The fact that the flaws enable remote code execution, exist across all major Apple OS technologies, and are being actively exploited heightens the need for a quick response.

Security researchers are urging users of Apple Mac, iPhone, and iPad devices to immediately update to newly released versions of the operating systems for each technology, to mitigate risk from two critical vulnerabilities in them that attackers are actively exploiting.

The zero-day flaws allow threat actors to take complete control of affected devices. They impact users of iPhone 6s and later, all models of iPad Pro, iPod touch (7th generation), iPad Ai2 and later, iPad 5th generation and later, and iPad mini 4 and later. Also affected are users with Macs running macOS Monterey, macOS Big Sur, and macOS Catalina. Apple disclosed the vulnerabilities and the updates addressing them on Wednesday.

**Remote Code Execution Flaws**

One of the zero-days (CVE-2022-32893) exists in WebKit, Apple's browser engine for Safari and for all iOS and iPadOS Web browsers. Apple described the flaw as tied to an out-of-bounds write issue that attackers could use to remotely take control of vulnerable devices. "Processing maliciously crafted web content may lead to arbitrary code execution," Apple warned in one of its typically terse vulnerability disclosures this week. "Apple is aware of a report that this issue may have been actively exploited," the company noted.

The other vulnerability (CVE-2022-32894) is also an out-of-bounds write flaw that gives attackers a way to execute code with kernel-level privileges on vulnerable devices. Such vulnerabilities allow attackers to gain complete access to the underlying hardware. The company said it is aware of reports of attackers actively exploiting the bug.

Apple said it had implemented "improved bounds checking" in iOS 15.6.1, iPadOS 15.6.1, macOS Monterey 12.5.1, and Safari 15.6.1 to address both issues.

Lisa Plaggemier, executive director of the National Cybersecurity Alliance, said the widespread use of Apple's technologies puts both businesses and consumers at risk from the vulnerabilities. "While cyber criminals will no doubt try to access personal information about consumers, accessing a business often has significantly more upside for malicious actors," she says.

**WebKit Flaw Has Wider Impact**

In a blog, Sophos identified CVE-2022-32893 as having potentially the wider impact compared to the other flaw that Apple disclosed this week. The flaw gives attackers a way to set up "booby-trapped" Web pages that can trick Macs, iPhones, and iPads into running untrusted software. "Simply put, a cybercriminal could implant malware on your device even if all you did was to view an otherwise innocent web page," the security vendor said.

The flaw has widespread impact because WebKit powers all Web rendering software on Apple's mobile devices and is used widely by Mac users as well. The vulnerability impacts more applications and systems components than just the Safari browser itself, so steering clear of the browser alone is not enough to mitigate risk, Sophos said.

"The WebKit component is particularly problematic, as it is the browser engine across all Apple software," says Rick Holland, chief information security officer and vice president of strategy at Digital Shadows. "Apple users should patch now. These updates need to be applied as soon as possible."

**Both Consumers & Organizations at Risk**

Like many others have noted about the sparse nature of software vendor vulnerability disclosures recently, Holland too said it would have been more useful for defenders if Apple had provided more context and details around the flaws.

"Apple is light on the technical details of this week's two zero-day vulnerabilities," he says. "However, it is never reassuring to see the phrase 'execute arbitrary code with kernel privileges'," as Apple's disclosure reads.

Defenders should push patches out immediately and send notifications that employees should be patching any personal iPhones, iPads, or Macs. These updates present a security awareness opportunity to discuss the risks to employees' lives and provide patching instructions, including how to enable automatic updates.

Mike Parkin, senior technical engineer at Vulcan Cyber, says there's not enough information to determine how easily attackers can exploit these vulnerabilities. But reports about the flaws being already used in the wild is concerning, he says, especially because they allow for remote code execution. Apple products are widely used both in enterprise and consumer markets, and often overlap for people who work in Bring Your Own Device (BYOD) environments, he says. Given that, and the relative lack of detail, it's hard to say who'll be more at risk.

"Organizations should deploy the appropriate controls to minimize the risk to their environments," Parkin advocates. "The ones that allow BYOD devices will face some additional challenges, as they'll need to address systems that they don't directly control."

Patch Now: 2 Apple Zero-Days Exploited in Wild

Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack.

Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack.

Apple is urging macOS, iPhone and iPad users immediately to install respective updates this week that includes fixes for two zero-days under active attack. The patches are for vulnerabilities that allow attackers to execute arbitrary code and ultimately take over devices.

Patches are available for effected devices running iOS 15.6.1 and macOS Monterey 12.5.1. Patches address two flaws, which basically impact any Apple device that can run either iOS 15 or the Monterey version of its desktop OS, according to security updates released by Apple Wednesday.

One of the flaws is a kernel bug (CVE-2022-32894), which is present both in iOS and macOS. According to Apple it is an “out-of-bounds write issue \[that\] was addressed with improved bounds checking.”

The vulnerability allows an application to execute arbitrary code with kernel privileges, according to Apple, which, in usual vague fashion, said there is a report that it “may have been actively exploited.”

The second flaw is identified as a WebKit bug (tracked as CVE-2022-32893), which is an out-of-bounds write issue that Apple addressed with improved bounds checking. The flaw allows for processing maliciously crafted web content that can lead to code execution, and also has been reported to be under active exploit, according to Apple. WebKit is the browser engine that powers Safari and all other third-party browsers that work on iOS.

**Pegasus-Like Scenario**

The discovery of both flaws, about which little more beyond Apple’s disclosure are known, was credited to an anonymous researcher.

One expert expressed worry that the latest Apple flaws “could effectively give attackers full access to device,” they might create a Pegasus-like scenario similar to the one in which nation-state APTs barraged targets with spyware made by Israeli NSO Group by exploiting an iPhone vulnerability.

“For most folks: update software by end of day,” tweeted Rachel Tobac, the CEO of SocialProof Security, regarding the zero-days. “If threat model is elevated (journalist, activist, targeted by nation states, etc): update now,” Tobac warned.

**Zero-Days Abound**

The flaws were unveiled alongside other news from Google this week that it was patching its fifth zero-day so far this year for its Chrome browser, an arbitrary code execution bug under active attack.

The news of yet more vulnerabilities from top tech vendors being barraged by threat actors demonstrates that despite the best efforts from top-tier tech companies to address perennial security issues in their software, it remains an uphill battle, noted Andrew Whaley, senior technical director at Promon, a Norwegian app security company.

The flaws in iOS are especially worrying, given the ubiquity of iPhones and users’ utter reliance on mobile devices for their daily lives, he said. However, the onus is not only on vendors to protect these devices but also for users to be more aware of existing threats, Whaley observed.

“While we all rely on our mobile devices, they are not invulnerable, and as users we need to maintain our guard just like we do on desktop operating systems,” he said in an email to Threatpost.

At the same time, developers of apps for iPhones and other mobile devices also should add an extra layer of security controls in their technology so they are less reliant on OS security for protection, given the flaws that frequently crop up, Whaley observed.

“Our experience shows that this is not happening enough, potentially leaving banking and other customers vulnerable,” he said.

iPhone Users Urged to Update to Patch 2 Zero-Days

Spring4Shell and Veeam RCE exploit topped the list in Q1 2022

Spring4Shell and Veeam RCE exploit topped the list in Q1 2022

API-related security vulnerabilities continue to be a thorn in the side of organizations, with access control flaws now associated with high-severity CVEs.

According to a new whitepaper published by API security firm Wallarm, titled ‘API vulnerabilities discovered and exploited in Q1-2022’, a total of 48 API-related vulnerabilities were found and reported in the first quarter.

Based on industry standards, 18 were considered high-risk and 19 were labeled as of medium severity, the report (PDF) says.

The critical vulnerabilities disclosed publicly earned themselves CVSS v3 scores ranging from 8.1 and 10.

**Top API threats**

Merging both OWASP Top 10 and OWASP API Security Top 10 standards, the cybersecurity firm categorized the most significant API threat disclosures as issues relating to broken access controls (or broken function level authorization, depending on the OWASP standard), as well as injection attacks.

While security flaws including cryptographic failures, insecure design, excessive data exposure, and misconfigurations also made the list, the most dangerous, exploited API vulnerabilities disclosed in Q1 2022 relate to injection attacks, incorrect authorization or a complete bypass, and incorrect permission assignment.

Topping the list of the four most dangerous API vulnerabilities disclosed and reported in the first quarter of 2022 is CVE-2022-22947, also known as ‘Spring4Shell.’

**BACKGROUND** Spring4Shell: Microsoft, CISA warn of limited, in-the-wild exploitation

Spring4Shell is linked to two vulnerabilities – CVE-2022-22963, a SpEL expression injection bug in Spring Cloud Function, and CVE-2022-22947, a code injection attack leading to remote code execution (RCE) in Spring Framework’s Java-based Core module.

A developer publicly released exploit code for the critical bug in March, and although promptly deleted, the release of working RCE code ensured Spring4Shell became a headache for developers who needed to apply Spring’s emergency patch quickly.

The vulnerability was compared to Log4j due to the Spring Framework’s popularity. Before long, Microsoft and CISA warned of active exploitation of the zero-day flaw. Attackers then harnessed the bug to grow the Mirai botnet.

**Enterprise technologies targeted**

The second vulnerability at the top of the API vulnerability list is CVE-2022-26501 (CVSS 9.8), an improper authentication bug in Veeam Backup and Replication that allows attackers to execute arbitrary code remotely without authentication. Veeam supports over 400,000 customers, many of which are enterprise firms.

According to Nikita Petrov, the Positive Technologies researcher who disclosed the critical bug alongside two others, CVE-2022-26501 had the potential to “be exploited in real attacks and put many organizations at significant risk”.

The third flaw, another assigned a CVSS score of 9.8, impacts Zabbix, an enterprise-grade open source network tool. Tracked as CVE-2022-23131, when a non-default setting to enable SAML SSO authentication was in use, the tool’s front end was susceptible to privilege escalation and admin session hijacking – as long as an attacker knew the admin’s username.

**YOU MIGHT ALSO LIKE** SOS.dev program launched to help protect critical upstream software

Fourth is CVE-2022-24327, a lower-grade bug assigned a CVSS score of 7.8 but still considered a severe vulnerability. Found in the JetBrains suite hub, the bug related to developer accounts integrated into the hub which inadvertently exposed API keys with excessive permissions, potentially leading to account takeover or hijacking.

Finally, Wallarm has bundled a category of API security threats as a common denominator in many cyber-attacks today. Described by Mitre as “CWE-639: Authorization Bypass Through User-Controlled Key”, the issues surround system authorization functionality which allows key values to be tampered and users to access other users’ data or records without permission.

APIs, as key communication methods between functions, will remain a target for cyber-attackers as long as they are in use due to their critical roles in modern networks and services.

In recent API security news, open source hacking tool GoTestWAF has introduced API security platform evaluation capabilities, emulating OWASP and API exploits to test API security defenses.

**RECOMMENDED** Vulnerability in open source identity management system Free IPA could lead to XXE attacks

API security: Broken access controls, injection attacks plague the enterprise security landscape in 2022

Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded.

Payara Community Version 5.2022.3 is out today, bringing concurrency enhancements previously seen in Enterprise and a key security fix, solving the recently discovered CVE-2022-37422. You must update your environments to the latest version to be safe.

Please note: This is not the final Payara 5 Community release, but that final release is coming up in September - soget prepared to move to Jakarta EE 10 or choose Enterprise.

Payara Community Version 5.2022.3 brings 10 bug fixes, 6 component updates, 7 improvements and 1 key security fix.

You can download Payara Community Version 5.2022.3here.

**You Must Update - CVE-2022-37422**

There is a recently detected a 0-day vulnerability in all distributions of the Payara Platform that affects web applications that are deployed in the default context root(/). To this effect, we have prepared a fix. 

All Payara users must update their environment as soon as possible to remain safe. The safe versions are:

*   Payara Enterprise 5.42.0
*   Payara Community 5.2022.3
*   Payara Enterprise 4.1.2.191.36

Not out yet, but coming soon:   

*   Payara Community 6.2022.1.Alpha4

We would like to credit and give thanks to Marcin Dudek (@dudekmar) who originally reported the issue.

**Payara Community Receives Concurrency Enhancements **

Payara 5 Community users can now enjoy concurrency enhancements previously brought to Payara Enterprise.

Payara-resources.xml already allowed several different types of resources to be defined within it. Now, ManagedExecutorServices is one of them.This allows you to create concurrent ManagedExecutor resources automatically when the .ear or .jar that needs them is deployed. 

You can also now use ForkJoinPool for Managed Executor Services.

However, please note, that Payara 5 Community will soon be discontinued and the only safe way to use these enhancements will be with Payara 6 Community or Payara 5 Enterprise - find out more here.

**Enterprise Users: Payara 4.x Extended Maintenance **

Today also sees the release of Payara 4.1.2.191.36. This is the last release before it enters its Extended Support phase. You have been emailed about this but monthly patches will stop being released for the current minor version, and we'll stop implementing hotfixes and backport fixes for releases older than 4.1.2.191. Please upgrade your environments and contact our support team via the usual channels with any questions.

**Webinar Move Your GlassFish Upstream: What You Need to Know About Migration**

If you are reading this, it is likely you are already using Payara Platform - but if you still have applications or projects in GlassFish, or know people who do, it's time to make the change. 

Previously scheduled for July, the webinar has now been rearranged for August 24, 3.00 PM BST. Make sure you re-sign up:Release Notes

Payara Community Version 5.2022.3 brings 10 bug fixes, 6 component updates, 7 improvements and 1 key security fix. 

See a more detailed overview in the Release Notes:

*   Payara Platform  Community Edition  5.2022.3

**Comments**

CVE-2022-37422: August Payara 5 Community Release Out Today!

An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.

An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.

Google has patched the fifth actively exploited zero-day vulnerability discovered in Chrome this year as one in a series of fixes included in a stable channel update released Wednesday.

The bug, tracked as CVE-2022-2856 and rated as high on the Common Vulnerability Scoring System (CVSS), is associated with “insufficient validation of untrusted input in Intents,” according to the advisory posted by Google.

Google credits Ashley Shen and Christian Resell of its Google Threat Analysis Group (TAG) for reporting the zero-day bug, which could allow for arbitrary code execution, on July 19. The advisory also unveiled 10 other patches for various other Chrome issues.

Intents are a deep linking feature on the Android device within the Chrome browser that replaced URI schemes, which previously handled this process, according to Branch, a company that offers various linking options for mobile applications.

“Instead of assigning window.location or an iframe.src to the URI scheme, in Chrome, developers need to use their intent string as defined in this document,” the company explained on its website. Intent “adds complexity” but “automatically handles the case of the mobile app not being installed” within links, according to the post.

Insufficient validation is associated with input validation, a frequently-used technique for checking potentially dangerous inputs to ensure that they are safe for processing within the code, or when communicating with other components, according to MITRE’s Common Weakness Enumeration site.

“When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application,” according to a post on the site. “This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.”

**Fending Off Exploits**

As is typical, Google did not disclose specific details of the bug until it is widely patched to avoid threat actors taking further advantage of it, a strategy that one security professional noted is a wise one.

“Publicizing details on an actively exploited zero-day vulnerability just as a patch becomes available could have dire consequences, because it takes time to roll out security updates to vulnerable systems and attackers are champing at the bit to exploit these types of flaws,” observed Satnam Narang, senior staff research engineer at cybersecurity firm Tenable, in an email to Threatpost.

 Holding back info is also sound given that other Linux distributions and browsers, such as Microsoft Edge, also include code based on Google’s Chromium Project. These all could be affected if an exploit for a vulnerability is released, he said.

“It is extremely valuable for defenders to have that buffer,” Narang added.

While the majority of the fixes in the update are for vulnerabilities rated as high or medium risk, Google did patch a critical bug tracked as CVE-2022-2852, a use-after-free issue in FedCM reported by Sergei Glazunov of Google Project Zero on Aug. 8. FedCM—short for the Federated Credential Management API–provides a use-case-specific abstraction for federated identity flows on the web, according to Google.

**Fifth Chrome 0Day Patch So Far**

The zero-day patch is the fifth Chrome bug under active attack that Google has patched so far this year.

In July, the company fixed an actively exploited heap buffer overflow flaw tracked as CVE-2022-2294 in WebRTC, the engine that gives Chrome its real-time communications capability, while in May it was a separate buffer overflow flaw tracked as CVE-2022-2294 and under active attack that got slapped with a patch.

In April, Google patched CVE-2022-1364, a type confusion flaw affecting Chrome’s use of the V8 JavaScript engine on which attackers already had pounced. The previous month a separate type-confusion issue in V8 tracked as CVE-2022-1096 and under active attack also spurred a hasty patch.

February saw a fix for the first of this year’s Chrome zero-days, a use-after-free flaw in Chrome’s Animation component tracked as CVE-2022-0609 that already was under attack. Later it was revealed that North Korean hackers were exploiting the flaw weeks before it was discovered and patched.

Google Patches Chrome’s Fifth Zero-Day of the Year

Categories: Exploits and vulnerabilities
Categories: News
Tags: macOS

Tags:  iOS

Tags:  CVE-2022-32894

Tags:  CVE-2022-32893

Tags:  kernel privileges

Tags:  WebKit

Tags:  actively exploited

Tags:  watering hole

Tags:  exploit kit

Apple has released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.



(Read more...)




The post Urgent update for macOS and iOS! Two actively exploited zero-days fixed appeared first on Malwarebytes Labs.

Apple has released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs you need to know:

**Kernel privileges**

CVE-2022-32894: An out-of-bounds write issue was addressed with improved bounds checking. The vulnerability could allow an application to execute arbitrary code with kernel privileges. The kernel privileges are the highest possible privileges, so an attacker could take complete control of a vulnerable system by exploiting this vulnerability.

Apple points out that they are aware of a report that this issue may have been actively exploited.

**WebKit**

CVE-2022-32893: An out-of-bounds write issue was addressed with improved bounds checking. Processing maliciously crafted web content may lead to arbitrary code execution. An attacker could lure a potential victim to a specially crafted website or use malvertising to compromise a vulnerable system by exploiting this vulnerability. Since the vulnerability exists in Apple’s HTML rendering software (WebKit). WebKit powers all iOS web browsers and Safari, so possible targets are iPhones, iPads, and Macs which could all be tricked into running unauthorized code.

Apple points out that they are aware of a report that this issue may have been actively exploited.

**More details**

Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. And even then, it depends on the anonymous researcher(s) that reported the vulnerabilities whether we will ever learn the technical details. Or when someone is able to reverse engineer the update that fixes the vulnerability.

That being said, it seems likely that these vulnerabilities were found in an active attack that chained the two vulnerabilities together. The attack could, for example, be done in the form of a watering hole or as part of an exploit kit. CVE-2022-32892 could be exploited for initial code to be run. This code could be used to leverage CVE-2022-32894 to obtain kernel privileges

**Mitigation**

Users are under advice to implement the updates as soon as possible, by upgrading to:

*   iOS 15.6.1
*   iPadOS 15.6.
*   macOS Monterey 12.5.1

Details can be found on the security content for macOS page. And instructions to apply updates are available on the Apple Security Updates page.

Stay safe, everyone!

Urgent update for macOS and iOS! Two actively exploited zero-days fixed

Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices.
The list of issues is below -

CVE-2022-32893 - An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content
CVE-2022-32894 - An

Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices.

The list of issues is below -

*   **CVE-2022-32893** - An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content
*   **CVE-2022-32894** - An out-of-bounds issue in the operating system's Kernel that could be abused by a malicious application to execute arbitrary code with the highest privileges

Apple said it addressed both the issues with improved bounds checking, adding it's aware the vulnerabilities "may have been actively exploited."

The company did not disclose any additional information regarding these attacks or the identities of the threat actors perpetrating them, although it's likely that they were abused as part of highly-targeted intrusions.

The latest update brings the total number of zero-days patched by Apple to six since the start of the year -

*   **CVE-2022-22587** (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-22620** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-22674** (Intel Graphics Driver) – An application may be able to read kernel memory
*   **CVE-2022-22675** (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges

Both the vulnerabilities have been fixed in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1. The iOS and iPadOS updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Apple Releases Security Updates to Patch Two New Zero-Day Vulnerabilities

The high-severity security vulnerability (CVE-2022-2856) is due to improper user-input validation.

A zero-day security vulnerability in Google's Chrome browser is being actively exploited in the wild.

The Internet behemoth released 11 security patches for Chrome this week, which are now being pushed out in stages to those with automatic updates enabled for Windows, Mac, and Linux; however, everyone can manually update now.

The zero-day (CVE-2022-2856) is rated as high severity and involves “insufficient validation of untrusted input in Intents,” according to Google's advisory.

Intents, where the bug resides, are used by Chrome to process user input; if the browser doesn't validate this input properly, an attacker is able to specially craft an input (say, a post in the comments section of a website) that's not expected by the application.

"This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution," according to MITRE.

Other details of the bug are scant — Google usually restricts details until a quorum of users have applied the updates.

Still, “Google is aware that an exploit for CVE-2022-2856 exists in the wild,” reads the alert, so users should patch now.

This is the fifth actively exploited zero-day vulnerability disclosed in Chrome in 2022. The previous four were: CVE-2022-0609 (February), CVE-2022-1096 (March), CVE-2022-1364 (April), and CVE-2022-2294 (July).

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Chrome Zero-Day Found Exploited in the Wild

Funds will support product development and market expansion for ThreatX, which delivers real-time protection for APIs and Web apps against complex botnets, DDoS, and multimode attacks.

**Boston – August 17, 2022** - ThreatX, the leading API protection platform, today announced it has raised $30 million in Series B funding led by Harbert Growth Partners, with participation from Vistara Growth. Existing ThreatX investors .406 Ventures, Grotech Ventures and Access Venture Partners also participated in the round. With these funds, ThreatX will accelerate investments in platform development and scale their global sales and marketing initiatives as companies seek to block complex attacks targeting APIs and web applications.

As organizations undergo digital transformation efforts and deliver new capabilities to connect with customers and partners, APIs have emerged as a strategic priority. Coupled with growth in web applications, the enterprise attack surface has exploded and is under constant threat from botnets, DDoS attacks and complex, multi-mode offensive attack campaigns. In this context, customers need API and web application protection capabilities that can identify and respond to attacks in real time, even as perpetrators evolve their techniques.

ThreatX stands in stark contrast to other API security solutions by providing organizations the ability to discover and visualize their attack surface; block attacks in real-time; and have access to 24/7 managed services to support resource-constrained security teams.

Recently, ThreatX announced the company has been acknowledged twice as a Sample Vendor in the Gartner® Hype CycleTM for Application Security, 2022 report. ThreatX was listed within the API Threat Protection and Cloud WAAP categories.

“While APIs bring rich opportunities to companies across nearly every market, they can also quickly devolve into business threats if not secured,” said Gene Fay, CEO, ThreatX. “The ThreatX platform delivers the one-two punch that modern organizations seek in API and web application protection by incorporating behavioral analytics and multiple detection methods within a single analytics engine. This funding will enable us to accelerate development of our platform’s capabilities and expand our global go-to-market strategy.”

In addition to the Series B funding, ThreatX also announced that Tom Roberts, General Partner at Harbert Growth Partners, will join the company’s Board of Directors.

“The rapidly growing API security market is on the cusp of making an aggressive pivot,” said Roberts. “When we met with the ThreatX team and saw the technology in action, we knew they were positioned to lead the shift toward real-time attack protection across both APIs and web applications. We are pleased to partner with Gene and the ThreatX team to build upon their already leading platform and run fast at the API protection opportunity.”

“As CISOs and their teams prioritize API security, the opportunity to think more broadly about API and web application protection is growing. A consolidated approach makes sense given the fact that DDoS attacks and botnets are often targeting both types of assets at the same time,” said John O’Donoghue, Principal at Vistara Growth. “We see huge potential in ThreatX to deliver an integrated platform that protects both APIs and web apps against complex attacks in real time and look forward to supporting the company’s growth in the coming years.”

**About ThreatX**

ThreatX’s API protection platform makes the world safer by protecting APIs from all threats, including DDoS attempts, bot attacks, API abuse, exploitations of known vulnerabilities, and zero-day attacks. Its multi-layered detection capabilities accurately identify malicious actors and dynamically initiate appropriate action. ThreatX effectively and efficiently protects APIs for companies in every industry across the globe. For more information, visit: https://www.threatx.com/.

ThreatX Raises $30 Million in Series B Funding to Accelerate Growth in Global API Protection Market

Especially if your e-commerce and CMS platforms are integrated, you risk multiple potential sources of intrusion, and the integration points themselves may be vulnerable to attack.

Chances are your business has both an e-commerce platform and a content management system. Perhaps they're one and the same. Together, these technologies drive your business, empowering customers, sales staff, and partners. The content management system (CMS) gives them information; the e-commerce platform handles transactions. Easy.

However, these technologies can also be a target, providing everything that a bad actor wants, from trade secrets (such as inventories and price discount sheets), lists of partners and suppliers, discount codes, and even sensitive information about customers.

Whether your e-commerce platforms and CMSes are combined in an all-in-one comprehensive suite, or are disparate systems integrated together, the risks and potential weak spots are mainly the same. If you have integrated e-commerce and CMS platforms, not only does your tech now have multiple potential sources of intrusion, but the integration points themselves may be vulnerable to attack, or at least to snooping. If you have an all-in-one system, a single exploited vulnerability or phishing-enabled breach could give cybercriminals everything in one fell swoop.

For this discussion, let's assume that your company follows well-established cybersecurity best practices, such as applying patches and fixes to operating systems, applications, drivers, and libraries. Failure to make these updates in a timely fashion is a leading cause of breaches. Also, let's assume you employ state-of-the-art encryption for data in transit, and change all default access and admin passwords for your servers, routers, and services.

With that as a baseline, let's talk about seven specific steps that are particularly well-suited to CMS and e-commerce platforms.

**Gather the Least Amount of Customer Information Possible**

Then be careful where (and how) you store that data. If you steal customer credit card numbers or medical information, the market impact, civil lawsuit penalties, and adverse publicity could put you out of business. Oh, don't forget HIPAA and GDPR fines, depending on what and where your data is stolen.

**Careful What You Store On Internet-Facing Servers**

Yes, your e-commerce platform needs to be aware of inventory levels and pricing discounts in order to facilitate e-commerce. What if competitors can retrieve that information in a tidy bundle? They might be able to use your business data against you.

**Monitor Lists of Zero-Day Threats and Other Vulnerabilities**

You can start with the one published by organizations like the Cybersecurity & Infrastructure Security Agency. It's not enough to receive threat-assessment reports, of course. They need to be read and acted upon. An issue with a very large impact appeared, for example, in the popular Log4j library not long ago. Every organization that uses Log4j needed to update to version 2.16 or later immediately. Is there someone in your organization responsible for knowing about that sort of incident? If not, there's a vulnerability right there.

**Use Penetration Testing Tools and Services**

No matter whether your software is off the shelf, tailored by consultants, or homegrown, you don't know how secure it is unless you test, test, test. Conduct pen tests regularly and thoroughly; not only do systems become less secure if not maintained properly (see the first point), also your service landscape changes and attackers are becoming more sophisticated as well. If you haven't pen tested recently, or used a white-hat firm to assess your defenses, you don't know what you don't know.

**Vet Software Suppliers, and Insist They Follow Secure Coding Practices**

If you are using cloud services, examine those carefully. Consider everything. For example, the CMS company I work for is certified at the highest level for its security practices, conforming to ISO 27001 security protocols. These protocols include regular code reviews, strict access control, anomaly detection and rigorous security testing. You should expect nothing less from every supplier.

**Check With Banks, Payment Processors to Ensure You're Doing It Right**

There are many practices for working with ACH transfers and credit-card payments. Some of these appear obvious, such as using CVV values on credit cards, and verifying that shipping addresses match the bank account's address — but e-commerce platforms may not enable those extra levels of validation by default. I would also highly suggest using a service that specializes in payment transactions. These services will be certified according to PCI DSS requirements and you can focus on your core competencies.

**Log Everything and Analyze Those Logs for Anomalies, Attack Patterns**

Every transaction, every privileged login to the CMS or e-commerce platform, every error caused by someone entering a bad password, should be logged. Don't trust humans to be able to understand those logs, by the way; modern-day attacks can be both fast and subtle, and there's too much data to correlate for patterns. Use machine-learning tools to monitor events and logs, and as in the fourth point above, make sure someone is responsible for receiving, reading, and following up on those reports.

Follow these seven steps, and your CMS and e-commerce platforms will be more secure and more trustworthy than ever before. Are these steps reasonable? Yes. Are they easy? Once systems are in place to work safely and run securely, yes. Your customers, suppliers, and partners want your systems to be safe. Let's get to work.

Tag

#zero_day