A Reflected Cross-site scripting (XSS) issue was discovered in dotCMS Core through 22.06. This occurs in the admin portal when the configuration has XSS_PROTECTION_ENABLED=false.

** Zero-Day Advisory**

**Fortinet Discovers dotCMS Multiple Cross-Site Scripting Vulnerability**

**Summary**

Fortinet's FortiGuard Labs had discovered a Cross-Site Scripting (XSS) vulnerability in dotCMS Admin Portal.

dotCMS is an open source content management system (CMS) written in Java for managing content and content driven sites and applications.

The vulnerability is caused by insufficient input sanitization in dotCMS Core. Upon successful exploitation, it allows attackers to launch client-side script execution in the browser's process context.  

**Solutions**

FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:

**dotCMS.Portal.Multiple.XSS**  
Released Aug 02, 2022

Users should always enable XSS Prevention feature on dotCMS

**Additional Information**

The vulnerability affected dotCMS Core.  

**Timeline**

Fortinet reported the vulnerability to dotCMS on 10 June, 2022.

dotCMS confirmed the vulnerability on 25th  June, 2022 and concluded it as a no-fix issue. 

**Acknowledgement**

This vulnerability was discovered by Nguyen Thanh Nguyen of Fortinet's FortiGuard Labs.

**IPS Subscription**

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability with the appropriate configuration parameters in place. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

CVE-2022-37431: Fortiguard

A Tehran-linked hack of a NATO member marks a significant escalation against the backdrop of US-Iran nuclear talks.

In mid-July, a cyberattack on the Albanian government knocked out state websites and public services for hours. With Russia’s war raging in Ukraine, the Kremlin might seem like the likeliest suspect. But research published on Thursday by the threat intelligence firm Mandiant attributes the attack to Iran. And while Tehran’s espionage operations and digital meddling have shown up all over the world, Mandiant researchers say that a disruptive attack from Iran on a NATO member is a noteworthy escalation.

The digital attacks targeting Albania on July 17 came ahead of the “World Summit of Free Iran,” a conference scheduled to convene in the town of Manëz in western Albania on July 23 and 24. The summit was affiliated with the Iranian opposition group Mujahideen-e-Khalq, or the People’s Mojahedin Organization of Iran (often abbreviated MEK, PMOI, or MKO). The conference was postponed the day before it was set to begin because of reported, unspecified “terrorist” threats.

Mandiant researchers say that attackers deployed ransomware from the Roadsweep family and may have also utilized a previously unknown backdoor, dubbed Chimneysweep, as well as a new strain of the Zeroclear wiper. Past use of similar malware, the timing of the attacks, other clues from the Roadsweep ransomware note, and activity from actors claiming responsibility for the attacks on Telegram all point to Iran, Mandiant says.

“This is an aggressive escalatory step that we have to recognize,” says John Hultquist, Mandiant’s vice president of intelligence. “Iranian espionage happens all the time all over the world. The difference here is this isn’t espionage. These are disruptive attacks, which affect the lives of everyday Albanians who live within the NATO alliance. And it was essentially a coercive attack to force the hand of the government."

Iran has conducted aggressive hacking campaigns in the Middle East and particularly in Israel, and its state-backed hackers have penetrated and probed manufacturing, supply, and critical infrastructure organizations. In November 2021, the US and Australian governments warned that Iranian hackers were actively working to gain access to an array of networks related to transportation, health care, and public health entities, among others. “These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion,” the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency wrote at the time.

Tehran has limited how far its attacks have gone, though, largely keeping to data exfiltration and reconnaissance on the global stage. The country has, however, participated in influence operations, disinformation campaigns, and efforts to meddle in foreign elections, including targeting the US.

“We’ve become used to seeing Iran being aggressive in the Middle East where that activity just has never stopped, but outside of the Middle East they’ve been far more restrained,” Hultquist says. “I’m concerned that they may be more willing to leverage their capability outside of the region. And they clearly have no qualms about targeting NATO states, which suggests to me that whatever deterrents we believe exist between us and them may not exist at all.”

With Iran claiming that it now has the ability to produce nuclear warheads, and representatives from the country meeting with US officials in Vienna about a possible revival of the 2015 nuclear deal between the countries, any signal about Iran’s possible intentions and risk tolerance when it comes to dealing with NATO are significant.

