The notorious Conti ransomware gang, which last month staged an attack on Costa Rican administrative systems, has threatened to "overthrow" the new government of the country.
"We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power," the group said on its official website. "We have our insiders in your government. We are also

The notorious Conti ransomware gang, which last month staged an attack on Costa Rican administrative systems, has threatened to "overthrow" the new government of the country.

"We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power," the group said on its official website. "We have our insiders in your government. We are also working on gaining access to your other systems, you have no other options but to pay us."

In a further attempt to increase pressure, the Russian-speaking cybercrime syndicate has raised its ransom demand to $20 million in return for a decryption key to unlock their systems.

Another message posted on its dark web portal over the weekend issued a warning stating it will delete the decryption keys in a week, a move that would make it impossible for Costa Rica to recover access to the files encrypted by the ransomware.

"I appeal to every resident of Costa Rica, go to your government and organize rallies so that they would pay us as soon as possible if your current government cannot stabilize the situation? Maybe it's worth changing it?," the message read.

The devastating attack, which took place on April 19, has caused the new government to declare a state of emergency, while the group has leaked troves of data stolen from the infected systems prior to encryption.

Conti attributed the intrusion to an affiliate actor dubbed "UNC1756," mimicking the moniker threat intelligence firm Mandiant assigns to uncategorized threat groups.

Affiliates are hacking groups who rent access to already-developed ransomware tools to orchestrate intrusions into corporate networks as part of what's called a ransomware-as-a-service (RaaS) gig economy, and then split the earnings with the operators.

Linked to a threat actor known as Gold Ulrick (aka Grim Spider or UNC1878), Conti has continued to target entities across the world despite suffering a massive data leak of its own earlier this year in the wake of its public support to Russia in the country's ongoing war against Ukraine.

Microsoft's security division, which tracks the cybercriminal group under the cluster DEV-0193, called Conti the "most prolific ransomware-associated cybercriminal activity group active today."

"DEV-0193's actions and use of the cybercriminal gig economy means they often add new members and projects and utilize contractors to perform various parts of their intrusions," Microsoft Threat Intelligence Center (MSTIC) said.

"As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella."

The interminable attacks have also led the U.S. State Department to announce rewards of up to $10 million for any information leading to the identification of key individuals who are part of the cybercrime cartel.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Russian Conti Ransomware Gang Threatens to Overthrow New Costa Rican Government

MDR Sentinel expands TorchLight’s leading managed detection and response (MDR) services with turnkey SIEM and SOAR capabilities from Microsoft; TorchLight also announces it attains elite Microsoft Gold Partner Status

**SPOKANE, WA – May 10, 2022** - TorchLight today announced MDR Sentinel, a scalable, cloud-native turnkey security information and event management (SIEM) and security orchestration, automation, and response (SOAR) service. The new service is powered by enterprise-grade Microsoft Sentinel security tools combined with TorchLight’s nationwide virtual security operations center (vSOC) capabilities.

TorchLight is a Complete Security Solutions Provider (CSSP) that offers turnkey MDR services in addition to its own SIEM/SOAR MDR service that works with all leading cybersecurity products and environments to manage alerts and respond quickly and effectively to all threats.

The turnkey nature of MDR Sentinel is ideal for customers that are significant users of Microsoft software and services. TorchLight has also partnered with Cisco Systems for a turnkey managed SOAR MDR service that combines the full suite of Cisco Secure products along with TorchLight vSOC services.

**MDR Sentinel Details**

MDR Sentinel offers security analytics and threat intelligence across endpoint and cloud network environments. The service features built-in data connectors to collect security data from Microsoft software and services – including Microsoft Azure and Microsoft’s Defender for Endpoints, Cloud Apps and Office365 – as well as leading third-party firewalls and security systems.

MDR Sentinel assesses this data at scale and can detect threats with minimal false positives and investigates those threats with Microsoft’s experienced artificial intelligence (AI). The system responds rapidly to any incidents alerting the live cybersecurity experts in TorchLight’s vSOC who analyze significant events and provide incident management and support.

As a cloud-based SIEM, MDR Sentinel is less expensive and faster to deploy than traditional on-premises SIEMs. The service establishes connections to Microsoft Azure which also increases efficiency gains and significantly reduces management effort. The collaboration with Microsoft allows TorchLight to offer its clients best-fit Microsoft licensing as well as access to Microsoft’s analytics and intelligence.

"The cloud is joining end-user devices as the repository for valuable business data. MDR Sentinel offers an unparalleled ability to protect the entire range of a company’s data assets. This breadth combined with TorchLight’s nationwide SOC services is a comprehensive service and a good value,” said TorchLight CTO Stephen Heath.

