July's security update included fixes for one actively exploited flaw, more than 30 bugs in Azure Site Recovery, and four privilege escalation bugs in Windows Print Spooler.

Microsoft today released patches for 84 vulnerabilities across its product categories, including one bug now actively exploited and four that the company rated as critical severity.

The July security update also includes fixes for four elevation of privilege vulnerabilities in the company's perennially buggy Windows Print Spooler technology, and more than 30 bugs in its Azure Site Recovery disaster recovery service. At least 12 of the 84 flaws disclosed today enable remote code execution, 11 were information disclosure-related, and four enable bypass of security features. Most of the remaining flaws enabled elevation of privilege.

**Priority One: CVE-2022-22047**

Security experts who reviewed Microsoft's latest update said the vulnerability that requires immediate attention is an elevation of privilege vulnerability (CVE-2022-22047) in the Windows Client Server Run-Time Subsystem (CSRSS) that is currently being exploited. Microsoft itself assessed the vulnerability as "Important," giving it a severity rating of 7.8 on a scale of 10. According to the company, the vulnerability — like every other bug in July's update — has not been publicly disclosed. Even so, Microsoft described the bug as being actively exploited, but did not provide any further information.

"The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target," an analysis on Trend Micro Zero Day Initiative's blog noted. "Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system." Attacks of this type often leverage macros, which is why Microsoft's recent decision to delay blocking all macros by default — like it announced in February — is disheartening, the blog noted.

Chris Goettl, vice president of product management for security products at Ivanti, says organizations should not be lulled by Microsoft's characterization of the flaw as important. The fact that attackers are actively exploiting the bug makes it a priority, he says. "Organizations prioritizing using legacy rating methods could miss prioritizing the urgency of the OS update this month," he says.

**Other Bugs That Need Urgent Attention**

Other bugs in Microsoft's July update that security experts described as priorities: CVE-2022-30216, CVE-2022-22038, CVE-2022-30221, and CVE-2022-30222.

CVE-2022-30216 is a low-complexity tampering vulnerability in Windows Server Service that would allow an authenticated attacker to remotely upload a certificate to the Server service. Microsoft described the vulnerability as one that is more likely to be exploited because it requires no user interaction and low-level privileges. "While this is listed at 'Tampering', an attacker who could install their own certificate on a target system could use this bug for various purposes, including code execution," Trend Micro's ZDI said. "Definitely test and deploy this patch quickly — especially to your critical servers.”

CVE-2022-22038 is a Remote Procedure Call Runtime remote code execution vulnerability that could allow an unauthenticated attack to execute malicious code on a vulnerable system. Microsoft identified the bug as being complex to exploit because it requires an attacker "to invest time in repeated exploitation attempts through sending constant or intermittent data." Trend Micro's ZDI assessed the bug as having properties that could potentially make it wormable. "If the exploit complexity were low, which some would argue since the attempts could likely be scripted, the CVSS would be 9.8. Test and deploy this one quickly," the security vendor noted.

CVE-2022-30221 is a remote code execution vulnerability in the Windows Graphics Component. An attacker can exploit the vulnerability by convincing a user to connect to a malicious RDP server. An adversary who succeeds in doing that would be able to execute code in the context of the affected system's user, Microsoft said.

"On the surface, this one looks nasty," Kevin Breen, director of cyber threat research at Immersive Labs, said in emailed comments to Dark Reading. Microsoft has marked the vulnerability as less likely to be exploited because an attacker would need to first run a malicious RDP server and then convince a victim to connect to it. "This is not as far-fetched as it first sounds, as RDP shortcut files could be emailed to target victims, and these file types may not flag as malicious by email scanners and filters," Breen said.

CVE-2022-30222 is another remote code execution vulnerability — this time in the Windows Shell graphical user interface. The flaw allows an unauthenticated attacker to execute code on a vulnerable system by interacting with the login screen in a specific manner, Microsoft noted. Attacks targeting the flaw likely involve little complexity and no user interaction.

"Whilst this is titled as a Remote Code Execution vulnerability, the description suggests that this is actually a Local Code Execution vulnerability," Breen said. It appears the flaw would allow an attacker to run arbitrary command from the login page as authentication is not required, he noted. "Microsoft has suggested this is less likely to be exploited. But if you use RDP, definitely prioritize this patch," Breen said.

**Windows Print Spooler Flaws Make a Comeback**

Microsoft's July update also contains fixes for four flaws in Windows Print Spooler (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226). Flaws in Print Spooler have been a major problem for Windows users in recent years. One of the most notable recent flaws in the technology was PrintNightmare, a remote code execution bug that affected all Windows versions and prompted an advisory from the US government and others on the need for organizations to address it urgently.

"We have seen a steady stream of vulnerability disclosures in the Print Spooler Service since the original PrintNightmare flaws were disclosed in June (CVE-2021-1675) and early July of 2021 (CVE-2021-34527)," said Satnam Narang, senior staff research engineer at Tenable, in comments emailed to Dark Reading. The flaws that Microsoft has addressed in the technology are elevation of privilege flaws, which provide attackers the ability to gain system-level privileges on vulnerable systems, he said.

The risk with these four fixes is the potential to impact print functionality, Ivanti's Goettl says.

"Since PrintNightmare, there have been many Print Spooler fixes, and in more than one of those patch Tuesday events, the changes have resulted in operational impacts," he says. "This makes administrators a little gun-shy and warrants some extra testing to ensure no negative issues occur in their organization."

**Surfeit of Azure Site Recovery Bugs**

Goettl says Microsoft resolved 33 vulnerabilities in Azure Site Recovery that could allow attackers to take a variety of actions including remote code execution, privilege escalation, and information-stealing. None of the vulnerabilities have been publicly disclosed or are currently being exploited, but the concern is in the number of vulnerabilities that were fixed, Goettl notes. "They were identified by several independent researchers and anonymous parties, which means the knowledge of how to exploit these vulnerabilities is a bit more broadly distributed," he says.

And, resolution of these flaws is not simple: It requires signing into each process server as an administrator, then downloading and installing the latest version. "Vulnerabilities like this are often easy to lose track of, as they are not managed by the typical patch management process," he notes.

Microsoft Issues Fixes for 84 Vulnerabilities: Here's What to Patch Now

Implemented protections on AWS credentials that were not properly protected.

**WDC Tracking Number:** WDC-22009  
**Published:** July 11, 2022

**Last Updated:** July 11, 2022

**Description**

My Cloud Home Firmware 8.7.0-107 is a major release containing updates to help improve the security of your My Cloud Home devices. Numerous changes were made to the operating system to comprehensively improve its security and to upgrade the user experience to support our latest technologies.

The base operating system has been upgraded from an Android based operating system to the Linux operating system to align with security and stability updates from Debian 10 “Buster”.

Additionally, the Linux kernel has been updated to 4.9.266.

Your My Cloud Home device will be automatically updated to reflect the latest firmware version.    

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud Home

8.7.0-107

July 8, 2022

My Cloud Home Duo

8.7.0-107

July 8, 2022

For more information on the latest security updates, see the release notes.

**Advisory Summary**

A vulnerability in the Linux kernel’s cgroup\_release\_agent\_write was addressed that could lead to escalation of privileges and bypass namespace isolation unexpectedly.  

Addressed an issue in OpenSSL that would make it possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing takes place before the certificate signature verification process, this could lead to a denial-of-service attack.

**CVE Number:** CVE-2022-0778  

Addressed a memory copy vulnerability in the Linux Wi-Fi driver.  

Addressed a command injection attack that could allow a malicious attacker on the same LAN to carry out a DNS spoofing attack via an unsecured HTTP call. This was done by removing the affected code from the product.

**CVE Number:** CVE-2022-22991, CVE-2022-22994

Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative  

A vulnerability was discovered within the parsing of extended attributes (EA) metadata when opening a file in smbd. This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes. This vulnerability was addressed by removing the "fruit" VFS module from the list of configured VFS objects and by changing EA support configurations.

**CVE Number:** CVE-2021-44142

Reported By: Nguyen Hoang Thach (@hi\_im\_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) working with Trend Micro’s Zero Day Initiative  

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.8-0+deb10u1.

**CVE Number:** CVE-2020-20445, CVE-2020-20446, CVE-2020-20453, CVE-2020-21041, CVE-2020-22015, CVE-2020-22016, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020, CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22025, CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029, CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22033, CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037, CVE-2020-22049, CVE-2020-22054, CVE-2020-35965, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291  

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.9-0+deb10u1.  

Implemented firmware signing to prevent malicious modifications to the firmware and verify the firmware’s authenticity and integrity.  

Transitioned to Go’s crypto/tls library for secure communications.  

Enabled several kernel hardening options to make exploits of kernel and userland security bugs more difficult to develop.  

Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices. Implemented protections on AWS credentials that were not properly protected..

**CVE Number:** CVE-2022-22997, CVE-2022-22998

Western Digital would like to thank Viettel Cyber Security for reporting this issue.  

Addressed multiple libtiff null pointer dereference vulnerabilities by updating the version to 4.4.0.

**CVE Number:** CVE-2022-0562, CVE-2022-0561, CVE-2022-0865  

Addressed an improper input validation and out-of-bounds write vulnerability in TensorFlow which is an open-source platform for machine learning. An attacker could pass negative values to cause a segmentation fault-based denial-of-service attack. Certain components also did not validate input arguments which could also trigger a denial-of-service attack.

**CVE Number:** CVE-2022-29191, CVE-2022-29213, CVE-2022-29208

CVE-2022-22998: WDC-22009 My Cloud Home Firmware Version 8.7.0-107 | Western Digital

Several pieces of Black Hat USA research will explore container design weaknesses and escalation of privilege attacks that can lead to container escapes.

In what's shaping up to be a summer of container escapes, a pair of talks slated for Black Hat USA next month will explore the kinds of architectural weaknesses in operating systems and in container platforms that can make it easy for attackers break down the barriers of container isolation and run roughshod over cloud infrastructure.

In one talk, "The COW (Container on Window) Who Escaped the Silo," the research will explore the inherent security architectural design problems in the way that Windows containers are isolated from the real host settings. Eran Segal, research team leader of SafeBreach, says he will delve into the technical details that show how Windows kernel architecture isn't built to handle containers with the same kind of native security capabilities as Linux kernel architecture. Some of the workarounds Windows has built in response to implement containers leaves Windows containers open to attack.

"Windows containers isolated as 'process isolation' are not isolated well and it is possible to impact the host from inside," Segal explains.

He's saving the technical details for his Black Hat presentation, but offers a tease that his demonstration will show how an attacker can create a malicious container with low privileges that can communicate with other containers and start wreaking havoc on the host.

"I can't share it before the talk, but I can say that I'll gain a permissions system inside the container, cause a DoS to the host, and manage to access the entire kernel memory, and it is highly possible that the kernel memory contains passwords," Segal says.