An Attack on Albanian Government Suggests New Iranian Aggression

BlackBasta lined up behind LockBit as the second most prevalent ransomware in July, a number of new gangs appeared, and an old one reappeared
The post Ransomware review: July 2022 appeared first on Malwarebytes Labs.

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

In July, LockBit maintained the place it has occupied all year as the most active ransomware variant. Notably, BlackBasta, a relatively new ransomware variant that first appeared in April, took the place occupied by Conti for much of the year as the second most active variant. BlackBasta has been strongly linked to the gang behind Conti and may be the closest thing it has to a successor.

Two other gangs linked to Conti, Hive and KaraKurt, were also very active during July, ensuring that the gang behind “the costliest strain of ransomware ever documented” by the FBI continues to cast a long shadow, despite the retirement of the Conti “brand”.

The international picture followed a familiar pattern, with the USA suffering the largest number of attacks by far, distantly followed by a collection of the largest European economies. Services remained the sector most afflicted, suffering almost a quarter of all attacks.

Known ransomware attacks by group, July 2022

Known ransomware attacks by country, July 2022

Known ransomware attacks by industry sector, July 2022

**LockBit**

We wrote extensively about LockBit, and the appearance of LockBit 3.0, in last month’s ransomware review. Part of the gang’s success seems to have come from simply avoiding the attention-seeking pitfalls of other gangs. We wrote “…while some ransomware gangs seem to want to tell the world what they think, and how great they are, LockBit seems to care more about what its users think.”

Perhaps we spoke to soon. In July LockBit responded to an interview request by Red Hot Cyber in which it trotted out it’s version of the careworn old nonsense that criminal hackers help security, saying “we are ordinary pentesters and make this world safer”. Thanks to the gang’s threats and ruthless exploitation “companies can learn a security lesson and close vulnerabilities”, apparently. Whatever helps you sleep at night, we suppose.

The interview did contain some useful information too though, revealing that between 10%-50% of LockBit victims pay the ransom. The numbers we report each month are victims who appear on leak sites because they have _not_ paid the ransom, so this tidbit helps us understand the true scale of the ransomware problem.

The interviewee also confirmed the suspected relationship between LockBit 3.0 (also known as LockBit Black) and DarkSide/BlackMatter ransomware, revealing that the LockBit gang paid for DarkSide source code and based the latest version of its ransomware on it. If DarkSide sounds familiar, you may recall that it was the ransomware used in the infamous Colonial Pipeline attack. The DarkSide gang disappeared shortly after the attack “due to the pressure from the US”, only to reemerge as BlackMatter in July, before disappearing again in October 2021, again due to pressure from “authorities”.

**BlackBasta**

BlackBasta was the second most prolific ransomware variant behind LockBit in July, and it has occupied either the second or third place in our list ever since May, having only emerged the month before.

It burst into existence in April with 11 known victims. Being able to hit so many victims in its first month led some to speculate that it must be the work of an established gang that had a network of experienced affiliates in place, ready to work. It has since been linked to the gang behind the recently retired Conti ransomware, with which it enjoys an eye-catching overlap.

Known Conti and BlackBasta attacks in the last six months

As we reported in May and June, Conti hatched a scheme to fake its own death this year, after its support for Russia’s invasion of Ukraine caused ransom payments to dry up. Members of the gang were alleged dispersed to other “brands” owned by the Conti gang, as well as other gangs it had a relationship with.

Apparent beneficiaries included operators of three of the five most prevalent ransomware variants in July: BlackBasta, Hive, and the resurgent KaraKurt.

**REvil returns**

July was also notable for the reappearance of REvil, aka Sodinokibi, perhaps the most notorious name in ransomware. A single victim appeared on the gang’s Tor leak site in July, the first since April.

A new victim appeared on the REvil leak site for the first time in months

While many other groups were far more active, the group’s reputation ensures that any sign of life demands to be taken seriously.

REvil is responsible for two of the most significant ransomware attacks in history: The 2021 attack on JBS, the world’s largest meat processing company, and an enormous, cascading supply-chain attack against Kaseya VSA and its customers a month later. The attack on Kaseya was ultimately resolved when the company announced that it had acquired the decryption key needed to free the victims, without paying REvil its $70 million ransom demand. The source of the key was later revealed to have been the FBI, which had successfully infiltrated the group’s infrastructure.