“Microsoft is a pioneer in cloud-native SEIM / SOAR capabilities and our goal as a Microsoft Gold Partner is to use this technology and our SOC capabilities to give companies new tools to modernize their security operations,” said Jim Kreutel of TorchLight.

MDR Sentinel is now available. More details are at the TorchLight website.

**About TorchLight**

TorchLight is a full-service, nationwide Complete Security Solution Provider (CSSP) founded and built on the concept of providing a complete Design-Build-Manage (DBM) approach to cybersecurity solutions. We deploy a risk-aligned approach to translate business needs into cybersecurity, and cybersecurity into business strategy, to drive customer trust and investor confidence—combined with 24×7 monitoring and intelligence gathering. Through partnerships with Cisco and Microsoft, the industry leading security technology companies, we provide both turnkey and Bring-Your-Own-Tech cybersecurity solutions, along with a full range of consulting, reselling, and managed security service provider (MSSP) services.

TorchLight Expands Cybersecurity Services With MDR Sentinel in Partnership With Microsoft

RUBRIK FORWARD: SAN DIEGO, Calif., May 17, 2022 -- Rubrik, the Zero Trust Data Security™ Company, today announced Rubrik Security Cloud to secure customers’ data, wherever it lives, across enterprise, cloud, and SaaS.

Ransomware is on the rise and cyberattacks are getting more sophisticated. Despite investments in infrastructure security tools, cybercriminals are still getting through to the data. And when they take the data down, they take down the entire business. It’s time for a new approach. The next frontier in cybersecurity pairs the investments in infrastructure security with data security giving companies security from the point of data.

Rubrik is a pioneer in data security and the Rubrik Security Cloud delivers three unique capabilities:

● Data Resilience: Safeguards data by providing immutable, logically air-gapped data protection with multi-factor authentication-based access control.

● Data Observability: Continuously monitors risks and investigates threats to data including Ransomware Monitoring and Investigation powered by machine learning to detect data anomalies, encryptions, deletions, and modifications; Sensitive Data Monitoring to find and classify the most sensitive data, and assess exfiltration risk; and Threat Monitoring and Hunting to identify indicators of compromise and find the last known clean copy of data.

● Data Recovery: Quickly contains threats and recovers data, whether it’s a file, application data or a mass recovery for the entire organization. Rubrik’s new Threat Containment capability quarantines malware and restricts user access to infected data to support safer recovery.

As organizations continue to struggle with cyberattacks that compromise data, Rubrik also launched the Data Security Command Center to easily assess whether data is safe and capable of being recovered from a cyberattack. Now, customers can see which data is at risk and get recommendations to make their data more secure.

“Every company in the world is vulnerable as cybercriminals get more savvy every day,” said Bipul Sinha, Rubrik CEO and co-founder. “With Rubrik Security Cloud, we are strengthening customers' defenses so they can secure their business across enterprise, cloud, and SaaS workloads. Our data security platform enables our customers to defend their data, recover quickly, and prevail in this new cyber landscape.”

“INTEGRIS Health is proud to be the largest not-for-profit health care system in Oklahoma, with eighteen hospitals in our network and more than a million patients that rely on us every year for their health care needs. With the expansive network we support, it’s paramount that our data is resilient, and we maintain a strong data security posture to keep our hospital moving. As a CIO, I believe Rubrik is an important service and helps us provide excellent patient care. As a Rubrik customer, we’re thrilled to see the continued innovation with Rubrik Security Cloud and the company’s ongoing focus on keeping customer data safe and making it easy to recover in the face of cyber-attacks, like ransomware,” said Bill Hudson, CIO of INTEGRIS Health.

"NJ TRANSIT delivered more than a quarter of a billion annual passenger trips before the pandemic and is responsible for our riders’ safety, mobility, and livelihoods every day. It’s imperative that nothing interrupts our business, so we’ve prioritized a strong data security strategy in partnership with Rubrik. We’re committed to the ongoing and necessary work that gives our data resilience and helps us reduce our risk as we face ever evolving, and inevitable, cyber threats,” said Rafi Khan, CISO of NJ TRANSIT.

**Research and Development Fuels Additional Capabilities**

As part of Data Observability, Sensitive Data Discovery for Microsoft 365 discovers and classifies sensitive data within Microsoft 365 to better assess risk and help maintain compliance with regulations.