He hopes that the discussion will offer security practitioners and fellow researchers a glimpse into the mechanics behind how Windows containers are built, the vulnerabilities he found with them, and how to start rooting out flaws similar to the ones he'll recap.

"They will learn about the internals of process isolated Windows containers, the internals of the vulnerabilities I found, and a recipe for finding additional vulnerabilities such as the ones I found," he says.

**Attack Techniques**

The exploration of container escapes like the one Segal will demonstrate is not a new field of security research, but it is one that has been heating up considerably of late. Just last month at RSA Conference, executives with CrowdStrike detailed attack techniques that could take advantage of a bug they discovered in March in the CRI-O container engine that underpins Kubernetes. That demonstration showed how this cr8escape bug could be used by attackers to escape containers and gain root access on the host.

And last week, news broke of a flaw dubbed FabricScape that posed serious container escape risk from Linux containers within Microsoft's Azure Service Fabric technology. Discovered by security researchers from Palo Alto Networks, details of the flaw were released last week as a follow-on to Microsoft's patch that fixed the issue on June 14. The vulnerability was in a logging function with high privileges in Service Fabric's Data Collection Agent (DCA).

"The vulnerability could allow malicious actors to take over Linux hosting environments. It allows a compromised container to escape and take over the cluster running it," wrote Aviv Sasson and Ariel Zelivanski of Palo Alto's Unit 42 research team. “Containers could become malicious if they are broken into through either a known vulnerability or zero-day vulnerability, or through a supply-chain attack such as typosquatting or a malicious package."

Unit 42 researchers have been on a tear with container escape research this summer. A pair of researchers from the team, Yuval Avrahami and Shaul Ben Hai, will present the other big container escape talk at Black Hat next month. "Kubernetes Privilege Escalation: Container Escape == Cluster Admin?" will take a deep dive look into how attackers can abuse service account tokens in system pods to turn a single container escape into an attack that can take over an entire Kubernetes cluster. The researchers also will also present tools to help discover these pods within infrastructure and identify privilege escalation paths in a cluster. That will help security defenders better harden their container infrastructure from escapes and broader escalation of privileges on the host.

Don't Have a COW: Containers on Windows and Other Container-Escape Research

Microsoft on Monday announced the general availability of a feature called Autopatch that automatically keeps Windows and Office software up-to-date on enrolled endpoints.
The launch, which comes a day before Microsoft is expected to release its monthly round of security patches, is available for customers with Windows Enterprise E3 and E5 licenses. It, however, doesn't support Windows Education

Microsoft on Monday announced the general availability of a feature called **Autopatch** that automatically keeps Windows and Office software up-to-date on enrolled endpoints.

The launch, which comes a day before Microsoft is expected to release its monthly round of security patches, is available for customers with Windows Enterprise E3 and E5 licenses. It, however, doesn't support Windows Education (A3) or Windows Front Line Worker (F3) licenses.

"Microsoft will continue to release updates on the second Tuesday of every month and now Autopatch helps streamline updating operations and create new opportunities for IT pros," Lior Bela said.

Autopatch works by applying security updates first to devices in what's called the Test ring, which contains a minimum number of representative devices. After a validation period, the updates are pushed to the First (1% devices), Fast (9%), and Broad (90%) rings.

The service was first teased by the tech giant in April 2022 in an attempt to apply Patch Tuesday updates in a timely fashion and prevent potential attack vectors.

Besides Windows 10 and 11 updates, Autopatch also covers Microsoft Edge and Microsoft 365 software, while enabling organizations to create testing rings, monitor updates, and even pause and roll back changes in the event any issues are encountered.

On top of that, the service incorporates provisions for an expedited release cadence should a threat be deemed critical (e.g., a zero-day flaw).

"Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release," the company notes in its documentation.

"When running an expedited release, the regular goal \[...\] no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Windows Autopatch is Now Generally Available for Enterprise Systems

When it comes to insurance, better security means better savings.
The post 4 ways businesses can save money on cyber insurance appeared first on Malwarebytes Labs.

So, your business has just suffered a data breach and it’s time to dig deep in your pockets to pay all the resulting expenses. Without cyber insurance, you can expect to pay a dizzying amount of cash.

In 2022 alone, the average cost of a data breach for businesses under 1,000 employees was close to $3 million—and these costs are coming from activities that cyber insurers typically cover, such as detecting and responding to the breach.

Indeed, with liability limits ranging from $1 million to $5 million or more, cyber insurance policies can cover a good chunk of the damage caused by a data breach.

But if you’re looking to apply for cyber insurance, there’s a few things you should know first—especially if you want the lowest possible premium. 

Here are four ways your business can save money on its insurance.

**How is cyber insurance priced?**

Before we dive in any futher, it’s important to understand how cyber insurance policies are priced to begin with.

A 2019 paper published to the _Journal of Cybersecurity_ analyzed over 235 cyber insurance policies from New York, Pennsylvania, and California, as well as policies posted publicly on carriers’ websites. They found that cyber insurance companies price their policies one of in four ways:

*   **Base rate**. Insurers provide a base premium based on your organization’s annual revenues or assets (or number of employees/students). The basic logic is that more revenue equals more risk, therefore higher premiums, and vice versa.

*   **Base rate with security questions**. Insurers look at your organization’s security posture to determine the final premium pricing. This was by far the most widely-used approach by insurers (57 percent of policies analyzed). 

*   **Fixed rate.** Insurers provide a fixed rate regardless of firm or industry. This was most common for smaller businesses.

*   **Fixed rate with hazard groups**. This is the same as fixed rate, but with a single modifier based on the amount of perceived risk a business has (such as how much sensitive information is stored on its website). Again, typical for small businesses.

**How to save money on cyber insurance **

While it’s clear that the size of your business and the industry you’re in can affect costs, still a large portion of cyber insurance providers are looking at your security to determine premiums. 

So, what are some of the security controls that can lower your premium? 

For this article, we looked at security tips from the top five biggest cyber insurance companies—AXA XL, Chubb, AIG, Travelers, and AXIS—and found four commonalities across what they had to say. 

**1\. Use multi-factor authentication (MFA)**

Did you know that, according to Verizon’s 2022 Data Breach Investigations Report, 50 percent of data breaches start with stolen credentials? 

Given this statistic, it’s no surprise that using multi-factor authentication (MFA) could signal to cyber insurers that you’re less of a risk. By requiring you to use multiple forms of authentication, MFA makes it much more difficult for threat actors to pull off brute force attacks, or to use stolen passwords.

**2\. Implement a cybersecurity training program**

If stolen credentials are the most common initial attack vector in data breaches, then phishing is a close second—accounting for about 17 percent of all data breaches, according to the same Verizon report.

This is why implementing a cybersecurity training program for your employees is so important. 

A good training program should inform employees about common threats such as email phishing, spear phishing, and other common social engineering attacks. Cyber insurers are likely to view the implementation of such programs as a mark of high security maturity.

**3\. Disable Remote Desktop Protocol (RDP) services**

In about 50 percent of ransomware attacks, Remote Desktop Protocol (RDP) was the initial attack vector, according to a study by Palo Alto Networks.

RDP is a network communications protocol that allows users to remotely control their devices. Commonly used by remote workers, RDP is also used by IT staff to troubleshoot problems on employees’ devices.

However, hackers can easily search for computers that use RDP and them use a brute force attack to try to guess the password—and from there, they can carry out a ransomware attack. 

Securing RDP with best practices, such as following the principle of least privilege, removes a potential point of access for hackers. Read our article on how to protect RDP for more tips.

**4\. Deploy Endpoint Detection and Response (EDR)**

According to Ponemon’s 2020 State of Endpoint Security Risk report, the average financial loss from endpoint attacks was almost $9 million in 2019.

Not surprisingly, then, both Travelers and Axis cyber insurance explicitly mention endpoint protection as an important prevention measure.

Endpoint detection and response (EDR) is a form of endpoint protection that detects and protects against ransomware, malware, trojans, rootkits, backdoors, viruses, brute force attacks, and “zero-day” unknown threats. Learn more about how EDR can help secure your business.

**Better security means better savings**

Without cyber insurance, you can expect to pay a lot of cash to cover the cost of a data breach, and many companies are investing in it as a result. In this article, we explained how cyber insurance policies are typically priced, and how your organization’s assessed security posture is a prime consideration for many insurers. 

We also outlined four key processes and technologies that makes you a much more challenging target to attack, and consequetly a considerably less risky proposition for cyber insurers.

With Malwarebytes Endpoint Detection and Response, you can show cyber insurance companies you’re prepared to handle a cyberattack. To find out more, read how Mike Carney Toyota saved on cyber insurance by deploying Malwarebytes EDR.

4 ways businesses can save money on cyber insurance

rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.

There is an Unauthenticated Remote Code Execution vulnerability in https://pypi.org/project/rpc.py/. No specific configuration is required, it works with the scripts from the “examples” folder. Versions v0.4.2 to v0.6.0 (latest) are affected. The maintainer has not replied to my emails in a time frame of two weeks, so I decided to disclose the vulnerability. The package has around 150 stars on Github at the time of writing and is advertised in the official ASGI documentations: https://asgi.readthedocs.io/en/latest/implementations.html

According to the rpc.py documentation: Currently supports three serializers, JSON, Pickle, Msgpack and CBOR. JSON is used by default. You can override the default JSONSerializer with parameters.

This is, however, not the whole truth. Looking at the code, one can see that this function somehow chooses the serializer according to the request headers:

The get_serializer function:

All we need to do is to pass the request header serializer: pickle and we can execute arbitrary code on the server by sending a malicious pickle payload.

The attack works against both sync_server.py and async_server.py from the “examples” folder.

The full exploit code can be found here:

CVE-2022-35411: Remote Code Execution 0-day in rpc.py - Elias Hohl - Medium

DUBLIN, July 8, 2022 /PRNewswire/ -- The "Global Enterprise Endpoint Security Market - Forecasts from 2022 to 2027" report has been added to **ResearchAndMarkets.com's** offering.

Endpoint security is the technique of preventing harmful actors and campaigns from exploiting endpoints or entry points of end-user devices such as PCs, laptops, and mobile devices. Endpoint security solutions on a system or cloud protect against cybersecurity threats. Endpoint security has progressed beyond antivirus software to supply comprehensive security against sophisticated malware and new zero-day dangers.

Nation-states, hacktivists, organized crime, and purposeful and unintentional insider threats all pose a hazard to businesses of all sizes. Endpoint security is frequently referred to as cybersecurity's frontline, and it is one of the first places where businesses attempt to defend their networks. Due to several benefits, such as cost savings with cloud storage, compute scalability, and low maintenance requirements, enterprise use of SaaS-based or cloud-delivered endpoint security solutions continues to grow.

**The growing number of enterprise endpoints and mobile devices with access to sensitive data has created a tremendous need for endpoint security solutions, which is expected to drive the market.**

In today's environment, mobile gadgets such as smartphones and tablets have become necessary for both individuals and businesses. The number of employees using their phones for work is fast expanding, and mobile devices and applications have presented a slew of new attack vectors and data security challenges.

These cyber dangers range from Trojans and viruses to botnets and toolkits, and they can have a significant impact on the broader network, putting sensitive and private data at risk. For example, according to the Mobile Security Report 2021 by Check Point, 97 percent of businesses globally were hit by mobile attacks that used several attack vectors. At least one employee in 46 percent of those businesses downloaded a malicious app to their phone.

According to the same report, nearly every firm had at least one smartphone malware assault in 2020. The mobile network was responsible for 93 percent of the attacks. As previously stated, around 40% of all mobile devices are at risk of being targeted by cyber-attacks. As a result, businesses are increasingly implementing endpoint security solutions to secure their networks and give secure access to confidential data to their employees.

As a result, factors such as increased mobile and wireless device usage, advancements in connectivity infrastructure around the world, and dropping mobile device prices are all expected to have a significant impact on the endpoint security industry. For instance, according to Ericsson, there are already over six billion smartphone subscribers worldwide, with several hundred million more expected in the next years.

By 2026, the number of smartphone users is predicted to increase to 7516 million. Employees at firms are increasingly using their personal mobile devices to access corporate data owing to the growing BYOD trend. However, it poses security concerns, necessitating powerful endpoint security solutions to protect sensitive company data, resulting in significant demand.

However, the lack of awareness about endpoint security among the general public, as well as the fact that many enterprises are struggling to deal with security threats and data breaches as a result of a lack of understanding about endpoint security, is expected to limit the market expansion.

**By region, the Asia Pacific and North America are expected to hold a notable share in the global enterprise endpoint security market during the forecast period.**

North America and Asia-Pacific are predicted to have a significant share of the global enterprise endpoint security market. Applying technology to restrict threats on organizational endpoints and the rising penetration of mobile devices that are initially prone to endpoint attacks are two reasons supporting the market expansion in these regions.

For instance, in July 2021, SentinelOne and ConnectWise established a partnership to strengthen their security relationship. MSPs will be able to obtain SentinelOne Control and SentinelOne Complete as standalone products from ConnectWise rather than having to purchase them as part of the SOC-targeted Fortify Endpoint offering.

Similarly, in September 2020, Palo Alto Networks and OPSWAT expanded their partnership to add support for new endpoint platforms and IoT devices in GlobalProtect and Prisma Access for branch offices, retail locations, and mobile users. The integration detects and evaluates the state of the endpoint as well as any third-party security programs installed on it. The Host Information Profile (HIP) gathers data about the network's endpoints' security state, used to implement gateway policies.

**COVID-19 Insights**

The COVID-19 outbreak compelled enterprises all around the world to mobilize swiftly in order to secure large numbers of remote workers and expand their tooling beyond traditional security measures. With the growing number of cybercrimes in 2020, the market for global enterprise endpoint security has been positively impacted by the pandemic.

For instance, the US Department of Health and Human Services (HHS) systems were subjected to a large DDoS attack in March 2020. In the same month, a cyberattack hit databases at the University Hospital in Brno, one of the Czech Republic's main centers for COVID-19 blood testing. As a result, doctors could not complete coronavirus testing and had to postpone several surgical procedures.

**Key Topics Covered:**

**1\. INTRODUCTION**

**2\. RESEARCH METHODOLOGY**

**3\. EXECUTIVE SUMMARY**

**4\. MARKET DYNAMICS**  
4.1. Market Drivers  
4.2. Market Restraints  
4.3. Porter's Five Forces Analysis  
4.3.1. Bargaining Power of Suppliers  
4.3.2. Bargaining Powers of Buyers  
4.3.3. Threat of Substitutes  
4.3.4. Threat of New Entrants  
4.3.5. Competitive Rivalry in Industry  
4.4. Industry Value Chain Analysis

**5\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY SOLUTION**  
5.1. Anti-Virus  
5.2. Firewall  
5.3. Endpoint Device Control  
5.4. Anti-Spyware/Anti-Malware  
5.5. Others

**6\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY COMPONENT**  
6.1. Application Control  
6.2. Endpoint Encryption

**7\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY DEPLOYMENT**  
7.1. Cloud  
7.2. On-Premise

**8\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY ORGANIZATION SIZE**  
8.1. Small  
8.2. Medium  
8.3. Large

**9\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY INDUSTRY VERTICAL**  
9.1. BFSI  
9.2. Government  
9.3. Aerospace and Defense  
9.4. Healthcare  
9.5. Communication and Technology  
9.6. Others

**10\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY GEOGRAPHY**  
10.1. Introduction  
10.2. North America  
10.2.1. United States  
10.2.2. Canada  
10.2.3. Mexico  
10.3. South America  
10.3.1. Brazil  
10.3.2. Argentina  
10.3.3. Others  
10.4. Europe  
10.4.1. Germany  
10.4.2. France  
10.4.3. United Kingdom  
10.4.4. Spain  
10.4.5. Others  
10.5. Middle East and Africa  
10.5.1. Saudi Arabia  
10.5.2. Israel  
10.5.3. Others  
10.6. Asia Pacific  
10.6.1. China  
10.6.2. Japan  
10.6.3. South Korea  
10.6.4. India  
10.6.5. Thailand  
10.6.6. South Korea  
10.6.7. Taiwan  
10.6.8. Indonesia  
10.6.9. Others

**11\. COMPETITIVE ENVIRONMENT AND ANALYSIS**  
11.1. Major Players and Strategy Analysis  
11.2. Emerging Players and Market Lucrativeness  
11.3. Mergers, Acquisition, Agreements, and Collaborations  
11.4. Vendor Competitiveness Matrix

**12\. COMPANY PROFILES**  
12.1. Intel Corporation  
12.2. Broadcom Inc. (Symantec Corporation)  
12.3. Trend Micro Incorporated  
12.4. RSA Security LLC  
12.5. Kaspersky Lab  
12.6. Bitdefender  
12.7. WatchGuard Technologies  
12.8. ESET  
12.9. Sophos Ltd  
12.10. McAfee LLC

For more information about this report visit https://www.researchandmarkets.com/r/fyl26c

Worldwide Enterprise Endpoint Security Industry to 2027: Focus on Antivirus, Firewall, Endpoint Device Control, and Anti-Spyware/Anti-Malware

Latest campaigns are a break from its usual financially motivated attacks and appear aligned with Russian interests, security researchers say.

In a break from precedent, Russia's hitherto purely financially motivated Trickbot threat group has systematically been attacking targets in Ukraine over the past three months, apparently in support of Russian government interests in the region.

Researchers from IBM's X-Force threat intelligence group this week said they had uncovered two campaigns — and analyzed four others that Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed — where Trickbot went after targets in Ukraine. The campaigns began after Russia’s invasion of Ukraine in February and have targeted Ukrainian state authorities, government organizations, specific individuals, and the general population. Several of the attacks have involved phishing emails with various themes designed to grab the attention of Ukrainian users — included some that are war-related.

The attacks highlight an unprecedented shift for Trickbot, and it's notable because threat groups in former Soviet Union states have typically avoided attacking targets in each other’s countries, IBM said.

Prior to the Russian invasion, ITG23, which is the name by which IBM tracks Trickbot, had not been known to target Ukraine. "Much of the group's malware was even configured to not execute on systems if the Ukrainian language was detected," IBM said in a report summarizing its findings this week. "ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection."

**Multiple Malware Tools**

IBM said it has observed Trickbot distributing several known malware tools such as IcedID, Cobalt Strike, AnchorMail, and Meterpreter in its attacks on Ukrainian targets. Some of the attacks involved the use of new tools such as a malicious Excel downloader, a self-extracting archive for dropping various malware payloads and a new malware encryption and obfuscation tool.

One of the two Trickbot campaigns that IBM uncovered was in early May. In those attacks, IBM observed the threat actor using a weaponized Excel file to download its AnchorMail backdoor on compromised systems. AnchorMail is a revamped version of Trickbot’s AnchorDNS, a backdoor that members of the closely affiliated Conti group have been using to deploy Conti ransomware. IBM X-Force researchers have previously described the malware as notable for communicating with its command-and-control (C2) server using the DNS protocol.

The second recent Trickbot campaign that IBM X-Force researchers spotted occurred likely in late May or early June. In that campaign, Trickbot actors used an ISO image file — or archive file containing the contents of an optical disk — as part of an attack chain to drop the Cobalt Strike post-exploit attack kit on target system. In June, Trickbot users were observed exploiting the so-called “Follina” zero-day bug in the Windows Microsoft Support Diagnostic Tool (MSDT) to deploy Cobalt Strike.

The campaigns that CERT-UA disclosed, and which IBM X-Force researchers analyzed, involved Trickbot attempts to deploy IcedID, a banking Trojan turned malware distributor; Metasploit attack payload, Meterpreter; and Cobalt Strike. In five of the six observed campaigns, Trickbot actors directly downloaded Cobalt Strike, AnchorMail, or Meterpreter on target systems — another break from their usual habit of deploying these tools as secondary payloads. IBM said the switch suggests "these attacks are part of targeted campaigns during which ITG23 is willing to immediately deploy higher-value backdoors."

IBM described the new malicious Excel downloader that Trickbot is using in the Ukrainian attacks as designed to download malware from a hard-coded URL. The downloader is stored as a macro within the Excel file and runs automatically if the file is opened — provided the user has macros enabled. The new dropper for AnchorMail that IBM observed is in the form of a WinRAR Self Extracting Archive. The dropper is rigged to extract and execute a script for building and configuring AnchorMail on infected systems.

Trickbot is a highly successful threat group that has been around since at least 2016. The group initially used its eponymously named malware to steal credentials to banking accounts. Over the years, the group evolved into a sort of initial access broker and a distributor for several ransomware and malware tools, most notably Conti and Ryuk and Emotet. Trickbot is used variously for stealing data, enabling cryptomining, enumerating systems, and other malicious activities.

Court documents in connection with the arrest of a key member of the group last year showed that nearly 20 cybercriminals — including several malware experts — collaborated in building the malware. A massive 2020 international law enforcement operation to take the threat actor down temporarily disrupted its activities but failed to stop them.

In Switch, Trickbot Group Now Attacking Ukrainian Targets

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
I’ve been thinking a lot recently about the pros and cons of the way we publicize our threat research. I had a few conversations at Cisco Live with people — who are more generally IT-focused than...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve been thinking a lot recently about the pros and cons of the way we publicize our threat research. I had a few conversations at Cisco Live with people — who are more generally IT-focused than hyper-focused on cybersecurity — about the amount of information we share on our blog and social media profiles. Our blog serves as the main mouthpiece for Talos, but I’m also always talking to our audience, directly or indirectly, through social media channels, our podcasts, or out in the world at conferences. But during these conversations, readers may wonder if we’re indirectly “helping” the bad guys by pointing out what they’re doing wrong or what we are doing to track them. 

There will always be pros and cons to any type of disclosure of information at this level of cybersecurity. But it’s important to know that we don’t take this issue lightly. When we publicize a technique — whether it be in a blog post, conference talk or podcast — those attackers are actively using, it forces them to change tactics and take time to make tweaks and changes. Unfortunately, we alone do not have the power to bring an end to cybercrime. However, if we can increase the cost of doing business for a threat actor, it's a win for defenders and potential victims. As defenders, we must keep attackers out of their comfort zone and force them to innovate or perish. Without that information being out there publicly, these bad actors could keep using the same tactics indefinitely to infect other targets. 

This is by no means an easy decision to make, it’s a fine line all cybersecurity defenders must continually walk. But as we’ve pointed out several times, cybersecurity is a team sport. Prior to publishing any blog post, we take several steps to make sure everyone is on the same page, including victim notifications and information sharing with our partners like the Cyber Threat Alliance. I think we should all play on the same team and provide our teammates with as much information as possible so they’re ready for game time. To continue the analogy, information sharing with the public allows under-resourced teams to take action to defend themselves without needing to further strain their budgets and people.  

It does us no good to either keep this information to ourselves and try to go out on our own and single-handedly defeat these threat actors because that’s never going to work. And it also doesn’t make sense to be super competitive. We always seek to protect our customers first and foremost, and that includes responsible disclosure policies from our vulnerability management team to our threat researchers. Our intelligence pushes research and defenders forward, and we will always seek to arm them with as much information as possible.  

**The one big thing **

U.S. federal agencies unveiled a great deal about the MedusaLocker ransomware group last week with a joint advisory on the attackers’ operations. The U.S. Cybersecurity Infrastructure Security Agency, FBI and others shared several IOCs related to the actor, warning that they’ve spotted a recent uptick in MedusaLocker’s operations. MedusaLocker gains access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations or with malicious phishing and spam emails. Once on the targeted system, the attackers encrypt a victim’s files and await ransom payment while propagating across the network. 

> **Why do I care? **Cisco Talos first observed MedusaLocker operating in 2019. Clearly, the group has only expanded its operations since then and is now part of the massive ransomware-as-a-service industry that features several major threat actors. This group made its name by targeting health care organizations during the COVID-19 pandemic, but CISA’s advisory states any industry could be a target. The advisory includes new information on potential mitigations for this malware family, along with known IOCs to block associated with the group.   
> **So now what? **In addition to implementing the mitigations outlined in the advisory, Cisco Secure also has several options available to defend against this attack. There are multiple Snort rules that detect this ransomware’s activity along with several ClamAV signatures. As with all ransomware activity, it’s important to have physical backups on hand in the event of an attack so you can recover quickly. And you can always be prepared for the worst with a Cisco Talos Incident Response plan and/or playbook. 

**Other news of note**

The North Korean state-sponsored actor Lazarus Group is suspected to be behind a recent $100 million cryptocurrency theft. Members of the group allegedly exploited the Harmony Horizon Bridge software that allows users to trade virtual currency between the Harmony blockchain and other blockchains. Attackers obtained username and passwords of Harmony employees that they then used to break into the bridge and deploy several money laundering techniques to hide their actions. The tactics in this case are similar to another attack in April in which attackers stole $600 million from Ronin Bridge. (Bloomberg, Fortune) 

Bad actors are creating fake job applications and attending virtual interviews with deepfake videos. A new warning from the FBI states the adversaries are trying to obtain contractor-level jobs at technology companies, likely to steal sensitive information or make money illegitimately. These fake applicants use stolen identities, fake videos and doctored voices during the application process, including adding in what seem like normal human coughing, sneezing and blinking. The FBI recommends that recruiters or hiring managers look out for telltale signs of deepfake videos like sounds that do not line up with the video on the screen or unnatural lip movements. (TechCrunch, Gawker) 

Google is warning of a high-severity vulnerability in the Chrome web browser for Android that is actively being exploited in the wild. CVE-2022-2294 is a heap buffer overflow bug that, if exploited, could lead to denial-of-service attacks or arbitrary code execution. The company released a security update to patch the vulnerability this week. This update also includes fixes for another high-severity vulnerability (CVE-2022-2295) and an unspecified internal issue discovered. This is the fourth zero-day vulnerability to pop up in Chrome this year. (Dark Reading, Decipher) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #102: Unmasking ransomware groups on the dark web
*   Researcher Spotlight: Around the security world and back again with Nick Biasini
*   Researchers Share Techniques to Uncover Anonymized Ransomware Sites on Dark Web

  

**Upcoming events where you can find Talos **

**A New HOPE** (July 22 - 24, 2022)  
New York City 

**BlackHat** **U.S.** (Aug. 6 - 11, 2022)  
Las Vegas, Nevada 

**DEF CON U.S.** (Aug. 11 - 14, 2022)  
Las Vegas, Nevada 

**Most prevalent malware files from Talos telemetry over the past week  **

**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f   

**Typical Filename:** VID001.exe   

**Claimed Product:** N/A   

**Detection Name:** Win.Worm.Coinminer::1201 

**MD5:** 2c8ea737a232fd03ab80db672d50a17a    

**Typical Filename:** LwssPlayer.scr    

**Claimed Product:** 梦想之巅幻灯播放器    

**Detection Name:** Auto.125E12.241442.in02    

**MD5:** 10f1561457242973e0fed724eec92f8c    

**Typical Filename:** ntuser.vbe    

**Claimed Product:** N/A    

**Detection Name:** Auto.1A234656F8.211848.in07.Talos   

**MD5:** a7742a6d7d8b39f1a8cdf7f0b50f12bb    

**Typical Filename:** wrsanvs.exe  

**Claimed Product:** N/A      

**Detection Name:** W32.Auto:91e994229a.in03.Talos

Threat Source newsletter (July 7, 2022) — Teamwork makes the dream work

When examining the modern threat landscape, empowering your security operations and overcoming the limitations inherent with other malware prevention solutions is imperative.

The implementation of defense-in-depth architectures and operating system hardening technologies have altered the threat landscape. Historically, zero-click, singular vulnerabilities were commonly discovered and exploited. The modern-day defensive posture requires attackers to successfully chain together multiple exploit techniques to gain control of a target system. The increased utilization of dynamic analysis systems has driven attackers to evade detection by requiring input or action from the user. Sometimes, the victim must perform several manual steps before the underlying payload is activated. Otherwise, it remains dormant and undetectable through behavioral analysis.

It is well known that client-side attacks are the predominant access vector for most initial access. Web browser and email-based malware campaigns target users through phishing, social engineering, and exploitation. Productivity and business tools from vendors like Adobe and Microsoft are widespread and provide attackers with many options. Combining the lack of security awareness training and well-developed social engineering tactics frequently results in users permitting the execution of malicious embedded logic like weaponized macros or other scripts. Analysis of these common malware carriers is time-consuming and tedious, and it requires expert skills. To adequately prevent, detect, and respond to these threats, an organization must throw everything at the problem and augment this previously human-intensive process.

Deep File Inspection (DFI) is one approach to ease the burden associated with continuous security monitoring. DFI is a static-analysis engine that inspects beyond Layer 7 of the OSI model, essentially automating the work of your typical SOC analyst or security researcher. Regardless of the complexity of evasive techniques a threat actor utilizes, DFI dissects malicious carriers to expose embedded logic, semantic context, and metadata. Coercive graphical lures are extracted and processed through a machine vision layer, adding to the semantic context of the original file. Commonly used obfuscation methods and encoding mechanisms are automatically discovered and deciphered.

A public concern that SOC analysts, IR teams, and security researchers encounter is the limited availability of context for detection analytics. In the case of intrusion prevention systems, resources are limited to microseconds of time and kilobytes of analyzable data. Intrusion detection systems can typically dig deeper, taking additional milliseconds to expose further data.

Regarding the time-analysis trade-off, the next step up is behavioral monitoring or sandboxed execution. This class of solutions detonates samples in a virtualized environment and annotates the system's behavior for threat detection; this process is both compute- and time-intensive, taking minutes to analyze each file. There is a middle ground where a few additional seconds can provide previously unseen detection opportunities.  

**Use Case: Qbot Malware Delivered via Follina and Malspam**

An example of an evasive threat is the recent TA570 campaigns that delivered Qbot malware with thread-hijacked emails. This wave of malspam utilized two different methods to provide the payload. The first method used a shortcut LNK to run a DLL with the hidden attribute. The second method is a Word document using the Follina (CVE-2022-30190) exploit.

    

Figure 2. Recent Qbot threat sequence. Source: InQuest

The attached HTML file contains an antiquated JS function to convert the embedded base64 string into a zip archive and prompt the victim to download. When extracted, the zip file contains a disk image that will be mounted showing either a shortcut or the shortcut and word document. The shortcut will execute the Qbot DLL within the directory with the hidden attribute set. At the same time, the Word file will attempt to exploit the MSDT vulnerability and download the payload from a remote server.

It is challenging for many solutions to carve the zip archive from the encoded HTML, extract the IMG file, and identify the weaponized contents. In this example, multiple threat signatures are seen from ambiguities within the SMTP headers, down to the hidden DLL or Follina document.

    

Figure 3. Variety of signatures alerts. Source: InQuest

Another interesting approach for detection is the concept of retrospective analysis or RetroHunting. While DFI creates a new dimension of data, RetroHunting provides a new dimension of time for analyzing historical events. The appearance of Follina and other zero-day vulnerabilities illustrates the usefulness of this capability by facilitating the detection of previously unseen alerts with emerging threat intelligence and detection logic.

In addition to a library of predeveloped signatures, analysts can develop user-defined YARA rules to combine strings, bytes patterns, and regular expressions via flexible conditional logic.

When confronted with novel attack techniques being encountered in the wild, security leaders must provide an opportunity to empower your detection operations and overcome the limitations inherent with other malware prevention solutions. A free resource to test the efficacy of a mail provider's security controls is the Email Security Assessment.

**About the Author**

    

Josiah Smith has almost a decade of experience in the realm of security. Before becoming a threat engineer, Josiah worked as a cyber operator, overseeing signature management and host-based detection programs. He spent several years in a room without windows, focusing on network detection, threat hunting, and IR investigations. He began his career as a member of the US Air Force, and most of his experience is with the DoD.

Tag

#zero_day