Since then REvil has led a stop-start existence. Under pressure from US law enforcement, the gang went dark in July 2021. It reappeared a few months later before being forced offline when its infrastructure was hijacked by a multi-country law enforcement operation in October.

In January, in a highly unusual move, eight of its members were arrested in Russia by the FSB. However, even that wasn’t enough to keep the gang down for long. It’s infrastructure sparked back into life in April before going dark again, only for it to reappear in July.

**New gangs appear**

Last month also saw a glut of new ransomware gangs appear. The newcomers in our list are BianLian, Yanluowang, 0mega, Cheers, and RedAlert. With 11 known victims, the debut of BianLian is comparable in size to the appearance of BlackBasta in April, so we will be watching it closely in August.

The leak site of the new BianLian ransomware showed 11 victims in July

Yanluowang leak site

0mega leak site

Cheers leak site

RedAlert leak site

Ransomware review: July 2022

Categories: Threat Intelligence
Tags: conti

Tags: lockbit

Tags: ransomware

BlackBasta lined up behind LockBit as the second most prevalent ransomware in July, a number of new gangs appeared, and an old one reappeared



(Read more...)




The post Ransomware review: July 2022 appeared first on Malwarebytes Labs.

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

In July, LockBit maintained the place it has occupied all year as the most active ransomware variant. Notably, BlackBasta, a relatively new ransomware variant that first appeared in April, took the place occupied by Conti for much of the year as the second most active variant. BlackBasta has been strongly linked to the gang behind Conti and may be the closest thing it has to a successor.

Two other gangs linked to Conti, Hive and KaraKurt, were also very active during July, ensuring that the gang behind “the costliest strain of ransomware ever documented” by the FBI continues to cast a long shadow, despite the retirement of the Conti "brand".

The international picture followed a familiar pattern, with the USA suffering the largest number of attacks by far, distantly followed by a collection of the largest European economies. Services remained the sector most afflicted, suffering almost a quarter of all attacks.

Known ransomware attacks by group, July 2022

Known ransomware attacks by country, July 2022

Known ransomware attacks by industry sector, July 2022

**LockBit**

We wrote extensively about LockBit, and the appearance of LockBit 3.0, in last month's ransomware review. Part of the gang's success seems to have come from simply avoiding the attention-seeking pitfalls of other gangs. We wrote "...while some ransomware gangs seem to want to tell the world what they think, and how great they are, LockBit seems to care more about what its users think."

Perhaps we spoke to soon. In July LockBit responded to an interview request by Red Hot Cyber in which it trotted out it's version of the careworn old nonsense that criminal hackers help security, saying "we are ordinary pentesters and make this world safer". Thanks to the gang's threats and ruthless exploitation "companies can learn a security lesson and close vulnerabilities", apparently. Whatever helps you sleep at night, we suppose.

The interview did contain some useful information too though, revealing that between 10%-50% of LockBit victims pay the ransom. The numbers we report each month are victims who appear on leak sites because they have _not_ paid the ransom, so this tidbit helps us understand the true scale of the ransomware problem.

The interviewee also confirmed the suspected relationship between LockBit 3.0 (also known as LockBit Black) and DarkSide/BlackMatter ransomware, revealing that the LockBit gang paid for DarkSide source code and based the latest version of its ransomware on it. If DarkSide sounds familiar, you may recall that it was the ransomware used in the infamous Colonial Pipeline attack. The DarkSide gang disappeared shortly after the attack "due to the pressure from the US", only to reemerge as BlackMatter in July, before disappearing again in October 2021, again due to pressure from "authorities".

**BlackBasta**

BlackBasta was the second most prolific ransomware variant behind LockBit in July, and it has occupied either the second or third place in our list ever since May, having only emerged the month before.

It burst into existence in April with 11 known victims. Being able to hit so many victims in its first month led some to speculate that it must be the work of an established gang that had a network of experienced affiliates in place, ready to work. It has since been linked to the gang behind the recently retired Conti ransomware, with which it enjoys an eye-catching overlap.

Known Conti and BlackBasta attacks in the last six months

As we reported in May and June, Conti hatched a scheme to fake its own death this year, after its support for Russia's invasion of Ukraine caused ransom payments to dry up. Members of the gang were alleged dispersed to other "brands" owned by the Conti gang, as well as other gangs it had a relationship with.

Apparent beneficiaries included operators of three of the five most prevalent ransomware variants in July: BlackBasta, Hive, and the resurgent KaraKurt.

**REvil returns**

July was also notable for the reappearance of REvil, aka Sodinokibi, perhaps the most notorious name in ransomware. A single victim appeared on the gang's Tor leak site in July, the first since April.

A new victim appeared on the REvil leak site for the first time in months

While many other groups were far more active, the group's reputation ensures that any sign of life demands to be taken seriously.

REvil is responsible for two of the most significant ransomware attacks in history: The 2021 attack on JBS, the world's largest meat processing company, and an enormous, cascading supply-chain attack against Kaseya VSA and its customers a month later. The attack on Kaseya was ultimately resolved when the company announced that it had acquired the decryption key needed to free the victims, without paying REvil its $70 million ransom demand. The source of the key was later revealed to have been the FBI, which had successfully infiltrated the group's infrastructure.

Since then REvil has led a stop-start existence. Under pressure from US law enforcement, the gang went dark in July 2021. It reappeared a few months later before being forced offline when its infrastructure was hijacked by a multi-country law enforcement operation in October.

In January, in a highly unusual move, eight of its members were arrested in Russia by the FSB. However, even that wasn't enough to keep the gang down for long. It's infrastructure sparked back into life in April before going dark again, only for it to reappear in July.

**New gangs appear**

Last month also saw a glut of new ransomware gangs appear. The newcomers in our list are BianLian, Yanluowang, 0mega, Cheers, and RedAlert. With 11 known victims, the debut of BianLian is comparable in size to the appearance of BlackBasta in April, so we will be watching it closely in August.

The leak site of the new BianLian ransomware showed 11 victims in July

Yanluowang leak site

0mega leak site

Cheers leak site

RedAlert leak site

In BIG-IP Versions 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, Traffic Intelligence feeds, which use HTTPS, do not verify the remote endpoint identity, allowing for potential data poisoning. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2022-34865

Securing email communication has never been more critical for organizations, and it has never been more challenging to do so. Attack volumes have increased and become more sophisticated.

**The Importance of Email Security**

Email remains the primary vehicle used by cybercriminals, with 90% of cyberattacks delivered via this attack vector. Email is also the most essential and widely used business communication tool.

Securing email communication has never been more critical for organizations, and it has never been more challenging to do so. Attack volumes have not only gone up, but the attacks delivered via email have also become more sophisticated.

The work-from-home shift experienced by most of the world has made employees and organizations more vulnerable to cyberattacks delivered by email than ever before. This makes business email an irresistible target for cybercriminals.

**Email Security Is at a Crossroads**

Protecting email, while reducing cost and complexity, is a business-critical objective for organizations of all sizes, working in virtually every industry, and in all areas of the world. Workers are more frequently than ever logging on remotely from home, from hotels, from coffee shops, and sometimes even using their own personal devices. Often distracted by their environment, even the most cautious user can inadvertently open a malicious email or click on a malicious link.

Some organizations are choosing to rely on platforms such as Microsoft 365 and Google Workspace to provide the base of their email security strategy, while others are choosing to rely on more specialized products such as a secure email gateway created by cybersecurity vendors. And while most cybersecurity vendors force customers to choose only their specialized solution in order to reap its benefits, it is completely possible for these vendors to modify their existing specialized solutions to work with well-known software vendor platforms to augment and enhance those platforms’ security to the extreme benefit of their customers.

**Meeting Today's Email Security Needs**

Today's agile organizations desire — and should require — simplicity and effective results from their security tools. And with continual pressure for security leaders to justify their investments in new security technology, email security solutions should be diverse, cost effective, and deliver a quick return. This is all coming at a time when complexity for virtually every security team is increasing. System noise is increasing, the business and compliance needs of organizations are growing more diverse and complicated, and the risk cyberattacks pose is continually on the rise.

Gateway-less email security solutions stand poised to meet these customer needs. These solutions augment the security of software platforms like Microsoft 365 and Google Workspace by reinspecting emails that have already passed through the platform's email gateway and been scanned by its email security tool. These gateway-less email security solutions use routing rules to inspect emails after they have been scanned by the platform's detection engine but before they are delivered to users' inboxes. This helps stop the threats that may have been missed by Microsoft 365, Google Workspace, or other software platform security tools.

Gateway-less email security solutions deliver world-class protection, keeping email communication secure while augmenting the protection of incumbent email providers.

**The Benefits of Gateway-less Email Security**

Gateway-less solutions are growing in popularity due to their ease of deployment, ability to augment rather than replace software platform security, and appeal to organizations of all sizes. Cybersecurity analysts are now recommending gateway-less solutions as a viable email security option.

Gateway-less email security solutions stand behind security solutions organization are already using, helping to reduce the cost and complexity of email security deployments, which can be especially beneficial for smaller organizations with less complex email environments. Gateway-less solutions run entirely in the cloud with little to no infrastructure cost and require little to no security policy customization. This benefits both smaller organizations with lean IT departments and less resources, as well as larger organizations that are looking to cut costs, reduce resource use, and allow critical IT staff to focus on other areas of the enterprise.

When evaluating gateway-less email security solutions, organizations should seek out products that:

*   Deploy in a matter of minutes
*   Block even the most sophisticated email attacks with AI-powered detection
*   Enhance and extend the security of software platforms like Microsoft 365 and Google Workspace
*   Optimize protections with a quality best-practice, out-of-the-box security policy
*   Simplify email security with effortless administration
*   Allow users to easily see what threats have been blocked and why
*   Can be adjusted with the click of a button to meet user and admin needs
*   Defend against social engineering attacks
*   Remediate malicious emails with a single click

**The Bottom Line**

As the work-from-home shift transitions into a much more acceptable, prevalent, and permanent hybrid working environment, some organizations are choosing to stay with a traditional email security gateway, while others are moving toward gateway-less email solutions that augment the security of software platforms like Microsoft 365 and Google Workspace. Organizations that do so should seek out a gateway-less email security partner with advanced detection capabilities, access to long-standing threat intelligence based on long-running market and industry experience, and the ablity to deliver best-in-class efficacy that is difficult to match via a tried-and true solution platform that can reduce complexity, reduce organization risk, and bring email and collaboration security under one roof through a single pane of glass.

**About the Author**

    

Thom Bailey leads the Strategy & Evangelism team at Mimecast, the authority in email security, targeted threat protection, and data governance. With over 20 years in product marketing and product management experience, Thom's passion has been one of understanding the intersection of IT operations and security.

How Email Security Is Evolving

A global network of inauthentic news sites present themselves as independent news outlets, offering content favoring China's government and articles critical of the US.

A fake-news influence campaign based in China is leveraging at least 72 inauthentic news sites to push content strategically aligned with the political interests of the People's Republic of China (PRC) across the globe and in multiple languages.  

The sites are linked to a Chinese public-relations firm called Shanghai Haixun Technology, according to a report from Mandiant, which dubbed the campaign "HaiEnergy." To disseminate the content, the effort makes use of various social-media accounts with hundreds of thousands of followers. 

The purpose of the campaign is to target global audiences with messaging intended to improve the international image of China — and to discredit critics of its policies. According to the new Mandiant report, the campaign narratives include promoting the reform of Hong Kong's electoral system — giving the mainland government more control over choosing candidates — and criticizing the United States and its allies.

At the start of the month, several of the sites published articles critical of US House Speaker Nancy Pelosi's recently concluded trip to Taiwan, warning her to "stay away from Taiwan."

The content also attempts to discredit outspoken government opponents, including German anthropologist Adrian Zenz, who is known for his research on China's autonomous Xinjiang territory in the northwest, where there has been a reported genocide against the Uyghur population.

This was done via website articles and social-media posts, featuring what Mandiant suspects to be "at least three fabricated letters, based on obvious grammatical errors and typos."

One letter was observed being used by a Twitter account belonging to a suspected inauthentic persona "Jonas Drosten" (@Jonas\_drosten), who posted a tweet containing images of three letters. The tweet, and one of the letters, alleges that Adrian received "financial support from US Senator Marco Rubio and former White House Chief Strategist Steve Bannon."  