These latest integrations build on the joint collaboration between Rubrik and Microsoft. Last year, Rubrik Cloud Vault built on Microsoft Azure was launched to help customers better defend against cyberattacks using a fully managed, secure and isolated cloud vault service. Since launch, Rubrik has seen strong demand for Rubrik Cloud Vault across key industries including Healthcare and Life Sciences, Manufacturing, State and Local Government, and Financial Services as customers build Zero Trust solutions to defend against and recover from ransomware.

“Businesses need a data resiliency strategy to keep their data secure in the face of escalating cyber threats,” said Jurgen Willis, Vice President Microsoft Azure. “Rubrik's Security Cloud, which builds on integrations with Rubrik Cloud Vault and Microsoft Azure, will help customers accelerate their Zero Trust journey.”

For more information about Rubrik Security Cloud and other R&D innovations, click here.

Rubrik Security Cloud is available now and new enhancements will be available in the months ahead.

**About Rubrik**

Rubrik, the Zero Trust Data Security™ Company delivers data resilience, data observability, and data recovery for organizations. Rubrik keeps your data safe and easy to recover in the face of cyber attacks and operational failures. Now you can recover the data you need, however and whenever you need it to keep your business running.

For more information please visit www.rubrik.com and follow @rubrikInc on Twitter and Rubrik, Inc. on LinkedIn.

Rubrik Launches Rubrik Security Cloud to Secure Data, Wherever it Lives, Across Enterprise, Cloud, and SaaS

By Deeba Ahmed
Microsoft has discovered a new Sysrv botnet variant deploying cryptocurrency miners on Windows and Linux systems. The Microsoft…
This is a post from HackRead.com Read the original post: New Sysrv-k Botnet Infecting Windows and Linux Systems with Cryptominer

Microsoft has discovered a new Sysrv botnet variant deploying cryptocurrency miners on Windows and Linux systems.

The Microsoft Security Intelligence team posted a series of tweets on their official Twitter handle (@MsftSecIntel) to reveal startling details on the new variant of the notorious Sysrv botnet dubbed Sysrv-K.

According to the thread, the new variant exploits vulnerabilities recently identified in the Spring Framework’s API gateway called the Spring Cloud Gateway and WordPress and deploys cryptocurrency miners on Windows and Linux systems.

**How does the Botnet work?**

According to Microsoft, the botnet first scans the web to identify vulnerable servers and installs itself. The vulnerabilities it looks for include remote file disclosure, remote code execution, path traversal, and arbitrary file download.

The tech giant noted that Sysrv-K exploits numerous old flaws, particularly those identified in WordPress, as well as new vulnerabilities like CVE-2022-22947, which has a CVSS score of 10 and affects the Spring Cloud Gateway and Oracle’s Communications Cloud-Native Core Network Exposure Function.

The vulnerability exposes apps to code injection attacks and allows unauthorized attackers to carry out remote code execution. Interestingly, all these vulnerabilities have patches.

**Details of Sysrv and Sysrv-K**

The Sysrv botnet has been active since late 2020 and exploits known security flaws in access interfaces to install a Monero crypto miner on compromised Windows and Linux systems. The older version of the botnet targeted databases and web apps, such as Confluence, Jira, MongoDB, Oracle WebLogic, ThinkPHP, Mongo-Express, Drupal, Apache Struts, and Salt-API, reported Juniper in 2021.

The new version comes with a range of new features. Such as it can scan for WordPress configuration files and their backups to extract database credentials. The botnet uses the information to control the webserver.

Additionally, it boasts advanced communication features, including using a Telegram bot. It can scan for SSH keys, hostnames, and IP addresses and spread its copies across the network to infect the entire network and make it a part of its botnet army.

Microsoft Security Intelligence team on Twitter

**More Linux and Windows Botnet News**

1.  Old crypto-malware makes come back, hits Windows, Linux devices
2.  Kraken botnet bypasses Windows Defender to steal crypto wallet data
3.  HolesWarm crypto-malware hits unpatched Linux and Windows servers
4.  Beware; Adwind RAT infecting Windows, OS X, Linux and Android Devices
5.  Linux & Windows hit with disk wiper, ransomware & crypto Xbash malware

**How to Stay Safe?**

Microsoft suggests that organizations using internet-exposed Linux or Windows systems must install security updates immediately as it is imperative to secure these systems. They must ensure “building credential hygiene” and timely apply security updates.

New Sysrv-k Botnet Infecting Windows and Linux Systems with Cryptominer

A little-used feature of web addresses is being used to obfuscate malicious phishing URLs.
The post Long lost @ symbol gets new life obscuring malicious URLs appeared first on Malwarebytes Labs.

