DSM is now the third acquisition by Thrive in Florida in the past six months.

FOXBOROUGH, Mass., June 24, 2022 /PRNewswire/ -- Thrive, a premier provider of NextGen Managed Services, announces today that it has acquired DSM, a Florida-based provider of managed IT services to State, Local, and Education (SLED) government agencies. The acquisition will enable DSM's existing government and corporate clients to benefit from Thrive's next-generation managed cybersecurity, global Cloud footprint, and Microsoft collaboration services while strengthening Thrive's offering to SLED agencies across the US.

Founded in 1986, DSM has been helping clients achieve their IT goals by providing innovative solutions for data protection, disaster recovery, and managed cloud services bolstered by their CJIS compliant data centers. Focusing on data assurance, DSM offers clients the ability to survive and recover quickly from a data breach or ransomware attack, ensuring business continuity. DSM's expert team of highly qualified professionals develop flexible and cost-effective solutions that address the challenges of customers that serve commercial, government, and CJIS-bound agencies.

"DSM is a leader in the SLED space with significant traction in the state of Florida. With this partnership, they'll be able to augment their Cloud-based service offerings via Thrive's SOC and comprehensive suite of cybersecurity services," said Rob Stephenson, Thrive's CEO. "DSM's talented engineers and experienced management team will help to greatly enhance our rapidly growing Florida presence, as well as position the SLED vertical to go national under their leadership."

"For over three decades, DSM's primary objective for our clients has been to optimize their digital transformation and their journey to the Cloud," said David Robinson, CEO and Founder of DSM. "We are delighted to be the newest members of the Thrive family as their dedication to providing a personalized IT path towards customer satisfaction complements our commitment to total IT peace of mind for our clients."

Robinson and Greg Madden, DSM's COO, will assume senior leadership roles and helm the newly established Thrive SLED group as a special unit focusing on existing government business in Florida, Alabama, and Massachusetts. In addition, Robinson and Madden will assist in Thrive's expansion of state and local contracts up and down the East Coast.

DSM is now the third acquisition by Thrive in Florida in the last six months and builds upon its established presence in the Southeast region. Thrive is a security-first MSP that delivers comprehensive managed services and unmatched expertise to drive secure digital transformation for small to mid-sized enterprises across multiple industries. For more information on Thrive, visit thrivenextgen.com.

**About Thrive**

Thrive is a leading provider of NextGen managed services designed to drive business outcomes through secure application enablement and optimization. The company's Thrive5 Methodology utilizes a unique combination of its Application Performance Platform and strategic services to ensure each business application achieves peak performance, scale, uptime, and the highest level of security. For more information, thrivenextgen.com.

Thrive: LinkedIn, Twitter, Facebook, YouTube and Instagram

**About DSM**

DSM redefines our client's business outcomes that they consider possible from their IT infrastructure ensuring that their data is protected and available when and where they need it, saving time and money. As our clients embark on their journey to trusted data availability, DSM guides them, allowing them to focus on their core business, rather than the technology that runs it.

Thrive Acquires DSM

Researchers describe discovery of ‘mega’ zero-day

Researchers describe discovery of ‘mega’ zero-day

Oracle has patched a remote code execution (RCE) vulnerability impacting Oracle Fusion Middleware and various other Oracle systems.

Security researchers ‘Peterjson’ and ‘Jang’ reported a pair of severe flaws to Oracle that can be chained to achieve RCE, which they dubbed the ‘Miracle Exploit’.

The researchers said they privately told Oracle about a serious vulnerability they discovered in Oracle Access Manager, tracked as CVE-2021–35587. The CVSS 9.8 bug is described as an “easily exploitable” flaw that allows unauthenticated attackers with network access via HTTP for application takeover.

**Accidental discovery**

Jang said the flaw was discovered by accident when the duo were “building a PoC \[proof of concept exploit code\] for another mega 0-day”.

While working with the Zero Day Initiative (ZDI), this research led to the discovery of CVE-2022–21445. This ‘mega’ bug, issued a severity score of 9.8, was found in the Oracle Application Development Framework (ADF) Faces architecture, a component of Oracle Fusion Middleware.

Catch up on the latest vulnerability-related security news and analysis

The deserialization of trusted data issue can be chained with CVE-2022–21497 (CVSS 8.1), a takeover flaw in Oracle Web Services Manager, to achieve pre-authentication RCE.

CVE-2022–21445 impacts a variety of products and services based on Fusion Middleware, various Oracle systems, and even Oracle’s cloud infrastructure. Unauthenticated attackers with network access, via HTTP, can abuse the vulnerability chain.

“One more thing to note, any website was developed by ADF Faces framework are affected,” Peterjson said.

**Disclosure and patches**

After testing Oracle services and domains, the vulnerability report was submitted to the vendor on October 25, 2021. In the same month, Oracle confirmed receipt of the report and said it was investigating. However, it took the best part of six months for a patch to be issued.

Both issues have been resolved in Oracle’s April round of patches. Oracle is one of many technology vendors, alongside Microsoft and Adobe, that releases a monthly patch update to tackle bugs in its software.

Companies utilizing vulnerable Oracle software are urged to apply the patch immediately.

Other vendors potentially impacted by the pre-auth RCE were notified via their respective bug bounty programs. Peterjson told The Stack that companies have been informed if they have not applied Oracle’s fix, and that he believes the number of exposed instances is “huge”.

“Why \[did\] we hack some Oracle’s sites? Because we want to demonstrate the impact to Oracle and let them know this vulnerability is super dangerous, it affects Oracle system\[s\] and Oracle’s customers,” Peterjson commented.

“That’s why we want Oracle take an action ASAP. But as you can see, 6 months for Oracle to patch it, I don’t know why, but we have to accept it and follow Oracle’s policy.”

The Daily Swig has reached out to Oracle and we will update this story if and when we hear back.

YOU MIGHT ALSO LIKE Splunk patches critical vulnerability while users push for legacy updates

Oracle patches ‘miracle exploit’ impacting Middleware Fusion, cloud services

If you use a mix of Apple, Android, and Windows gadgets, you're in luck: The security tool is now available to any Microsoft 365 subscriber.

Microsoft Defender, the company’s security app, is now available to any individual who has a subscription to Microsoft 365, the online productivity suite that includes Word, Excel, and more. Different from the previously released Microsoft Defender software that was built exclusively into Windows computers, this version is available on Windows, Android, macOS, and iOS devices.

Owners of Windows computers without Microsoft 365 don’t need to sweat; Microsoft is still preinstalling software on Windows to protect against viruses and other malware. That software is now simply branded as Windows Security. Beyond accessing a security dashboard where all your connected devices are visible, there’s not a lot of extra incentive for Windows owners to download the new Microsoft Defender app.

Microsoft is extending protection options to Mac and smartphone owners who use Microsoft 365. Not all devices receive the same protections, however. For example, on the Mac, anti-malware protection is provided by Microsoft Defender, while web protection is not.

On the other hand, iPhones and Android devices are able to use web protection from Microsoft Defender. The web protection runs a virtual private network on your smartphone in the background and tries to intervene if any dangerous hyperlinks appear. Microsoft claims that the data from your browsing history is stored on-device and not shared with the company. Learn even more about VPNs and boosting your digital privacy with WIRED senior writer and reviewer Scott Gilbertson’s guide to the best VPNs. In addition to web protection, the anti-malware protection from Microsoft Defender is supported for Android phones.

The new Microsoft Defender app is designed to be used specifically by consumers—as in families and individuals. Although the names are similar, Microsoft Defender for Endpoint is a separate security suite for businesses. Microsoft has guidance on its website to help you understand the Endpoint version and how to switch between accounts.

If you aren’t a Microsoft 365 subscriber but want to get Microsoft Defender, a personal plan costs $70 a year, and a family plan for up to six people costs $100 a year. With a subscription to Microsoft 365, you get OneDrive cloud storage access, in addition to both online and downloadable versions of popular software like Microsoft Word, Excel, and Powerpoint. (Check out this article from WIRED contributor David Nield if you’re on the hunt for a free version of Microsoft Word.)

So who will benefit from the new Microsoft Defender? The features offered are slim at the moment, and it might not be as involved as software from Norton or McAfee, but that may be a good thing considering Defender is more lightweight than either of those options. Keeping that in mind, the large quantity of devices tracked from a single dashboard could be a boon for family leaders trying to keep an eye on the whole crew’s security across multiple devices.

Subscribers to the Microsoft 365 individual plan can get Microsoft Defender to protect five devices at once. For those on the family plan, you can simultaneously shield up to 30 devices. The suite will send you alerts whenever Grandma downloads malware onto her computer (again) or the teens on their smartphones click a malicious link.

Searching for even more strategies to beef up your digital security? WIRED has helpful advice on everything from password protecting your files to keeping those spicy pics private. You wouldn’t leave your front door unlocked while running errands, and with so much of our lives experienced online, taking protective measures on your computer and smartphone makes just as much sense.

