cases involving people’s voice data. McDonald’s, Amazon, and Google are all facing judicial scrutiny over how they use people’s voice data. The decisions in these cases could lay down new rules for the protection of people’s voices.

The Race to Hide Your Voice

Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.

Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.

Microsoft has released a workaround for a zero-day flaw that was initially flagged in April and that attackers already have used to target organizations in Russia and Tibet, researchers said.

The remote control execution (RCE) flaw, tracked as CVE-2022-3019, is associated with the Microsoft Support Diagnostic Tool (MSDT), which, ironically, itself collects information about bugs in the company’s products and reports to Microsoft Support.

If successfully exploited, attackers can install programs, view, change or delete data, or create new accounts in the context allowed by the user’s rights, the company said.

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” Microsoft explained in its guidance on the Microsoft Security Response Center. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.”

Microsoft’s workaround comes some six weeks after the vulnerability was apparently first identified. Researchers from Shadow Chaser Group noticed it on April 12 in a bachelor’s thesis from August 2020—with attackers apparently targeting Russian users–and reported to Microsoft on April 21, according to research firm Recorded Future’s The Record.

A Malwarebytes Threat Intelligence analyst also spotted the flaw back in April but could not fully identify it, the company said in a post on Twitter over the weekend, retweeting the original post about the vulnerability, also made on April 12, from @h2jazi.

When the flaw was reported, Microsoft didn’t consider it an issue. It’s clear now that the company was wrong, and the vulnerability again raised the attention of researchers at  Japanese security vendor Nao Sec, who tweeted a fresh warning about it over the weekend, noting that it was being used to target users in Belarus.

In analysis over the weekend noted security researcher Kevin Beaumont dubbed the vulnerability “Follina,” explaining the zero-day code references the Italy-based area code of Follina – 0438.

****Current Workaround****

While no patch yet exists for the flaw, Microsoft is recommending that affected users disable the MSDT URL to mitigate it for now. This “prevents troubleshooters being launched as links including links throughout the operating system,” the company wrote in their advisory.

To do this, users must follow these steps: Run “:**Command Prompt** **as Administrator****“**; Back up the registry key by executing the command “reg export HKEY\_CLASSES\_ROOT\\ms-msdt _filename_“; and execute the command “reg delete HKEY\_CLASSES\_ROOT\\ms-msdt /f”.

“Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters,” the company said.

Moreover, if the calling application is an Office app then by default, Office opens the document from the internet in Protected View and Application Guard for Office, “both of which prevent the current attack,” Microsoft said. However, Beaumont refuted that assurance in his analysis of the bug.

Microsoft also plans to update CVE-2022-3019 with further information but did not specify when it would do so, according to the advisory.

****Significant Risk****

In the meantime, the unpatched flaw poses a significant risk for a number of reasons, Beaumont and other researchers noted.

One is that it affects such a wide swathe of users, given that it exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus.

“Every organization that is dealing with content, files and in particular Office documents, which is basically everyone in the globe, is currently exposed to this threat,” Aviv Grafi, CTO and founder of security firm Votiro, wrote in an e-mail to Threatpost.

Another reason the flaw poses a major threat is its execution without action from end users, both Beaumont and Grafi said. Once the HTML is loaded from the calling application, an MSDT scheme is used to execute a PowerShell code to run a malicious payload, Grafi explained.

Since the flaw is abusing the remote template feature in Microsoft Word, it is not dependent on a typical macro-based exploit path, which are common within Office-based attacks, Beaumont said.

“What makes this vulnerability so difficult to avoid is the fact that the end user does not have to enable macros for the code to execute, making it a ‘zero-click’ remote code execution technique used through MSDT,” Grafi concurred.

****Under Active Attack****

Claire Tills, senior research engineer for security firm Tenable, compared the flaw to last year’s zero-click MSHTML bug**,** tracked as CVE-2021-40444, which was pummeled by attackers, including the Ryuk ransomware gang.

“Given the similarities between CVE-2022-30190 and CVE-2021-40444, and that researchers speculate other protocol handlers may also be vulnerable, we expect to see further developments and exploitation attempts of this issue,” she wrote in an e-mail to Threatpost.

Indeed, threat actors already have pounced on the vulnerability. On Monday, Proofpoint Threat Insight also tweeted that threat actors were using the flaw to target organizations in Tibet by impersonating the “Women Empowerments Desk” of the Central Tibetan Administration.

What’s more, the workaround that Microsoft currently offers itself has issues and won’t provide much of a fix in the long-term, especially with the bug under attack, Grafi said. He said the workaround is”not friendly for admins” because it involves “changes in the Registry of the end user’s endpoints.”

Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack

"Follina" vulnerability in Microsoft Support Diagnostic Tool (MSDT) affects all currently supported Windows versions and can be triggered via specially crafted Office documents.

Attackers are actively exploiting an unpatched and easy-to-exploit flaw in the Microsoft Support Diagnostic Tool (MSDT) in Windows that allows for remote code execution from Office documents even when macros are disabled.

The vulnerability exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus, according to security researchers that have analyzed the issue.

Attackers can exploit the zero-day flaw — dubbed "Follina" — to remotely execute arbitrary code on Windows systems. Microsoft has warned of the issue giving attackers a way to "install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights." Researchers have reported observing attacks exploiting the flaw in India and Russia going back at least one month.

**Delayed Acknowledgement?**

Microsoft on Monday assigned the flaw a CVE identifier — CVE-2022-30190 — after apparently initially describing it as a non-security issue in April when crazyman, a security researcher with APT threat hunting group Shadow Chaser Group, first reported observing a public exploit of the vulnerability. Though the company's advisory described the flaw as being publicly known and actively exploited, it did not describe the issue as a zero-day threat.

In a May 30 blog post, Microsoft recommended that organizations disable the MSDT URL protocol to mitigate the issue and said it would provide more updates later without specifying when. Microsoft said the Protected View feature in Microsoft Office and the Application Guard for Office both would prevent attacks that try to exploit the flaw.

Microsoft did not respond to a Dark Reading query on whether it had initially described the issue as a non-security issue or when it might have first learned of the flaw. Instead, a spokeswoman pointed to Microsoft's Monday advisory as the only comment the company has on the issue at this time.

MSDT is a Windows support tool that collects and sends data from a user's system to Microsoft support staff so they can analyze and diagnose issues that a user might be encountering on their system. According to Microsoft, the vulnerability is triggered when an Office app like Word calls MSDT using the URL protocol. "An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application," the company noted.

**Multiple Exploits in the Wild**

Though the security researcher with the Shadow Chaser Group first notified Microsoft Security Response Center about the bug more than a month ago, the vuln only received broad attention over the weekend when a researcher spotted a malicious Word document attempting to exploit the issue. Security researcher Kevin Beaumont analyzed the document and found that it was using the remote template feature in Word to retrieve a HTML file from a remote Web server. The retrieved file in turn used the MS-MSDT URL protocol to load code for executing a PowerShell script. Beaumont discovered the document was executing code even with macros disabled. The security researcher found at least two other malicious Word documents in the wild attempting to exploit Follina going back to April.

Significantly, Beaumont and other researchers found that the attack technique allowed threat actors a way to bypass the "Protected View" mechanism in Office that alerts users about content downloaded from the Internet and requires an additional click from them to open. According to Malwarebytes, the warning can be bypassed simply by changing the document to a Rich Text Format (RTF) file. By doing so, code can run without the user even needed to open the document via the preview tab in Explorer, Malwarebytes said.

"RTF files are a special format that allows for documents to be previewed inside of Windows Explorer," says Jerome Segura, senior director of threat intelligence at Malwarebytes. "When that happens, Explorer will call out the msdt process which is being exploited without any warning or prompts," he says. In fact, the Preview pane is a risky feature because it enables zero-click attacks, Segura says. "We recommend users to disable it within Explorer as well as email clients like Outlook."

**Potentially Widespread Impact**

Johannes Ullrich, dean of research at the SANS Institute, says by itself the vulnerability in MSDT wouldn’t be a big deal. But the fact that it can be triggered via Microsoft Office is troubling. All that a user needs to do is to open a specially crafted Word document, or in some cases just previewing it to enable remote code execution, he says. This sets the stage for potentially widespread compromises especially considering that numerous exploits have been available in the wild for a month now.

"There are multiple scripts, examples and tutorials explaining how to exploit this vulnerability. Applying these techniques is easy, Ullrich says. He points to one malicious document to exploit Follina that SANS discovered recently, which purported to contain quotes for mobile phone prices from a reseller. The exploit worked though it appears to have been compiled by a relatively unskilled threat actor. "It appears to have been created by a novice attacker as it doesn't even remove some of the comments added to the malicious document," Ullrich says.  

He recommends that organizations immediately follow Microsoft's guidance and disable the MSDT URL protocol. "This will break the link between Office and the diagnostic tool," he says. Though the vulnerability in MSDT will still be present, it can no longer be triggered when opening a malicious document, he says. SANS recommends that organizations disable the Preview Pane in Windows Explorer.

Dray Agha, ThreatOps analyst at Huntress, which did a deep dive on the vulnerability, says attackers can use Follina to escalate privileges and travel across environments to create havoc. "Hackers can go from being a low-privilege user to an admin extremely easily," Agha says. "The vulnerability can be easily triggered by users simply choosing to “preview” a specifically crafted, maliciously supplied document. It’s that simple."

Tag

#intel