Threat actors have rediscovered an old and little-used feature of web URLs, the innocuous @ symbol we usually see in email addresses, and started using it to obscure links to their malicious websites.

Researchers from Perception Point noticed it being used in a cyberattack against multiple organization recently. While the attackers are still unknown, Perception Point traced them to an IP in Japan.

The attack started with a phishing email pretending to be from Microsoft, claiming the user has messages that have been embargoed as potential spam. (Using familiar, transactional messages from well-known brands like Microsoft has become a popular tactic for scammers, as a way to defeat spam filters and keen-eyed users.)

The message reads:

    You have new 5 held messages.
    
    You can release all of your held messages and permit or block future emails the senders, or manage messages individually.

If the recipient clicks any of the links in the email, they are directed to a phishing page made to look like an Outlook login page.

If the recipient follows the often-repeated advice to hover their pointer over the links before clicking them, to see where they go, they will see this weird-looking URL, and probably be none the wiser:

https://$%^&;\*\*\*\*((@bit.ly/3vzLjtz#ZmluYW5jZUBuZ3BjYXAuY29t

This is almost certainly designed to bamboozle users, but to your computer it looks fine. As weird as this URL appears, it is actually valid and acceptable, and your browser will happily parse it for you.

Users who clicked on the link were passed through a chain of redirects before ending up at a phishing page that looks like the Outlook login screen.

The phishing site is a copy of the Outlook login page

**Reading the URL**

As weird as it looks, the URL in this phishing campaign sticks to the rules of what’s allowed in a web address. The part you see least often is the @ symbol. RFC 3986 refers to anything after https:// and before the @ symobl, highlighted below, as userinfo. This part of the URL is for passing authentication information like a username and password, but it is very rarely used, and is simply ignored as a so-called “opaque string” by many systems.

https://**$%^&;\*\*\*\*((@**bit.ly/3vzLjtz#ZmluYW5jZUBuZ3BjYXAuY29t

The last part of the URL after the # is also ignored when you click the link. This is called the fragment identifier and it represents a piece of the destination page. The browser might use it to scroll to a section of the destination page, or it might be used to pass information to the destination page, but it plays no part in determining what the destination actually is.

https://bit.ly/3vzLjtz**#ZmluYW5jZUBuZ3BjYXAuY29t**

In this case the fragment ID—ZmluYW5jZUBuZ3BjYXAuY29t—appears to be a unique ID that identifies the email address the phish was sent to. If it’s removed, the link works but when you reach the final destination it simply shows a loading icon, perhaps to hide the site’s true intentions to accidental visitors or researchers.

What we are left with when we remove the parts that of the link that are ignored by the browser is a very ordinary-looking bit.ly link. Exactly the kind of thing you might think is suspicious in an email that says it’s from Microsoft.

https://bit.ly/3vzLjtz

As you probably know, bit.ly is a URL shortening service. The bit.ly link redirects users to another URL, likely used for tracking, which itself redirects users to the phishing page.

**Does your browser support the @ symbol?**

If you are one of the 2.6 billion people using Chrome, the answer is “yes”, URLs that use the @ symbol work in Chrome and other Chromium-based browsers such as Vivaldi, Brave, and Microsoft Edge.

The latest version of Microsoft’s Internet Explorer doesn’t parse URLs with the @ delimiter though.

Firefox and Firefox-based browsers, such as Tor and Pale Moon, are also affected.

And what about Safari?

According to Thomas Reed, Malwarebytes’ Director of Mac and Mobile, “This technique appears to work in Safari and all other major Mac browsers. Firefox will show a warning when attempting to visit such a link. Unfortunately, Safari—the most popular browser on macOS—does not display a warning and opens the link without objection, as does Chrome.”

Reed also points out that email software will often look for URLs in plain text emails and convert them to clickable links, but the @ symbol seems to prevent this. According to Reed: “The URL used by the phishing campaign does not become a clickable link by itself.” The links will still work in HTML emails, so this isn’t much of a barrier, just a feather in the cap of hold outs who insist on viewing their emails in plain text!

The wide support for the confusing and little-used @ symbol could see it used more widely. In a Threat Post interview, Perception Point’s Vice President of Customer Success and Incident Response, Motti Elloul, predicted that this won’t be the last time we’ll see phishing attacks taking advantage of it.

“The technique has the potential to catch on quickly, because it’s very easy to execute,” he said. “In order to identify the technique and avoid the fallout from it slipping past security systems, security teams need to update their detection engines in order to double check the URL structure whenever @ is included.”

