Technology tuck-in enhances industry's broadest XDR security platform.

**DALLAS****,** **Feb. 22, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, has announced the signing of a definitive agreement to acquire Anlyz, a leading provider of security operations center (SOC) technology. The acquisition will extend Trend's orchestration, automation and integration capabilities and will enable enterprises and Managed Security Service Providers (MSSPs) to improve operational efficiencies, cost effectiveness and security outcomes.

The deal encompasses intellectual property, industry expertise and more than 40 technical employees all focused on bolstering Trend's security platform strategy. With this acquisition, the company will expand its engineering team of over 3000, adding a new research & development center in Bangalore, India.

Managed Security Service Providers (MSSPs) will be empowered to grow their strategic SOC services while minimizing the complexity of the underlying security stack by reducing the number of technology vendors needed. Trend's enterprise customers will benefit from a comprehensive extended detection and response (XDR) and incident response orchestration platform that can maximize analyst productivity and help relieve resource constraints.

Gartner research stated, "As buyers, both end customers and service providers, continue to consolidate vendors/providers, buyers will seek best-of-suite and integrated solutions over best-of- breed point solutions. Preferred technology vendors will be those that ease integration with other IT and security technology and tools within the environment, supporting efforts toward use-case-based outcomes."\[1\]

"We are happy to welcome the Anlyz team into the Trend family – together we are increasing SOC effectiveness and reducing both the technology and resources burdens," said Kevin Simzer, Chief Operating Officer at Trend Micro. "Due to market pressure, we see organizations moving past security point-solution experiments in preference for platform breadth that allows for vendor consolidation, maximized return on investments and efficiencies."

Trend Micro and Anlyz have been technology alliance partners since 2021 and share more than 30 joint customers that are positioned to move forward quickly to capitalize on the opportunities ahead.

\[1\] Gartner®, Emerging Trends: Future of Security Services, Shawn Eftink, John Collins, November 2021 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Eventus TechSol is one of the many MSSPs powering joint customers delivering measurable "XDR Powered SOC" improvements for clients. "We have reduced the mean-time-to-detect and mean-time-to-respond ratio, down from weeks to hours for incidents," said Jay Thakker, Practice Head at the company. "We use playbooks for log enrichment and automated response as well as threat intelligence and threat hunting capabilities provided by the platform to proactively hunt for known and behavioral attacks."

Anlyz has primarily focused on security orchestration and case management delivering powerful SOAR capabilities for MSSPs to manage the incident response process across multiple clients. It also offers intelligent log aggregation enabling data ingestion and enrichment across a range of data sources and security solutions, using a high performance, scalable architecture. Trend will leverage Anlyz's SOAR solution and rich set of product connectors to broaden its platform and enable additional integration and automation options across customers' IT ecosystems.

Trend's MSSP channel customers will benefit from:

*   An anchor technology platform to manage the SOC function for their clients
*   A reduced requirement to architect individual custom solutions for their customers, thanks to an integrated core stack and multi-tenant view out of the box
*   Visibility, analysis, and automation across Trend, third-party products, and customer instances, making it easier to manage XDR across multiple customers
*   A scalable, flexible, and feature-rich platform to appeal to all types of customers no matter the size and complexity of their IT environment

**Notice Regarding Forward-Looking Statements**

Certain statements included in this press release that are not historical facts are forward-looking statements. Forward-looking statements are sometimes accompanied by words such as "believe," "may," "will," "estimate," "continue," "anticipate," "intend," "expect," "should," "would," "plan," "predict," "potential," "seem," "seek," "future," "outlook" and similar expressions that predict or indicate future events or trends or that are not statements of historical matters. These forward-looking statements include, but are not limited to, statements concerning the future plans or prospects for the acquisition. These statements are based on our current expectations and beliefs and are subject to a number of factors and uncertainties that could cause actual results to differ materially from those described in the forward-looking statements. Although we believe that the expectations reflected in our forward-looking statements are reasonable, we do not know whether our expectations will prove correct. You are cautioned not to place undue reliance on these forward-looking statements, which speak only as of the date hereof, even if subsequently made available by us on our website or otherwise. We do not undertake any obligation to update, amend or clarify these forward-looking statements, whether as a result of new information, future events or otherwise, except as may be required under applicable securities laws.

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.  

The Gartner Report(s) described herein, (the "Gartner Report(s)") represent(s) data, research opinion or viewpoints published, as part of a syndicated subscription service, by Gartner, Inc. ("Gartner"), and are not representations of fact. Each Gartner Report speaks as of its original publication date (and not as of the date of this Prospectus) and the opinions expressed in the Gartner Report(s) are subject to change without notice.

SOURCE Trend Micro Incorporated

Trend Micro Acquires SOC Technology Expert Anlyz

Attackers are now using multiple types of distributed denial-of-service (DDoS) attacks to take down sites. Here are some ways to defend and protect.

