The acquisition accelerates 1Password's ongoing efforts to expand the role of the password manager with secure SaaS management.

1Password's acquisition of software-as-a-service (SaaS) access management provider Trelica is the latest move in a race to broaden the scope and functionality of password managers beyond securely storing user credentials.

1Password and its competitors, including Bitwarden, Dashlane, and LastPass, have been piling on features in recent months, such as extended autofill capabilities; support for digital attachments, such as birth certificates; and the ability to use the System of Cross-domain Identity Management (SCIM) standard to automatically provision users and groups from a source directory.

The 1Password-Trelica deal announced last week fits with 1Password's plans to help enterprises manage SaaS and shadow IT in their environment. Addressing these two enterprise challenges is a natural progression of what 1Password has already been providing with credential management, says 1Password co-CEO David Faugno.

**Next Step for Password Management**

1Password has been steadily augmenting its password manager software with capabilities such as Secrets Automation and the Events API. The company launched 1Password Extended Access Automation (XAM) last year, which allows secure access to enterprise resources from employee-owned and unmanaged devices that are not set up with the organization's single sign-on tools.

Prior to launching XAM, 1Password acquired Kolide, which developed a tool that provides contextual access management by detecting the health and posture of devices before granting access to applications.

"Our vision for Extended Access Management, and the way we're building to it, includes the application side of the story, which is how you identify and discover applications in the shadow IT realm," Faugno says.

Faugno says SaaS authentication and management were both already on the product road map, but the company had not decided whether to build or buy the capabilities.

"When we found Trelica, it was very, very well aligned with how we saw the world and how we thought about what that element was going to be in our XAM platform," Faugno says. "The Trelica team was very philosophically aligned with the way they built the product, culturally, and was a really good fit, so the build-versus-buy decision became pretty clear for us."

Trelica, founded in 2018 by Iain McGhee, Richard Kirby, and Robert Stiff, integrates directly with 300 SaaS providers. The software's primary functions include shadow IT discovery, spend optimization, contract renewals, and access management workflows for automating onboarding, offboarding, provisioning, and privilege escalation tasks.

**Growing Enterprise Implementation**

Password managers have historically been designed to assist consumers in keeping track of usernames and passwords for all of their online accounts. In recent years, password managers integrated with single sign-on platforms from Microsoft, Okta, Ping Identity, and others to make it possible for employees to sign on to workforce systems.

"Most enterprises are using some form of password manager for dealing with SaaS and even on-premises applications," says IDC research vice president Jay Bretzmann.  

While demand is strong for 1Password and its leading competitors, they need to continue adding capabilities that meet enterprise needs to their core products if they are to grow.

"Odds are some of these vendors will be acquired or simply not keep up with investment \[in GenAI\] over the next three years," Bretzmann says. "Most of the leaders are focusing on the sprawl problem they currently solve for enterprise environments with too many point solutions. Password managers will still be relevant in the midmarket where identity problems are less complex."

According to a recent Bloomberg report, 1Password has been interviewing banks for a potential IPO. While Faugno was in New York at the Nasdaq exchange to announce the Telica acquisition, he dismisses that as a sign of immediate plans to go public.

"You know how these public exchanges woo you years before to get closer to the company," he says. "We're in no rush. We have a profile that is appealing to public market investors, but we're also very fortunate to have been a very profitable business for two decades, so we have no unnatural pressures to become public. When the timing is right, we'll do it."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

1Password's Trelica Buy Part of Broader Shadow IT Play

Emergent macOS vulnerability lets adversaries circumvent Apple's System Integrity Protection (SIP) by loading third-party kernels.

Source: Andrey Kryuchkov via Alamy Stock Photo

Cyber defenders are encouraged to ensure systems have been updated with the latest macOS patch, which includes a fix for a vulnerability that exposed the entire operating system to further compromise.

The bug, tracked under CVE-2024-44243, was patched in the Dec. 11 Apple security update, according to analysis from Microsoft Threat Intelligence that was released this week. The vulnerability could allow adversaries to bypass the macOS System Integrity Protection (SIP) restrictions, which limit operations that are detrimental to a device's security. Without SIP controls in place, a threat actor could install rootkits, drop persistent malware, and more, according to the Microsoft report. More disturbing, threat actors don't need physical access to pull off the cyberattack.