How to Use Microsoft Defender on All Your Devices

Plus: Microsoft details Russia’s Ukraine hacking campaign, Meta’s election integrity efforts dwindle, and more.

The United States Supreme Court yesterday struck down _Roe v. Wade_, the monumental 1973 decision that guaranteed the right to abortion in the US for 49 years and, as Maryn McKenna writes for WIRED, “revolutionized life for women.” Now, all of that is in peril. 

It is impossible to overstate the profound consequences of the court's decision. In addition to the life\-and\-death dangers now facing people who become pregnant, the end of _Roe_ and the rise of criminalized abortion stand to usher in a privacy nightmare that civil liberties advocates have warned about for decades. 

As we reported in May after a draft of the Supreme Court's decision was leaked to Politico, the criminalization of abortion in states across the US requires that people adopt a comprehensive digital privacy strategy to protect themselves from the surveillance state. This can include steps like switching to an end-to-end encrypted app like Signal, limiting your data footprint by using search engines like DuckDuckGo instead of Google, locking down your privacy settings on your phone, and using a browser extension to block web trackers. For more details on securing your digital privacy, we recommend guides from the Digital Defense Fund and the Electronic Frontier Foundation.

If you plan to protest against the Supreme Court's decision, check out our guide on how to protest safely. And if you're seeking information about receiving an abortion in post-_Roe_ America, we have a list of resources for that as well.

In other stories this week, we explained how to password-protect any file and dove into lingering security risks related to Microsoft's now defunct Internet Explorer browser. We got a look at Brave's new Goggles tool for its privacy-focused search engine, which lets you create custom search filters. We explored the ways in which the US intelligence community is using artificial intelligence. And we detailed a new type of spyware that Google and Lookout researchers say has been used to target people in multiple countries.

But that's not all. We've rounded up here the big security news from the past week that we haven't been able to cover ourselves. Click on the headlines to read the full stories. And stay safe out there.

Microsoft this week released a report diving into Russia's cyber efforts in its ongoing war against Ukraine. Researchers found that Russia has launched at least 48 attacks against Ukrainian entities. While some efforts have been successful, researchers found that rapidly deployed digital defenses have fended off many of these attacks, including a failed Russian military effort to deploy “wiper” malware against Ukrainian government computers. Vladimir Putin isn't limiting Russian hackers to targets in Ukraine, however. Microsoft researchers identified Russian “network intrusion efforts” against 128 organizations in 42 countries outside Ukraine. Moscow frequently targets the governments of NATO countries, and researchers say that Russian attacks have been successful 29 percent of the time. In a quarter of the successful attacks, Russian hackers have pilfered internal data from victims' networks. Microsoft also warns that Russia is carrying out global “cyber influence operations," at least some of which push propaganda encouraging people to not get vaccinated for Covid-19.

Despite political misinformation remaining rampant on Meta's platforms ahead of the midterm elections in November, CEO Mark Zuckerberg has reportedly shifted his attention from election-related issues to focus on the metaverse. According to multiple sources who spoke to _The_ _New York Times_, Facebook's “core election team … has been dispersed,” and just 60 people now focus on election integrity issues full-time. Company spokesperson Tom Reynolds disputed that figure, claiming that “hundreds" of people at Meta are focusing on election-related work.

Another day, another cryptocurrency company hack that nets criminals staggering amounts of money. The latest known attack, against California-based Web3 firm Harmony, targeted the blockchain bridge, an application used to transfer cryptocurrencies from one blockchain to another. The company says the hackers stole approximately $100 million in digital assets. Bridges are a known weak point in the crypto ecosystem. In late March, hackers believed to be part of North Korea's Lazarus Group made off with $540 million worth of cryptocurrency thanks to a bridge attack.

We've all been there: On your way home after a boozy night on the town, you realize you've misplaced a USB drive containing the names, addresses, birthdays, and tax-related information of every person in your city. Never happened to you? Well, a contractor in Amagasaki, Japan, wasn't so lucky. _The Guardian_ reports that the unnamed contractor lost a USB drive with the sensitive personal data of all 460,000 Amagasaki residents after a night of drinking at a restaurant. While the mistake is surely embarrassing, it hopefully won't lead to privacy breaches: According to city officials, the data was encrypted and they've found no evidence of leaks. Cheers!

The Post-Roe Privacy Nightmare Has Arrived

Hello everyone! This will be an episode about the Microsoft vulnerabilities that were released on June Patch Tuesday and also between May and June Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239094 On June Patch Tuesday, June 14, 56 vulnerabilities were released. Between May and June Patch Tuesdays, 38 vulnerabilities were released. This gives us 94 […]

Hello everyone! This will be an episode about the Microsoft vulnerabilities that were released on June Patch Tuesday and also between May and June Patch Tuesdays.