Distributed denial-of-service (DDoS) attacks occur when an individual device, known as a bot, or a network of devices, known as a botnet, is infected with malware. These bots or botnets flood websites with increased traffic volumes over a period of hours or even days in an attempt to take services offline. Recently, hacktivist groups have begun leveraging DDoS attacks to extort site owners for financial, competitive advantage, or political reasons. This can represent a serious threat for enterprise businesses.

Planning and preparation are key to developing an effective DDoS defense. But first you need to understand how these attacks work.

**DDoS Attack Types**

New DDoS attack vectors emerge every day thanks to innovative artificial intelligence (AI) technology and a growing cybercrime ecosystem. But in general, there are three main types of DDoS attacks, each of which encompasses a variety of cyberattacks. The first is known as a volumetric attack, which primarily focuses on bandwidth and is designed to overwhelm the network layer with traffic. For example, domain name server (DNS) amplification attacks leverage open DNS servers to flood a target with DNS response traffic.

Another type of DDoS is a protocol attack, which exploits weaknesses in Layers 3 and 4 of the protocol stack, targeting critical resources. For example, synchronization packet floods (SYN) will consume all available server resources as a way to make servers unavailable.

Finally, a resource layer attack disrupts data transmission between hosts by targeting web application packets. For example, SQL injection attacks will insert malicious code into strings. These strings are subsequently passed to a SQL server to be parsed and executed.

And while these categories can cover a broad range of DDoS attacks, security teams also need to be aware that cybercriminals can compromise their networks by using multiple attack types from different categories.

**Protecting Against, Responding to DDoS Attacks**

When websites or servers go down, companies risk losing sales and customers, incurring high recovery costs and damaging their reputations. In some regions and industry sectors, they may even be subject to penalties and fines. Here are four ways to respond to DDoS attacks.

**1\. Evaluate Your Risks and Make Sure You're Protected**

The first step is to identify the publicly exposed applications within your organization. Make sure you note typical application behavior patterns so you can identify anomalies and respond accordingly. Because DDoS attacks typically spike during peak business seasons, such as the holidays, organizations should look for scalable DDoS protection services with advanced mitigation capabilities. Specific service features include traffic monitoring; adaptive real-time tuning; DDoS protection telemetry, monitoring, and alerting; and access to a rapid response team.

**2\. Get Prepared With a DDoS Response Strategy**

One proactive measure that all companies should take is to develop a rapid response strategy. Start by forming a DDoS rapid response team that knows how to identify, mitigate, and monitor attacks. This team should also be able to work with internal stakeholders and customers.

**3\. Identify Potential Weaknesses**

Use attack simulations to understand how your services will respond in the event of an attack. These simulations should confirm that your services or applications will be able to function normally without disrupting users' experiences, and they should happen during off-business hours or within a staging environment to minimize business impact. When conducting an attack simulation, make sure you identify potential technology and process gaps to inform your DDoS response strategy.

**4\. Respond, Learn, Adapt In the Face of Attacks**

In the event of an actual DDoS attack, contact an established DDoS response team or other technical professionals to conduct your attack investigation and post-attack analysis. This retrospective analysis is especially critical as it can help to clarify whether service or user disruptions were due to a lack of scalable architecture. Focus your evaluation on which applications or services experienced the greatest disruptions, as well as the effectiveness of your DDoS response strategy.

Of course, DDoS attacks are just one type of emerging cyberthreat. For more information on ongoing cybersecurity developments and best practices, check out Microsoft Security Insider.

4 Tips to Guard Against DDoS Attacks

In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service

Summary

Zipbomb resource exhaustion in Octopus Server (CVE-2022-2883)

Advisory Number

2023-01

Discovery Date

05 Nov 2022

Patch Release Date

06 Feb 2023

Advisory Release Date

14 Feb 2023

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-2883

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.4.8423 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service

The versions of Octopus Server affected by this vulnerability are:

*   All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
*   All 2018.x.x, 2019.x.x, 2020.x.x, 2021.x.x versions
*   All 2022.1.x, 2022.2.x versions
*   All 2022.3.x versions before 2022.3.11043
*   All 2022.4.x versions before 2022.4.8401

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.3.11043
*   2022.4.8401

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.4.8423). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.4.8423):**

If you have feature version...

...then upgrade to this version

0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x

2022.3.11043 or greater

2018.x, 2019.x, 2020.x, 2021.x

2022.3.11043 or greater

2022.1.x, 2022.2.x

2022.3.11043 or greater

2022.3.x

2022.3.11043 or greater

2022.4.x

2022.4.8401 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2883, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-2883: Security Advisory 2023-02

Making the option available only to paid subscribers — while also claiming SMS authentication is broken — doesn't make sense, some say. Is it a cash grab?

Twitter's sudden decision to disable SMS-based two-factor authentication (2FA) for all users except subscribers of its paid Twitter Blue service has infuriated security experts and further tarnished the social media giant's already somewhat dubious reputation for protecting users of its services.

Twitter, on Feb. 15, announced that in 30 days it would disable text-message based — or SMS-based — 2FA for all but paying Twitter Blue subscribers. "After 20 March 2023, we will no longer permit non-Twitter Blue subscribers to use text messages as a 2FA method," the company said. "At that time, accounts with text message 2FA still enabled will have it disabled."

Several analysts view the move as ill-conceived and weakening protections for the millions of users that currently use the two-factor option when accessing their Twitter accounts. Even those who agree with Twitter's view about text message-based authentication mechanisms being somewhat susceptible to attack still perceive it as offering magnitudes more protection than not having a second factor at all.

**Twitter's Ill-Conceived Move**

"The optics are certainly bad," says Richard Stiennon, chief research analyst at IT-Harvest. "This move seems to put a price on better security for Twitter which is the poster child for account takeover attacks dating back to 2008 when a script kiddie in California ran John the Ripper against celebrity accounts to guess their passwords."

The company urged users that still want to enable 2FA for their Twitter accounts to consider using an authentication app or security key/token as their second factor. Authentication apps are mobile apps that generate a one-time password or key that users can use in addition to their password when accessing an account on which they have enabled two-factor authentication. Examples include Google Authenticator, Microsoft Authenticator, and LastPass Authenticator. 

Security keys are usually a physical device — like a USB dongle — that users can use to verify their identity when logging in to an account. "These methods require you to have physical possession of the authentication method and are a great way to ensure your account is secure," Twitter said.

"Using an authenticator app is better \[than text-based 2FA\]," Steinnon notes, "but there will never be a large number of users unless Twitter makes such an app a requirement and makes it available for free."

**Raising Questions About Text-Based 2FA**

The social media company's brief statement announcing its decision to stop SMS authentication alluded to concerns over the security of the process as the main motivation: "While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used — and abused — by bad actors."

The widespread use of mobile devices for SMS-based 2FA authentication, for instance, has driven an increase in so called SIM-swapping attacks, where a threat actor transfers another individual's phone number to their SIM card so they can intercept the SMS authentication messages used for 2FA. Concerns over weaknesses in mobile networks allowing attackers to intercept SMS messages and use it to break into 2FA protected accounts have persisted for years, as have calls to replace it with stronger token and app based token generators.

Nonetheless, Stiennon and others dismiss that explanation as not being enough reason to disable the option for anyone that wants to use it. "For highly targeted attacks, it is true that SMS can be intercepted by determined attackers," he says, noting that such attacks are rare.

**An Attempt to Raise Revenue?**

John Pescatore, director of emerging security trends at the SANS Institute, says Twitter's move is somewhat akin to a bank insisting that users of a free checking account only enter their PIN — and not their ATM card as well — to use an ATM machine. "While SMS messaging as 2FA is less secure than tokens, trusted apps, or other phishing-resistant forms, it is still so much more secure than reusable passwords," he says.

"The only justification for what they are doing is an attempt to raise revenue," Pesactore tells Dark Reading. Otherwise, why would they allow a supposedly less secure authentication only be available to their paid subscribers, he points out.

A transparency report that Twitter released in December 2021 showed at that time that some 2.4% of active Twitter accounts had enabled 2FA. Of that, 74.4% used SMS authentication, 28.9% used an authentication app, and 0.5% had a security key. Based on those numbers (the most recent), only a relatively small proportion of Twitter's active accounts would appear directly impacted by Twitter's recent decision — though, of course, adoption could have increased since 2021. Still, some see it as another indication of what they perceive as Twitter's cavalier attitude toward user security. Earlier this year, after all, an apparent API endpoint compromise at Twitter allowed an attacker to steal data on some 200 million Twitter users and put it up for sale on an underground forum.

"Twitter has a consistently poor record around security," Pescatore notes. Last year, for instance, the Federal Trade Commission assessed a $150 million civil penalty over the company not taking steps required of them to fix problems that caused privacy violations dating back years, he says. Those violations had to do with Twitter using phone numbers and email addresses that it collects for 2FA to deliver targeted advertising instead. 

"Under new ownership, this year they first tried to increase revenue by giving verified identity status to anyone willing to pay $8," Pescatore adds.

**Coming Under the Microscope**

As if the company's security challenges were not bad enough, Elon Musk's controversial leadership of Twitter has also put the company's every move under the microscope.

"As with anything to do with Twitter nowadays, the broader context for their decisions invites a lot of controversy from all over the political spectrum," says Fernando Montenegro, an analyst with Omdia.

With the latest move, there's a general understanding that SMS 2FA is less resistant to some attacks than the authenticator apps or security keys. So getting users to move towards "better" MFA is a good thing for potentially improving resilience against these attacks, he adds. "It's also a decision that saves Twitter money, as they will no longer be sending MFA SMS messages to accounts that are not subscribers," Montenegro says.

The key question here is whether people use SMS because it's easier to set it up or just because they don't know about alternatives, he points out. "If the former, and Twitter doesn't make the process easier, then security is likely to suffer. If the latter, then their decision can actually result in more people knowing about other options for MFA and turning those on."

Analysts Slam Twitter's Decision to Disable SMS-Based 2FA

By Waqas
Threat actors have hacked two data centers in Asia and accessed login credentials of top technology giants, including Apple, Uber, Microsoft, Samsung, Alibaba, etc., and leaked them on a hacker forum.
This is a post from HackRead.com Read the original post: Login Details of Tech Giants Leaked in Two Data Center Hacks

The leaked data includes email addresses, password hashes, names, phone numbers, and more.

Hackers obtained login credentials for several mainstream corporate giants, including Microsoft, Samsung, Uber and Apple, etc. and gained remote access to the entities’ surveillance cameras after attacking two data centers in Asia.

A screenshot from the leaked data shows login credentials for Samsung, Amazon, Uber, Alibaba and more. (Credit: Hackread.com)

This was **revealed** by the cyber security firm Resecurity. The company originally identified the data breach in September 2021; however, details of it were only revealed to the media now as on February 20th, 2023, hackers leaked the stolen login credentials online.

It is worth noting that these credentials were leaked on Breachforums by a threat actor going by the handle of “Minimalman.” For your information, Breachforums is a hacker and cybercrime forum that surfaced as an alternative to the popular and **now-seized Raidforums**.

According to Resecurity, hackers accessed two of the largest data center operators in Asia that were being used by several mainstream companies and technology giants. From there, the hackers could obtain customer support logins for high-profile companies, including Amazon and Apple, BMW, Microsoft, Alibaba, Walmart, Goldman Sachs, etc.

As seen by Hackread.com on the hacker forum, the threat actors managed to obtain and leak credentials from over 2,000 firms and a Chinese foreign-exchange platform.

The data centers have been identified as Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global. Both data centers reportedly forced all customers to change their passwords in January 2023.

**Dangers**

The dangers of hackers obtaining login credentials of tech giants such as Apple, Amazon, Microsoft, Samsung and others are numerous and severe. Firstly, such credentials allow hackers to access sensitive customer data, including payment information and personal details, which can lead to **identity theft and financial fraud**.

Secondly, hackers can use these credentials to gain access to the company’s networks, potentially compromising intellectual property and trade secrets. Additionally, with access to company accounts, hackers can launch cyber attacks against other organizations, amplifying the damage caused by their actions.

Furthermore, a breach of a tech giant’s login credentials can have far-reaching consequences, impacting not only the company and its customers but the wider economy and society as a whole. For instance, if a company like Amazon were to suffer a significant data breach, it could lead to a loss of consumer trust, which could in turn affect the confidence of investors and the stock market.

Moreover, a successful hack of a tech giant’s credentials could inspire copycat attacks, leading to an escalation in cybercrime and potentially destabilizing the digital infrastructure that underpins much of our daily lives.

To mitigate these risks, tech giants must remain vigilant in their cybersecurity measures, ensuring that their systems are regularly updated and that their employees are trained to detect and prevent security breaches.

Companies must also invest in advanced technologies such as machine learning and artificial intelligence to detect and respond to cyber threats in real time. Finally, companies must ensure that they comply with industry standards and regulations related to cybersecurity, such as the General Data Protection Regulation (**GDPR**), to protect the privacy and security of their customers.

1.  **Sydney Data Center Targeted By FinFisher Spyware**
2.  **Hackers attack National Data Center with watering hole attack**
3.  **Hyperconverged Infrastructure (HCI) is Changing Data Centers**
4.  **Top sites affected after OVH data center catches disastrous fire**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Login Details of Tech Giants Leaked in Two Data Center Hacks

This advisory ties together older research on a contact file handling flaw on Microsoft Windows as well as recent research discovered that uses the same methodologies.

[-] Microsoft Windows Contact file / Remote Code Execution (Resurrected 2022)  / CVE-2022-44666

[+] John Page (aka hyp3rlinx)  
[+] twitter.com/hyp3rlinx  
[+] ISR: ApparitionSec

Back in 2018 I discovered three related Windows remote code execution vulnerabilities affecting both VCF and Contact files.  
They were purchased by Trend Micro Zero Day Initiative (@thezdi) from me and received candidate identifiers ZDI-CAN-6920 and ZDI-CAN-7591.  
Microsoft as usual denied a fix and it was subsequently dropped as a zero day on January 10, 2019 in coordination with the ZDI program.

Almost five years passed, until researcher j00sean resurrected the flaws to add additional protocol vectors LDAP etc.  
Microsoft finally decided to patch and assign CVE-2022-44666 even though the vulnerabilities are exactly the same.

Old 2019 advisories:  
=====================  
1) Windows VCF RCE  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CODE-EXECUTION.txt

2) Windows Contact HTML injection  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt

3) Windows Contact RCE  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt

Circa 2022 updated:  
=====================  
https://github.com/j00sean/CVE-2022-44666#readme  
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44666

Additional References:  
=======================  
https://www.zerodayinitiative.com/advisories/ZDI-19-013/  
https://www.zdnet.com/article/poc-for-windows-vcf-zero-day-published-online/  
https://thehackernews.com/2019/01/vcard-windows-hacking.html  
https://twitter.com/hyp3rlinx/status/1083528552253919232  
https://seclists.org/bugtraq/2019/Jan/43  
https://vimeo.com/312824315  
https://www.exploit-db.com/exploits/46167  
https://www.rapid7.com/db/modules/exploit/windows/fileformat/microsoft_windows_contact/

Special thanks to j00sean for his work and resurrecting this vulnerability from the dead and helping deal with M$

hyp3rlinx

Microsoft Windows Contact File Remote Code Execution

Twitter is disabling SMS-based two-factor authentication. Switch to these alternatives to keep your account safe.

The latest bizarre move of Elon Musk’s Twitter ownership weakens the security of millions of accounts. On February 17, Twitter announced plans to stop people using SMS-based two-factor authentication to secure their accounts—unless they start paying for a Twitter Blue subscription. However, there are more secure, free, and easier ways to continue protecting your Twitter account with two-factor authentication.

Two-factor authentication, also known as 2FA or multi-factor authentication, is one of the most effective ways to protect your online accounts from being hacked. When logging in to a website, app, or service, 2FA requires you to sign in using your username and password, then verify that the login is authentic using another piece of information. Most commonly, this involves entering a temporary code that’s generated or sent to you in real time.

This second piece of information helps to prove that the person logging in is actually you. While billions of passwords have been compromised online, the 2FA code is often delivered to or created by the device that’s in your pocket. Having any kind of two-factor authentication turned on is better than none. However, it isn’t entirely foolproof. For years, security researchers have warned that SMS-based two-factor authentication isn’t as secure as other 2FA options.

That’s because SIM-swapping attacks, where phone numbers are compromised by attackers, let criminals access 2FA messages and break into accounts. Put simply: Using another 2FA option, even if it is slightly less convenient, is your best option.

In its announcement, Twitter said people have 30 days to turn off SMS-based 2FA and move to another option. It said the system had been abused by “bad actors” in the past. On March 20, Twitter will “disable” using text messages for two-factor authentication—unless you pay for the privilege. People have already started seeing pop-ups telling them to “remove text message two-factor authentication” before this date. 

However, Twitter’s announcement has baffled, confused, and angered security researchers. They say removing SMS-based 2FA just for people who don’t pay for Twitter Blue doesn’t make any sense and will weaken people’s security if they do not move to another 2FA option. Here’s what you should do to keep your account secure.

Use an Authenticator App or Security Key

Instead of turning 2FA off on your Twitter account, there are two better options: authenticator apps and security keys. They both work using the same principles as SMS-based 2FA. To enable either of these alternatives you will need to visit Twitter, open its **Settings and privacy**, then **Security and account access**, **Security**, and finally **Two-factor authentication**. (Or just click here if you are logged in). Here you will get the option to use two-factor authentication via an app or using security keys.

Instead of sending your six-digit authentication code via SMS message, authenticator apps are constantly generating the codes themselves and are synced with the services you use. Authenticator apps list all the websites you have registered with them and display the codes you need to enter to log in. These codes refresh every 30 seconds. Each time you need to log in to a website or app, you visit the authenticator app after entering your username and password to get the authentication code instead of waiting for a text message. (It’s particularly helpful if your phone doesn’t have connectivity for some reason.)

There are multiple, free two-factor authentication apps to pick from, although they all offer the same essential service and can be used across platforms. The big players have their own apps:There’s Google’s Authenticator App and Microsoft Authenticator. Alternatively, various password managers that you may already use, such as 1Password, have their own authenticator services. There’s also Twilio’s Authy App. And if you have an iPhone, you can use Apple’s built-in generator. 

Each has pros and cons that you should consider before picking one. For instance, you may be heavily locked into Microsoft’s or Google’s ecosystems and want to use their apps. Google’s is relatively basic but doesn’t sync elsewhere; Microsoft’s app offers password management services. However, the Microsoft and Authy apps appear to collect more user analytics data than Google’s. Whatever app you pick, it’s possible to switch to another authenticator.

Setting up an authentication app on Twitter, and anywhere else, is simple. For Twitter, you need to visit its 2FA page. Then open your authentication app, select the option to add a new account, then scan the QR Twitter shows you. Enter the six-digit code on your app and you’re done.

Alternatively, instead of an authenticator app, you can use a security key. The keys are physical pieces of hardware that you either plug into your computer when logging in or connect to your phone. They’re the most secure method of 2FA as an attacker physically needs the key to log in to your account—whereas an attacker always has the possibility of trying to trick you into handing over a generated six-digit authentication code.

Once you’ve set up an authenticator app or hardware key for Twitter, you’ll also want to make a note of Twitter’s backup code for your account. The backup code can be used to log in to Twitter if you can’t access your 2FA options, such as losing your phone or security key. (The first time you set up 2FA on Twitter it will provide you with a backup code, although this can be regenerated online.) You should save this in a safe place, such as your password manager.

How to Protect Yourself from Twitter’s 2FA Crackdown

New research shows that 57 vulnerabilities that threat actors are currently using in ransomware attacks enable everything from initial access to data theft.

Many vulnerabilities that ransomware operators used in 2022 attacks were years old and paved the way for the attackers to establish persistence and move laterally in order to execute their missions.

The vulnerabilities, in products from Microsoft, Oracle, VMware, F5, SonicWall, and several other vendors, present a clear and present danger to organizations that haven't remediated them yet, a new report from Ivanti revealed this week.

**Old Vulns Still Popular**

Ivanti's report is based on an analysis of data from its own threat intelligence team and from those at Securin, Cyber Security Works, and Cyware. It offers an in-depth look at vulnerabilities that bad actors commonly exploited in ransomware attacks in 2022.

Ivanti's analysis showed that ransomware operators exploited a total of 344 unique vulnerabilities in attacks last year—an increase of 56 compared to 2021. Of this, a startling 76% of the flaws were from 2019 or before. The oldest vulnerabilities in the set were in fact three remote code execution (RCE) bugs from 2012 in Oracle's products: CVE-2012-1710 in Oracle Fusion middleware and CVE-2012-1723 and CVE-2012-4681 in the Java Runtime Environment.

Srinivas Mukkamala, Ivanti’s chief product officer, says that while the data shows ransomware operators weaponized new vulnerabilities faster than ever last year, many continued to rely on old vulnerabilities that remain unpatched on enterprise systems. 

"Older flaws being exploited is a by-product of the complexity and time-consuming nature of patches," Mukkamala says. "This is why organizations need to take a risk-based vulnerability management approach to prioritize patches so that they can remediate vulnerabilities that pose the most risk to their organization."

**The Biggest Threats**

Among the vulnerabilities that Ivanti identified as presenting the greatest danger were 57 that the company described as offering threat actors capabilities for executing their entire mission. These were vulnerabilities that allow an attacker to gain initial access, achieve persistence, escalate privileges, evade defenses, access credentials, discover assets they might be looking for, move laterally, collect data, and execute the final mission.

The three Oracle bugs from 2012 were among 25 vulnerabilities in this category that were from 2019 or older. Exploits against three of them (CVE-2017-18362, CVE-2017-6884, and CVE-2020-36195) in products from ConnectWise, Zyxel, and QNAP, respectively, are not currently being detected by scanners, Ivanti said.

A plurality (11) of the vulnerabilities in the list that offered a complete exploit chain stemmed from improper input validation. Other common causes for vulnerabilities included path traversal issues, OS command injection, out-of-bounds write errors, and SQL injection. 

**Widely Prevalent Flaws Are Most Popular**

Ransomware actors also tended to prefer flaws that exist across multiple products. One of the most popular among them was CVE-2018-3639, a type of speculative side-channel vulnerability that Intel disclosed in 2018. The vulnerability exists in 345 products from 26 vendors, Mukkamala says. Other examples include CVE-2021-4428, the infamous Log4Shell flaw, which at least six ransomware groups are currently exploiting. The flaw is among those that Ivanti found trending among threat actors as recently as December 2022. It exists in at least 176 products from 21 vendors including Oracle, Red Hat, Apache, Novell, and Amazon.

Two other vulnerabilities ransomware operators favored because of their widespread prevalence are CVE-2018-5391 in the Linux kernel and CVE-2020-1472, a critical elevation of privilege flaw in Microsoft Netlogon. At least nine ransomware gangs including those behind Babuk, CryptoMix, Conti, DarkSide, and Ryuk, have used the flaw, and it continues to trend in popularity among others as well, Ivanti said.

In total, the security found that some 118 vulnerabilities that were used in ransomware attacks last year were flaws that existed across multiple products.

"Threat actors are very interested in flaws that are present in most products," Mukkamala says.

**None on the CISA List**

Notably, 131 of the 344 flaws that ransomware attackers exploited last year are not included in the US Cybersecurity and Infrastructure Security Agency's closely followed Known Exploited Vulnerabilities (KEV) database. The database lists software flaws that threat actors are actively exploiting and which CISA assesses as being especially risky. CISA requires federal agencies to address vulnerabilities listed in the database on a priority basis and usually within two weeks or so.

"It's significant that these aren't in CISA's KEV because many organizations use the KEV to prioritize patches," Mukkamala says. That shows that while KEV is a solid resource, it doesn't provide a full view of all the vulnerabilities being used in ransomware attacks, he says.

Ivanti found that 57 vulnerabilities used in ransomware attacks last year by groups such as LockBit, Conti, and BlackCat, had low- and medium-severity scores in the national vulnerability database. The danger: this could lull organizations who use the score to prioritize patching into a false sense of security, the security vendor said.

Majority of Ransomware Attacks Last Year Exploited Old Bugs

Unknown malware presents a significant cybersecurity threat and can cause serious damage to organizations and individuals alike. When left undetected, malicious code can gain access to confidential information, corrupt data, and allow attackers to gain control of systems. Find out how to avoid these circumstances and detect unknown malicious behavior efficiently. 
Challenges of new threats'

Unknown malware presents a significant cybersecurity threat and can cause serious damage to organizations and individuals alike. When left undetected, malicious code can gain access to confidential information, corrupt data, and allow attackers to gain control of systems. Find out how to avoid these circumstances and detect unknown malicious behavior efficiently.

**Challenges of new threats' detection**

While known malware families are more predictable and can be detected more easily, unknown threats can take on a variety of forms, causing a bunch of challenges for their detection:

1.  Malware developers use polymorphism, which enables them to modify the malicious code to generate unique variants of the same malware.
2.  There is malware that is still not identified and doesn't have any rulesets for detection.
3.  Some threats can be Fully UnDetectable (FUD) for some time and challenge perimeter security.
4.  The code is often encrypted, making it difficult to detect by signature-based security solutions.
5.  Malware authors may use a "low and slow" approach, which involves sending a small amount of malicious code across a network over a long time, which makes it harder to detect and block. This can be especially damaging in corporate networks, where the lack of visibility into the environment can lead to undetected malicious activity.

**Detection of new threats**

When analyzing known malware families, researchers can take advantage of existing information about the malware, such as its behavior, payloads, and known vulnerabilities, in order to detect and respond to it.

But dealing with new threats, researchers have to start from scratch, using the following guide:

**Step 1.** Use reverse engineering to analyze the code of the malware to identify its purpose and malicious nature.

**Step 2**. Use static analysis to examine the malware's code to identify its behavior, payloads, and vulnerabilities.

**Step 3.** Use dynamic analysis to observe the behavior of the malware during execution.

**Step 4.** Use sandboxing to run the malware in an isolated environment to observe its behavior without harming the system.

**Step 5.** Use heuristics to identify potentially malicious code based on observable patterns and behaviors.

**Step 6.** Analyze the results of reverse engineering, static analysis, dynamic analysis, sandboxing, and heuristics to determine if the code is malicious.

There are plenty of tools from Process Monitor and Wireshark to ANY.RUN to help you go through the first 5 steps. But how to draw a precise conclusion, what should you pay attention to while having all this data?

The answer is simple - focus on indicators of malicious behavior.

**Monitor suspicious activities for effective detection**

Different signatures are used to detect threats. In computer security terminology, a signature is a typical footprint or pattern associated with a malicious attack on a computer network or system.

Part of these signatures is behavioral ones. It's impossible to do something in the OS and leave no tracing behind. We can identify what software or script it was via their suspicious activities.

You can run a suspicious program in a sandbox to observe the behavior of the malware and identify any malicious behavior, such as:

*   abnormal file system activity,
*   suspicious process creation and termination
*   abnormal networking activity
*   reading or modifying system files
*   access system resources
*   create new users
*   connect to remote servers
*   execute other malicious commands
*   exploit known vulnerabilities in the system

Microsoft Office is launching PowerShell – looks suspicious, right? An application adds itself to the scheduled tasks – definitely pay attention to it. A svchost process runs from the temp registry – something is definitely wrong.

You can always detect any threat by its behavior, even without signatures.

Let's prove it.

**Use case #1**

Here is a sample of the stealer. What does it do? Steals user data, cookies, wallets, etc. How can we detect it? For example, it reveals itself when the application opens the Chrome browser's Login Data file.

Stealer's suspicious behavior

The activity in the network traffic also announces the threat's malicious intentions. A legitimate application would never send credentials, OS characteristics, and other sensitive data collected locally.

In the case of traffic, malware can be detected by well-known features. Agent Tesla in some cases does not encrypt data sent from an infected system like in this sample.

Suspicious activity in the network traffic

**Use case #2**

There are not many legitimate programs that need to stop Windows Defender or other applications to protect the OS or make an exclusion for itself. Every time you encounter this kind of behavior – that's a sign of suspicious activity.

Suspicious behavior

Does the application delete shadow copies? Looks like ransomware. Does it remove shadow copies and create a TXT/HTML file with readme text in each directory? It's one more proof of it.

If the user data is encrypted in the process, we can be sure it is ransomware. Like what happened in this malicious example. Even if we do not know the family, we can identify what kind of security threat this software poses and then act accordingly and take measures to protect working stations and the organization's network.

Ransomware suspicious behavior

We can draw conclusions about almost all kinds of malware based on the behavior observed in the sandbox. Try ANY.RUN online interactive service to monitor it - you can get the first results immediately and see all malware's action in real time. Exactly what we need to catch any suspicious activities.

Write the **"HACKERNEWS2"** promo code at support@any.run using your business email address and **get 14 days of ANY.RUN premium subscription for free**!

  
**Wrapping up**

Cybercriminals can use unknown threats to extort businesses for money and launch large-scale cyberattacks. Even if the malware family is not detected - we can always conclude the threat's functionality by considering its behavior. Using this data, you can build information security to prevent any new threats. Behavior analysis enhances your ability to respond to new and unknown threats and strengthens your organization's protection without additional costs.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

How to Detect New Threats via Suspicious Activities

Established network security players like Check Point are responding to the shift to cloud-native applications, which have exposed more vulnerabilities in open source software supply chains.

When Check Point Software acquired Israeli startup Spectral a year ago, it joined the ranks of other network security providers acknowledging the growing threat of software supply chain attacks. Spectral helped fill a critical gap in CloudGuard, Check Point's unified threat protection and network security platform for public and hybrid clouds, with its code scanning and leakage detection tools.

Spectral offers infrastructure as code (IaC) scanning, code-tampering prevention, hardcoded secrets detection source controls, and CI/CD security and source code leakage detection tools. It provided the underpinning of Check Point's Cloud-Native Application Protection Platform (CNAPP), which is now part of CloudGuard, one of four core Check Point product lines.

**Understanding the Role of CNAPP**

CNAPP is gaining a lot of attention as developers shift to cloud-native application development to support new business applications and digital transformation initiatives. Gartner describes CNAPPs as "an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production."

Developers are increasingly relying on open source code and microservices from a widely distributed and often vast community to compose their containers and serverless functions. While the source code may come from an established ecosystem, it is common for some components to have roots from unknown or obsolete sources. CNAPP enables organizations to establish DevSecOps processes where software developers take the lead in discovering potential flaws in code before deploying application runtimes into production, says Melinda Marks, a senior analyst at Enterprise Strategy Group.

"This is important for preventing security issues before you deploy your applications to the cloud because once you deploy them, they're available for the hackers," Marks says.

**Agentless Scanning and Other New Features**

After integrating Spectral's tools into CloudGuard upon completing last year's acquisition, Check Point added some critical new capabilities to the CNAPP, rolled out this month, including permissions and entitlement management, agentless scanning, and deeper risk scoring of an organization's entire environment. Check Point officials underscored the company CNAPP push last week during its annual CPX 360 event in New York.

"We significantly enriched the platform to address many important elements of the cloud-native control environment," Check Point chief product officer Dorit Dor tells Dark Reading. Check Point also announced plans to feed all data from CloudGuard to its new Horizon Events, a unified dashboard that gathers logs from the entire Check Point ecosystem. Check Point introduced Horizon Events late last year, and an early access version is now available.

For Check Point, adding CNAPP to CloudGuard was critical. Check Point's key competitors are also on the CNAPP bandwagon. Among them, Palo Alto Networks has significantly emphasized its Prisma Cloud, which recently gained added Software Composition Analysis (SCA) and Secret Scanning capabilities. In December, Palo Alto Networks acquired supply chain security tool provider Cider Security.

**Check Point Shares CNAPP Roadmap**

Dor touted Spectral's "very strong" secret scanning capabilities. She explained that developers could plug it into their CI/CD environments and implement policies as code through open policy agents.

Dor presented the roadmap for CloudGuard, noting that Check Point is looking to implement more AI. Check Point plans to improve observability and visibility to help developers identify malicious code. Also in the pipeline, Check Point is working on allowing CloudGuard to handle the entire software bill of materials (SBOM) lifecycle, ultimately enabling and enforcing them.

Check Point is also working on enhancing how CloudGuard works with network security. "Network Security has been there for a long time; we have a very mature network security solution," Dor said. "But the challenge now is to make it speak more of the language of the developers." Check Point is addressing that by integrating network security into its AWS Security framework and offering it with the AWS network security as a service. Dor noted that Check Point recently integrated CloudGuard network security with Microsoft Azure, allowing administrators to manage their Microsoft environments.

"It's a space for continuous investment," Dor said. With a direction toward multi-cloud coverage, the goal is to enable it to "support your developers natively and to support the system administration and giving you one cloud control plane."

Tag

#microsoft