"This exposes the entire operating system to deeper compromise without needing physical access, threatening sensitive data and system controls," said Jason Soroko, senior fellow at Sectigo, in a statement.

**Detecting Other Apple Bug Exploits**

In addition to updating vulnerable macOS systems, experts suggest cyber defenders be on the lookout for suspicious behavior.

"Teams should proactively monitor processes with special entitlements, as these can be exploited to bypass SIP," said Mayuresh Dani, manager, security research, at Qualys, in a statement provided in reaction to the flaw. "The behavior of these processes in the environments should also be maintained."

Soroko also advised teams to monitor for unusual disk management activity, in addition to anomalous privileged user behavior, and to implement endpoint detection tools and controls for unsigned kernel extensions. Dani agreed that third-party kernel extensions should be managed with care to prevent these sorts of attacks.

Third-party kernel extensions "should be enabled only when absolutely necessary and with strict monitoring guidelines," Dani added.

This is just one of the recent cyberattacks that has found its way around Apple's defenses.

The macOS infostealer malware "Banshee" was recently observed skirting Apple's antivirus protections, courtesy of a string encryption algorithm stolen from Apple. It's up to cyber teams to have adequate protections in place to lock down their own environments.

"Regular integrity checks, principle-of-least-privilege policies, and strict compliance with Apple's security guidelines further reduce exposure to this critical threat," Soroko added.

This and other similar flaws are a demonstration of a lack of security between root users and the operating system, Lionel Litty, chief security architect at Menlo Security, explained in a statement. It's also an example of the limitations of endpoint-based solutions, he added.

"While endpoint-based security solutions are attractive from a cost and usability perspective compared to off-device solutions such as \[virtual desktop infrastructure\], the constant stream of OS vulnerabilities that allow a local attacker to bypass OS integrity protection mechanisms shows that this is a risky gamble," Litty said. "If your security controls involve installing an application on an unmanaged device and relying on this application protecting itself, you need to closely monitor this type of issue."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Apple Bug Allows Root Protections Bypass Without Physical Access

Two hacker groups were paid to develop malware targeting victims in the US, Europe, and Asia, as well as various Chinese dissident groups.

Source: Herr Loeffler via Shutterstock

NEWS BRIEF

The US Justice Department and the FBI said on Jan. 14 that they were able to delete "PlugX" malware from thousands of devices globally as part of a cooperative effort.

The operation spanned a series of months, targeting the work of a group of China-sponsored hackers known as "Mustang Panda" and "Twill Typhoon." The group used PlugX malware to infect victims' computers and steal their information.

According to court documents, the Chinese government paid the hacking group to develop their strain of PlugX.

Since 2014, the group has targeted thousands of victims across the US, Europe, and Asia, as well as Chinese dissident groups. Many victims are still unaware their devices remain infected with the malware.

"This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of \[People's Republic of China\] state-sponsored hackers," said US Attorney Jacqueline Romero.

French law enforcement led the international operation, and a French cybersecurity company, Sekoia.io, was able to identify and report on the capability to send commands to delete the PlugX version from infected devices.

The tactic was tested and deemed viable by the FBI, leading the organization to obtain nine warrants to begin deleting PlugX from US-based computers.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

FBI Wraps Up Eradication Effort of Chinese 'PlugX' Malware

An ongoing campaign targeting FortiGate devices with management interfaces exposed on the public Internet is leading to unauthorized administrative logins and configuration changes, creating new accounts, and performing SSL VPN authentication.

Source: Lutsenko Oleksandr via Shutterstock

A zero-day flaw is likely to blame for a series of recent attacks on Fortinet FortiGate firewall devices that have management interfaces exposed on the public Internet. Attackers are targeting the devices to make unauthorized administrative logins and other configuration changes, create new accounts, and perform SSL VPN authentication, researchers have found.

Researchers at Arctic Wolf have been tracking the campaign since they first noticed suspicious activity on FortiGate devices in early December, they revealed in a recent blog post. They observed threat actors gaining access to management interfaces on affected firewalls — the firmware versions of which ranged between 7.0.14 and 7.0.16 —  and altering their configurations. Moreover, in compromised environments, attackers also were using DCSync to extract credentials.

Artic Wolf released a security bulletin in December upon discovery of the campaign, while the recent blog post revealed more in-depth details, including the attackers likely exploiting a zero-day flaw. However, they have not "definitively confirmed" this initial access vector, though the compressed timeline across affected organizations as well as firmware versions affected by the campaign suggest that attackers are exploiting an as-yet-undisclosed vulnerability, according to the Arctic Wolf researchers.

Victims of the campaign did not represent a specific sector or organization size, suggesting "that the targeting was opportunistic in nature rather than being deliberately and methodically targeted," they added.

The researchers didn't provide details on the scope or volume of the campaign.

**Cyber Abuse of the Fortinet Administrator Console**

What alerted the researchers to the malicious activity "in contrast with legitimate firewall activities, is the fact that \[attackers\] made extensive use of the jsconsole interface from a handful of unusual IP addresses," according to the post.  FortiGate next-generation firewall products have a standard and "convenient" feature that allow administrators to access the command-line interface through the Web-based management interface, the researchers explained.

"According to the FortiGate Knowledge Base, when changes are made via the Web-based CLI console, the user interface is logged as jsconsole along with the source IP address of whomever made the changes," they wrote. "In contrast, changes made via ssh would be listed as ssh for the user interface instead."

The researchers do not have direct confirmation that such commands are used in the present campaign; however, the observed activities follow a similar pattern in the way they invoke jsconsole, they added.

"Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board," the researchers wrote.

**A Four-Phase Cyberattack, Still Ongoing**

The researchers broke the campaign down into four phases that started in mid-November: It started with a vulnerability scanning phase, followed by a reconnaissance phase at the end of November, an SSL VPN configuration phase in the beginning of December, and then wrapping up with lateral movement from mid- to late December. However, they noted that the campaign is ongoing and they may uncover further activity in the future.

"These phases are delineated by the types of malicious configuration changes that were observed on compromised firewall devices across multiple victim organizations, and the activities that were taken by threat actors upon gaining access," the researchers explained.

Typically, the total count of successful jsconsole logins from anomalous IP addresses ranged between several hundred and several thousand entries for each victim organization, spanning the four phases of the campaign.

"Most of these sessions were short-lived, with corresponding logout events within a second or less," the researchers wrote. "In some instances, multiple login or logout events occurred within the same second, with up to four events occurring per second."

**Don't Expose Management Interfaces to Public Internet**

Fortinet devices are a popular target for threat actors, with vulnerabilities found in the products widely exploited to breach networks. To protect against attack, organizations should never expose Fortinet device management interfaces on the public Internet, regardless of the product specifics, according to the researchers. Instead, access to these interfaces should be limited to trusted internal users.

"When such interfaces are left open on the public internet, it expands the attack surface available to threat actors, opening up the potential to identify vulnerabilities that expose features that are meant to be limited to trusted administrators," they wrote in the post.

Administrators also should follow the common best practice of regularly updating firmware on the devices to patch any flaws or other security issues. Further, the researchers added, organizations also should ensure that syslog monitoring is configured for all of an organization’s firewall devices to increase the likelihood of catching malicious activity early.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks

In times of unprecedented change, innovative mindsets and attentiveness of startup culture make for a community everyone can leverage to understand the world and guard against its dangers.

Source: Vladimir Badaev via Alamy Stock Photo

COMMENTARY

In 2024, early growth startups found capital hard to come by, yet venture capitalists couldn't help but invest in emerging data and AI security. Solutions tackling data-in-motion and application data flows were a heavy focus. And there was a mad scramble to solve deepfakes and disinformation.

It was the year of deepfake awareness. Global governments were on high alert during election time, and even Wiz was touched by a failed deepfake attack. Yet the most disturbing news involved a conference call of synthetic co-workers, including a deepfake chief financial officer (CFO) who tricked a Hong Kong financial analyst into wiring $25 million. 

Imperceptible impersonation attacks are not difficult to generate these days. Real-time face swapping tools have proliferated on GitHub, such as Deep-Live-Cam and DeepFaceLive. Synthetic voice tools, like Descript and ElevenLabs, are also readily available.

In years past, monitoring human audio and video has fallen under the purview of insider threat and physical security. Now SecOps will deploy tech to monitor conference calls using startups like Validia and RealityDefender. These identity assurance solutions put participants through models looking for indicators of liveness, and provide confidence scores.

Governmental threat intelligence spans state-sponsored disinformation and narrative attacks as part of their broader information warfare operations. In the corporate space, monitoring brand reputation and disinformation traditionally has fallen under the legal and PR comms departments. Yet in 2024 there were signs of a shift.

New disinformation and narrative attacks not only destroy brands but have attempted to frame executives for Securities and Exchange Commission (SEC) violations, as well as incite violence after the recent United Healthcare assassination. Ignoring them could mean executive jail time or worse.

There's a belief in the startup community that boards of directors will want a single unified view of these threats. Threat intelligence that spans cybersecurity exfil, insider threats, impersonation, and broader information warfare. In the future, the chief information security officer’s (CISO’s) threat intel teams may find  their scope expanded with startups like Blackbird.AI, Alethea, or Logically.

Data security was another notable focus within the early growth startup world in 2024.

**Model Data Leakage Is the Problem of the Decade**

Models can be thought of as databases that are conversationally queried in English, and that store what was learned from Internet-sized chunks of unstructured text, audio, and video. Their neural network format doesn't get enough credit for density, storing immense data, and intelligence in models that may even fit on devices. 

The impending rollout of agentic AI, which produces agents that click UIs and operate tools, will only expand on-device model deployment. Agentic AI may even deploy adaptive models that learn device data. 

It sounds too insecure to adopt. Yet how many organizations will pass up AI's productivity gains?

To add to the complexity, the AI arms race produces groundbreaking foundational models every week. This encourages designing AI native apps that lean toward flexible code architectures — architectures that allow app vendors to swap out models under an organization's nose.

How will companies protect data as it collapses into these knowledge-dense neural nets? It's a data leakage nightmare.

**Time to Tackle Data in Motion**

A 2024 trend was the startup world's belief that it's time to rebuild cybersecurity for data in motion. Data flows are tackled on two fronts. First, reinventing traditional user and device controls, and second, providing app security under the chief technology officer (CTO). 

Data loss prevention (DLP) has been a must-buy category for compliance purposes. It places controls on the egress channels of users and devices, as well as between data and installed applications, including AI apps. In 2024, investors see DLP as a big opportunity to reinvent. 

At RSA and BlackHat's 2024 startup competitions, DLP startups Harmonic and LeakSignal were named finalists. MIND also received an $11 million seed investment last year.

DLP has traditionally focused on users, devices, and their surrounding network traffic, though one startup is eyeing the non-human identities that today outnumber humans, and are often microservices or apps deployed within Kubernetes. The leaking of secrets by these entities in logfiles has become a growing concern, and LeakSignal is employing cyber mesh concepts to control this data loss channel.

This leads to the CISOs' second data battleground, a data security approach that could govern code and AI development under CTOs. 

**Data Security Intersects Application Security**

Every company is developing software, and many leverage private data to train proprietary models. In this application world, CISOs need a control plane.

Antimatter and Knostic both appeared as finalists in 2024 RSA and BlackHat startup competitions. They offer privacy vault APIs that, when fully adopted by an organization, enable cybersecurity teams to govern the data that engineers expose to models. 

Startups working on fully homomorphic encryption (FHE) appear in competitions annually, touting this Holy Grail of AI privacy. It's a tech that produces an intermediate but still AI-usable encryption state. FHE's ciphertext remains usable because it maintains entity relationships, and models can use it during both training and inference time to deliver insights without seeing secrets.

Unfortunately, FHE is too computationally expensive and bloated for broad usage. The lack of partial word searching is another notable limitation. That's why we're seeing a privacy trend that delivers FHE as only one approach within a wider blend of encryption and token replacement. 

Startup Skyflow deploys polymorphic technology using FHE when it makes sense, along with lighter forms of encryption and tokenization. This enables handling partial searches, examining the last four digits of IDs, and being performative on devices. It's a blended approach similar to Apple's end-to-end encryption across devices and the cloud.

It's not hyperbole to say these are times of unprecedented change. Here one should note the innovative mindset and attentiveness of startup culture. It makes for a community that all can leverage to understand the world and guard against its dangers.

**About the Author**

Cybersecurity Analyst

Paul Shomo is an experienced analyst focusing on emerging cybersecurity and early-growth startups. A prescient forecaster, Paul is featured in Dark Reading, CSO Online, eWeek, and the Genealogy of Cybersecurity podcast. A patent holder and engineering leader behind EnCase, Paul was a founding pioneer of DFIR and enterprise forensics from 2006 to 2015. Paul was also a former kernel developer for Wind River Systems.

New Startups Focus on Deepfakes, Data-in-Motion &amp; Model Security

PRESS RELEASE

Today, CISA released the Cybersecurity Performance Goals Adoption Report to highlight how adoption of Cybersecurity Performance Goals (CPGs) benefits our nation’s critical infrastructure sectors. Originally released in October 2022, CISA’s CPGs are voluntary practices that critical infrastructure owners can take to protect themselves against cyber threats. 

This report is based on analysis of 7,791 critical infrastructure organizations enrolled in CISA’s Vulnerability Scanning service from Aug. 1, 2022, through Aug. 31, 2024. Data reveals that four critical infrastructure sectors are most impacted by CPG adoption: Healthcare and Public Health, Water and Wastewater Systems, Communications, and Government Services and Facilities. These four sectors have strong partnerships with CISA.

As CISA strengthens partnerships across all 16 critical infrastructure sectors, the agency hopes that CPG adoption will continue to expand. CISA urges critical infrastructure to learn more by visiting Cross-Sector Cybersecurity Performance Goals. 

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Releases the Cybersecurity Performance Goals Adoption Report

PRESS RELEASE

HONOLULU, Jan. 08, 2025 (GLOBE NEWSWIRE) -- Krilla Kaleiwahea LLC (K2), a Native Hawaiian Organization leader in defense, technology, resilience, and workforce development for the U.S. federal government, is proud to announce its selection as a prime contractor on the prestigious Navy SeaPort contract. This achievement underscores K2’s commitment to delivering innovative solutions and unparalleled support to the U.S. Navy and its mission-critical operations.

SeaPort NxG, the Navy’s electronic procurement platform, facilitates efficient and streamlined acquisition of professional support services in various functional areas, including engineering, financial management, and program management. As a trusted partner, K2 is now positioned to provide exceptional services across these domains, ensuring the Navy meets its strategic objectives with cutting-edge capabilities.

Driving Innovation and Excellence

“Being awarded the SeaPort contracting vehicle is a testament to K2’s dedication to excellence and our proven track record of supporting the Department of Defense with world-class talent,” said Peter Krilla, Co-Founder of K2. “We are honored to serve the Navy and contribute to its mission by delivering forward-thinking solutions and unmatched expertise.”

With this award, K2 will leverage its deep industry knowledge, advanced technologies, and talented team to address the complex challenges faced by the Navy and its partners. This contract allows K2 to expand its footprint and continue its tradition of excellence in supporting national security initiatives.

About K2

K2 is an 8(a) Native Hawaiian Organization and a leading provider of advanced solutions for the U.S. federal government's defense, technology, resilience, and workforce development sectors. Backed by decades of senior leadership experience in government, military, and corporate, we bring forward-thinking strategies that empower our clients to achieve operational success in the most demanding environments. As a Native Hawaiian Organization, we dedicate a portion of our profits to supporting the Native Hawaiian community. For more information about K2 and its services, visit www.k2-nho.com/

You May Also Like

K2 Secures Navy SeaPort Next Generation Contract

PRESS RELEASE

New York City, January 13, 2025 — Grupo Bimbo Ventures, the venture capital arm of Grupo Bimbo, the world's leading baking company and a significant player in the snack industry, is pleased to announce a strategic investment in NanoLock Security, a global leader in OT cybersecurity and management solutions for industrial manufacturing and critical infrastructure. This investment underscores Grupo Bimbo's commitment to embrace innovation that can benefit global markets and needs.

The food industry plays a critical role in national resilience. However, it has increasingly become a target for cyber threat actors. Food manufacturers manage complex and diverse industrial systems across multiple sites, creating vulnerabilities that threat actors can exploit. The use of third-party contractors for system maintenance and updates further heightens risks if not properly monitored.

NanoLock Security's solutions are designed to protect industrial systems, ensuring the integrity and security of critical operations. Their zero-trust approach provides centralized, global enforcement of security policies across diverse industrial environments. This flexibility is crucial for maintaining the security and operational integrity of manufacturing facilities worldwide.

As a global leader in the baking industry, Grupo Bimbo understands the importance of ensuring uninterrupted production and uphold the highest standards of quality and safety. NanoLock's proven expertise and successful deployments with leading manufacturers in APAC, US, Israel & EU align perfectly with Grupo Bimbo's vision for a secure and resilient future in the food sector.

"We are excited to partner with NanoLock Security and leverage their advanced solutions to enhance food operations worldwide," said Constantino Matouk Iriondo, VP Global Bimbo Ventures. "This investment reflects our dedication to ensuring a safer world, and we are impressed with how NanoLock’s customers, from different sectors, are benefiting from their unique technology and capabilities."

Grupo Bimbo Ventures is a minority shareholder of NanoLock Security, having invested alongside Awz Ventures. Awz Ventures has a proven track record of pioneering multi-use, innovative deep-tech investments. It has led NanoLock’s investment from inception in 2018 through subsequent rounds.

About Grupo Bimbo Ventures

Grupo Bimbo Ventures is the venture capital arm of Grupo Bimbo, the world's leader and largest baking company and a significant player in the snack industry.

About NanoLock Security

NanoLock Security is a global leader in OT cybersecurity and management solutions for industrial manufacturing and critical infrastructure. NanoLock provides comprehensive protection of operational technology environments, ensuring the integrity, resilience and security of critical systems and infrastructure.

You May Also Like

Grupo Bimbo Ventures Announces Investment in NanoLock Security

According to the tech giant, it has observed a threat group seeking out vulnerable customer accounts using generative AI, then creating tools to abuse these services.

Source: MAXSHOT.PL via Shutterstock

NEWS BRIEF

Microsoft's Digital Crimes Unit is pursuing legal action to disrupt cybercriminals who create malicious tools that evade the security guardrails and guidelines of generative AI (GenAI) services to create harmful content.

According to an unsealed complaint in the Eastern District of Virginia, though the company goes to great lengths to create and enhance secure AI products and services, cybercriminals continue to innovate their tactics and bypass security measures.

"With this action, we are sending a clear message: the weaponization of our AI technology by online actors will not be tolerated," said Microsoft in a blog post about the lawsuit.

In the court filings that were unsealed on Jan. 13, Microsoft noted that it had "observed a foreign-based threat-actor group develop sophisticated software that exploited exposed customer credentials scraped from public websites."

The group tried to access accounts with generative AI services in order to alter the capabilities of those services, then resold this unlawful access to other malicious actors, providing instructions on how to use the tools to create harmful content.

Since discovering the group's actions, Microsoft has revoked access and enhanced safeguards to mitigate this kind of activity in the future.

As the company continues to seek out proactive measures it can take alongside legal action, it highlights a report, "Protecting the Public From Abusive AI-Generated Content," that provides recommendations for organizations and governments to protect the public from AI-created threats.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Microsoft Cracks Down on Malicious Copilot AI Use

The security vulnerability tracked as CVE-2024-50603, which rates 10 out of 10 on the CVSS scale, enables unauthenticated remote code execution on affected systems, which cyberattackers are using to plant malware.

Source: Everett Collection Historical via Alamy Stock Photo

Multiple threat actors are actively targeting a recently disclosed maximum-severity security bug in the Aviatrix Controller centralized management platform for cloud networking.

In a worst-case scenario, the vulnerability, identified as CVE-2024-50603 (CVSS 10) could allow an unauthenticated remote adversary to run arbitrary commands on an affected system and take full control of it. Attackers are currently exploiting the flaw to deploy XMRig cryptomining malware and the Sliver backdoor on vulnerable targets.

**CVE-2024-50603: A High-Impact Vulnerability**

The vulnerability presents an especially severe risk in Amazon Web Services (AWS) cloud environments, where Aviatrix Controller allows privilege escalation by default, researchers at Wiz Security warned in a blog on Jan. 10.

"Based on our data, around 3% of cloud enterprise environments have Aviatrix Controller deployed," the researchers noted. "In 65% of such environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions."

Hundreds of large companies use Aviatrix's technology to manage cloud networking across AWS, Azure, Google Cloud Platform (GCP), and other multi-cloud environments. Common use cases include automating the deployment and management of cloud network infrastructure, and managing security, encryption, and connectivity policies. The company lists organizations such as Heineken, Raytheon, Yara, and IHG Hotels and Resorts among its customers.

Related:In Appreciation: Amit Yoran, Tenable CEO, Passes Away

CVE-2024-50603 stems from Aviatrix Controller not properly checking or validating the data that users send through its application programming interface (API). It is the latest bug to highlight the security risks tied to the growing use of APIs among organizations of all sizes. Other common API-related risks include those stemming from configuration errors, lack of visibility, and inadequate security testing.

The flaw is present in all supported versions of Aviatrix Controller before 7.2.4996 or 7.1.4191. Aviatrix has issued a patch for the bug and recommends that organizations apply it or upgrade to either versions 7.1.4191 or 7.2.4996 of the Controller.

"In certain circumstances the patch is not fully persistent across controller upgrades and must be re-applied, even if the controller status is displayed as 'patched,'" the company noted. One such circumstance is applying the patch on non-supported versions of the controller, Aviatrix said.

**Hackers Mount Opportunistic Cloud Attacks**

Security researcher Jakub Korepta of SecuRing, who discovered and reported the bug to Aviatrix, publicly disclosed details of the flaw on Jan. 7. Just one day later, a proof-of-concept exploit for the bug became available on GitHub, triggering near-immediate exploit activity.

Related:Managing Cloud Risks Gave Security Teams a Big Headache in 2024

"Since the proof-of-concept release, Wiz observed that most of the vulnerable instances were specifically targeted by attackers looking for unpatched Aviatrix deployments," says Alon Schindel, vice president of AI & Threat Research at Wiz. "The overall volume of exploitation attempts has been steady. However, we see customers patching their systems and preventing attackers from targeting them."

Schindel characterizes the exploit activity so far as largely opportunistic in nature, and emanating from scanners and automated tool sets combing the Internet for unpatched Aviatrix instances.

"Although some of the payloads and infrastructure used suggest higher sophistication in a few cases, most of the attempts appear to be broad sweeps rather than highly customized or targeted attacks on specific organizations," he says.

Available telemetry suggests that multiple threat actors, including organized criminal gangs, are leveraging the flaw in various ways. So far at least, there is no evidence pointing to any single group as dominating the exploitation activity, Schindel says. "Depending on the environment's setup, an attacker might exfiltrate sensitive data, access other parts of the cloud or on-prem infrastructure, or disrupt normal operations," he notes.

Related:DDoS Attacks Surge as Africa Expands Its Digital Footprint

**A Reminder of API-Based Cyber-Risks**

Ray Kelly, a fellow at Black Duck, says the Aviatrix Controller vulnerability is another reminder of both the growing risks associated with API endpoints and the challenges involved in addressing them. The vulnerability shows how a server can be compromised via a simple Web call to an API, and highlights the need for thorough testing of APIs. But such testing can be daunting, given the size, complexity, and interdependence of APIs and the fact that many APIs are developed and managed by external software and service providers.

"One effective approach to mitigating these risks is by establishing clear 'rules of governance' for third-party software," Kelly says. "This includes implementing thorough vetting processes for third-party providers, enforcing consistent security measures, and maintaining continuous monitoring of software performance and vulnerabilities."

Wiz's Schindel says the best recourse for organizations affected by the new Aviatrix bug is to apply the company's patch for it as soon as possible. Organizations that are unable to patch immediately should restrict network access to the Aviatrix Controller via an IP allowlist so only trusted sources can reach it, Schindel advises. They should also monitor logs and system behavior closely for suspicious activity or known exploit indicators, set up alerts for abnormal behavior associated with Aviatrix, and reduce unnecessary lateral movement paths between their cloud identities.

Jessica MacGregor, spokeswoman for Aviatrix says the company issued an emergency patch for the vulnerability back in November 2024 given its potential severity. The security patch applied to all supported releases and also for versions of Aviatrix Controller for which support had ended two years ago. The company also reached out privately to customers via multiple targeted campaigns to make sure affected organizations applied the patch, MacGregor says.

While a significant portion of affected customers have applied the patch and recommended hardening measures, some organizations have not. And it is these customers that are experiencing the current attacks, she notes. "While we strongly recommend that customers remain current in their software, customers on Controller version 6.7+ who have applied the Security Patch can be protected even if they have not upgraded to the latest versions with the permanent fixes," she says.

 MacGregor says Aviatrix wants anyone unable to upgrade or patch their systems to reach out so the company can work with them to harden their configuration based on best practices. "We will also work closely with customers that believe they been exploited to restore their Aviatrix software to a clean state."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source

DARKReading