Long lost @ symbol gets new life obscuring malicious URLs

Expansion includes new capabilities for hybrid deployment models and industrial Internet of things (IIoT) environments.

ATHENS, Greece, May 17, 2022 /PRNewswire/ -- Barracuda Discover.22 EMEA Partner Conference --

**Highlights:**

*   Cloud-native Secure Access Service Edge (SASE) platform from Barracuda now supports hybrid cloud environments, enabling deployments in Microsoft Azure and at the private service edge.
*   Barracuda provides industry-leading, highly scalable connectivity and security support for the industrial internet of things (IIoT). Technology integrations with FireMon, Skybox, TTTech, and Nozomi further expand the scope of security services.
*   Barracuda's Zero Trust Access solution is now simpler to deploy, leveraging a new virtual deployment with integrated directory connectors.

Barracuda Networks, Inc., a leading provider of cloud-first security solutions, today announced the expansion of its cloud-native SASE platform. Barracuda's SASE platform streamlines Secure SD-WAN, firewall-as-a-service, Zero Trust Network Access, and Secure Web Gateway functionality and incorporates secure connectivity to industrial IoT devices. The expansion includes new capabilities for hybrid deployment models and IIoT environments. Additionally, new technology integrations offer secure data transfer, orchestration, asset management, and anomaly detection.

**According to Gartner®**, "By 2024, 80% of SD-WAN deployments will incorporate security service edge (SSE) requirements, up from less than 25% in 2022."1

As part of the Barracuda SASE platform, CloudGen WAN, Barracuda's Secure SD-WAN service and firewall-as-a-service, now provides private service edge for hybrid deployments. Private service edge is ideal for organizations that need to follow certain geopolitical requirements or need full control over the data plane. Private service edge devices provide the same scope of security and networking functionality as the cloud service and are administrated and maintained via a central management platform.

Barracuda CloudGen WAN now offers Secure Connector virtual appliances and new ruggedized site devices. These updates provide highly scalable internet-of-things connectivity, as well as cloud and private service edge-based security for IIoT endpoints. The Secure Connector endpoint virtual agent can be deployed in Docker environments for a wide range of third-party IIoT solutions.

To meet the specific challenges and requirements of digitalization and the internet of things, Barracuda integrates with specialized technology partners, including FireMon, Skybox, TTTech, and Nozomi. These integrations provide the ability for customers to enable secure data transfer, take advantage of automated incident response, and align with the latest IIoT security standards.

Zero Trust Access is often the first step toward SASE. As part of Barracuda's SASE platform, Barracuda CloudGen Access now offers new tools and capabilities that radically simplify deployments. CloudGen Access is now available with a turnkey proxy for simple deployment and cloud user directory connector for easy sync of users and groups.

**Quotes:  
**"The expansion of Barracuda's cloud-native SASE platform for hybrid deployment models and IIoT environments solves a number of common security, connectivity, and scalability challenges that businesses are facing in this age of digital transformation," **said Tim Jefferson, SVP, Engineering for Data, Network, and Application Security at Barracuda.** "Today's announcement underscores Barracuda's ongoing commitment to collaborate with specialized technology partners to develop tailored solutions, integrate advanced technologies, and expand the capabilities of our cloud-first offerings."

"Barracuda offered the only cloud-native firewall-as-a-service that provided all the enterprise security levels we needed and even included SD-WAN for uninterrupted connectivity and reliable application access to Azure," **said Hans Redlich, IT Lead at Hagedorn Group of Companies, in a Barracuda case study.**

"Barracuda Secure Connector solutions made it easy for us to implement device connectivity and IoT-platform connectivity across our products," **said Ulrich Poeschl, Chief Information Security Officer at Test-Fuchs GmbH, in a Barracuda** **case study****.**

**Resources:**  
Check out the product page: https://www.barracuda.com/products/sase

Get the Gartner**®** report, How to Align SD-WAN Projects with SASE Initiatives: http://cuda.co/grptsdwansase

Gartner named Barracuda a Visionary in 2021 Magic Quadrant™ for Network Firewalls. Get the report: https://www.barracuda.com/networkfirewallsmq

**See the blog posts:  
**A closer look at the expansion of Barracuda's SASE platform: http://cuda.co/50895

Zero Trust adoption simplified: http://cuda.co/50893

Aligning SD-WAN projects with SASE initiatives: http://cuda.co/50891

**Citations:  
**1Gartner, "How to Align SD-WAN Projects With SASE Initiatives," by Bjarne Munch, Lisa Pierce, Craig Lawson, published December 1, 2021.

Gartner, Magic Quadrant for Network Firewalls, Rajpreet Kaur, Jeremy D'Hoinne, Nat Smith, Adam Hils, 1 November 2021

Gartner and Magic Quadrant are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

**About Barracuda Discover.22 EMEA Partner Conference  
**Barracuda Discover.22 takes place May 17-19 in Athens, Greece. The informative event covers a wide range of topics, including security threats and trends, hands-on technical sessions, new product announcements, and the latest innovations in email protection, application and cloud security, network security, and data protection.

**About Barracuda  
**At Barracuda, we strive to make the world a safer place. We believe every business deserves access to cloud-first, enterprise-grade security solutions that are easy to buy, deploy, and use. We protect email, networks, data, and applications with innovative solutions that grow and adapt with our customers' journey. More than 200,000 organizations worldwide trust Barracuda to protect them — in ways they may not even know they are at risk — so they can focus on taking their business to the next level. For more information, visit barracuda.com. 

Barracuda Networks, Barracuda and the Barracuda Networks logo are registered trademarks or trademarks of Barracuda Networks, Inc. in the U.S. and other countries. Other trademarks are the property of their respective owners.

Barracuda Expands Cloud-Native SASE Platform to Protect Hybrid Cloud Deployments

Provides security architects with access to custom scripts that can be natively integrated with other Qualys solutions.

FOSTER CITY, Calif., May 17, 2022 /PRNewswire/ -- Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, today unveiled Qualys Custom Assessment and Remediation, opening its Cloud Platform to give security architects access to custom scripts that can be natively integrated with other Qualys solutions. This new solution significantly reduces response time by empowering security teams to orchestrate workflows, secure custom applications, and take immediate action to counter threats like zero-day attacks lessening the need to rely on the IT operations teams.

When threats hit, security teams need to quickly discover, assess and remediate both their third-party and custom applications. A typical response involves creating new out-of-band processes and custom scripts that need to be rolled out across hundreds or thousands of applications and endpoints by the security teams using a variety of techniques and ITSM tools. This approach creates a blind spot from an auditing and tracking standpoint and negatively impacts responsiveness.

"Reducing mean time to respond (MTTR) is the key metric for managing security risk, but it requires having the right security tools in place to optimize efficiency," said Melinda Marks, senior analyst at Enterprise Strategy Group. "Qualys Custom Assessment and Remediation leverages the comprehensive capabilities of the Qualys Cloud Platform to speed up your ability to respond to a detected security issue. It provides centralized control while helping teams remediate issues within their existing tools and workflows, saving them from inefficient, costly out-of-band rework cycles."

Qualys Custom Assessment and Remediation opens the Qualys Platform for security architects allowing the creation of custom scripts in popular scripting languages, user-defined controls and automation, all seamlessly integrated within existing programs to quickly assess, respond and remediate threats across your global hybrid environment.

Qualys Custom Assessment and Remediation enables security teams to:

**Quickly Address Zero-Day Threats**– The solution puts the power to rapidly respond to zero-day vulnerabilities directly in the hands of the security team by automating processes such as collecting and evaluating data, synthesizing third-party threat intelligence feeds, and performing appropriate remediation actions, such as configuration changes, deleting suspicious files or deploying registry changes. The result is an accelerated MTTR, which is critical to containing an attack**.**

**Secure and Audit Custom Applications –** Security teams can add customized controls and processes, without IT intervention, for various organizational activities including remediation actions eliminating the need to reinvent new scripts. This improves efficiency and allows security practitioners time to focus on more strategic activities.

**Tightly Integrate into Qualys VMDR Workflows** – Scripts are seamlessly integrated into existing VMDR workflows via assignment of custom Qualys IDs and Control IDs, which increases efficiency.

**Access a Centralized Library for Custom Scripts and Controls** – The solution provides centralized control over custom scripts easily mapped into workflows, and it is secured by role-based access control (RBAC) as well as review and approval processes. Additionally, deployment of scripts is simplified by using a centrally managed and customizable library of more than 50 popular reusable scripts to address common problems.

"Security teams struggle to manage and respond to a range of challenges that often require custom approaches," said Nagi Prabhu, chief product officer, Qualys. "By opening the Qualys Platform, we put security teams in the driver's seat. Qualys Custom Assessment and Remediation enables the creation of custom scripts and controls that are seamlessly integrated into existing security processes and workflows while extending the capabilities of the Cloud Agent so organizations can respond to threats such as Zero-Days immediately."

**Availability**

Qualys Custom Assessment and Remediation is immediately available. To request a free trial, visit www.qualys.com/car-trial. Learn more by joining our June 1 webinar.

**Additional Resources**

*   Learn about Qualys Custom Assessment and Remediation
*   Details on the Qualys Cloud Platform
*   Follow Qualys on LinkedIn and Twitter

**About Qualys**

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based security, compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.

The Qualys Cloud Platform leverages a single agent to continuously deliver critical security intelligence while enabling enterprises to automate the full spectrum of vulnerability detection, compliance, and protection for IT systems, workloads and web applications across on premises, endpoints, servers, public and private clouds, containers, and mobile devices. Founded in 1999 as one of the first SaaS security companies, Qualys has strategic partnerships and seamlessly integrates its vulnerability management capabilities into security offerings from cloud service providers, including Amazon Web Services, the Google Cloud Platform and Microsoft Azure, along with a number of leading managed service providers and global consulting organizations. For more information, please visit http://www.qualys.com.

Qualys Adds Custom Assessment and Remediation to Its Cloud Platform

Microsoft researchers say they are tracking a botnet that is leveraging bugs in the Spring Framework and WordPress plugins.

Microsoft researchers say they are tracking a botnet that is leveraging bugs in the Spring Framework and WordPress plugins.

Unpatched vulnerabilities in the Spring Framework and WordPress plugins are being exploited by cybercriminals behind the Sysrv botnet to target Linux and Windows systems. The goal, according to researchers, is to infect systems with cryptomining malware.

The botnet variant is being called Sysrv-K by Microsoft Security Intelligence researchers that posted a thread on Twitter revealing details of the botnet variant.

Researchers said criminals behind Sysrv-K have programmed their bot army to scan for instances of the flaws in WordPress plugins as well as a recent remote code execution (RCE) flaw in the Spring Cloud Gateway (CVE-2022-22947).  
  
“These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins, as well as newer vulnerabilities like CVE-2022-22947. Once running on a device, Sysrv-K deploys a cryptocurrency miner,” said Microsoft Security Intelligence in a tweet.

> We encountered a new variant of the Sysrv botnet, known for exploiting vulnerabilities in web apps and databases to install coin miners on both Windows and Linux systems. The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers.
> 
> — Microsoft Security Intelligence (@MsftSecIntel) May 13, 2022

The Spring Cloud is an open-source library that eases the process of developing the JVM application for the cloud and the Spring Cloud Gateway provides a library for building API Gateways for Spring and Java.

The CVE-2022-22947 is a code injection vulnerability in the Spring Cloud Gateway library and an attacker can perform remote code execution (RCE) on unpatched hosts. The flaw affected the VMware and Oracle products and it has been marked as critical by both the vendors.

****Working of Sysrv-K****

The Microsoft security intelligence team warned that Sysrv-K can gain control of the web servers by scanning the internet for various vulnerabilities to install itself. The vulnerabilities range from RCE to an arbitrary file download and path traversal to remote file disclosure.

The security researcher at Lacework Labs and Juniper Threat Labs observed two main components of malware that is to spread itself across networks by scanning the internet for vulnerable systems and installing the XMRig cryptocurrency miner (used for mining Monero) following a surge of activity in March 2021.

The new feature of Sysrv-K is that it scans for WordPress config files and their backups to steal credentials and gain access to the webserver. Apart from this “Sysvr-K has updated communication capabilities, including the ability to use a Telegram bot” Microsoft added.

“Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet” the Microsoft security intelligence team reported.

Microsoft advised the organizations to secure internet-facing Linux or Windows systems, timely apply security updates, and protect credentials. “Microsoft Defender for Endpoint detects Sysrv-K and older Sysrv variants, as well as related behavior and payloads,” they added.

The critical RCE, Worms, and 6 Zero-days including (CVE-2022-22947) were faced by Microsoft in January 2022.

Sysrv-K Botnet Targets Windows, Linux

The goal was Win32k Lockdown – a serious step up in Windows security

The goal was Win32k Lockdown – a serious step up in Windows security

Mozilla’s Firefox has introduced improved security mechanisms to reduce the browser attack surface.

On May 12, Mozilla security engineering manager Gian-Carlo Pascutto confirmed that the changes were included in Firefox 100, released to the stable channel on May 3.

**Process isolation**

When users browse the web through Firefox, the software renders content into separate processes, isolated from the operating system (OS) and managed by a single privileged parent process.

The reasoning behind this model is that if a bug exists in a content process, the potential attack vectors are limited.