Alternative video link (for Russia): https://vk.com/video-149273431\_456239094

On June Patch Tuesday, June 14, 56 vulnerabilities were released. Between May and June Patch Tuesdays, 38 vulnerabilities were released. This gives us 94 vulnerabilities in the report.

    $ cat comments_links.txt 
    Qualys|June 2022 Patch Tuesday Microsoft Releases 55 Vulnerabilities with 3 Critical; Adobe Releases 6 Advisories, 46 Vulnerabilities with 40 Critical|https://blog.qualys.com/vulnerabilities-threat-research/2022/06/14/june-2022-patch-tuesday
    ZDI|THE JUNE 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/6/14/the-june-2022-security-update-review
    
    $ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "June" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
    ...
    Creating Patch Tuesday profile...
    MS PT Year: 2022
    MS PT Month: June
    MS PT Date: 2022-06-14
    MS PT CVEs found: 56
    Ext MS PT Date from: 2022-05-11
    Ext MS PT Date to: 2022-06-13
    Ext MS PT CVEs found: 38
    ALL MS PT CVEs: 94
    ...

*   Urgent: 1
*   Critical: 1
*   High: 32
*   Medium: 55
*   Low: 4

The urgent one is **Remote Code Execution** in Microsoft Windows Support Diagnostic Tool (MSDT) (CVE-2022-30190). Also known as “Follina”. It was observed being exploited in the wild at the end of May. MSDT is an application that is used to automatically collect diagnostic information and send it to Microsoft when something goes wrong with Windows. The tool can be called up from other applications (Microsoft Word being the most popular example) through the special MSDT URL protocol. Attackers who successfully exploit this vulnerability can execute arbitrary code with the privileges of the calling app to install programs, view, change, or delete data, and even create new Windows accounts as allowed by the compromised user’s rights. And now dozens of repositories with exploits for this vulnerability are available on Github. Therefore criticality is indeed Urgent. Vulristics prioritizes this correctly. While Microsoft had provided mitigation guidance in an advisory on May 30, patches were not released until June 14.

The critical vulnerability is **Remote Code Execution** in Windows Network File System (CVE-2022-30136). A vulnerability can be exploited by an unauthenticated attacker using a specially crafted call to a NFS service. Microsoft rated this as “Exploitation More Likely” according to its Exploitability Index. This bug looks very similar to CVE-2022-26937 – an NFS bug patched last month. The only difference between the patches is that this month’s update fixes a bug in NFSV4.1, whereas last month’s bug only affected versions NSFV2.0 and NSFV3.0. Microsoft has provided mitigation guidance to disable NFS v4.1, which should only be done if the May updates fixing previous NFS versions have been applied. The criticality of this vulnerability was increased by the advertisement of an exploit for this CVE in the github repository. Could this be a scam? Of course, but maybe it’s not.

There were 7 High-level **Remote Code Executions** in Windows LDAP (CVE-2022-30153, CVE-2022-30161, CVE-2022-30139, CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149). For three of them (CVE-2022-30139, CVE-2022-30141 and CVE-2022-30143) vulnerability only exists if the “MaxReceiveBuffer” LDAP policy is configured to a higher value than the default value (i.e. a higher maximum number of threads LDAP requests can contain per processor). A system with the default value for the policy would not be affected. For two of them (CVE-2022-30139 and CVE-2022-30141), no user interaction is required, however an attacker must “prepare the target environment to improve exploit reliability”.

Well, I would like to finish on patches that break servers. This time there were such problems too. This month’s Windows Server updates are causing a wide range of issues, including VPN and RDP connectivity problems on servers with Routing and Remote Access Service (RRAS) enabled. The vast majority of reports related to these problems coming in since Patch Tuesday have a common theme: losing Remote Desktop and VPN connectivity to servers with Routing and Remote Access Service (RRAS) enabled where the June Windows Server Updates have been installed. It is not clear what is causing these issues, maybe a fix for “Windows Network Address Translation (NAT) Denial of Service Vulnerability” tracked as CVE-2022-30152 that may have introduced bugs into RRAS connectivity. “We are aware of the issue and working to provide a resolution. Customers experiencing this issue can temporarily disable the NAT feature on their RRAS server,” a Microsoft spokesperson told. So let’s wait for new patches.

The full report is available here: ms\_patch\_tuesday\_june2022\_report

Hi! My name is Alexander and I am an Information Security Automation specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

Microsoft Patch Tuesday June 2022: Follina RCE, NFSV4.1 RCE, LDAP RCEs and bad patches

Hidden Talents: He was a competitive swimmer for many years. Instrument of Choice: His fingers were made for the keyboard, but he used to play the trumpet. 5 pieces of entertainment for the rest of his life: The Office, World War Z, The Matrix, Breaking Bad, The Thick of It. Favorite non-profit: RSPCA How he …
  A Man of Action: Meet Callum Carney Read More »

**Hidden Talents**: He was a competitive swimmer for many years.

**Instrument of Choice**: His fingers were made for the keyboard, but he used to play the trumpet.

**5 pieces of entertainment for the rest of his life**: The Office, World War Z, The Matrix, Breaking Bad, The Thick of It.

**Favorite non-profit**: RSPCA

**How he takes his tea**: Through his mouth

**Superpower**: Doesn’t suffer from hangovers

The first thing you should know about Callum Carney is that he doesn’t like talking about himself. Shy? Not necessarily. Quick witted and charming? Yes. However, Callum is best understood through his actions, rather than his words. Callum is just 23 years old and a budding security research prodigy. At a young age he has achieved great success finding bugs in organizations like Microsoft, Spotify, and Google. While he would never toot his own horn, Callum has made monumental contributions in protecting the cloud and has quickly gained a reputation with plenty of accolades to show for it.

Callum was a young, inquisitive boy with a high interest in computers when his Habbo account was hacked. Someone stole his coins, and he was left irritated, but curious as to how it happened (he fully admits this was his fault since his password was Callum123). This little seed of injustice would grow within him as his passion for computers expanded too. Throughout his school years, he recalls spending more time fixing other people’s computers than learning in the classroom.

Early on he stumbled upon a live stream demonstrating Cross-Site Scripting (XSS) which piqued his interest. His hacking aspirations became a reality at the first sight of a pop-up alert on screen saying, “You’ve been hacked!!!”

> **From that moment I was hooked. I’ve never actually been able to come off this rush. Security research is addictive.**

One time in a college computer class Callum was tinkering around on his laptop during a lesson. Bored, but still as curious as ever, Callum began trying to hack the lesson websites domain. He ended up finding a devastating bug and reported it under the guise of anonymity in hopes of avoiding an awkward encounter down the road. However, he forgot to update the shared URL which ended up exposing _he_ was a student at the college. At this point he was just 16. As he put it, there are bound to be small mistakes when you’re starting out, right? Unbeknownst to him, the company hosting the affected website was a subsidiary of the college. Their team replied asking for him to meet to discuss his findings. After much deliberation (even with his mother) and fears of great repercussions, he accepted the meeting. To his good fortune, he was not arrested (ethical hacking is still a gray area in the UK). Instead, the company had the foresight to take a risk. They offered him a position within the company and Callum has been a part of their team for six years now!  

When he isn’t working his day job, Callum moonlights as a security researcher. This is where his work speaks for itself. As a multi-year Microsoft Most Valuable Researcher (MVR) Callum’s reputation cannot be ignored. Whilst he didn’t set out to hunt for vulnerabilities for big tech, he is proud of his impact.

> **I see the whole community and what this space is, as the last line of defense. Inside large companies there are a lot of processes, and smart people who develop them. It’s up to us to check and make sure there is nothing left over. And it’s our job to find it. I see it as the last line for cyber security.**

When it comes to guiding the next generation of researchers, Callum strongly believes this field is for anybody, and there is no better time to get in on the action than right now.

> **The number of resources available to learn about security is always growing. In my opinion it’s great to learn by reading previously disclosed issues and getting hands-on with applications in the real world by finding vulnerabilities to report in organizations that have defined security policies.**

Callum stressed not to get demotivated if you aren’t successful immediately. Rather, he suggested that whatever you’re testing is made by humans and humans make mistakes. Keep on pushing, but don’t get burned out. Some of his favorite bugs to find are the ones where the general user is none the wiser. Take for example the time he was robbed of his coins as a kid playing Habbo. He would have liked to be the person who figured out you could steal from others, fix it, and the user would have no clue there was even a threat. The same concept applies to his larger bug bounties.

> **Stop doubting what you’re doing or coming up with reasons not to do something. Give it a go.**

Despite not caring to share too many words about himself, he is quite witty, and quick with comebacks which brings out a sort of endearing quality about who he is deep down. Fellow researcher Wouter (@wtm\_offensi) is happy to tell us what he thinks of Callum. “_Callum and I met in person for the first time about four years ago. This was at an invite-only bug bounty event where he gave an impressive talk about some of his bug hunting findings and experiences.  During that event and the events that followed in the years after, I got to know Callum as a young yet skilled researcher who is not only great fun to be around (who doesn’t like a good sense of British humor) but also knows when to work hard to deliver high impact bugs that get the job done. After working together and sharing our insights at some undisclosed hacking event we kept in touch online to share ideas on some of our findings. Sharing information with other researchers is not always the easiest thing to do, since most of us rely on bugs as a (main) source of income, yet Callum is always willing to help think things over as a sparring partner. Nowadays we occasionally collaborate on research related to Azure, to help each other forward and make the hunt for bugs more fun. Callum always seems to be able to find targets that are exciting to work on, e.g., potential targets. I’m a big fan of the man himself and his work_.”

Like WTM, we are huge fans of Callum (@callum\_infosec) and we cannot thank him enough for his amazing research and partnership with MSRC! Thank you for your contributions that help secure Microsoft customers.

A Man of Action: Meet Callum Carney

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 17 and June 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for June 17 to June 24

Security is wasting time and resources patching low or no risk bugs. In this post, we examine why security practitioners need to rethink vulnerability management.

Sometimes, too much information is a mixed blessing. Security teams use multiple vulnerability scanners in an attempt to cope with a significant rise in both attack surface diversity and software vulnerabilities.

But they soon find themselves overwhelmed with results, which leads to a growing backlog of bugs that need to be fixed. This backlog has multiple negative impacts. It slows the development process because the flaws take time to patch, and ignoring them leads to an excessive amount of tech debt.

Many teams are using outdated practices and limited data, which studies find do not lead to a reduction in risk to an organization's attack surface. In fact, a recent analysis from RAND Corporation found no notable reduction of breaches in organizations with mature vulnerability management programs.

There has to be a better way to handle vulnerability management. I propose a rethink on vulnerability management.

**Too Much Noise, Too Few Signals  
**The new way forward in vulnerability management requires changing the perception that vulnerability management is simply about scanning your software for threats. Why? Because the information scanners give you lack context for any meaningful next steps that reduce risk.

Rezilion's own runtime research analysis finds, on average, only 15% of discovered vulnerabilities are loaded into memory, which makes them exploitable. That means, on average, only 15% of flaws require priority patching — or patching at all. There is more value to be had from applying risk context. Security teams must be able to glean how those gaps could be exploited and the consequences that could occur if they are not addressed.

Most significantly, vulnerabilities must be prioritized based on their severity. But I am not talking about severity based on the common vulnerability scoring system (CVSS). With traditional approaches, security teams are often spinning their wheels scanning and then remediating vulnerabilities that may not pose a serious or immediate threat simply because the scoring system deems them to be critical.

This lack of understanding on criticality can also cause added friction between security and DevOps teams, which typically spar over the need for speed and business agility while maintaining security.

**Patch What Matters  
**Rezilion conducted an analysis of 20 of the most popular container images on DockerHub along with several base operating system images from the three major cloud providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). The idea was to assess how many vulnerabilities are not relevant and which ones pose a real risk.

The findings showed more than 4,347 known vulnerabilities. Of those, 75% of those rated as critical or high in severity did not load to memory and posed no risk. Of course, it would be time-consuming and nearly impossible to patch all of these at once. The takeaway is that organizations can use runtime analysis to prioritize remediation of vulnerabilities — and not be daunted by the growing backlog. A vulnerability in a package that isn't being loaded to memory can't be exploited by an attacker.

With this new approach, organizations can utilize their limited resources to remediate the vulnerabilities that _actually_ pose a real threat of exploitation and patch them accordingly. This level of knowledge and prioritization also saves development time and prevents time-to-market delays.

When a risk-based approach is implemented to prioritize vulnerability remediation, the work shifts to containing the threats that pose a significant threat. That in turn reduces overhead and the vulnerability backlog. It also shrinks the software attack surface, making it more manageable to apply patches appropriately.

**It's Time for a Change in Vulnerability Management**

It's time for a new vulnerability management strategy and it's appropriate to reiterate a few things to think about as you do. Instead of applying static, score-based, or manual policy-driven allow or block decisions, use more context and runtime visibility to make risk-based decisions that are continuous and adaptive.

We are advocating for a rethink in which security teams don't just prioritize vulnerability remediation by using CVSS severity scores alone. Instead, look to tools that allow you to concentrate on the vulnerabilities that pose the greatest risk to _your_ organization. Rezilion provides tools to see into your software environment and determine which vulnerabilities pose a risk and which do not require patching. Security teams should utilize real-time contextualized security controls to understand their true software attack surface. But in order to apply context, you need data that will help identify weak spots in order to refocus remediation efforts on the most critical risks. Otherwise, you're just wasting valuable time finding signals in the noise.

**About the Author**  

    

  
Liran Tancman, CEO and co-founder of Rezilion, is one of the founders of the Israeli cyber command and spent a decade in Israel's intelligence corps. In 2013, Liran co-founded CyActive, a company that built a technology capable of predicting how cyber threats could evolve and offer future-proof security. Liran served as CyActive's CEO and led it from its inception to its acquisition by PayPal in 2015. Following the acquisition, Liran headed PayPal's global Security Products Center responsible for developing cutting-edge technologies to secure PayPal's customers.

Why We're Getting Vulnerability Management Wrong

International cybersecurity authorities have published a Cybersecurity Information Sheet on making it harder to abuse PowerShell
The post Cybersecurity agencies: You don’t have to delete PowerShell to secure it appeared first on Malwarebytes Labs.

Microsoft’s PowerShell is a useful, flexible tool that is as popular with criminals as it is with admins. Cybercrooks like it becasue PowerShell is powerful, available almost everywhere, and doesn’t look out of place running on a company network.

In most places it isn’t practical to block PowerShell completely, which raises the question: How do you stop the bad stuff without disrupting the good stuff?

Cybersecurity authorities from the United States, New Zealand, and the United Kingdom have released a joint Cybersecurity Information Sheet (CIS) on PowerShell that attempts to answer that question.

The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom National Cyber Security Centre (NCSC-UK) hope that “these recommendations will help defenders detect and prevent abuse by threat actors, while enabling legitimate use by administrators and defenders.”

**PowerShell**

Although it’s closely associated with the world of Windows administration, PowerShell is a cross-platform (Windows, Linux, and macOS) automation and configuration tool which, by design, is optimized for dealing with structured data. Initially a Windows component only, known as Windows PowerShell, it was made open-source and cross-platform on 18 August 2016 with the introduction of PowerShell Core.

It allows system administrators and power users to perform administrative tasks via a command line—an area where Windows previously lagged behind its Unix-like rivals with their proliferation of \*sh shells.

Threat actors are equally fond of it because it allows them to “live off the land”, and for the options it provides to create fileless malware or to gain persistence on a compromised system.

**Reduce abuse**

The CIS discusses some security features available in PowerShell which can reduce abuse by threat actors.

**Remote connections**

Remote connections can be used for powerful remote management capabilities, so Windows Firewall rules on endpoints should be configured appropriately to control permitted connections. Access to endpoints with PowerShell remoting requires the requesting user account to have administrative privileges at the destination by default. The permission requirement and Windows Firewall rules are customizable for restricting connections to only trusted endpoints and networks to reduce lateral movement opportunities. Organizations can implement these rules to harden network security where feasible.

Multiple authentication methods in PowerShell permit use on non-Windows devices. PowerShell 7 permits remote connections over Secure Shell (SSH) in addition to supporting Windows Remote Management (WinRM) connections. This allows for public key authentication and makes remote management through PowerShell of machines more convenient and secure.

**AMSI integration**

The Antimalware Scan Interface (AMSI) feature, first available on Windows 10, is integrated into different Windows components. It supports scanning of in-memory and dynamic file contents using an anti-malware product registered with Windows and exposes an interface for applications to scan potentially malicious content. This feature requires AMSI-aware anti-malware products (such as Malwarebytes). Basically, AMSI works by analyzing scripts before the execution, so the anti-malware product can determine if the script is malicious or not.

**Constrained Language Mode**

Configuring AppLocker or Windows Defender Application Control (WDAC) to block actions on a Windows host will cause PowerShell to operate in Constrained Language Mode (CLM), restricting PowerShell operations unless allowed by administrator-defined policies.

**PowerShell methods to detect abuse**

Logging of PowerShell activities can record when cyber threats use PowerShell, and continuous monitoring of PowerShell logs can detect and alert on potential abuses. Deep Script Block Logging, Module Logging, and Over-the-Shoulder transcription are disabled by default. The authors recommend enabling the capabilities where feasible.

**Before you start**

If you plan on following the advice in the CIS, there are a few things you may want to consider first.

*   Execution Policies do not restrict execution of all PowerShell content.
*   AMSI bypasses are found and remediated in a constant whack-a-mole game, and most anti-malware products have different ways of accomplishing the same, or better, results. Therefor you will find that most AMSI-aware anti-malware products do not rely on AMSI alone.
*   If you are a customer of a Managed Service Provider (MSP) you may need to contact them before taking any of the actions listed above, since doing so may hinder them in their remote management.
*   Windows Remote Management/Remote Shell (WinRM/WinRS) connection limitations can become an obstacle in organizations with numerous administrators performing remote management, or that have multiple monitoring solutions connecting to the environment. By default, Microsoft Server limits the number of concurrent users connected to the WinRM/WinRS session to five and the number of shells per user to five. This can, and has often been modified by using an elevated command prompt.

Disabling PowerShell, if you do not need it, is a lot easier and safer than applying policies to make it safer to use. But looking at the options to make it more secure is certainly a good idea if you do need it.

Stay safe, everyone!

Cybersecurity agencies: You don’t have to delete PowerShell to secure it

A China-based advanced persistent threat (APT) group is possibly deploying short-lived ransomware families as a decoy to cover up the true operational and tactical objectives behind its campaigns.
The activity cluster, attributed to a hacking group dubbed Bronze Starlight by Secureworks, involves the deployment of post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora,

A China-based advanced persistent threat (APT) group is possibly deploying short-lived ransomware families as a decoy to cover up the true operational and tactical objectives behind its campaigns.

The activity cluster, attributed to a hacking group dubbed **Bronze Starlight** by Secureworks, involves the deployment of post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0.

"The ransomware could distract incident responders from identifying the threat actors' true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group," the researchers said in a new report. "In each case, the ransomware targets a small number of victims over a relatively brief period of time before it ceases operations, apparently permanently."

Bronze Starlight, active since mid-2021, is also tracked by Microsoft under the emerging threat cluster moniker DEV-0401, with the tech giant emphasizing its involvement in all stages of the ransomware attack cycle right from initial access to the payload deployment.

Unlike other RaaS groups that purchase access from initial access brokers (IABs) to enter a network, attacks mounted by the actor are characterized by the use of unpatched vulnerabilities affecting Exchange Server, Zoho ManageEngine ADSelfService Plus, Atlassian Confluence (including the newly disclosed flaw), and Apache Log4j.

Since August 2021, the group is said to have cycled through as many as six different ransomware strains such as LockFile (August), Atom Silo (October), Rook (November), Night Sky (December), Pandora (February 2022), and most recently LockBit 2.0 (April).

What's more, similarities have been uncovered between LockFile and Atom Silo as well as between Rook, Night Sky, and Pandora — the latter three derived from Babuk ransomware, whose source code leaked in September 2021 — indicating the work of a common actor.

"Because DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them," Microsoft noted last month.

Upon gaining a foothold inside a network, Bronze Starlight is known to rely on techniques like using Cobalt Strike and Windows Management Instrumentation (WMI) for lateral movement, although starting this month, the group has begun replacing Cobalt Strike with the Sliver framework in their attacks.

Other observed tradecraft relates to the use of HUI Loader to launch next-stage encrypted payloads such as PlugX and Cobalt Strike Beacons, the latter of which is employed to deliver the ransomware, but not before obtaining privileged Domain Administrator credentials.

"The use of HUI Loader to load Cobalt Strike Beacon, the Cobalt Strike Beacon configuration information, the C2 infrastructure, and the code overlap suggest that the same threat group is associated with these five ransomware families," the researchers explained.

It's worth pointing out that both HUI Loader and PlugX, alongside ShadowPad, are malware historically put to use by Chinese nation-state adversarial collectives, lending credence to the possibility that Bronze Starlight is more geared towards espionage than immediate monetary benefits.

On top of that, the victimology pattern spanning across the different ransomware strains shows that a majority of the targets are likely to be of more interest to Chinese government-sponsored groups focused on long-term intelligence gathering.

The key victims encompass pharmaceutical companies in Brazil and the U.S., a U.S.-based media organization with offices in China and Hong Kong, electronic component designers and manufacturers in Lithuania and Japan, a law firm in the U.S., and an aerospace and defense division of an Indian conglomerate.

To that end, the ransomware operations, besides providing a means to exfiltrate data as part of the double extortion "name-and-shame" scheme, also offer twin advantages in that it allows the threat actor to destroy forensic evidence of their malicious activities and act as a distraction from data theft.

"It is plausible that Bronze Starlight deploys ransomware as a smokescreen rather than for financial gain, with the underlying motivation of stealing intellectual property or conducting espionage," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft