Cybersecurity exceptions are a fact of life in most organizations, but there's work that should be done to make sure those exceptions are justified and worth the risk.

There is always a new shiny object to chase in cybersecurity: zero trust, AI, passwordless authentication, quantum computing. These are just some of the latest hot topics, and organizations are feeling pressure to adopt them to stay ahead of current threats.

While these new technologies are certainly relevant, they may not be as important as getting the "cyber basics" right. Buying new cutting-edge tools or planning a whole new architecture won't replace excelling at those foundational, structural underpinnings that build a successful security program. One example of these fundamental considerations is the area of "exceptions." 

It is simply a given in any enterprise that there will be exceptions to cybersecurity policies and procedures. These range from patching exceptions to multifactor authentication (MFA) exceptions to access and firewall exceptions. How an organization processes and tracks exception requests, and evaluates risks associated with exceptions, can have a major impact on how easy or difficult it is for the organization to monitor, detect, and respond to cyberattacks.

**Are Cybersecurity Exceptions Justified? **

Attackers will leverage exceptions because they provide an easier path into an organization's environment. For example, I supported a military contract and the command was rolling out application allowlisting. The aides to senior officers requested exceptions for those seniors because they were concerned that the technology might "interfere" with the senior officers' work. However, the senior officers were the exact group needing additional security protection. 

We were able to meet and explain to the aides how the tech would better protect these VIPs, and we would coordinate with their offices to quickly resolve any issues with the technology. Despite some misgivings, the VIPs ultimately were better protected and the exception requests were dropped. All it took was sitting down and discussing the users' worries and patiently explaining how to ease those worries. 

Exceptions ultimately indicate how good your security could be — if there were fewer exceptions (or none at all). Here are some things to keep in mind:

*   Ensure you have a clear and concise process for requesting and approving exceptions. (Hint: Convenience is not a good basis for granting exceptions!) That process should align with other security policies, such as the organization's acceptable use policy.
*   The process should include a risk assessment to determine the impact of the exception.
*   Track all exceptions to ensure they are not being abused.
*   If you have too many exception requests, you may need to modify your policy so that employees can get their work done securely.
*   Exceptions should expire. If necessary, they can be reviewed to see if they are still valid.

If you're falling short on cybersecurity fundamentals, such as an exception process, you're going to be facing security issues regardless of how much time and money you invest in new technologies. Automation and other solutions can help, but they don't erase every problem, including those that require new human behaviors and processes. Just like Achilles from Greek mythology, it’s easy to forget a weak spot if you’ve lived with it for a long time. And just like Achilles, such forgetfulness can have severe consequences.

_Read more_ Partner Perspectives from Google Cloud

What are Your Exception Expectations?

**PRESS RELEASE**

**PALO ALTO, Calif.****,** **Oct. 19, 2023** **/PRNewswire/ --** Artificial intelligence (AI) provides a powerful tool for energy companies to deliver an affordable, reliable clean energy transformation. Today before a U.S. House Energy and Commerce Subcommittee, EPRI Senior Technical Executive Jeremy Renshaw testified that parties need to collectively work on addressing today's AI challenges and tomorrow's opportunities.

For more than a decade, EPRI has been studying AI and its potential impacts on the energy sector, and in the last five years, the institute has accelerated its activities around AI and data science. To date, EPRI has been involved in more than 70 projects related to AI applications in the energy sector.

As EPRI research has found, AI can help energy companies improve efficiency of existing assets, assist with wildfire risk evaluation and early-stage detection, aid vegetation management and storm recovery, and optimize energy usage, among other benefits.

"AI allows computers and humans to interact more effectively to improve safety and reliability while reducing costs," Renshaw testified before the House Energy and Commerce Subcommittee on Energy, Climate, and Grid Security. "This is done by allowing humans to do what humans do best - creative thinking and dealing with new or unforeseen situations, while computers do what computers do best - rapid, accurate computations," he said.

"While AI has come a long way in a short amount of time, there are still many more opportunities to solve existing challenges today, as well as considerations for ethical and responsible use of AI," Renshaw noted. Among pressing considerations:

*   **Data privacy and security**: AI models are typically trained on large datasets, which may contain personally identifiable information or other sensitive data. Steps should be taken to ensure the security and privacy of the data.
*   **AI-assisted cybersecurity**: EPRI and other companies are developing tools to proactively monitor and address suspicious cyber-related activity.
*   **Data**: Without sufficient quantity and quality of data, AI systems can potentially produce erroneous results that can be used in decision-making processes.
*   **Workforce training**: People need to be trained on how and when AI is the right tool to use and when it is not.

"Clearly, AI will have a significant impact on the energy industry, likely both positive and negative. It is anticipated that, through the introduction of AI, utilities will be able to utilize its benefits for maintaining or improving safety, affordability, reliability, efficiency, and environmentally friendly energy production," Renshaw concluded.

A copy of Renshaw's prepared testimony is available here. To learn more about EPRI's AI work, visit www.ai.epri.com.

**About EPRI**

Founded in 1972, EPRI is the world's preeminent independent, non-profit energy research and development organization, with offices around the world. EPRI's trusted experts collaborate with more than 450 companies in 45 countries, driving innovation to ensure the public has clean, safe, reliable, affordable, and equitable access to electricity across the globe. Together, we are shaping the future of energy.

SOURCE EPRI

AI 'Will Have a Significant Impact on Energy Industry,' EPRI Tells Congress

**PRESS RELEASE**

**TEMPE, Ariz.** **& PRAGUE****,** **Oct. 19, 2023** **/PRNewswire/ --** Norton, a consumer Cyber Safety brand of Gen™ (NASDAQ: GEN), today unveiled new features included with Norton Password Manager and Norton AntiTrack. Norton Password Manager offers a premium password management experience that continues to be available at no cost, and a new Private Email feature now available in Norton AntiTrack helps consumers quickly and easily take back control of their online privacy.

"Our enhancements to Norton Password Manager and Norton AntiTrack exemplify our passion for constantly improving our products and services to help our customers protect their online privacy and stay one step ahead of threats to their security," said Leena Elias, Chief Product Officer at Gen. "Free password managers are traditionally basic, difficult to access on different devices, and lack multi-layered security. With Norton Password Manager, you no longer have to choose between conveniently accessing your accounts and having excellent password protection. And, our addition of Private Email as part of Norton AntiTrack allows you to easily take steps to protect your online privacy when you're engaging with the digital world and protect your personal email address, which is often the gateway to your personal information and accounts. We are committed to helping our customers safeguard their online privacy through the launch of these solutions."

Accessible via the web, and available as a browser extension or mobile app, Norton Password Manager has been rebuilt with improvements to password security and privacy and redesigned to provide a seamless, intuitive customer experience.

Norton Password Manager now delivers greater convenience, security, and privacy with the following upgrades:

*   **Strengthened Vault Security and Recovery:** We notify you if your vault password needs to be strengthened and monitor the dark web for your vault password to help keep your passwords secure. New vault access recovery helps you recover the vault password if it's forgotten without compromising security.
*   **Improved Password Assessment:** Password strength is automatically assessed. If a weak password is detected, it's now easier to change it to be more complex and difficult to crack.
*   **Easy to Use:** A modern look and feel that's simple to set up and access the most used features from more locations; auto-filling and credential saving options appear seamlessly as you browse the web to provide quick access to accounts.

In addition to Norton Password Manager enhancements, Private Email is now available in Norton AntiTrack on Windows PCs. Private Email improves email privacy by masking your personal email addresses so they're unrecognizable, and removes hidden trackers often found in sent emails that can be used to gather private, personally identifiable information, including location, device usage, interests, and shopping behaviors.

Norton Password Manager is compatible with Windows PC, Mac, Android, and iOS, and available as a browser extension on Chrome, Firefox, Microsoft Edge, Safari, as well as browsers from Gen brands, Norton, Avast and Avira. For more information and to download Norton Password Manager, visit us.norton.com/products/norton-password-manager. Norton AntiTrack with Private Email is available to download at https://norton.com/products/norton-antitrack.

**About Norton**

Norton is a leader in Cyber Safety, and part of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom with a family of trusted consumer brands. Norton empowers millions of individuals and families with award-winning protection for their devices, online privacy, and identity. Norton products and services are certified by independent testing organizations including AV-TEST, AV-Comparatives, and SE Labs. Norton is a founding member of the Coalition Against Stalkerware. Learn more at www.norton.com.

Norton Boosts Security and Privacy With Enhanced Password Manager and AntiTrack

**PRESS RELEASE**

**SAN JOSE, Calif.****,** **Oct. 18, 2023** **/PRNewswire/ --** Spec, a leading cybersecurity firm specializing in advanced frauddetection and defense, is thrilled to announce the successful closure of its $15M Series A funding round, marking a significant milestone in the company's journey. This funding round was led by SignalFire, with participation from Legion Capital, and Rally Ventures.

From its beginnings as a "hello world" prototype during the early days of the pandemic, the Spec platform has advanced to invisibly protect enterprises processing billions in online transactions. Today, Spec's platform scans the entire customer journey, allowing for the identification of all threats and attacks, and then deploys active countermeasures, especially against the AI-powered attack tools that threaten to disrupt online businesses.

This funding round will power Spec's continued growth and innovation. With this new investment, the company is poised to:

*   Advance the Spec platform to deliver increased visibility and control over attack detection and exploit remediation
*   Expand its threat labs, the R&D powerhouse that deconstructs the tools and tactics used by modern attackers and develop countermeasures that neutralize their impact
*   Co-develop specialized products with partners that resolve the fraud problems that customers cannot fix with single point solutions

"I'm excited about our continued partnership with SignalFire, who led this funding round," said Spec co-founder and CEO Nate Kharrl. "The firm's deep expertise in cybersecurity and AI at enterprise scale is a perfect match for our mission. We're equally grateful for the continued support from Legion Capital and Rally Ventures, whose insights and experience are invaluable."

Kharrl further expressed gratitude to everyone who has been part of Spec's remarkable journey, emphasizing that trust and support forms the very foundation of the company's success. "I'm proud of what this team has accomplished. I'm also grateful for the support of the enterprise customers that helped us grow our platform into what it is today, bolstered by the incredible support and guidance of our board and investors," he said. "We're excited to forge ahead on our mission to protect customer journeys against a landscape of evolving threats."

About Spec: Spec is a leading cybersecurity firm specializing in advanced fraud detection and defense, providing enterprises with unparalleled fraud security solutions. With a commitment to innovation, Spec is dedicated to protecting businesses against emerging threats and security challenges.

For more information, visit www.specprotected.com.

SOURCE SPEC

Spec Secures $15M Series A Funding, Accelerating Innovation in Fraud Defense

**PRESS RELEASE**

**CHICAGO****,** **Oct. 17, 2023** **/PRNewswire/ --** Fingerprint, the world's most accurate device intelligence platform, raised $33 million in Series C funding led by Nexus Venture Partners with participation from Uncorrelated Ventures. Fingerprint aids developers in building device identification with flexible APIs capable of identifying fraudsters while ensuring low-friction experiences for trusted users. The Fingerprint platform leads with best-in-class accuracy, identifying 99.5% of returning users in less than 500 milliseconds of processing time. The new funding brings the company's total funding to $77 million.

"With the gradual death of cookies and proliferation of VPNs, high accuracy device identification has never been more important. Companies battle sophisticated attacks from online fraudsters while needing to ensure their trusted customers have a frictionless experience," said Dan Pinto, Fingerprint's co-founder and CEO. "Fingerprint solves this challenge for thousands of companies by enabling accurate device identification and providing additional signals to inform visitor intent without inconveniencing legitimate users."

Since its last round of funding in 2021, Fingerprint has seen significant growth stemming from its ease of integration, instant value for new customers via API and extensive documentation. Industry leaders like Dropbox trust Fingerprint to detect and block account takeover attempts, while Neiman Marcus relies on the same technology to create personalized experiences for its most valued customers.

"Fingerprint is becoming a modern utility for the internet economy to combat fraud," said Abhishek Sharma, Managing Director of Nexus Venture Partners. "Any business that processes online transactions or payments should use Fingerprint. Its device intelligence API helps high-scale websites and apps prevent fraudulent transactions. We're impressed by the product's ability to deliver 10x+ ROI for its customers consistently. We love Fingerprint's developer-focused go-to-market approach coupled with its ubiquitous open-source library, FingerprintJS. The company has commercially grown 20x over the past three years. It has a resounding product-market fit, from small businesses to large public companies. We're thrilled to triple down and further strengthen our partnership with Fingerprint."

Unlike other device identification methods, Fingerprint's persistent visitor identifier continuously improves and maintains accuracy, even as browsers are upgraded. Providing a complete view of all users across web and mobile devices — whether or not they are logged in or concealing their identity — enables companies to build superior frauddetection and user experiences. Companies use Fingerprint for a variety of use cases, including:

*   Protecting login pages from automated account takeover attacks and phishing attempts.
*   Preventing payment fraud of all forms for payment processors and eCommerce retailers.
*   Account sharing detection and prevention for SaaS and subscription services.
*   Securing cryptocurrency exchanges.
*   Building paywalls that can't be evaded by going incognito, changing IP addresses or clearing cookies.
*   Restricting access for bad actors in online gaming and gambling.

Fingerprint also makes it easy for any developer to get started with popular third-party integrations such as Cloudflare, Segment, CloudFront and many more. Additionally, Fingerprint partners with software vendors, including Dodgeball, Okta and Spec, to generate additional value for customers and increase customer retention.

The funding will enable Fingerprint to accelerate adoption within larger Enterprise customers, which have been a critical driver of the company's recent growth. Fingerprint aims to build new tools and capabilities to tackle the most complex challenges in device identification.

For more information on Fingerprint device intelligence, visit Fingerprint.com.

**About Fingerprint**

Fingerprint, powered by the most accurate device intelligence platform, enables companies to prevent fraud and improve user experiences. Fingerprint processes almost 100 signals from the browser, device, and network to generate a stable and persistent unique visitor identifier that can be used to understand visitor behavior. With a commitment to best-in-class data security and privacy, Fingerprint is proud to be ISO 27001 certified, SOC 2 Type II, GDPR, and CCPA compliant. Fingerprint is trusted by over 6,000 companies worldwide, including 16% of the top 500 websites, to help catch sophisticated fraudsters and personalize experiences for trusted users. Learn more at fingerprint.com.

**About Nexus Venture Partners**

Nexus Venture Partners is a venture capital firm that supports extraordinary founders in building product-first companies. The firm takes a high-conviction approach, serving as inception, seed, or series-A stage partner to founders, actively engaging with them throughout the company lifecycle. With $2.6B capital in management, Nexus portfolio includes Postman, Apollo.io, MinIO, Fingerprint, Nx, Druva, Observe.ai, Rancher, Pubmatic, Delhivery, H2O.ai, Hasura, Kaltura, Quizizz, Sibros, TileDB, Turtlemint, Unacademy, Zepto, and Zomato. For more information, visit www.nexusvp.com or follow @nexusvp on X.

Fingerprint Raises $33M in Series C Funding to Accelerate Enterprise Device Intelligence and Fraud Prevention Adoption

**PRESS RELEASE**

**AUSTIN, Texas** – **Oct. 10, 2023** – SailPoint Technologies, Inc., a leader in enterprise identity security, today released the findings from the 2023 edition of its annual research report, ‘The Horizons of Identity Security,’ at Navigate 2023. Produced in collaboration between SailPoint and Accenture, a leading global professional services company, the report is based on insights from more than 375 global cybersecurity executives across the Americas, Europe and Asia. The goal was to examine the current state and future direction of the identity security market.

With 90% of cybersecurity breaches being identity related, identity security is the most important security aspect that every organization must get right. Yet, findings from the Horizons of Identity Security report show that 44% of companies are still at the beginning of their identity journeys. And, concerningly, even mature companies cover less than 70% of the identities in their organizations through foundational governance capabilities. However, respondents noted that communicating the business value of identity security to executives is a key challenge. This underscores the need for identity security advocates to build executive-friendly business cases that are tailored to their audiences’ strategic priorities and value-driven mindset.

A worrying 77% of respondents indicate that “limited executive sponsorship or focus” is a primary obstacle to investment in identity security, second only to budgetary constraints (91%). However, report findings clearly demonstrate that a strong identity security program can power business agility and innovation, risk mitigation, efficiency gains, and advancement of tech initiatives. For example, it can accelerate organizational change by as much as 30% through quicker integration of identities, applications, data and infrastructure. 

“A strong identity security program can generate real value for today’s organizations, but that value isn’t always obvious to business stakeholders,” said Matt Mills, President of Worldwide Field Operations, SailPoint. “In today’s threat landscape, stopping just one breach can save millions of dollars in lost revenue, regulatory fines, and reputational damage. It’s important for security teams to have the information they need to communicate their needs in an outcomes-based way. Focusing on the business value that identity security drives is going to resonate best with executives and help them understand the pressing need to accelerate their identity maturity if they want to avoid becoming the next major victim.”

Identity ecosystems are becoming increasingly complex and a preferred attack vector for threat actors. According to the report findings, on average more than 30% of the identities in an organization are not properly covered by identity solutions, with particular gaps around third-party identities, machine identities and data. Bringing those identities under the umbrella of a strong identity management program is essential for breach avoidance. Foundational security capabilities accelerate incident response, prevent bad actors from authenticating into internal systems and limit excessive access rights for employees — which survey respondents selected as the most common security deficiency enabling breaches.

Among other notable findings in the report was the fact that AI-based solutions have proven to be a potent accelerator, helping businesses add advanced new capabilities and drive greater agility. Encouragingly, the report shows a growing number of organizations are exploring AI-backed dynamic trust models to evolve access based on user behavior. The findings also show that companies leveraging SaaS, AI and automation scale a notable 10-30% faster and get more value for their security investment through increased capability utilization. More specifically, an identity platform leveraging automation and AI enables companies to scale identity-related capabilities up to 37% faster than companies without AI enablement. 

“Organizations are facing unprecedented challenges when it comes to managing their complex identity environments and massive data sets,” said Damon McDougald, the global Security Digital Identity lead at Accenture. “While advanced technologies like artificial intelligence and generative AI are making it easier to expedite, manage and scale identity security initiatives many organizations are still at the start of their journeys. Organizations should view this as an opportunity to accelerate their identity maturity timetable and establish a foundation for a secure digital transformation.”

**Adoption Assessment tool**

SailPoint is launching a new adoption assessment tool that can help organizations assess their current capabilities, as well as how they stack up against their peers. The tool can help businesses identify what their greatest barriers to stronger identity security are, and how they can generate greater business value by investing in identity. To access the adoption assessment tool, click here. 

SailPoint’s flagship ‘Navigate: Identity Security Accelerated’ conference kicks off in Austin, Texas on October 9th, and will be followed by a series of global events in London, Singapore, Sydney, Washington DC, Toronto and São Paulo. To register, visit the Navigate website.

**2023 Horizons of Identity Security Resources**

*   To download a copy of the 2023 Horizons of Identity Report, click here. 
*   Read more about the report’s top findings in this SailPoint blog. 
*   For a snapshot of the report’s key findings, click here. 
*   To reference the 2022 Horizons of Identity Report or take the maturity assessment, click here. 

**About SailPoint**

SailPoint is a leading provider of identity security for the modern enterprise. Enterprise security starts and ends with identities and their access, yet the ability to manage and secure identities today has moved well beyond human capacity. Using a foundation of artificial intelligence and machine learning, the SailPoint Identity Security Platform delivers the right level of access to the right identities and resources at the right time—matching the scale, velocity, and environmental needs of today’s cloud-oriented enterprise. Our intelligent, autonomous, and integrated solutions put identity security at the core of digital business operations, enabling even the most complex organizations across the globe to build a security foundation capable of defending against today’s most pressing threats.

SailPoint Unveils Annual 'Horizons of Identity Security' Report

Two weeks after the first data leak from the DNA ancestry service, the threat actor produces an additional 4 million user records they purportedly stole.

A threat actor who claimed responsibility for the compromise of the 23AndMe site earlier this month has released a new dataset, including the records of more than 4 million people's genetic ancestry.

The cybercriminal, known by the handle Golem, alleges in a cybercrime Dark Web forum the stolen data includes information on, "the wealthiest people living in the US and Western Europe," according to reports.

23andMe spokesperson Andy Kill said in a statement the organization is still trying to confirm whether the most recently leaked data is genuine.

Prior to this most recent leak, an Oct. 1 post on a Dark Web forum by Golem claimed they have a total of 20 million individual pieces of 23andMe data and leaked 1 million lines of data as a teaser, along with an offer to bulk sell data profiles.

23andMe confirmed in early October that users who opted to share information through its "DNA Relatives" were impacted and suggested the breach was a result of a credential stuffing cyberattack.

"After learning of suspicious activity, we immediately began an investigation," 23andMe's disclosure said. "While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials — that is, usernames and passwords that were used on 23andme were the same as those used on other websites that have been previously hacked."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

23AndMe Hacker Leaks New Tranche of Stolen Data

Known threat groups Diamond Sleet and Onyx Sleet focus on cyber espionage, data theft, network sabotage, and other malicious actions, Microsoft says.

Two North Korean state-backed threat groups, whom Microsoft is tracking as Diamond Sleet and Onyx Sleet, are actively exploiting CVE-2023-42793, a critical remote code execution (RCE) bug in on-premises versions of JetBrains TeamCity continuous integration and delivery server.

The attackers are leveraging the bug to drop backdoors and other implants for carrying out a wide range of malicious activities, including cyber espionage, data theft, financially motivated attacks, and network sabotage, Microsoft said in a report this week. TeamCity is a platform that some 30,000 organizations — including several major brands like Citibank, Nike, and Ferrari — use to automate software build, test, and deployment processes.

**Critical Authentication Bypass Vulnerability**

Based on previous campaigns, Diamond Sleet presents a threat mainly to organizations in IT services, media, and defense-related sectors globally. Onyx Fleet has a somewhat narrower focus and has mostly targeted defense and IT services entities in the US, South Korea, and India. "While the two threat actors are exploiting the same vulnerability, Microsoft observed Diamond Sleet and Onyx Sleet utilizing unique sets of tools and techniques following successful exploitation," Microsoft said.

JetBrains disclosed CVE-2023-42793 on Sept. 30 and assigned it a near-maximum severity score of 9.8 out of 10 on the CVSS scale. The software vendor described the vulnerability as enabling an unauthenticated attack to perform a RCE attack and gain administrative privileges on an affected, Internet-exposed TeamCity server. The vulnerability is present in all on-premises versions of TeamCity.

**ForestTiger Backdoor and Other Payloads**

In Diamond Fleet's attacks targeting the flaw, the threat actor has been using PowerShell to download two malicious payloads from legitimate infrastructure that the threat actor appears to have compromised previously. One of the payloads is a backdoor dubbed ForestTiger that the attacker uses to run scheduled tasks on compromised systems and also to dump credentials. The other malicious payload is a configuration file for the malware that contains information on its command-and-control (C2) infrastructure and other parameters.

Microsoft said it also observed Diamond Sleet actors leveraging PowerShell to download a malicious dynamic link library (DLL), a technique that threat actors often use to execute unauthorized code on compromised systems.

Meanwhile, Onyx Sleet's tactic after exploiting CVE-2023-42793 has been to create a new user account on compromised systems with a name that appears designed to impersonate the legitimate Kerberos Ticket Granting Ticket Account, Microsoft said. The attacker has then been adding the account to the Local Administrators Group and using it to download and decrypt an embedded Portable Executable (PE) resource which is then loaded and launched in memory. "The inner payload is a proxy tool that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure," Microsoft noted.

**Trivial to Find and Exploit**

Stefan Schiller, vulnerability researcher at Sonar, which discovered and reported CVE-2023-42793 to JetBrains, says the vulnerability is very easy for a threat actor to find and abuse. The version of a TeamCity instance can be determined by simply visiting the login page and determining whether the specific version is 2023.05.3 and below, which would mean it is vulnerable. "Once a vulnerable instance is identified, the exploitation is straightforward. Neither authentication nor any kind of user interaction is necessary to exploit the vulnerability," Schiller says.

Due to the nature of the vulnerability, its exploitation is also very reliable. "This makes it very likely that all publicly exposed, vulnerable instances are successfully exploited," he says.

The attacks are the latest manifestation of growing threat actor interest in software development pipelines as an initial access vector and avenue for stealing source code and secrets from companies and for potentially poisoning software and apps in SolarWinds-like fashion.

Vulnerabilities such as CVE-2023-42793 in a CI/CD platform enable supply chain attacks that can have far reaching consequences, says Henrik Plate, security researcher at application security company Endor Labs. It's often not just the organization using the affected software that feels the impact but also any downstream users that might download and execute software built on the system. "The worst-case scenario is probably one where attackers silently manipulate the software created by TeamCity, as this would affect all the users running such infected software," he says. "Such attacks are comparable to the SolarWinds incident, where compromised versions of SolarWinds were downloaded and run by numerous organizations."

**Addressing Supply Chain Risks**

At a high-level, software organizations should try and establish a traceable and verifiable link between the source code and the final build artifact that will be distributed to consumers, Plate says. They need to be able to answers questions like what version of the source code was used as input, which tools were used to compile and transform the various inputs, and what were their configurations. Resources such as the SLSA project and NIST's Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipeline offer actionable advice on the steps software teams can take to address CI/CD security, Plate notes.

In addition, implementing practices such as Reproducible builds can help in post-compromise situations, because they produce bit-identical software artifacts, as long as the same inputs and environment are used. "However, making builds reproducible can take a considerable effort and must have been put in place before the incident," Plate says.

JetBrains released a fixed version of TeamCity (version 2023.05.4) at time of vulnerability disclosure and strongly urged organizations to upgrade to it, to mitigate exposure to the threat. The company also released a security patch that organizations — which cannot update to the new version immediately — can plug in to their existing TeamCity version to address the RCE.

North Korean State Actors Attack Critical Bug in TeamCity Server

Several countries in Europe as well as the United States and Japan were involved in the operation, which is aimed at defanging one of the bigger names in ransomware.

In an ongoing operation conducted by law enforcement, Ragnar Locker's Tor negotiation and data leak sites were taken down and replaced with a notice stating that the websites had been seized in a "coordinated international law enforcement action."

Europol is involved in taking action against the ransomware group, as well as law enforcement officials from the United States, and Japan. According to a Europol spokesperson, a press release will be announced on Oct. 20 when "all actions have been finalized."

"While on the surface, this feels like a win, ultimately it may be no more than an inconvenience for the Ragnar group if they are able to quickly set up other servers to replace these," stated Erick Kron, security awareness advocate at KnowBe4. "In addition, this could cause problems for people whose organizations have been impacted by a ransomware attack but have now lost a method to negotiate with the bad actors. Unless the websites that were seized contain information or decryption keys for these people, it could significantly delay their ability to recover."

It is still unclear as to whether or not any arrests have been made or if any stolen funds were recovered. 

According to Dragos, the group is known for focusing on the energy sector. In the past, Ragnar Locker has been tied to various attacks, including when it hit the Mayanei Hayeshua Medical Center in Bnei Brak just this past summer, and when it targeted TAP Air Portugal's systems and claimed to have stolen data. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Europol Strike Wounds Ragnar Locker Ransomware Group

Dark Reading's special report on SecOps data analytics looks at the elements needed to set up a proper data foundation — because getting the data right when collecting, aggregating, and analyzing it is essential.

If there's something all security operations (SecOps) teams need, but few get right, it is the ability to use security data analytics effectively. After all, an effective SecOps data analytics program enables SecOps teams to continuously monitor their environments for signs of compromise and stop potential attacks before they can cause serious damage. Also, good data makes collaboration among SecOps teams and IT more effective.

"There are a lot of different ways to do aggregation and analysis. But there's no way to answer the question, 'Tell me the biggest threat to the business' if you're not doing systematic aggregation and analysis of your data," says Mike Rothman, general manager at Techstrong Research. "In many cases, you'll have a hard time answering it anyway. But if you're not even doing the basics, you have no shot."

Dark Reading's special report "The Secrets of Successful SecOps Data Analytics" digs into important decisions enterprises must make to effectively collect, analyze, and manage their security data so that SecOps teams can make the best decisions possible.

Paradoxically, security teams don't suffer from too little security data or too few security data sources — rather, they have too many data sources and too much data to sift through. This overabundance can make finding the most pressing threats daunting.

"SecOps teams are drowning under the weight of multiple security tools, alert fatigue, and manual operations," says Anton Chuvakin, security adviser at the office of the CISO, Google Cloud. "Analyzing large — the meaning of 'large,' of course, changing dramatically in 20 years — amounts of data at scale and speed have never been more important, but it remains tricky when this data is coming from so many disparate sources."

Getting the data right, however, when it comes to collecting, aggregating, and analyzing is essential. SecOps teams need data to be effective, and security teams can be only as effective as the information they've based their decisions and actions on. The better-quality data SecOps teams get, and the better they can analyze that data for swift decisions, the more effectively they can respond to the actions of the threat actors targeting them.

Read Dark Reading's "The Secrets of Successful SecOps Data Analytics" to understand how to keep and manage data connections across on-premises and cloud systems and help SecOps teams make decisions about how best to disrupt attacks before the threat actors manage to succeed in inflicting damage to the organization.

Source

DARKReading