The Uyghur ethnic minority community has in the past been a target of multiple other disinformation efforts.

**Outsourcing Fake News Efforts**

Mandiant researchers were not able to determine whether Shanghai Haixun Technology is aware of the fakeness of the HaiEnergy effort, but the researchers found evidence that the campaign has leveraged services and infrastructure belonging to the PR firm to host and distribute content.  

The campaign's use of third-party infrastructure allows the operators behind the campaign to obfuscate their identities while distributing content. And the use of a PR firm in this campaign may also be suggestive of recent trends noted by Meta (PDF) regarding the increased outsourcing of influence operations to third parties.

The Mandiant report also notes that actors that use PR firms may also do so to lower the barrier to entry for such activity to actors with limited experience in such areas.

"The campaign does not appear to be particularly sophisticated, as evidenced at least in part by the seeming lack of substantial engagement outside of inauthentic amplification of its content," says Ryan Serabian, senior analyst at Mandiant.  

For instance, some of the social-media accounts outright note that they've been commissioned to promote content, and their bios suggest that they were willing to do "paid promos."

Serabian explains that social-media platforms, governments, and other organizations increasingly look to root out inauthentic information activity, so he expects that actors will adapt new tactics and strategies, like contracting PR firms, to continue to achieve their aims.

"As we've highlighted, such actors might seek to leverage PR firms to distribute content, and they may also become more inventive in the types of content they distribute, such as by way of using technology like artificial intelligence-generated 'deepfake' images and videos," he says.  

This particular operation follows the efforts of Russian operatives, and those allied with Russian interests, which unleashed a deluge of disinformation and fake news to try and sow fear and confusion in Ukraine following the invasion of that nation.

Massive China-Linked Disinformation Campaign Taps PR Firm for Help

Users can identify risks across five domains, work on multiple projects, and take advantage of exclusive community benefits.

EVERGREEN, Colo., Aug. 4, 2022 /PRNewswire/ — Phylum, The Software Supply Chain Security Company, announces the release of its free Phylum Community Edition to expand the standard in supply chain security risk analysis to everyone.

Users can quickly understand valuable risk insights based on our unique approach to defending the software supply chain.

The free Phylum Community Edition allows any user to identify open-source risks across five domains with deductive analysis that is integrated into every stage of a build. Available immediately, users can:

— Sign up for a free, individual account here  
— Work on up to five projects at a time  
— Join the Phylum slack community to collaborate with other developers and security professionals  
— Get exclusive access to future beta features  
— Contribute feedback to the product  
— Access community support  

"We're excited to get Phylum in the hands of security engineers and developers around the world. Supply chain attacks are just getting started, and users need the ability to identify risk across the entire OSS supply chain attack surface. With the Phylum Community Edition, users can quickly understand valuable risk insights based on our unique approach to defending the software supply chain," said Peter Morgan, co-founder and president of Phylum.

**The Phylum Risk Framework  
**  
Phylum's proactive approach to analyzing the risk inherent within the software supply chain is built from years of research and observation.

Instead of taking a retrospective approach by analyzing incidents after they occur, Phylum starts by consuming all available information about open-source packages and structuring the data in a consistent format for analysis. Layers of analytics, heuristics, and ML models then comb through the data to find risk indicators. Deductive analysis is then applied to account for the entire context around each indicator, and identified risks are prioritized based on the risk tolerance criteria set by the organization.

This allows Phylum to effectively surface and prioritize meaningful issues before an incident occurs, in a manner that does not overwhelm security teams. These risks can then be addressed before leading to compromise, outages, service degradation at runtime or legal liability.

"Given the large volume of components involved in the development of modern software, surfacing meaningful findings becomes critically important — as does accurately prioritizing issues. Phylum defines the attack surface and conducts the deductive analysis, and users define risk tolerance based on project needs. This combination results in a significantly reduced attack surface, and categorized risk prioritized by business objective," said Brad Crawford, vice president of product at Phylum and co-author of the MITRE ATT&CK Framework.

The Phylum Risk Framework is the standard in software supply chain security, defined by the following categories: Malicious Code, Software Vulnerabilities, Authorship Risk, Reputation, License Misuse and Engineering Risk.

Get the Phylum Community Edition here.

Phylum will be at Black Hat 2022 in Innovation City booth# IC53. To meet up at the event, request a meeting here.

About Phylum  
Phylum is the Software Supply Chain Company, on a mission to secure the universe of code. Developers and security professionals use Phylum to identify open-source risks across five domains using deductive analysis that is integrated into every stage of a build. The company is built by a team of career security researchers and developers with decades of experience in the US Intelligence Community and commercial sectors. Learn more at https://phylum.io, read The Phylum Research Blog, and follow us on LinkedIn and Twitter.

SOURCE: Phylum

Phylum Releases a Free Community Edition to Make Software Supply Chain Security More Accessible

It's a myth that consuming and processing alerts qualifies as security. Today's technology allows better detection and prevention, rather than accepting the low bar for protection set by ingrained incident response reactions.

You've probably seen ads for identity protection. They're everywhere, probably because almost half of all US citizens were victims of identity theft between 2020 and 2022. Although these ads claim to protect your identity, if you listen closely, what the service provides is an alert once your identity has been — or is in the process of being — stolen.

While these alerts can be immeasurably valuable, that's a very generous interpretation of "protection." If you entrusted me with protecting your valuables, and all I could do was let you know they had been stolen, you wouldn't be happy with my performance.

This same myth of protection has become accepted in the cybersecurity industry: the myth that an alert produced every time something is believed to be malicious or suspicious qualifies as security. This low bar for protection is what enterprises and consumers have been taught to accept. It's what security professionals have been taught to work with. The entire ecosystem is designed around the idea that consuming and responding to alerts is synonymous with protection.

Rather than protecting the enterprise, these voluminous alerts are putting enterprise security at risk. Security teams are drowning in alerts and saddled with excessive false positives. They are stretched beyond capacity due to working in a highly reactive, "always on" mode. According to Deep Instinct's Voice of SecOps survey, the industry is reaching a tipping point: Nearly 90% of cybersecurity professionals polled say they are stressed in their role, while 40% believe their existing security solution stack is inadequate and nearly half (46%) of the respondents have thought about quitting the industry.  

Now more than ever, we must redefine protection and lean into prevention. However, before we look ahead to how, let's quickly look at how we got here: a two-prong issue stemming from both the mindset of early cybersecurity groups and the technology available at the time.

**We Must Stop Living in the Past**

The ILoveYou virus hit within my first week in the National Security Incident Response Center, causing billions of dollars in damage. Back in the early 2000s, we dealt with ILoveYou like we did with any disaster. We built a response team, gathered data, worked to stop the damage, and made recommendations for the next time. This mindset was built into every Computer Emergency (or Incident) Response Team that popped up in the 2000s, from inside the Pentagon to Carnegie Mellon. A respond-to-an-event ecosystem was created.

The technologies and intelligence available then lacked the context, precision, and speed needed to get in front of these threats. Practitioners focused on what they could do: process data after an event as quickly as possible. This is where new technologies can be impactful. There was a lot of excitement when endpoint detection and response (EDR) was able to respond within minutes of an intruder entering a network. While that's a commendable response time, you wouldn't want someone inside your house poking around for minutes before you responded. On top of that, the people responsible for responding are now being buried by an avalanche of false alarms.

Many accept that false-positive detection rates of 30% to 50% are inevitable, so we train artificial intelligence to consume and attempt to make sense of those alerts for us. Cybersecurity must evolve beyond making ineffective processes faster. It's time to redefine protection and lean from response toward prevention. What if detection were accurate and fast enough to make a difference _before_ an alert was generated?

We can give defenders the ability to see deeply into network sessions to expose the techniques that hackers employ. We can expose those techniques quickly enough to make a difference so that entire categories of attacks are stopped before they begin, and minor evasions such as changing IP addresses are no longer effective. The detection accuracy is so good that false positives are a thing of the past. It's time to develop and introduce automated preventive controls into an industry that is overly optimized for response.

True protection is no longer a myth. The technology exists today to make this a reality. With ransomware on the rise, defenders are rightly being asked to focus on resilience and recovery. The reality is that defenders will add this focus on resilience and recovery as another task or project on top of their already overwhelming days spent chasing incidents and being buried in false alarms, all while considering quitting the business. We can retrain and reskill our cyber workforce to be stewards of true protection, giving them time and space to do their jobs and make a difference. This is the future of cybersecurity — and that future begins now.

The Myth of Protection Online — and What Comes Next

Agentless approach meets the attacker earlier to protect financial services and other large enterprises from an underserved attack vector.

**NEW YORK, NY – Aug. 3, 2022** – Deep Instinct, the first company to apply end-to-end deep learning to cybersecurity, today delivered Deep Instinct Prevention for Applications, an agentless, on-demand, antimalware solution for the enterprise that is device and operating system agnostic. This new offering revolutionizes threat protection beyond the endpoint with flexible, deploy anywhere, in-transit file scanning via API to quickly return a malicious versus benign verdict at enterprise speed. It protects any web application or cloud storage from malicious content while fully ensuring data privacy.

Until now, financial services and other industries with petabytes of data in motion each day have been at high risk from uploaded malicious content that can be detonated upon download from storage. These organizations have been relying on antiquated solutions that are slow, consume vast CPU and memory resources, and miss unknown malware, leaving this threat segment underserved.

In the wake of the pandemic, fintech transactions alone rose by 13% and their volume by 11%, indicating significant industry growth. With tens of millions of files in transit each day connected to high-value trading data, mortgage applications, insurance claims, and other sensitive information, financial institutions are at risk from unchecked malicious uploads or downloads and lack viable options to ensure infected content is not a threat to their operations or their customers. As threat actors seek alternative points of entry into enterprise environments, this risk factor will only increase. In fact, one study found that 35% of "never-before-seen" malware files were hidden in Microsoft Office and PDF files.

"As threat actors compromise points of entry beyond the endpoint, financial services institutions that exchange tens of millions of files each day are at increased risk. This was primarily created by the failure of established antivirus, network and other solutions to evolve. They are slow, can't scale or process high volumes of daily traffic or handle large file sizes, and often resort to sandboxing. As a result, they continue to miss unknown threats, and incur high infrastructure costs. "That's the worst of both worlds for an enterprise," said Guy Caspi, CEO and Co-Founder of Deep Instinct. "Deep Instinct is disrupting the cybersecurity status quo by setting a new standard for preventing malicious files, both known and unknown, before they reach storage."

Deep Instinct Prevention for Applications provides organizations an on-demand, high-speed scanning solution that prevents \>99% unknown malware hidden in files and easily scales to scan tens of millions of files per day. With very low CPU requirements, a low false-positive rate of <0.1%, near zero latency, and low processing requirements, Deep Instinct provides the most innovative solution for this underserved threat gap. A typical traditional AV solution is ineffective at preventing unknown malware, will require sandbox and cloud intelligence checks, and takes an average of 90 seconds to 3 minutes to make decisions. Traditional AV/sandbox solutions are ineffective at solving this issue as they are easily evaded and slow to respond. This increases risk and negatively affects the user experience but impacts the business by slowing down critical processes.

"Deep Instinct is addressing a major pain point of today's enterprise — their exposure to an ever-expanding number of attack vectors," said David OLeary, Field CISO – Sr. Director, Global Cybersecurity, SHI. "We look forward to bringing this truly unique solution to our enterprise customer base and helping them better protect themselves and their customers from malicious content as they exchange important files every day."

Other benefits of Deep Instinct Prevention for Applications include the following:

*   Does not rely on the cloud to provide a verdict.
*   Only the file hash ever leaves the environment, retaining full customer data privacy.
*   No customer data is used for training or updating AI models.
*   Minimal infrastructure resources, including CPU and memory usage, combined with a small footprint, ensure a low total cost of ownership.

For more product information and case studies, please visit: https://deepinstinct.com/prevention-for-applications.

**About Deep Instinct**

Deep Instinct takes a prevention-first approach to stopping ransomware and other malware using the world's first and only purpose-built, deep-learning cybersecurity framework. We predict and prevent known, unknown, and zero-day threats in <20 milliseconds, 750X faster than the fastest ransomware can encrypt. Deep Instinct has >99% zero-day accuracy and promises a <0.1% false positive rate. The Deep Instinct Prevention Platform is an essential addition to every security stack — providing complete, multilayered protection against threats across hybrid environments. For more, visit www.deepinstinct.com.

Tag

#intel