**YOU MIGHT ALSO LIKE** ‘Browser in a browser’ – Phishing technique simulates pop-ups to exploit users

The Mozilla team wanted to refine the model further – a challenging prospect since “content processes need access to some operating system APIs to properly function: for example, they still need to be able to talk to the parent process”, according to Pascutto.

The team has already introduced Fission, a sandbox for web pages and frames, as well as RLBox, a subcomponent isolator.

Now, Firefox has debuted Win32k Lockdown, which together with Fission and RLBox “will significantly improve Firefox’s security”.

**Win32k Lockdown**

Win32k Lockdown is specific to Windows machines. Mozilla says that the parent process requires access to the full Windows API by default – including threats, OS processes, and memory.

Specifically, Mozilla wanted to restrict access to win32k.sys, an API historically exploitable, via Microsoft’s , an app for disabling access to win32k.sys system calls.

However, doing so meant that web content processes couldn’t perform a range of graphical, management, or input processing tasks otherwise handled by the API.

Therefore, Mozilla Firefox undertook a serious redesign. This included a switch to WebRender for painting web page content, making Canvas 2D and WebGL 3D operate remotely, and tweaking form controls and displays so they do not need to call OS widget APIs from within the content process.

In addition, Firefox has also rehashed line break functionality. However, challenges remain when it comes to third-party DLL loading and interactions, and a fix is planned for a future Firefox release.

**Gradual expansion**

While this security update has primarily focused on Windows machines, macOS and Linux users were not forgotten.

A quiet change was introduced for Mac users In Firefox 95 that blocked access to the WindowServer, improving process startup by between 30 - 70% and bumping up security. In Linux, the link between content processes and the X11 Server was broken in Firefox 99.

“Retrofitting a significant change in the separation of responsibilities in a large application like Firefox presents a large, multi-year engineering challenge, but it is absolutely required in order to advance browser security and to continue keeping our users safe,” Pascutto commented.

“We’re pleased to have made it through and present you with the result in Firefox 100.”

Read more of the latest browser security news

Alongside the security improvements, Firefox 100 also included new video caption support, credit card autofill for UK users, color scheme fixes, and patches for bugs such as CVE-2022-29909, a permission prompt bypass in nested browsing contexts and CVE-2022-29911, an iframe sandbox bypass.

Both Chome and Firefox have now reached the triple-digits in browser versions. When websites rely on identifying the browser version to perform business logic functions, moving from double to triple could break website functionality.

Both organizations provided compatibility testing tools to allow webmasters to identify issues before the transition.

_The Daily Swig_ has reached out to Mozilla and we will update when we hear back.

**RELATED** ‘Dangerous’ EU web authentication plan threatens to undercut browser-led certification system, detractors claim

Firefox debuts improved process isolation to reduce browser attack surface

Microsoft is warning of a new variant of the srv botnet that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems.
The tech giant, which has called the new version Sysrv-K, is said to weaponize an array of exploits to gain control of web servers. The cryptojacking botnet first emerged in December 2020.
"Sysrv-K scans the

Microsoft is warning of a new variant of the **srv botnet** that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems.

The tech giant, which has called the new version **Sysrv-K**, is said to weaponize an array of exploits to gain control of web servers. The cryptojacking botnet first emerged in December 2020.

"Sysrv-K scans the internet to find web servers with various vulnerabilities to install itself," the company said in a series of tweets. "The vulnerabilities range from path traversal and remote file disclosure to arbitrary file download and remote code execution vulnerabilities."

This also includes CVE-2022-22947 (CVSS score: 10.0), a code injection vulnerability in Spring Cloud Gateway that could be exploited to allow arbitrary remote execution on a remote host via a maliciously crafted request.

It's worth noting that the abuse of CVE-2022-22947 has prompted the U.S. Cybersecurity and Infrastructure Security Agency to add the flaw to its Known Exploited Vulnerabilities Catalog.

A key differentiator is that Sysrv-K scans for WordPress configuration files and their backups to fetch database credentials, which are then used to hijack web servers. It's also said to have upgraded its command-and-control communication functions to make use of a Telegram Bot.

Once infected, lateral movement is facilitated through SSH keys available on the victim machine to deploy copies of the malware to other systems and grow the botnet's size, effectively putting the entire network at risk.

"The Sysrv malware takes advantage of known vulnerabilities to spread their Cryptojacking malware," Lacework Labs researchers noted last year. "Ensuring public facing applications are kept up to date with the latest security patches is critical to avoid opportunistic adversaries from compromising systems."

Besides securing internet-exposed servers, Microsoft is additionally advising organizations to apply security updates in a timely fashion and build credential hygiene to reduce risk.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft