** UNSUPPORTED WHEN ASSIGNED ** An issue in the UPnP protocol in 4thline cling 2.0.0 through 2.1.2 allows remote attackers to cause a denial of service via an unchecked CALLBACK parameter in the request header.

Universal Plug and Play (UPnP), a ubiquitous protocol used by “billions of devices,” may be vulnerable to data exfiltration and reflected amplified TCP distributed denial of service (DDoS) attacks.

**Background**

On June 8, researcher Yunus Çadirci published an advisory for CallStranger, a vulnerability in the Universal Plug and Play (UPnP) protocol. UPnP is currently managed by the Open Connectivity Foundation (OCF). As its name implies, UPnP is a protocol designed to allow a variety of networked devices to universally communicate with each other without any special setup or configuration.

Because of its ubiquitous nature, UPnP is used by a wide variety of devices, including personal computers, networking equipment, video game consoles and internet of things (IoT) devices such as smart televisions. As a result, Çadirci says this particular vulnerability potentially affects “billions of devices.”

**Analysis**

CVE-2020-12695 is a server-side request forgery (SSRF)-like vulnerability in devices that utilize UPnP. The vulnerability exists due to the ability to control the Callback header value in the UPnP SUBSCRIBE function.

Source: CallStranger Technical Report

The SUBSCRIBE function is part of the UPnP standard that allows devices to monitor changes in other devices and services. For example, the PoC published on GitHub shows port 2869 for Microsoft’s Xbox One — which is used to monitor device changes on the network for features like media sharing — as vulnerable.

In order to exploit the flaw, an attacker would need to send a specially crafted HTTP SUBSCRIBE request to a vulnerable device.

An attacker could utilize this vulnerability in the following scenarios:

*   Intranet device port scanning to gather additional data from trusted assets within an organization’s LAN, bypassing organizational Data Loss Prevention (DLP) standards.
*   Send large amounts of traffic to arbitrary destinations. Targets flooded by the affected devices could crash under the increased network load, resulting in a denial of service (DoS). This is a result of UPnP attempting to establish a TCP handshake with multiple SYN packets for all Callback values in the SUBSCRIBE request.
*   Exfiltrate sensitive device data by directing callback information to arbitrary targets.

With the exception of the DoS, these scenarios provide a stealthy method for an attacker to steal data from a compromised network. This sensitive information could potentially open up an organization to further attack.

**Proof of concept**

The original proof of concept (PoC) created by Çadirci has been added to his GitHub repository.

**Solution**

Since CallStranger is a protocol-level vulnerability, OCF has made changes to the UPnP protocol specification. Therefore, manufacturers of affected devices are in the process of determining its impact. As a result, we anticipate newly affected devices will be reported and patches will be released over time for devices still receiving product support. Tenable product coverage for this vulnerability can be found in the “identifying affected systems” section below.

At the time this blog post was published, the CallStranger website listed the following operating systems, networking equipment, printers, IoT devices and applications as reportedly vulnerable.

****Operating Systems****

**Vendor/Model**

**Version**

Windows 10

10.0.18362.719

Xbox One OS

10.0.19041.2494

****Networking Equipment****

**Vendor/Model**

**Version**

ASUS

RT-N11

Broadcom ADSL

\-

Cisco Wireless Access Point

WAP150 WAP131 WAP351

D-Link

DVG-N5412SP

Huawei

HG255s (HG255sC163B03) HG532e MyBox

NEC AccessTechnica

WR8165N

Netgear

WNHDE111

Ruckus ZoneDirector

\-

TP-Link

Archer C50

ZTE

ZXV10 W300 H108N

Zyxel

AMG1202-T10B

****Printers****

**Vendor/Model**

**Version**

Canon Selphy

CP1200

Dell

B1165NFW

EPSON EP, EW, XP Series Printers

\-

Hewlett Packard Deskjet, Photsmart and Officejet ENVY

\-

Samsung

X4300

****Internet of Things****

**Vendor/Model**

**Version**

Canal Digital ADB

TNR-5720 SX

Belkin Wemo

\-

Nokia HomeMusic Media Device

\-

Panasonic

BB-HCM735 VL-MWN350

Philips

2k14MTK TV (TPL161E\_012.003.039.001)

Samsung

UE55MU7000 (T-KTMDEUC-1280.5, BT - S) MU8000

Siemens

CNE1000

Trendnet

TV-IP551W

****Applications****

**Vendor/Model**

**Version**

ASUS Media Streamer

\-

LG Smartshare Media

\-

Sony Media Go Media

\-

Stream What You Hear

\-

Ubiquiti UniFi Controller

\-

**Identifying affected systems**

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Additionally, the table below lists several Tenable plugins to help identify devices within your network that may have UPnP enabled.

**Plugin ID**

**Description**

**Product**

10829

UPnP Client Detection

Nessus

35711

Universal Plug and Play (UPnP) Protocol Detection

Nessus

8061

UPNP Traffic Detection (Client)

Nessus Network Monitor (NMM)

1948

UPNP Traffic Detection

Nessus Network Monitor (NMM)

**Get more information**

*   CallStranger Disclosure Site
*   CERT/CC CallStranger Advisory (VU#339275)
*   Proof of Concept Code released on GitHub

**_Join Tenable's Security Response Team on the Tenable Community._**

**_Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface._**

Get a free 30-day trial of Tenable.io Vulnerability Management.

CVE-2020-23622: CVE-2020-12695: CallStranger Vulnerability in Universal Plug and Play (UPnP) Puts Billions of Devices At Risk

The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.

Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis.

Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw (CVE-2021-40444) last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited.

Kaspersky said it has observed threat actors exploiting the flaw in attacks on organizations across multiple sectors including the energy and industrial sectors, research and development, IT companies, and financial and medical technology firms. In many of these attacks, the adversaries have used social engineering tricks to try and get victims to open specially crafted Office documents that would then download and execute a malicious script. The flaw was under active attack at the time Microsoft first disclosed it in September 2021.

The attacks targeting the MSHTML flaw were part of a broader set of exploit activity last quarter that overwhelmingly targeted Microsoft vulnerabilities. According to Kaspersky, exploits for Windows vulnerabilities accounted for 82% of all exploits across all platforms during the second quarter of 2022. While attacks on the MSHTML vulnerability increased the most dramatically, it was by no means the most exploited flaw.

**Old Is Gold for Threat Actors**

Kaspersky's telemetry showed far more attacks on a handful of other vulnerabilities from 2018 and 2017. One of them was CVE-2018-0802, a remote code execution (RCE) vulnerability in Microsoft Office that was attacked some 345,827 times last quarter. Another similar memory corruption flaw from 2017 (CVE-2017-11882) was targeted in 140,623 attacks while a Microsoft Office/WordPad remote code execution flaw also from 2017 (CVE-2017-0199) was involved in 60,132 attacks.

The so-called Follina vulnerability in Microsoft Support Diagnostic Tool (MSDT) (CVE-2022-30190) was among the most targeted of recent vulnerabilities. The RCE flaw was one of at least five zero-day flaws that Microsoft has disclosed this year.

In total, Kaspersky found vulnerabilities in older versions of Microsoft Office being used in attacks against more than half a million users in second quarter. The attacks are another reminder of how unpatched vulnerabilities in older technologies remain a popular and highly attractive target for threat actors, the security vendor noted. "Old versions of applications remain the main targets for attackers, with almost 547,000 users in total being affected through corresponding vulnerabilities in the last quarter," Kaspersky said.

Kaspersky's report is another reminder of why security experts advocate quick patching of Microsoft vulnerabilities. Recent data has shown attackers have gotten much faster at exploiting flaws than before. A study that Rapid7 conducted last year showed that the mean time to known exploitation for vulnerabilities in 2021 was just 12 days — a 71% decrease from 42 days in 2020. The company explained the numbers as being driven by a sharp rise in zero-day exploit activity. "A drastic reduction in time to exploitation year over year means that not only are well-worn emergency patching procedures necessary, incident response protocols are likely to require repeated use as well," Rapid7 noted at the time.

Most Q2 Attacks Targeted Old Microsoft Vulnerabilities

ZTNA brings only marginal benefits unless you ensure that the third parties you authorize are not already compromised.

The transition to a zero-trust architecture is rife with challenges that can put a 10,000-piece, monochromatic jigsaw puzzle to shame. Not only must the IT team recognize and validate every corporate employee, their computing devices, and their applications, but they also must do so for key nonemployees, third-party vendors, and partners who access corporate assets.

It is a difficult enough task when one knows who their primary third-party supply chain partners are; it becomes almost impossible to manage secondary, tertiary, and other partners as well. And therein lies the challenge of defining who is an authorized and authenticated user and who is not.

While many of today's zero-trust network access (ZTNA) products claim to offer ongoing authentication and authorization of every known and registered user, device, and application trying to access a network all the time, often what companies actually experience is slightly different, says Jason Georgi, field CTO at Palo Alto Networks. Instead of constant authentication, they get initial authentication for each access.

Today, he says, ZTNA products excel at the microsegmentation of networks and providing very limited access to corporate assets on the network, but he expects next-generation ZTNA products to provide greater security for the data being processed.

A white paper by John Grady, a senior analyst at Enterprise Strategy Group, and commissioned by Palo Alto Networks asserts that there are several areas where current ZTNA products are falling short. Among the improvements Grady called for are prevention of violations of least privilege, the ability to cancel an application's access if it starts behaving in an unanticipated or unacceptable manner after granted access, and the ability to do security inspections of data not currently being inspected.

**Reducing Third-Party Risk**

Companies working to improve their risk profile by employing ZTNA are gaining only marginal benefits if they do not ensure that the third parties they authorize are not already compromised. To accomplish this, companies moving to zero trust also need to improve their third-party risk management (TPRM).

Organizations that employ ZTNA require that remote users be entered into a Microsoft Active Directory or other authentication system. While that works well for remote employees, it falls short when the remote access user is a business partner or vendor. Because of this, these partners often need to access the corporate environment over a virtual private network (VPN). But VPNs have inherent security limitations and do not scale well. As a result, someone who uses a VPN to access corporate assets behind the corporate firewall already has more access than they require; malicious users could leverage this to attack the network from the inside.

"If you think about all the bad things that have occurred, it's always through that backdoor of a vendor connection because you have a wide-open pipe on a VPN," says Dave Cronin, vice president of cybersecurity strategy for Capgemini Americas.

But VPNs, despite having less comprehensive security than zero-trust offerings, are not going away, he cautions. A zero-trust architecture requires that every user be preauthorized within a trusted environment, such as by being listed in Microsoft Active Directory or some similar application. That will not happen when organizations have hundreds or thousands of supply chain partners who are not individually identified, authenticated, and registered.

"In a lot of cases, organizations are layering additional sets of controls around specifically the third-party access component because, in some cases, the third parties are using unmanaged devices, meaning they're using their own corporate devices or even personal devices to access a company's enterprise applications," says Andrew Rafla, a partner and principal, as well as the cyber-risk and zero trust leader, at Deloitte. "There's a greater need to shift toward more modern ZTNA or \[Secure Access Service Edge\] SASE-type solutions, specifically for third-party access."

Rafla adds that the zero-trust edge (ZTE), sometimes referred to as SASE, can be seen as a compensating control to help mitigate the potential threats brought on by third parties and other managed constituents. Such compensating controls — including edge security, TPRM, multifactor authentication, and perhaps a dozen more controls together — can help companies demonstrate that they should qualify for cyber insurance, which has become more difficult to obtain recently.

"The more agile you are able to be as an organization to enable remote workforces, the easier, generally speaking, it is for you to do the right thing for derisking third-party access to your application systems environments," says Josh Yavor, CISO at Tessian. "The reason for that is because by pushing security down to the devices and then to the application layer, it means that while the networks are absolutely still relevant and critical, we're logically building our defensive risk bubbles around the applications themselves, and then the devices and identities that are in use when accessing them.

"By separating what used to be entirely network-dependent thinking to those layers, it means that we have more granular options for enabling access securely from our third parties."

That said, while hybrid VPN and ZTNA networks are likely here to stay for the foreseeable future, VPN security needs to be enhanced by adding more authentication controls and the ability to shut down the connection should the user access inappropriate data or applications. This could include improving port and protocol controls to contain the risk.

Transitioning From VPNs to Zero-Trust Access Requires Shoring Up Third-Party Risk Management

Gentoo Linux Security Advisory 202208-25 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 5.15.5_p20220618>= are affected.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Gentoo Linux Security Advisory                           GLSA 202208-25- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -                                           https://security.gentoo.org/- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High    Title: Chromium, Google Chrome, Microsoft Edge, QtWebEngine: Multiple Vulnerabilities     Date: August 14, 2022     Bugs: #828519, #834477, #835397, #836011, #836381, #836777, #838049, #838433, #841371, #843728, #847370, #851003, #853643, #773040, #787950, #800181, #810781, #815397, #829161, #835761, #836830, #847613, #853229, #837497, #838682, #843035, #848864, #851009, #854372       ID: 202208-25- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Synopsis=======Multiple vulnerabilities have been found in Chromium and itsderivatives, the worst of which could result in remote code execution.Background=========Chromium is an open-source browser project that aims to build a safer,faster, and more stable way for all users to experience the web.Google Chrome is one fast, simple, and secure browser for all yourdevices.Microsoft Edge is a browser that combines a minimal design withsophisticated technology to make the web faster, safer, and easier.Affected packages================    -------------------------------------------------------------------     Package              /     Vulnerable     /            Unaffected    -------------------------------------------------------------------  1  dev-qt/qtwebengine         < 5.15.5_p20220618>= 5.15.5_p20220618  2  www-client/chromium        < 103.0.5060.53      >= 103.0.5060.53  3  www-client/google-chrome   < 103.0.5060.53      >= 103.0.5060.53  4  www-client/microsoft-edge  < 101.0.1210.47      >= 101.0.1210.47Description==========Multiple vulnerabilities have been discovered in Chromium and itsderivatives. Please review the CVE identifiers referenced below fordetails.Impact=====Please review the referenced CVE identifiers for details.Workaround=========There is no known workaround at this time.Resolution=========All Chromium users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=www-client/chromium-103.0.5060.53"All Chromium binary users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=www-client/chromium-bin-103.0.5060.53"All Google Chrome users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=www-client/google-chrome-103.0.5060.53"All Microsoft Edge users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=www-client/chromium-103.0.5060.53"All QtWebEngine users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">Þv-qt/qtwebengine-5.15.5_p20220618"References=========[ 1 ] CVE-2021-4052      https://nvd.nist.gov/vuln/detail/CVE-2021-4052[ 2 ] CVE-2021-4053      https://nvd.nist.gov/vuln/detail/CVE-2021-4053[ 3 ] CVE-2021-4054      https://nvd.nist.gov/vuln/detail/CVE-2021-4054[ 4 ] CVE-2021-4055      https://nvd.nist.gov/vuln/detail/CVE-2021-4055[ 5 ] CVE-2021-4056      https://nvd.nist.gov/vuln/detail/CVE-2021-4056[ 6 ] CVE-2021-4057      https://nvd.nist.gov/vuln/detail/CVE-2021-4057[ 7 ] CVE-2021-4058      https://nvd.nist.gov/vuln/detail/CVE-2021-4058[ 8 ] CVE-2021-4059      https://nvd.nist.gov/vuln/detail/CVE-2021-4059[ 9 ] CVE-2021-4061      https://nvd.nist.gov/vuln/detail/CVE-2021-4061[ 10 ] CVE-2021-4062      https://nvd.nist.gov/vuln/detail/CVE-2021-4062[ 11 ] CVE-2021-4063      https://nvd.nist.gov/vuln/detail/CVE-2021-4063[ 12 ] CVE-2021-4064      https://nvd.nist.gov/vuln/detail/CVE-2021-4064[ 13 ] CVE-2021-4065      https://nvd.nist.gov/vuln/detail/CVE-2021-4065[ 14 ] CVE-2021-4066      https://nvd.nist.gov/vuln/detail/CVE-2021-4066[ 15 ] CVE-2021-4067      https://nvd.nist.gov/vuln/detail/CVE-2021-4067[ 16 ] CVE-2021-4068      https://nvd.nist.gov/vuln/detail/CVE-2021-4068[ 17 ] CVE-2021-4078      https://nvd.nist.gov/vuln/detail/CVE-2021-4078[ 18 ] CVE-2021-4079      https://nvd.nist.gov/vuln/detail/CVE-2021-4079[ 19 ] CVE-2021-30551      https://nvd.nist.gov/vuln/detail/CVE-2021-30551[ 20 ] CVE-2022-0789      https://nvd.nist.gov/vuln/detail/CVE-2022-0789[ 21 ] CVE-2022-0790      https://nvd.nist.gov/vuln/detail/CVE-2022-0790[ 22 ] CVE-2022-0791      https://nvd.nist.gov/vuln/detail/CVE-2022-0791[ 23 ] CVE-2022-0792      https://nvd.nist.gov/vuln/detail/CVE-2022-0792[ 24 ] CVE-2022-0793      https://nvd.nist.gov/vuln/detail/CVE-2022-0793[ 25 ] CVE-2022-0794      https://nvd.nist.gov/vuln/detail/CVE-2022-0794[ 26 ] CVE-2022-0795      https://nvd.nist.gov/vuln/detail/CVE-2022-0795[ 27 ] CVE-2022-0796      https://nvd.nist.gov/vuln/detail/CVE-2022-0796[ 28 ] CVE-2022-0797      https://nvd.nist.gov/vuln/detail/CVE-2022-0797[ 29 ] CVE-2022-0798      https://nvd.nist.gov/vuln/detail/CVE-2022-0798[ 30 ] CVE-2022-0799      https://nvd.nist.gov/vuln/detail/CVE-2022-0799[ 31 ] CVE-2022-0800      https://nvd.nist.gov/vuln/detail/CVE-2022-0800[ 32 ] CVE-2022-0801      https://nvd.nist.gov/vuln/detail/CVE-2022-0801[ 33 ] CVE-2022-0802      https://nvd.nist.gov/vuln/detail/CVE-2022-0802[ 34 ] CVE-2022-0803      https://nvd.nist.gov/vuln/detail/CVE-2022-0803[ 35 ] CVE-2022-0804      https://nvd.nist.gov/vuln/detail/CVE-2022-0804[ 36 ] CVE-2022-0805      https://nvd.nist.gov/vuln/detail/CVE-2022-0805[ 37 ] CVE-2022-0806      https://nvd.nist.gov/vuln/detail/CVE-2022-0806[ 38 ] CVE-2022-0807      https://nvd.nist.gov/vuln/detail/CVE-2022-0807[ 39 ] CVE-2022-0808      https://nvd.nist.gov/vuln/detail/CVE-2022-0808[ 40 ] CVE-2022-0809      https://nvd.nist.gov/vuln/detail/CVE-2022-0809[ 41 ] CVE-2022-0971      https://nvd.nist.gov/vuln/detail/CVE-2022-0971[ 42 ] CVE-2022-0972      https://nvd.nist.gov/vuln/detail/CVE-2022-0972[ 43 ] CVE-2022-0973      https://nvd.nist.gov/vuln/detail/CVE-2022-0973[ 44 ] CVE-2022-0974      https://nvd.nist.gov/vuln/detail/CVE-2022-0974[ 45 ] CVE-2022-0975      https://nvd.nist.gov/vuln/detail/CVE-2022-0975[ 46 ] CVE-2022-0976      https://nvd.nist.gov/vuln/detail/CVE-2022-0976[ 47 ] CVE-2022-0977      https://nvd.nist.gov/vuln/detail/CVE-2022-0977[ 48 ] CVE-2022-0978      https://nvd.nist.gov/vuln/detail/CVE-2022-0978[ 49 ] CVE-2022-0979      https://nvd.nist.gov/vuln/detail/CVE-2022-0979[ 50 ] CVE-2022-0980      https://nvd.nist.gov/vuln/detail/CVE-2022-0980[ 51 ] CVE-2022-1096      https://nvd.nist.gov/vuln/detail/CVE-2022-1096[ 52 ] CVE-2022-1125      https://nvd.nist.gov/vuln/detail/CVE-2022-1125[ 53 ] CVE-2022-1127      https://nvd.nist.gov/vuln/detail/CVE-2022-1127[ 54 ] CVE-2022-1128      https://nvd.nist.gov/vuln/detail/CVE-2022-1128[ 55 ] CVE-2022-1129      https://nvd.nist.gov/vuln/detail/CVE-2022-1129[ 56 ] CVE-2022-1130      https://nvd.nist.gov/vuln/detail/CVE-2022-1130[ 57 ] CVE-2022-1131      https://nvd.nist.gov/vuln/detail/CVE-2022-1131[ 58 ] CVE-2022-1132      https://nvd.nist.gov/vuln/detail/CVE-2022-1132[ 59 ] CVE-2022-1133      https://nvd.nist.gov/vuln/detail/CVE-2022-1133[ 60 ] CVE-2022-1134      https://nvd.nist.gov/vuln/detail/CVE-2022-1134[ 61 ] CVE-2022-1135      https://nvd.nist.gov/vuln/detail/CVE-2022-1135[ 62 ] CVE-2022-1136      https://nvd.nist.gov/vuln/detail/CVE-2022-1136[ 63 ] CVE-2022-1137      https://nvd.nist.gov/vuln/detail/CVE-2022-1137[ 64 ] CVE-2022-1138      https://nvd.nist.gov/vuln/detail/CVE-2022-1138[ 65 ] CVE-2022-1139      https://nvd.nist.gov/vuln/detail/CVE-2022-1139[ 66 ] CVE-2022-1141      https://nvd.nist.gov/vuln/detail/CVE-2022-1141[ 67 ] CVE-2022-1142      https://nvd.nist.gov/vuln/detail/CVE-2022-1142[ 68 ] CVE-2022-1143      https://nvd.nist.gov/vuln/detail/CVE-2022-1143[ 69 ] CVE-2022-1144      https://nvd.nist.gov/vuln/detail/CVE-2022-1144[ 70 ] CVE-2022-1145      https://nvd.nist.gov/vuln/detail/CVE-2022-1145[ 71 ] CVE-2022-1146      https://nvd.nist.gov/vuln/detail/CVE-2022-1146[ 72 ] CVE-2022-1232      https://nvd.nist.gov/vuln/detail/CVE-2022-1232[ 73 ] CVE-2022-1305      https://nvd.nist.gov/vuln/detail/CVE-2022-1305[ 74 ] CVE-2022-1306      https://nvd.nist.gov/vuln/detail/CVE-2022-1306[ 75 ] CVE-2022-1307      https://nvd.nist.gov/vuln/detail/CVE-2022-1307[ 76 ] CVE-2022-1308      https://nvd.nist.gov/vuln/detail/CVE-2022-1308[ 77 ] CVE-2022-1309      https://nvd.nist.gov/vuln/detail/CVE-2022-1309[ 78 ] CVE-2022-1310      https://nvd.nist.gov/vuln/detail/CVE-2022-1310[ 79 ] CVE-2022-1311      https://nvd.nist.gov/vuln/detail/CVE-2022-1311[ 80 ] CVE-2022-1312      https://nvd.nist.gov/vuln/detail/CVE-2022-1312[ 81 ] CVE-2022-1313      https://nvd.nist.gov/vuln/detail/CVE-2022-1313[ 82 ] CVE-2022-1314      https://nvd.nist.gov/vuln/detail/CVE-2022-1314[ 83 ] CVE-2022-1364      https://nvd.nist.gov/vuln/detail/CVE-2022-1364[ 84 ] CVE-2022-1477      https://nvd.nist.gov/vuln/detail/CVE-2022-1477[ 85 ] CVE-2022-1478      https://nvd.nist.gov/vuln/detail/CVE-2022-1478[ 86 ] CVE-2022-1479      https://nvd.nist.gov/vuln/detail/CVE-2022-1479[ 87 ] CVE-2022-1480      https://nvd.nist.gov/vuln/detail/CVE-2022-1480[ 88 ] CVE-2022-1481      https://nvd.nist.gov/vuln/detail/CVE-2022-1481[ 89 ] CVE-2022-1482      https://nvd.nist.gov/vuln/detail/CVE-2022-1482[ 90 ] CVE-2022-1483      https://nvd.nist.gov/vuln/detail/CVE-2022-1483[ 91 ] CVE-2022-1484      https://nvd.nist.gov/vuln/detail/CVE-2022-1484[ 92 ] CVE-2022-1485      https://nvd.nist.gov/vuln/detail/CVE-2022-1485[ 93 ] CVE-2022-1486      https://nvd.nist.gov/vuln/detail/CVE-2022-1486[ 94 ] CVE-2022-1487      https://nvd.nist.gov/vuln/detail/CVE-2022-1487[ 95 ] CVE-2022-1488      https://nvd.nist.gov/vuln/detail/CVE-2022-1488[ 96 ] CVE-2022-1489      https://nvd.nist.gov/vuln/detail/CVE-2022-1489[ 97 ] CVE-2022-1490      https://nvd.nist.gov/vuln/detail/CVE-2022-1490[ 98 ] CVE-2022-1491      https://nvd.nist.gov/vuln/detail/CVE-2022-1491[ 99 ] CVE-2022-1492      https://nvd.nist.gov/vuln/detail/CVE-2022-1492[ 100 ] CVE-2022-1493      https://nvd.nist.gov/vuln/detail/CVE-2022-1493[ 101 ] CVE-2022-1494      https://nvd.nist.gov/vuln/detail/CVE-2022-1494[ 102 ] CVE-2022-1495      https://nvd.nist.gov/vuln/detail/CVE-2022-1495[ 103 ] CVE-2022-1496      https://nvd.nist.gov/vuln/detail/CVE-2022-1496[ 104 ] CVE-2022-1497      https://nvd.nist.gov/vuln/detail/CVE-2022-1497[ 105 ] CVE-2022-1498      https://nvd.nist.gov/vuln/detail/CVE-2022-1498[ 106 ] CVE-2022-1499      https://nvd.nist.gov/vuln/detail/CVE-2022-1499[ 107 ] CVE-2022-1500      https://nvd.nist.gov/vuln/detail/CVE-2022-1500[ 108 ] CVE-2022-1501      https://nvd.nist.gov/vuln/detail/CVE-2022-1501[ 109 ] CVE-2022-1633      https://nvd.nist.gov/vuln/detail/CVE-2022-1633[ 110 ] CVE-2022-1634      https://nvd.nist.gov/vuln/detail/CVE-2022-1634[ 111 ] CVE-2022-1635      https://nvd.nist.gov/vuln/detail/CVE-2022-1635[ 112 ] CVE-2022-1636      https://nvd.nist.gov/vuln/detail/CVE-2022-1636[ 113 ] CVE-2022-1637      https://nvd.nist.gov/vuln/detail/CVE-2022-1637[ 114 ] CVE-2022-1639      https://nvd.nist.gov/vuln/detail/CVE-2022-1639[ 115 ] CVE-2022-1640      https://nvd.nist.gov/vuln/detail/CVE-2022-1640[ 116 ] CVE-2022-1641      https://nvd.nist.gov/vuln/detail/CVE-2022-1641[ 117 ] CVE-2022-1853      https://nvd.nist.gov/vuln/detail/CVE-2022-1853[ 118 ] CVE-2022-1854      https://nvd.nist.gov/vuln/detail/CVE-2022-1854[ 119 ] CVE-2022-1855      https://nvd.nist.gov/vuln/detail/CVE-2022-1855[ 120 ] CVE-2022-1856      https://nvd.nist.gov/vuln/detail/CVE-2022-1856[ 121 ] CVE-2022-1857      https://nvd.nist.gov/vuln/detail/CVE-2022-1857[ 122 ] CVE-2022-1858      https://nvd.nist.gov/vuln/detail/CVE-2022-1858[ 123 ] CVE-2022-1859      https://nvd.nist.gov/vuln/detail/CVE-2022-1859[ 124 ] CVE-2022-1860      https://nvd.nist.gov/vuln/detail/CVE-2022-1860[ 125 ] CVE-2022-1861      https://nvd.nist.gov/vuln/detail/CVE-2022-1861[ 126 ] CVE-2022-1862      https://nvd.nist.gov/vuln/detail/CVE-2022-1862[ 127 ] CVE-2022-1863      https://nvd.nist.gov/vuln/detail/CVE-2022-1863[ 128 ] CVE-2022-1864      https://nvd.nist.gov/vuln/detail/CVE-2022-1864[ 129 ] CVE-2022-1865      https://nvd.nist.gov/vuln/detail/CVE-2022-1865[ 130 ] CVE-2022-1866      https://nvd.nist.gov/vuln/detail/CVE-2022-1866[ 131 ] CVE-2022-1867      https://nvd.nist.gov/vuln/detail/CVE-2022-1867[ 132 ] CVE-2022-1868      https://nvd.nist.gov/vuln/detail/CVE-2022-1868[ 133 ] CVE-2022-1869      https://nvd.nist.gov/vuln/detail/CVE-2022-1869[ 134 ] CVE-2022-1870      https://nvd.nist.gov/vuln/detail/CVE-2022-1870[ 135 ] CVE-2022-1871      https://nvd.nist.gov/vuln/detail/CVE-2022-1871[ 136 ] CVE-2022-1872      https://nvd.nist.gov/vuln/detail/CVE-2022-1872[ 137 ] CVE-2022-1873      https://nvd.nist.gov/vuln/detail/CVE-2022-1873[ 138 ] CVE-2022-1874      https://nvd.nist.gov/vuln/detail/CVE-2022-1874[ 139 ] CVE-2022-1875      https://nvd.nist.gov/vuln/detail/CVE-2022-1875[ 140 ] CVE-2022-1876      https://nvd.nist.gov/vuln/detail/CVE-2022-1876[ 141 ] CVE-2022-2007      https://nvd.nist.gov/vuln/detail/CVE-2022-2007[ 142 ] CVE-2022-2010      https://nvd.nist.gov/vuln/detail/CVE-2022-2010[ 143 ] CVE-2022-2011      https://nvd.nist.gov/vuln/detail/CVE-2022-2011[ 144 ] CVE-2022-2156      https://nvd.nist.gov/vuln/detail/CVE-2022-2156[ 145 ] CVE-2022-2157      https://nvd.nist.gov/vuln/detail/CVE-2022-2157[ 146 ] CVE-2022-2158      https://nvd.nist.gov/vuln/detail/CVE-2022-2158[ 147 ] CVE-2022-2160      https://nvd.nist.gov/vuln/detail/CVE-2022-2160[ 148 ] CVE-2022-2161      https://nvd.nist.gov/vuln/detail/CVE-2022-2161[ 149 ] CVE-2022-2162      https://nvd.nist.gov/vuln/detail/CVE-2022-2162[ 150 ] CVE-2022-2163      https://nvd.nist.gov/vuln/detail/CVE-2022-2163[ 151 ] CVE-2022-2164      https://nvd.nist.gov/vuln/detail/CVE-2022-2164[ 152 ] CVE-2022-2165      https://nvd.nist.gov/vuln/detail/CVE-2022-2165[ 153 ] CVE-2022-22021      https://nvd.nist.gov/vuln/detail/CVE-2022-22021[ 154 ] CVE-2022-24475      https://nvd.nist.gov/vuln/detail/CVE-2022-24475[ 155 ] CVE-2022-24523      https://nvd.nist.gov/vuln/detail/CVE-2022-24523[ 156 ] CVE-2022-26891      https://nvd.nist.gov/vuln/detail/CVE-2022-26891[ 157 ] CVE-2022-26894      https://nvd.nist.gov/vuln/detail/CVE-2022-26894[ 158 ] CVE-2022-26895      https://nvd.nist.gov/vuln/detail/CVE-2022-26895[ 159 ] CVE-2022-26900      https://nvd.nist.gov/vuln/detail/CVE-2022-26900[ 160 ] CVE-2022-26905      https://nvd.nist.gov/vuln/detail/CVE-2022-26905[ 161 ] CVE-2022-26908      https://nvd.nist.gov/vuln/detail/CVE-2022-26908[ 162 ] CVE-2022-26909      https://nvd.nist.gov/vuln/detail/CVE-2022-26909[ 163 ] CVE-2022-26912      https://nvd.nist.gov/vuln/detail/CVE-2022-26912[ 164 ] CVE-2022-29144      https://nvd.nist.gov/vuln/detail/CVE-2022-29144[ 165 ] CVE-2022-29146      https://nvd.nist.gov/vuln/detail/CVE-2022-29146[ 166 ] CVE-2022-29147      https://nvd.nist.gov/vuln/detail/CVE-2022-29147[ 167 ] CVE-2022-30127      https://nvd.nist.gov/vuln/detail/CVE-2022-30127[ 168 ] CVE-2022-30128      https://nvd.nist.gov/vuln/detail/CVE-2022-30128[ 169 ] CVE-2022-30192      https://nvd.nist.gov/vuln/detail/CVE-2022-30192[ 170 ] CVE-2022-33638      https://nvd.nist.gov/vuln/detail/CVE-2022-33638[ 171 ] CVE-2022-33639      https://nvd.nist.gov/vuln/detail/CVE-2022-33639Availability===========This GLSA and any updates to it are available for viewing atthe Gentoo Security Website: https://security.gentoo.org/glsa/202208-25Concerns?========Security is a primary focus of Gentoo Linux and ensuring theconfidentiality and security of our users' machines is of utmostimportance to us. Any security concerns should be addressed tosecurity@gentoo.org or alternatively, you may file a bug athttps://bugs.gentoo.org.License======Copyright 2022 Gentoo Foundation, Inc; referenced textbelongs to its owner(s).The contents of this document are licensed under theCreative Commons - Attribution / Share Alike license.https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202208-25

Less celebrated browsers and deprecated applications like Internet Explorer will be browsers non-grata

Stephen Pritchard 15 August 2022 at 14:18 UTC  
Updated: 15 August 2022 at 14:39 UTC

Less celebrated browsers and deprecated applications like Internet Explorer will be browsers non-grata

Germany is mandating the use of secure, modern web browsers across government networks with a proposal for minimum standards currently open to consultation.

The Federal Office for Information Security (BSI) released a draft set of minimum standards in July. The agency hopes that the standards will bolster governmental cyber-resilience and better protect sensitive data. Leading browsers incorporate multiple features that block or mitigate a variety of common web-based attacks.

The proposed standard covers both desktop and mobile browsers, whereas previous security guidance only applied to desktop browsers on government PCs and workstations.

Read more of the latest browser security news

Following the consultation, the BSI expects the minimum standard to be mandated across government systems. The move will bar federal employees from using non-compliant browsers, such as the now-deprecated Internet Explorer, on government business.

Most of the security and privacy technologies prescribed by the BSI are available in most modern browsers. These include supporting certificates to the X.509 standard, encrypting connections to the server, and supporting for HSTS (HTTP Strict Transport Security).

Browsers also need to support a mechanism for automatic updates, with updates only carried out if an integrity check is successful. And they must implement a same-origin policy (SOP), so that documents and scripts cannot access resources, such as text and graphics, from other websites.

**‘Very encouraging’**

“The minimum standards being put forward by the BSI are very encouraging,” Simon Backwell, information security manager at Benefex and a member of the ISACA Emerging Trends Working Group, told The Daily Swig.

“Many of these standards are already what companies look for in software, so to extend them to browsers too ensures that organizations, especially government agencies or private sector companies within Germany, consider all aspects of their working environments. Most, if not all, modern browsers meet the standards, so there should be limited impact for organizations running these.”

And, as many browsers are based on the same core code – from Google’s open source Chromium project – government agencies will find it easy to comply.

YOU MAY ALSO LIKE Chromium site isolation bypass allows wide range of attacks on browsers

“All modern browsers are already very secure (ignoring privacy), with most of them sharing the exact same engine and therefore sharing the same security features and encryption capabilities,” Tarquin Wilton Jones, a developer and security expert at browser company Vivaldi, told The Daily Swig.

“In general, browsers have been at the forefront of making secure connections, and implementing security features such as sandboxing.”

The move is, he added, aimed more at improving security in government IT than at changing the way browsers are designed. However, he cautioned that the way some browsers do not allow users to turn off telemetry or vendor tracking data could cause compliance issues.

Interested parties in Germany have until 19 August to respond to the consultation.

RELATED Microsoft Edge deepens defenses against malicious websites with enhanced security mode

Germany to mandate minimum security standards for web browsers in government

Categories: Business
We’re excited to announce Malwarebytes Cloud Storage Scanning, a new service which extends Nebula malware scanning options to include files stored on cloud storage repositories that are part of your organization’s digital ecosystem.



(Read more...)




The post Introducing Malwarebytes Cloud Storage Scanning: How to scan for malware in cloud file storage repositories appeared first on Malwarebytes Labs.

We’re excited to announce Malwarebytes Cloud Storage Scanning, a new service that extends Nebula malware scanning options to include files stored on cloud storage repositories that are part of your organization’s digital ecosystem.

Today, the service supports scanning of files under 100Mb in size that reside on Box.com or on Microsoft’s OneDrive, and will extend to other popular file storage solutions in the coming quarters.

Malwarebytes Cloud Storage Scanning uses multiple anti-malware engines, using a combination of signatures, heuristics and machine learning to increase detection rates, decrease detection times and provide a comprehensive view to monitor and protect the health of all your enterprise data. 

Let’s dive in on how to make a scan!

**Scanning for cloud malware**

In Nebula, go to “**Settings**” and click “**Cloud Storage Scans**”. Here you can see existing scans and the providers being checked. Click “Add a Scan” to create a new scan.

Under “**Settings**”, name the scan and then select your cloud data storage provider.

Enter the configuration details from the storage provider to select and validate your account.  To initially check all existing files for malware, do not check this box and configure a scheduled or on-demand scan. In order to connect to your provider, you will need to provide a Tenant ID, Client ID and Client Secret.

If you select “**Continuous scan**”, Malwarebytes will only check for new and updated files from this point forward.

Click “**Connect to provider**” to provide access to your cloud storage location.

Once you see a success message, go to “**Items to scan**” to select the users or folders to scan. You can scan folders and the sub-folders.

If you have not selected continuous scan, go to “**Scan frequency**” to determine the cadence. Note that with scheduled scans, you will be scanning the contents of the selected folder(s) each time versus a continuous scan that only scans the changes.

Scans can be scheduled daily, weekly or monthly. Select “**Scan now**” for a one-time scan to occur immediately. Save for the scan to take effect and begin running on the cadence you chose.

In this example, we have a one time scan for existing malware in the folder and a continuous scan for future changes.

Review the results of scans with “**Storage detections**” on the left-side navigation bar. 

Here you can see a list of all detections from any cloud storage location. You can sort by “**Threat name**”:

Filter by cloud provider:

And “**Add/Remove Columns**”:

A report is also available to send a list of detections via email. Navigate to the “**Reports**” section on the nav bar:

Click “**Cloud Storage Detections Summary**”. You’ll be prompted with a window to configure the report.

Click “**Save**”. 

As you can see, the report was delivered to our email below!

**An additional layer of security**

While integrated cloud malware detection solutions (e.g. BoxShield for Box.com; MS Defender for OneDrive) can be useful, many businesses use multiple different cloud storage repositories, and due to lack of integration options, are unable to get a centralized view of all of their scan results, across multiple repositories, in a single security-focused pane of glass.

Malwarebytes Cloud Storage Scanning is easy and quick to deploy, centrally managed, and is seamlessly integrated with other Malwarebytes products and services that provide cloud security best practices.

Interested in reading about real-life examples of cloud malware mitigation? Read the case study of how a business used Malwarebytes to help eliminate cloud-based threats.

Introducing Malwarebytes Cloud Storage Scanning: How to scan for malware in cloud file storage repositories

‘Summer Camp’ for hackers features a compromised satellite, a homecoming for hackers and cyberwarfare warnings.

‘Summer Camp’ for hackers features a compromised satellite, a homecoming for hackers and cyberwarfare warnings.

There was nothing typical this year at BSides LV, Black Hat USA and DEF CON – also known collectively as Hacker Summer Camp. The weeklong collection of cybersecurity conferences featured an eclectic mix of attendees to learn, network, hack and have fun. The week even included a rare Las Vegas flash flood (not a new DDoS technique) on Thursday creating chaos in one casinos.

The past week, while not ‘typical’, was a nod to normalcy for attendees. Attendance for events was up from the previous year, which in 2021 was muted by lower attendance and COVID fears. Here is a roundup of leading research, themes and buzz from this year’s shows.  

****Research of Note****

Video conferencing darling Zoom was highlighted at DEF CON by Patrick Wardle, founder of the Objective-See Foundation, for a hacking technique that allowed him, using the macOS version of Zoom, to elevated privileges and gain access to the entire macOS operating system.

Pen Test Partners revealed a flaw in the Electronic Flight Bag tablets used by some Boeing aircraft pilots that could have allowed an adversary to modify data “and cause pilots to make dangerous miscalculations,” according to a Reuters report.

Starlink, the satellite operated by SpaceX that provides internet access to over 36 countries, was shown vulnerable to a hack via a $25 modchip. Belgian researcher Lennert Wouters revealed at Black Hat how he mounted a successful fault injection attack on a user terminal used to manage the satellite.

Researcher James Kettle debuted a new class of HTTP request smuggling attack that allowed him to compromise Amazon and Akamai, break TLS, and exploit Apache servers, according to reporting from Portswigger’s The Daily Swig.

Journalist Eduard Kovacs reported on a high-severity Realtek bug in the company’s eCos SDK. Found by Faraday Security and discussed at DEF CON, the eCos SDK is used in a variety of routers, access points and network repeaters, according to his report.

For fans of FUD, PC Magazine has a nice rundown of “The 14 Scariest Things We Saw at Black Hat 2022“. Things keeping them up are SMS codes flunk MFA, an “invisible finger to take control” of your touchscreen device and a Microsoft hiccup when launching its Early Launch Antimalware (ELAM).

****Topics of Discussion****

The main Black Hat keynote was from Chris Krebs, former Cybersecurity and Infrastructure Security Agency (CISA), who shared his optimism when it comes to the US approach to information security. However, he did express pessimism that US cyber-defenses were too focused on nation state attackers versus more mundane and pressing concerns, in his estimation, such as ransomware.

Ukraine war and Log4j also were major themes at each of the conferences. ESET provided Black Hat attendees with an update on cyberattacks against Ukraine. Firms such as CyCognito warned that we aren’t out of the Log4j woods. A report by SiliconAngle  quotes Robert Silvers, undersecretary for policy at the Department of Homeland Security, echoed those concerns telling attendees that “\[Log4j\] is most likely that organizations are going to deal with Log4j issues for at least a decade and maybe longer.”

Victor Zhora, deputy head of Ukraine’s State Special Communications Service, told Black Hat attendees that his country’s infrastructure has experienced a 300 percent uptick in cyber incidents since Russia’s invasion of the country. The visit was unannounced, according to a Voice of America report.

Meanwhile current White House Cyber Director Chris Inglis told journalist Kim Zetter, during a DEF CON session, that he was focused on “‘three waves of attacks’ that have progressed in recent years,” according a Nextgov report.

_The first wave “focused on adversaries holding data and systems at risk.” In the second, the attackers “still held data and systems at risk, but they then abstracted that into holding critical functions at risk.” The third is an attack on confidence, as exemplified by the attack on the Colonial Pipeline. –_ Nextgov.

For DEF CON, it was the event’s 30th anniversary, which events organizers billed as not a birthday but a Hacker Homecoming.

“This has been a crazy couple of years,” according to an official DEF CON forum post.

“A global pandemic turned DEF CON 28 into DEF CON Safe Mode. Some easing of the restrictions and some strict attendance rules gave us a hybrid con for DC29. An improvement, to be sure, but something short of a full DEF CON experience… We want DEF CON 30 to have the energy of a reunion… In honor of all that, we’re calling DEF CON 30 ‘Hacker Homecoming’.”

Black Hat and DEF CON Roundup

By Owais Sultan
The world of cybersecurity is nearing a point of no return, with the number of data breaches, password…
This is a post from HackRead.com Read the original post: Cybersecurity Has Never Been More Unstable Than It Is Now

The world of cybersecurity is nearing a point of no return, with the number of data breaches, password leaks, and cyber attacks on businesses reaching a level that has never been seen before. Currently, there is a cyberattack on a company **every 39 seconds**, with each successful attack costing businesses millions of dollars. 

While cybersecurity has been an issue for decades, this problem is only growing, with recent years seeing a dramatic rise in the number of cases recorded. In 2021 alone, 30,000 websites were hacked every single day, with there being an average of **50% more attacks per week** than in 2020.

From personal data to business documents and financial information, nothing is completely secure, with the diverse array of cyber hacking tools currently available seemingly trumping cybersecurity deployments at every turn. In this article, we’ll be taking a deep dive into the current state of cybersecurity, demonstrating why this industry has become such a disaster. 

Equally, we’ll touch on a few products that are currently running in counter to the rising threat, taking a look at the cutting-edge responses that the very best minds in cyber defenses have come up with.

Let’s get right into it. 

**A Whirlwind Tour Through Notable Breaches**

When delving into famous breaches in cybersecurity, a peculiar trend instantly arises. While there were some major breaches in the early 2010s, the middle section of this decade was fairly quiet. This all then changed around 2019, when major breaches began happening every few months. In 2021, the **Log4Shell vulnerability** caused massive tech companies around the world to leave their doors open for easy entry.

Since then, the world of cybersecurity has only gotten worse, with some of the most disastrous breaches happening since the beginning of COVID. Cybersecurity became such a pressing matter during this period that **The White House** even released executive orders on Open Source and private software cybersecurity defense protocols, urging citizens and companies to take more care when online.

Some notable breaches that have occurred over the last decades are:

*   **2013, Yahoo –** Still holding the record for the most people affected by a singular breach, this backdoor **hack affected over 3 billion accounts** and caused loss of personal information. This gave hackers the answer to security questions, passwords, names, email addresses, phone numbers, and any other personal information attached to an individual’s Yahoo account.

*   **2014, JPMorgan –** This breach had **76 million households corrupted** by a singular cyberattack. While the information leaked was luckily not financial in nature, it did release personal emails, phone numbers, names, and more. Since then, JPMorgan now spends $250 million each year to secure its data properly. 

*   **2021, Microsoft –** One of the most impactful cybercrimes in US history happened in January of 2021 when all **Microsoft Exchange email servers were hacked**. By using the Log4Shell vulnerability, hackers were able to deploy malware on a range of systems and impact over 60,000 companies worldwide due to Microsoft’s deployment in a range of companies through Teams and Outlook. 

*   **2021, Facebook –** With **over 530 million users exposed**, this modern breach saw a huge loss of personal data, with this being the latest breach since the company began all the way back in 2012. 

*   **2021, Comcast –** The largest breach during 2021 went to Comcast, with this brand having 1.5 billion records purged from their databases by hackers. **This huge data breach** took millions of accounts, internal IP addresses, node names, and other major indicators for further hacking. The attack on this company has been somewhat of a snowball moment, with the information liberated leading to a range of further hacks.

While these are not the only notable attacks that have occurred during this time, they are some of the biggest. Even from this small selection, one can see that the frequency with which a major attack occurs is becoming much more often. While massive cyberattacks were once a thing of rarity, they now crop up in some regard practically every single week.

**A Global Issue**

Alongside the widespread impacts of breaches, this isn’t just an issue that’s plaguing a singular nation. While the United States has been the focus of a large number of cybersecurity breaches, that doesn’t mean that other nations aren’t equally feeling the strain.

Countries around the world, including giants like China, the UK, and many leading countries within Europe, are similarly seeing rising amounts of cybercrime. This was further boosted by the 2020 pandemic, with this major global event driving people online in ways that we’ve never seen before.

While global connectivity was already rampant, the need to use tech tools to facilitate every part of the working day during COVID further led to breaches. 

Let’s quickly dive into how the pandemic has further scaled the threats currently targeting the world’s cyber defenses. 

**How the Pandemic Increased Cybercrime **

Since the beginning of the COVID-19 pandemic that surfaced at the beginning of 2020, the world has become rife with cybercrime. There are several factors that have led to this occurrence, with the levels of cybercrime across the globe now reaching unprecedented levels.

Most notably, the biggest change that has caused this surge in the number of cases of cybercrime around the world has been directly due to the movement away from traditional working structures. Before the pandemic, the vast majority of businesses would work from a centralized office building. This would involve any employees registered at the company commuting into the office building and conducting their working day from this site.

With the rise of social distancing conditions, workers suddenly have to work from home, with this movement now carrying on into the current day. While working from home boosted company productivity by **an average of 13%** , there were further negative effects from this movement. Most notably was the expansion of company attack surfaces, leading to hackers having more potential entry points into company databases.

A company attack surface is the total span of everything that’s connected to a company. This could be something as large as the company’s own website, or as small as an individual email account connected to an employee. No matter the size, each one of these points of connection within an attack surface represents a potential avenue of entry for a hacker.

The work from a home movement led to people around the globe having to rely on more technology during their working day, with everything from online meeting platforms to company accounts being multiplied as employees were assigned new profiles for almost everything.

As the number of different entry points for employees increased, with more and more tech tools being added to their stack, the possibility for hackers to target these accounts increased. Due to this, companies have become more vulnerable than ever before, with the need for complete attack surface monitoring leading to automatic machine defenses being the only available option. 

Coinciding with the exposure of businesses through the creation of new accounts during the pandemic, the **total amount of devices** that are connected to the internet is equally increasing at a rapid rate. On a personal level, this leaves individuals more exposed than ever before, as a singular error in privacy configurations could lead to one of these platforms being exposed, with all the individual’s information connected to that device or account being included in a potential breach. 

Alongside the many effects of the pandemic that will last long into the future, the drastic impact on the cybersecurity industry is certainly influential. 

**What Are We Doing About This?**

Of course, as a rising cyberthreat has been discovered, there has been a global movement toward preventing these breaches from occurring. While development within cybersecurity is made every single day, there are commonly three areas within which companies and governments are focusing on expanding their cybersecurity reach.

These areas cover new technologies as well as education, with the mix of all three of these strategies providing a range of insightful methods for preventing cyber breaches:

*   The Movement Toward Decentralization
*   Incorporating AI and Automatic Processes
*   MITRE Attack Framework and the Focus on Education

Let’s break these down further.

**MITRE Attack Framework and the Focus on Education**

Perhaps rather unsurprisingly for anyone that’s worked in cybersecurity, over **95% of all data breaches** are directly traced to a human error or action which caused the vulnerability. From individuals accidentally downloading ransomware onto their computers to weak passwords being chosen, there is a range of ways that people can expose company information through their simple mistakes.

With this considered, part of the rallying cry over recent years has been the mass movement towards cybersecurity education. On a professional level, this has been seen through the construction and continual updating of the MITRE Attack Framework, which is a database of all of the known methods that hackers will use to attempt to gain entry into a digital system.

By comparing a company’s current cybersecurity efforts against the Attack Framework, experts can see where their company is falling short of covering, helping them to create more modern and expansive cyber defenses. 

Alongside this, there has been a great focus placed on **educating employees about the importance of cyber security**. From workshops and tests sent out to the IT department to mandatory seminars, companies around the globe are attempting to educate their employees on the best practices for staying safe online.

This movement toward education will help to reduce the individual errors that lead to breaches.

**The Movement Toward Decentralization**

Over the past few years, one of the largest trends within technology has been the widespread popularization of decentralized technology. What started with cryptocurrencies like Bitcoin has now spread into a developed ecosystem of tools, with Web 3 being the latest iteration of actually applying this technology.

Within decentralized technology, one of the biggest movements toward bolstering general cybersecurity is the development of the Decentralized Cybersecurity Mesh by **Naoris Protocol**. At its core, decentralized technology focuses on creating a system that has no single point of failure, never having to rely on a centralized organization or individual node.

The Decentralized Cybersecurity Mesh takes this idea and runs with it, converting every single device into a validator node. In real-time, this means that all devices are checking and monitoring every other device, changing singular points of failure into multiple points of defense.

While this is still in its early stages, the uses of decentralized technology within the cybersecurity space are revolutionary, with their application certainly being one of the most exciting developmental aspects currently bubbling under the surface of this field. 

**Incorporating AI and Automatic Processes**

As stated earlier in this article, one of the main problems that faced businesses during the era of COVID was the rapidly increasing attack surface that each had to manage. While cybersecurity experts could fashion defenses and manually check each one of the potential entry points into their system, as the attack surface became increasingly complex and scaled, this was no longer an option.

The possibility of running manual defenses, including Red and Blue teaming manually, has now reached a point of no return. With the sheer size of the threat, more and more businesses are now turning toward automatic tools to protect their businesses. Industry leaders in cybersecurity are now releasing tools driven by and constructed **with artificial intelligence**. 

By using automation of these processes, companies are able to create a 24/7 approach to cybersecurity, continually monitoring their attack surfaces and running detection software on their systems. Considering that the average cybersecurity breach takes over **200 days to discover**, this movement to AI and automation is set to significantly improve detection and prevention in this industry. 

**Final Thoughts**

While cybersecurity is an industry that’s seeing a great deal of difficulty at present, this doesn’t mean that the field as a whole is doomed. There is a certain truth to seeing the rapid progression of the **tools that attackers are using to launch cyberattacks**. Yet, the tools and resources that the international community of those working within cybersecurity are currently developing are equally as advanced.

With the mass movement toward defense strategies and the continual development of cybersecurity research, we’re currently seeing a range of effective practices that can help keep both individuals and businesses safe during our new digital era. Although the pandemic accelerated the amount of cybercrime from the 2020-2022 period, we’re now starting to see the world of cybersecurity catch up to the threat. 

1.  The Forgotten Victims of Data Breach
2.  Crucial Cybersecurity Software Features (2022)
3.  5 Reasons You Should Learn About Cyber Security
4.  Cyber Security firm exposes 5 billion+ login credentials
5.  Solving the Cyber Security Problem: Mission Impossible

Cybersecurity Has Never Been More Unstable Than It Is Now

Leaked data potentially included patients’ email addresses, phone numbers, and device IP addresses

Leaked data potentially included patients’ email addresses, phone numbers, and device IP addresses

Novant Health, a US healthcare provider, is warning patients of a potential data breach resulting from an incorrect configuration of an online tracking tool from the company behind Facebook.

Novant, which operates more than 50 healthcare facilities across North Carolina, said it placed a snippet of JavaScript code on its website as part of a promotional campaign during the early stages of the coronavirus pandemic.

The code was for Meta Pixel, a digital tracking tool that can be used by organizations to help them gauge the success of Facebook marketing campaigns.

However, the tracking pixel in question was “configured incorrectly and may have allowed certain private information to be transmitted to Meta” from the Novant Health website and patient portal, the company said.

**Losing track**

In a recent privacy statement, Novant Health said that it removed the pixel as soon as it discovered that it had the capability to transmit information to Meta.

Upon further investigation, the healthcare provider said that, depending on a user’s activity within the Novant Health website and MyChart portal, the leaked data could include email address, phone number, computer IP address, and healthcare appointment information.

“The information did not include Social Security numbers or other financial information unless it was typed into a free text box by the user,” Novant said.

Read more of the latest healthcare security news

The company said it has mailed letters to “some patients” following the discovery of the pixel misconfiguration. According to local press reports, more than 1.3 million individuals have been notified.

Patients at Novant’s New Hanover Regional Medical Center are not impacted. The incident, however, may affect other individuals who aren’t registered Novant Health patients but received a Covid-19 vaccine at a Novant facility.

“Based on our investigation, we do not have any evidence that this information was acted on by Meta or any other third party,” Novant said.

“We also have implemented more structure, governance, and policies around the use of pixels and promise that we will take appropriate actions to ensure that this does not happen again.”

**RECOMMENDED** Microsoft Edge deepens defenses against malicious websites with enhanced security mode

Healthcare provider Novant issues data breach warning after site tracking pixels sent patients’  information to Meta servers

By Deeba Ahmed
Cisco has confirmed that its security was successfully breached by Yanluowang Ransomware Gang in May 2022. Networking giant…
This is a post from HackRead.com Read the original post: Cisco Confirms Network Breach After Employee’s Google Account was Hacked

****Cisco has confirmed that its security was successfully breached by Yanluowang Ransomware Gang in May 2022.****

Networking giant Cisco Systems is the latest victim of hacking. The company confirmed that attackers used a compromised Google account of one of its employees after the Yanluowang ransomware gang added a list of files obtained from the company on their data leak site.

**Hacking Details**

On Wednesday, August 10th, 2022, Cisco Systems confirmed experiencing a cyberattack that took place on 24 May 2022. Sharing their findings, the networking equipment provider stated that the attackers obtained details of an employee’s private Google account, which contained passwords synced with Cisco’s web browser.

The attackers obtained initial access to **its VPN** after successfully compromising the Google account. The credentials were synced through the Chrome browser, where the targeted employee had also stored their Cisco credentials.

Consequently, attackers could synchronize their Google accounts using this information. On August 10th, the Yanluowang ransomware gang indirectly took responsibility for the breach by publishing files stolen in the data leak.

Yanluowang ransomware gang’s website (Image: Hackread.com)

**Investigation of the “Potential Compromise”**

Cisco Talos launched an investigation into the May hack and referred to it as a “potential compromise” in its detailed **report** published Wednesday. Cisco Talos threat research team conducted the investigation.

Forensic details confirmed the involvement of the Yanluowang threat group, which has ties with **Lapsus$** and **UNC2447** cybercrime groups. For your information, Lapsus$ was behind some of the most high-profile data breaches in recent months including **Microsoft**, **Okta**, **T-Mobile**, **Samsung**, and **Ubisoft**.

As for the Cisco breach, the researchers concluded that the attackers couldn’t deploy ransomware successfully but were indeed successful in penetrating its network and planting an array of hacking tools. The attacks, according to researchers, also scanned the company’s internal network, a common practice adopted before deploying ransomware.

**How Attackers Bypassed MFA?**

Cisco said that hackers used various techniques to bypass the multifactor authentication feature linked to the VPN client. This includes voice phishing (aka **vishing**) and MFA fatigue. In MFA fatigue, attackers send push requests in high volume to their targeted device so the user has no choice but to accept to stop the incoming notifications.

Cisco Talos threat researchers identified that Multi-factor Authentication **(MFA) spoofing attacks** were launched against their employees, which were eventually successful, and they could run the VPN software. After obtaining initial access, they enrolled various new devices for MFA and authenticated them successfully to the company’s VPN.

> Given the actor’s demonstrated proficiency in using a wide array of techniques to obtain initial access, user education is also a key part of countering MFA bypass techniques. Equally important to implementing MFA is ensuring that employees are educated on what to do and how to respond if they get errant push requests on their respective phones. It is also essential to educate employees about who to contact if such incidents do arise to help determine if the event was a technical issue or malicious.
> 
> Cisco Talos threat researchers

The attacker then accelerated to administrative privileges. Afterward, they could log in to multiple systems. This raised suspicion, and Cisco Security Incident Response Team intervened to mitigate the threat.

Further digging revealed that the ransomware gang used remote access and offensive security tools in the attack. These tools included the following:

*   **TeamViewer**
*   **LogMein** (Now GoTo)

*   **Mimikatz**
*   **Impacket**
*   **PowerSploit**
*   **Cobalt Strike**

Cisco then implemented password reset across the company networks and disclosed their findings in the report. The company has created two Clam AntiVirus signatures to prevent additional compromise.

Tag

#microsoft