New eXtended Detection and Response Solution is 450X more efficient than typical SOCs at converting telemetry and logs into actionable alerts.

**SAN JOSE, Calif. March 1, 2023** **–** Forescout Technologies Inc., the global leader in automated cybersecurity, today unveiled Forescout XDR, to help enterprises better detect, investigate, and respond to the broadest range of advanced threats, across the extended enterprise.

A typical SOC is flooded with 450 alerts per hour1, and analysts waste precious time trying to correlate low fidelity alerts and chasing false positives, often at the expense of focusing on legitimate attacks. Until now, a security operations center’s (SOC) field of view for threat detection and response has excluded critical devices that are increasingly common points of attack, including operational technology (OT), industrial control systems (ICS), building management systems (BMS), and medical and IoT devices. In addition, the technology stack that SecOps teams have had to rely on has made it difficult to respond to these threats in a rapid and comprehensive manner.

"The true value of an XDR solution lies in its ability to ingest telemetry and data from across the entire enterprise: cloud, campus, remote and datacenter environments, and every managed and unmanaged connected device. This is what the X in XDR is all about, after all," said **Justin Foster, CTO, Forescout.** "Traditional XDR products lack this capability, or they only leverage data from the vendor’s own EDR or a few other security tools. This significantly limits the flexibility, scalability and effectiveness that an XDR solution must provide."

Through the advanced application of data science and automation, Forescout XDR generates one high-fidelity alert that truly warrants analyst investigation, from every 50 million logs ingested, per hour2. Because Forescout XDR is vendor- and EDR-agnostic, this ingestion includes data from over 170 security, infrastructure, application, cloud/SaaS and enrichment sources, and dozens of leading vendors. And with over 70 sources of threat intelligence and 1500 verified detection rules and models, and data onboarding included, Forescout XDR customers can be operational within hours, actively detecting, investigating, and responding to threats.

"Forescout XDR, with the breadth and richness of its capabilities, particularly its dashboards and reporting, provides an out-of-the-box solution to SOC challenges that we spent 18-24 months trying to address," said **Samer Mansour, CISO, Panasonic Corporation of North America**. "It was easy to deploy, and fully operational in a matter of weeks. And with its tight integration to Forescout’s network security and visibility solutions, and our broader security tech stack, it gives us the ability to exert a lot more control across our IT and OT environments, and further elevate our overall security."

Seamless integration with Forescout’s industry-leading network access control solution, helps ensure that customers can:

1\.   Reduce the attack surface, and the risk of an attack in the first place, by preventing compromised or non-compliant devices from connecting to their networks. This proactive approach to XDR further elevates the effectiveness and performance of a modern SOC.

2.  Automate response workflows that can immediately touch every managed and unmanaged connected device, across the enterprise. This reduces an attack's blast radius in real-time, allowing proper mitigation or remediation measures to be completed. 

Because Forescout XDR has a multi-tenant architecture and supports local data storage while also being able to provide an aggregated global view of threats and SOC performance, it is ideally suited to large enterprises, multi-nationals, organizations with regional SOCs and managed security service providers (MSSPs).

**Pricing**

SaaS licensing is based on the total number of endpoints in the enterprise. As such, customers have the flexibility to leverage the data sources needed to fully support the use cases important to them, and help ensure better detection, without concern for escalating or fluctuating costs associated with cloud log storage.

**About Forescout**

Forescout Technologies, Inc. delivers automated cybersecurity across the digital terrain, maintaining continuous alignment of customers’ security frameworks with their digital realities, including all asset types- IT, IoT, OT, IoMT, and cloud environments. The Forescout Platform provides complete asset visibility, continuous compliance, network segmentation and a strong foundation for Zero Trust. For more than 20 years, Fortune 100 organizations and government agencies have trusted Forescout to provide automated cybersecurity at scale. Forescout arms customers with data-powered intelligence to accurately detect risks and quickly remediate cyberthreats without disruption of critical business assets. www.forescout.com

Forescout Addresses Modern SecOps Challenges With Launch of Forescout XDR

By authenticating and authorizing every application, and by maintaining data lineage for auditing, enterprises can reduce the chances of data exfiltration.

Ten or more years ago, most databases were on-premises only. There was no exposure outside the perimeter, and the only people who had access in an average company were a few database administrators. Then, enterprises and internal development teams began connecting them to a few applications, hardcoding the credentials into the software for convenience. But that handful kept growing. And now, no-code and low-code is essentially backing up the truck loaded with applications that have database access — and we're not always sure about the qualifications of the driver.

Low-code and no-code (LCNC) frameworks are speeding application development and enabling even non-technical users to quickly create software to suit their business needs. LCNC platforms have the potential to slash costs, reduce time-to-market, and disrupt industries; however, they could also be unwittingly laying the groundwork for future data disasters.

The first concern when it comes to LCNC platforms is a lack of visibility. There's often no knowledge about code quality, its vulnerabilities, or how well it's been tested. The non-IT pros who develop these applications aren't trained to maintain them, often create misconfigurations, and don't know the best practices on how to keep them from opening up security vulnerabilities such as data exfiltration.

**Why Zero Trust Alone Isn't Enough**

Increasingly, organizations are turning to the zero trust model to mitigate security risk. With this model, the goal is to enforce least privilege to users and applications. This calls for all users and applications to be authenticated, authorized, and continuously validated before being granted access to data.

Many enterprises rely upon privileged access management tools, which are important to helping achieve zero trust across much of the IT infrastructure. But these tools are blind to the context of the database. They are not equipped to grant privileges based on who or what is accessing the data, what they are accessing, and for what purpose. Because these controls only provide all-or-nothing access, no-code and low-code applications could end up exposing sensitive data.

The most under-discussed security issue around LCNC may be that even the apps IT has sanctioned often don't maintain a record of data lineage. There's often no knowledge of when these apps accessed databases, how much data was accessed, and what happened to that data. But every time an application accesses data, it needs to read and write data somewhere — even if it's temporary. And it often isn't, and the data pulled from a database for an app's use ends up living somewhere else too.

**Restoring Visibility to Reduce Risk**

These days, rather than on premises, data could reside in a database, data warehouse, or data pipeline. But without a framework to apply controls, there's no history or record — data is essentially in the enterprise wild.

This lack of data lineage records partially explains why it can take so long for organizations to notify affected parties after a data breach. It can take weeks, even months, to assess the impact of data exfiltration because today most organizations cannot tell you exactly which of their people and applications have access to their databases. Even fewer can point at which data within the databases those applications can access. It's becoming clear that unless organizations worldwide put a new level of data security governance in place, the LCNC paradigm will only accelerate the trend of data exfiltration.

However, security teams can have both LCNC and database security by following a few design principles:

*   Create a governance model that works across databases, data lakes, and data services
*   Enforce least privilege
*   Provide real-time visibility into which applications are accessing which data for what reason

By making sure every application is authenticated and authorized before it is provided fine-grained access, and by keeping a record of data lineage for future auditing, enterprises can reduce the risk of LCNC frameworks.

In the end, today's enterprises don't need to shrink away from using no-code and low-code technologies, but they do need to put data security governance controls in place. As each new app potentially gives rise to new vulnerabilities, rather than investing only in security tools that protect the perimeter or the vector, every company — whether a startup or a global enterprise — should invest in protecting the key source of value for the business operations: the data layer.

Visibility Is as Vital as Zero Trust for Low-Code/No-Code Security

**SAN FRANCISCO – March 1, 2023 –** Fastly, Inc. (NYSE: FSLY), the world’s fastest global edge cloud platform, today launched Fastly Managed Security Service, a premier 24/7 threat detection and response service dedicated to helping organizations significantly reduce the risk  of web application attacks and associated business costs due to lost transactions. Available to Fastly’s global Next-Gen WAF customers, Fastly Managed Security Service further demonstrates the company’s commitment to helping global marquee customers deliver innovative, secure digital experiences to their users.

Web applications continue to be popular targets for today’s attackers. In fact, according to the Verizon 2022 DBIR, web applications are the number one vector, and not surprisingly, they are also connected to the high number of Denial of Service attacks. This pairing, along with the growing use of stolen credentials (commonly targeting some form of web application) is consistent with what we’ve seen for the past few years. Existing security teams are spread thin and don’t always have the expertise or time to continuously monitor and detect these types of threats. Organizations can deploy Fastly Next-Gen WAF for accurate protection, and now they can further enhance this protection with Fastly’s Managed Security Service.

“Today’s defenders face an uphill battle against cyber adversaries due to an exploding attack surface and increasing volumetric attacks, particularly DDoS attacks. At the same time, security teams want to reduce complexity and prioritize their resources,”said Gino Lang, Vice President of Customer Security, Fastly. “By providing global 24/7 proactive protection, Fastly Managed Security Service delivers comprehensive visibility and the expert staff needed to quickly identify and mitigate potential threats. This frees up organizations to focus their security staff on other business priorities.” 

This latest announcement builds on the success of Fastly’s Response Security Service and other security offerings. “Fastly’s decision to extend its next-generation security capabilities to offer a managed security service is a natural evolution and reconfirms the company’s commitment to protecting organizations from today’s agile and persistent adversaries,” said Christopher Rodriguez, IDC Research Director, Security & Trust.

IDC recently recognized Fastly as a leader in the "IDC MarketScape: Worldwide Commercial CDN Services 2022 Vendor assessment", highlighting the company's ability to create fast, dynamic, and secure digital experiences.   

**About Fastly Managed Security Service**

Fastly Managed Security Service is a premium offering that provides Fastly Next-Gen WAF customers with continuous monitoring and proactive mitigation of web-application attacks, all backed by a 15-minute response time SLA for critical security incidents. We combine this with robust post-event reporting and regular, strategic security consultation in order to ensure the highest level of application protection to strengthen an organization’s overall security posture. 

Staffed 24/7 by Fastly’s global Customer Security Operations Center (CSOC), this service enables in-house teams to improve their overall security posture and focus on their core competencies, strategic initiatives, and high-impact projects.

Fastly’s Managed Security Service is now available to Fastly Next-Gen WAF customers. To learn more about how your organization can add this white glove experience to your security program, please contact \[email protected\]. For additional information about the new service, please visit here. 

**About Fastly**

Fastly’s powerful and programmable edge cloud platform helps the world’s top brands deliver the fastest online experiences possible, while improving site performance, enhancing security, and empowering innovation at global scale. With world-class support that achieves 95%+ average annual customer satisfaction ratings, Fastly’s beloved suite of edge compute, delivery, security and observability offerings has been recognized as a leader by industry analysts such as IDC, Forrester and Gartner. Compared to legacy providers, Fastly’s powerful and modern network architecture is the fastest on the planet, empowering developers to deliver secure websites and apps at global scale with rapid time-to-market and industry-leading cost savings. Thousands of the world’s most prominent organizations trust Fastly to help them upgrade the internet experience, including Reddit, Pinterest, Stripe, Neiman Marcus, The New York Times, Epic Games, and GitHub. Learn more about Fastly at https://www.fastly.com, and follow us @fastly.

Source: Fastly, Inc.

Fastly Launches Managed Security Service to Protect Enterprises From Rising Web Application Attacks

The cyberattackers might have potentially accessed customer information, the service provider warns.

A Feb. 23 ransomware attack is to blame for a disruption to Dish Network's internal communications capabilities, customer call centers, and Internet sites, the satellite service provider said in an SEC filing this week.

The threat actor behind the attack also accessed Dish Networks' IT systems and extracted data from it that could potentially include personal information, the company said — without clarifying whether that meant employee information, customer information, or both.

**Broad Impact on Dish Customers**

Dish TV and its streaming subsidiary Sling's services remain operational, as do its wireless and data networks. But the incident has affected the ability for customers to access their accounts, make payments, and reach the company's service desks, Dish said. 

"We're making progress on the customer service front every day, including ramping up our call capacity," Dish said in a note to customers on its main website, which earlier this week was inaccessible to many. "But it will take a little time before things are fully restored."

Dish has hired outside cybersecurity experts and advisers to help evaluate the situation and conduct a forensic investigation of the incident. If that analysis shows the breach impacted customer information. Dish said it will notify affected customers and take appropriate action.

Dish's disclosure about the ransomware attack comes days after the company first reported a cybersecurity incident as causing a systems issue. The service disruptions that the attack caused added to already broader Wall Street concerns about the company's ability to take advantage of 5G opportunities and other issues. It at least partially contributed to a 8% decline in Dish Network's share prices this week after a Wall Street analyst double downgraded the company's stock.

**Six Service Providers Hit So Far, and Counting**

At least six other major Internet services and utilities provides have experienced similar attacks since the beginning of 2023 according to Comparitech, which maintains a running tracker of ransomware attacks around the world. Rebecca Moody, head of data research at Comparitech, says that in addition to Dish, her company has confirmed ransomware attacks on South African ISP RSAWeb, Tonga Communications Corp., Águas e Energia do Porto in Portugal, Grupo Albanesi in Argentina, and US-based Encino Energy.

The attacks in 2023 come after a rash of hits on telecom service providers in the last few months. However, ransomware attacks on utilities providers of all types actually dropped last year — from 49 in 2021 to 38 in 2022, and the average ransom demand dropped from $27.2 million in 2021 to $14 million last year, according to Comparitech data. However, the average number of customer records impacted in these attacks saw a staggering surge — from 192,888 in 2021 to 9.8 million in 2022.

Moody says it's difficult to know for sure what the ransomware attacks on services firms in January and February 2023 portend for the rest of the year. "But if we compare these six attacks throughout January and February of this year to last year's figures \[of\] two attacks in total, it would suggest hackers have started this year with a renewed focus on utilities companies," she says.

**Network Segmentation & Damage Containment**

Moody says one fact that could be driving the trend is the huge effect these attacks can have on the victim company and the vast number of customers and businesses that rely on their services. "Regaining control of systems as quickly as possible will be a key priority, which hackers may see as an opportunity to secure a ransom demand," Moody says.

Neil Jones, director of cybersecurity evangelism at Egnyte, says the scope of the attack on Dish Networks suggests the threat actors behind it had broad access to its systems. "Generally, there's a strong correlation between the number of systems that are taken down in a cyberattack and the level of access that cyberattackers may have attained," Jones says.

In this instance, Dish's Internet sites, internal communications systems, customer call centers, and customers' bill payment systems were all affected. And early reports suggested that the attack also affected systems subsidiary Boost Mobile, he says. "This suggests that cyberattackers may have gained broad access to the conglomerate's systems and may have compromised their environment some time ago," Jones says.

A research-based report that Ivanti released earlier this year showed that in most ransomware attacks, threat actors exploited old bugs to gain initial access and maintain persistence on them.

Jones adds that the seemingly broad impact of the Dish Network breach shows why network segmentation is crucial to breach containment. Most organizations don't segment their networks as meticulously as they should resulting in many recent situations where a single breach impacted the victim's source code, financial data, and their customer data. "So, I'm confident that network segmentation will be more of an industry focus going forward," Jones says.

Dish Blames Ransomware Attack for Disruptions of Internal Systems, Call Center Services

Updated OffSec™ identity substantiates the company's commitment to expanding its cybersecurity content and resources to prepare infosec professionals for the future.

**NEW YORK****,** **March 1, 2023** **/PRNewswire/ --** Offensive Security (OffSec), the leading provider of hands-on cybersecurity education, today unveiled a refreshed brand identity including a new, shortened name, OffSec. This update reflects OffSec's commitment to helping cybersecurity professionals and organizations look beyond traditional training and certification to provide additional educational content and hands-on resources that help learners advance in their field and companies develop their security team members.

The abbreviated name reflects OffSec's move beyond offensive security topics with expansion into new areas such as defensive security, and new learning paths for today's most in-demand cybersecurity job roles. The OffSec brand also speaks to the company's expansion beyond training and beyond certification to a continuous learning model that supports the unique needs of organizations and individual learners alike. The company's new tagline, _The Path to a Secure Future™_, highlights OffSec's commitment to supporting security professionals and infosec teams in achieving cyber preparedness through a growing skills library focused on keeping pace with evolving cyber threats.

Offensive Security built its global reputation on training penetration testing with its flagship course, _Penetration Testing with Kali Linux_ and the OSCP certification. The company is the developer and maintainer of Kali Linux, the widely-popular open-source distribution used by infosec professionals worldwide. More recently, OffSec has since moved well beyond foundational pentesting topics and has added new content and certifications in Cloud Security, Web Application Security, Secure Software Development, Security Operations, and Exploit Development. The ever-growing OffSec Learning Library (OLL) currently includes nearly 6,000 hours of written content, 1,500 videos, 2,500 practical exercises, and 900 hands-on labs, with more being added all the time. The OLL features an unmatched depth and breadth of content, helping learners build indispensable skills by offering a comprehensive variety of role-specific content, from entry-level to advanced.

"OffSec broke the mold when we started with a new way of presenting information security training, and with the OffSec Learning Library we are so excited to do it again," Jim O'Gorman, Chief Content and Strategy Officer at OffSec said. "Our library approach allows us to continue to offer our industry-leading content, but in a more flexible non-linear approach allowing for a more customizable learning experience. Learners can engage with OffSec content in a course-based context, follow learning paths specific to job roles or skill sets, or pick and choose their own pathway through a multitude of learning units and modules. This approach allows everyone, regardless of skill level or experience, to have custom access to unparalleled cybersecurity learning content, all of which embody OffSec's highly-regarded and time-tested approach and methodology."

About the brand refresh, Scott Ablin, OffSec's Chief Marketing Officer said, "Since our inception, we've been at the forefront of cybersecurity education and offered training by the best practitioners. We defined the industry with our intense, hands-on, practical approach. As OffSec, we are expanding our content and learning paths to prepare learners for career advancement and organizations for current and future threats. We all know the cybersecurity threat landscape is continually changing, and our new brand symbolizes our commitment to keeping pace for individual professionals looking for education to advance their career and organizations who seek to recruit, retain, and upskill top talent."

**Elements of the refreshed identity include:**

**New Logo**:

The logo mark is now in a circular shape to mirror the "O" in OffSec. It has morphed from the familiar Offensive Security door icon to the shape of a path, symbolizing the onward voyage for infosec professionals and teams.

**New Brand Colors**:

Previously red and black, the rebranded logo mark is rendered in a teal-to-purple gradation, reflecting the process of educational change experienced by learners, a movement driven by a philosophy dedicated to transforming students into industry leaders.

**New Tagline:** _The Path to a Secure Future™_

OffSec defined the industry with its intensive, practical approach. Our methodology, content, and learning paths prepare organizations and learners for whatever lies ahead on their journey - whether it's securing their future by upskilling for an individual, or team development that provides organizations a more secure posture.

**New Website Address:**

Website visitors can learn more about the company, purchase a course or package, request a meeting, or explore free learning resources at offsec.com.

**About OffSec**

OffSec is the leading provider of continuous professional and workforce development, training, and education for cybersecurity professionals. Created by the community for the community, OffSec's one-of-a-kind mix of practical, hands-on training and certification programs, virtual labs, and open-source projects provide practitioners with the highly desired offensive skills to get a job, advance their careers and better protect their organizations. OffSec is committed to funding and growing Kali Linux, the leading operating system for penetration testing, ethical hacking, and network security assessments. For more information, visit offsec.com and follow @OffSectraining and @kalilinux on Twitter.

Offensive Security Is Now OffSec - Refresh Reflects Future of Cybersecurity Learning and Skills Development

An infamous Chinese cyber-hacking team has extended its SysUpdate malware framework to target Linux systems.

A pervasive cyber-espionage group known as Iron Tiger, believed to be out of China, has updated one of its malware frameworks to attack Linux-based systems.

Researchers at Trend Micro recently discovered that Iron Tiger (aka Emissary Panda or APT27) had added new features to its so called SysUpdate malware family, which allows it to infect Linux platforms in addition to Windows. SysUpdate abuses system services, grabs screenshots, browses and terminates processes, retrieves drive information, executes commands, and can find, delete, rename, upload, and download files as well as peruse a victim's file directory.

One other new feature the firm found with the newest version of SysUpdate: command-and-control communications via DNS TXT requests. "While DNS is not supposed to be a communication protocol, the attacker abuses this protocol to send and receive information," the researchers wrote in a blog post about their findings.

Iron Tiger was among a group of five cyber-espionage groups flagged in 2020 by BlackBerry as targeting Linux-based systems.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Linux Support Expands Cyber Spy Group's Arsenal

More cyberattackers are targeting organizations' cloud environments, but some cloud services, such as Google Cloud Platform's storage, fail to create adequate logs for forensics.

Major cloud platforms, such as Google Cloud Platform (GCP), fail to adequately log the event data that could facilitate the detection of compromises and the forensic analysis during post-compromise response, according to an analysis. 

Cloud security firm Mitiga stated in an advisory published on March 1 that the Google Cloud Platform allows customers to turn on storage access logs, but faced with an attacker that successfully compromises a legitimate user's identity, the logs fail to provide enough detail, creating forensic visibility gaps.

The security issues include failing to generate dedicated log information for critical actions related to exfiltration, failing to collect detailed information about changes to data, and a general lack of visibility that would give a picture of what happened, the advisory stated.

A variety of events, for example, are included under a single type of access — such as reading a file or downloading data — leaving analysts unclear as to what actually happened, says Veronica Marinov, an incident response investigator with Mitiga and author of the advisory.

"Google Cloud storage logging is missing granular log events," she says. "In the case of interacting with bucket objects, you can’t really differentiate between downloading the object, viewing its content, and just looking at the metadata of the said object."

As companies move their infrastructure and operations to the cloud, attackers have followed. For instance, the company faced an opportunistic attacker that moved laterally inside a cloud environment to successfully steal sensitive data, only to be stopped by rigorous permissions, according to a report earlier this week.

In its latest annual "Global Threat Report", cybersecurity services firm CrowdStrike noted that cloud exploitation incidents had increased by 95% in 2022, compared with the previous year, while cloud-conscious threat actors — which the firm defined as those who use "a variety of tactics, techniques, and procedures (TTPs) to exploit cloud environments" — nearly tripled. The increase in cloud-focused attacks means that companies need to focus on visibility and really understanding the changes being made to cloud environments, says Adam Meyers, head of intelligence at CrowdStrike.

"For years, cloud threats have been concerning, but it was pretty low tech, and they generally resulted in a cryptominer being deployed," he says. "Cloud is clearly in the sights of the threat actors now."

**Logs Need More Detail**

A key to understanding what happened during a compromise is having adequate visibility through detailed logging of events in cloud services. Forensics investigators rely on logs to determine what happened, what data may have been at risk, and what threat actors accomplished, Mitiga stated in the advisory.

While attackers often turn off logging as part of their compromise of cloud services, a knowledgeable attacker could also skip that and construct an attack chain that results in very little detail being revealed in Google Cloud Platform log files, Mitiga stated.

"Unfortunately, GCP does not provide the level of visibility in its storage logs that is needed to allow any effective forensic investigation, making organizations blind to potential data exfiltration attacks," Mitiga said in its advisory. "This prevents organizations from efficiently responding to incidents, as they have no chance to correctly assess what data has been stolen or whether it has been stolen at all."

Google Cloud acknowledged the issues, while stressing that it does not consider the lack of visibility to impact the security of its platform. The company maintained that there is no risk of data infiltration, that the issue is not a vulnerability, and that customer data is secure (all assertions also made by Mitiga). Google Cloud plans to further investigate the forensics gap, however.

"While improving log forensics hasn't been an issue raised by our customers, we are continually evaluating ways to improve customers' insight into their storage," the company said in a statement sent to Dark Reading. "The highlighted forensics gap in the blog is one of those areas we are examining."

Among Google Cloud's recommendations are turning on and configuring VPC Service Controls and organization restriction headers, to limit access and produce additional log events.

**Not Just Google**

The ability to access detailed logs is part of the shared-responsibility compact between cloud providers and customers. To take responsibility for their infrastructure in the cloud, organizations need to have detailed insight into activity. While the advisory specifically calls out GCP, other cloud providers have similar issues, Marinov says, without naming names.

"We had seen, in other cloud providers, cases where we can't really understand what happened only by seeing the logs," she says. "We are in touch with vendors on such specific gaps. Only after completing our responsible disclosure process are we able to share details with the media."

Amazon's Simple Storage Service (S3) buckets, for example, collect the right level of detail, the advisory stated: "It is important to note that this deficiency is not inherent to cloud services and could be easily addressed by providing more detailed information in the logs. An example can be seen with AWS S3 access logs, which distinguish each of the event types with its own event log name."

Mitiga did not say whether AWS's other services are among those the company is investigating for gaps in forensics information.

What Happened in That Cyberattack? With Some Cloud Services, You May Never Know

Make sure cybersecurity is taken seriously and consistently across the board. Educate the ecosystem beyond your own organization to mitigate security risks for everyone.

There's been a lot of speculation about how this year will unfold. Many economic authorities, such as the US Federal Reserve, the European Central Bank, the Swiss government, and Morgan Stanley are predicting a macroeconomic slowdown as the year progresses. Whether a temporary pause in growth or a full-blown recession emerges, the fact is organizations are increasingly critically eyeing their budgets and, at minimum, trying to do more with what they have, or going down the path of fiscal reduction.

The fact is, regardless of the financial environment, cyber threats will continue evolving, and threat actors will only get more innovative in how they attempt to manipulate their targets. Therefore, the cybersecurity attack surface is certain to expand. There's simply no room to stand still, regardless of whether we're facing an economic downturn. Everyone reading this article understands the financial damage cyberattacks can cause and how they can serve to further heighten economic damage in an already challenging scenario.

**The Importance of Unifying Security Investments**

A key consideration for organizations in this climate is to examine the value of unifying their existing security investments to streamline their security operations. Typically, this can be done even in a period of stagnating budgets while still bolstering proactive defenses.

Questions to ask include: Is there overlap between elements of the security stack? As stated in the NIST Cybersecurity Framework (PDF), security applications need to cohesively and mutually support an organization's security posture by ensuring identification, protection, detection, response, and recovery are fully supported.

All these elements are, of course, interconnected. Security professionals need to keep that in mind, rather than introduce and/or manage the chaos of a siloed collection of point tools. We're long past the era of having to deal with disparate security systems. Rather, platforms, applications, and tools must be interoperable and interconnected, for comprehensive management, monitoring, and measurement.

**Evolving Beyond "Code Warrior" Silos**

Another key consideration in recession-proofing security operations is the importance of empowering more than "code warriors" when it comes to contributing to managing cybersecurity deployments. In 2023, it needs to be "all hands on deck," and it can't just be a tiny group of people responsible for large-scale enterprise security. Enterprise security management tools can play a major role in empowering a wider group of people to protect organizations.

Why does this matter? Because part of maximizing value involves security processes that focus on shared responsibilities, in which employees, R&D, DevOps, and IT are true partners and collaborators in protecting their organizations. An example of this is how security automation is now moving toward validating end users' identities and enabling them to have temporary security clearances to engage in system updates, credential retrieval, and remote access, with dramatically minimized risk. This is enabled through integration across communications and project management tools, anchored by workflows that ensure accurate verification and access controls.

**Empowering Your Customers and Partners**

There's another element that is rarely discussed when it comes to an optimal cybersecurity posture and managing costs: educating customers and partners about their own cybersecurity standards. After all, cybersecurity is an end-to-end multiorganization ecosystem. Cybersecurity problems that affect one company can come home to roost in another. The fewer issues that occur with customers and partners, the fewer problems your organization must deal with.

Developing a customer and partner awareness campaign can be crucial here. It's very important to educate the ecosystem beyond your own organization to mitigate risk for everyone. Organizations can deploy best practices via their own emails, newsletters, social media, customer and partner portals, and account managers. The best approach is to use multiple elements to get the word out about ensuring cybersecurity is taken seriously and consistently across the board.

In general, cybersecurity companies need to emphasize their proactive capabilities and philosophies over the historic reactive element in current economic circumstances. If they position themselves as a critical, protective layer and consultative presence, it will go a long way to cementing the essential nature of their offerings.

The Importance of Recession-Proofing Security Operations

The flaw, which drew attention in October when it was found in ConnectWise products, could pose a significant risk to the supply chain if not patched immediately.

A high-severity authentication bypass vulnerability in a widely used open source Java framework is under active exploit by threat actors, who are using the flaw to deploy backdoors to unpatched servers, the US Cybersecurity and Infrastructure Security Agency (CISA) and security researchers are warning.

The scenario could pose a significant supplychain threat for any unpatched software that uses the affected Java library, which is found in the ZK Java Web Framework, experts said.

The CISA has added CVE-2022-36537, which affects ZK Java Web Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, to its catalog of Known Exploited Vulnerabilities (KEV).

The flaw, found in ZK Framework AuUploader servlets, could allow an attacker "to retrieve the content of a file located in the Web context," and thus steal sensitive information, according to the KEV listing. "This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager," CISA said.

Indeed, the flaw first drew widespread attention in October 2022 when ConnectWise sounded an alarm over its existence in its products — specifically, ConnectWise Recover and R1Soft server backup manager technologies. Senior security researchers John Hammond and Caleb Stewart at Huntress subsequently published a blogpost about how the flaw can be exploited.

In an update to that blog post published concurrent with the CISA's advisory, Huntress warned that "the vulnerability discovered last year in ConnectWise's R1Soft Server Backup Manager software has now been seen exploited in the wild to deploy backdoors on hundreds of servers via CVE-2022-36537."

CISA and Huntress both based their warnings on research from Fox-IT published Feb. 22 that found evidence of a threat actor using a vulnerable version of ConnectWise R1Soft Server Backup Manager software "as an initial point of access _and_ as a platform to control downstream systems connected via the R1Soft Backup Agent," the researchers wrote in a blog post.

"This agent is installed on systems to support being backed up by the R1Soft server software and typically runs with high privileges," according to the post. "This means that after the adversary initially gained access via the R1Soft server software it was able to execute commands on all systems running the agent connected to this R1Soft server."

**History of the Flaw**

For its part, ConnectWise moved swiftly to patch the products in October, pushing out an automatic update to both the cloud and client instances of ConnectWise Server Backup Manager (SBM), and urging customers of the R1Soft server backup manager to upgrade immediately to the new SBM v6.16.4.

A researcher from Germany-based security vendor Code White GmbH was the first to identify CVE-2022-36537 and report it to the maintainers of the ZK Java Web Framework in May 2022. They fixed the issue in version 9.6.2 of the framework.

ConnectWise became aware of the flaw in its products when another researcher from the same company discovered that ConnectWise's R1Soft SBM technology was using the vulnerable version of the ZK library and reported the issue to the company, according to the Huntress blog post.

When the company did not respond in 90 days, the researcher teased a few details on how the flaw could be exploited on Twitter, which researchers from Huntress used to replicate the vulnerability and refine a proof-of-concept (PoC) exploit.

Huntress researchers ultimately demonstrated they could leverage the vulnerability to leak server private keys, software license information, and system configuration files and eventually gain remote code execution in the context of a system superuser.

At the time, researchers identified "upwards of 5,000 exposed server manager backup instances via Shodan — all of which had the potential to be exploited by threat actors, along with their registered hosts," they said. But they surmised that the vulnerability had the potential to impact significantly more machines than that.

**Supply Chain at Risk**

When Huntress did its analysis of the flaw, there was no evidence of active exploit. Now, with that scenario changed, any unpatched versions of the ZK Java Web Framework found not only in ConnectWise but also other products are fair game for threat actors, which could create significant risk for the supply chain.

Fox-IT's research indicates that worldwide exploitation of ConnectWise's R1Soft server software started around the end of November, soon after Huntress released its PoC.

"With the help of fingerprinting, we have identified multiple compromised hosting providers globally," the researchers wrote.

In fact, Fox-IT researchers said on Jan. 9 that they had identified a "total of 286 servers running R1Soft server software with a specific backdoor."

CISA is urging that any organizations still using unpatched versions of the affected ConnectWise products update their products "per vendor instructions," according to the KEV listing. And while, so far, the existence of the flaw is known only in the ConnectWise products, other software using unpatched versions of the framework would be vulnerable as well.

CISA: ZK Java Framework RCE Flaw Under Active Exploit

The open authentication standard addresses existing multifactor authentication security vulnerabilities.

Remember when multifactor authentication (MFA) gave security professionals that nice, warm feeling that their data and users were protected? Those days are over. Traditional approaches to MFA don't cut it anymore, as attackers have developed effective workarounds for cracking that door wide open. For proof, consider last year's headline-grabbing breaches at Okta, Uber, and Cisco, just to name a few. A better approach is urgently needed — and it starts with the FIDO2 user authentication specifications.

**MFA Weaknesses**

Why do we need a new approach to authentication? Bypassing existing MFA techniques to garner employee credentials or to take over employee accounts has become child's play for attackers. There are even videos on YouTube explaining how to do it. Techniques range from simple phishing to push bombing — where attackers send push notifications until the employee accepts one — to more complex SS7 communications protocol exploits to obtain texted MFA codes.

For example, take the common MFA technique of using a push notification as the second factor.

One common approach the attackers use is to create a fake company login page, then send out phishing emails to drive employees to that page. When an employee enters their username and password into the fake page, the attacker simply takes the credentials and enters them into the real login page. When the employee receives the MFA request (the push notification), they are likely to treat it as genuine and click "Yes." With that simple approach, the attacker has now compromised the employee's account and has a beachhead into the company's network that can allow them to move laterally and install malware or ransomware.

**People as a Point of Failure**

Not all vulnerabilities are technical. Social engineering is becoming more sophisticated, with attackers using texts and voice calls targeted at specific employees to add credibility and urgency to that phishing email. The attackers pose as IT technicians or other trusted authorities to create that trust with the targeted employee. These techniques can be very effective, as hapless users willingly will do as asked, assuming they are speaking with a trusted person from their own organization.

**Enter the FIDO2 Standard**

So, what is FIDO2, and how can it help address these MFA vulnerabilities? Developed by the Fast Identity Online (FIDO) Alliance, FIDO2is an authentication method containing two components: WebAuthn (W3C) and CTAP (FIDO Alliance), which together eliminate the security gaps in standard MFA services.

With FIDO2, the site requesting authentication constructs the authentication challenge, encrypts it with the registered authenticator's public key, and sends it to the user by way of the user agent (browser) that originally requested access. The browser adds some context and forwards to the attached authenticator. The authenticator decrypts the challenge with its private key and compares it with its own registration records and the context provided by the browser. By nature of this process, attackers using stolen credentials are blocked (they receive the challenge but can't do anything, as they don't have the authenticator). Attackers who are actively man-in-the-middle are detected and blocked as well (they can replay the bidirectional traffic, but they cannot construct a challenge that would be accepted by the authenticator). This method makes it virtually impossible to compromise MFA. The key features of FIDO2 are:

*   Authentication credentials are based on private/public key pairs.

*   No shared secrets — the private key is generated by the FIDO2 authenticator, is stored in secure hardware on the authenticator, and cannot be exported or tampered with. Only the public key is sent to the server-side (website) when registering.

*   Authentication challenges are delivered to the user agent (the browser), which adds context about the challenge and then delivers it to the attached FIDO2 authenticator, which allows detection of a man-in-the-middle.

*   Platform authenticators (tied to the platform and only usable on that device) and roaming authenticators (that can be used across any device).

**Why Isn't Everyone Using FIDO2 MFA?**

Security professionals recognize the value that FIDO2-based MFA provides. However, because companies need to buy, distribute, and manage physical FIDO2 security keys, the added cost and complexity has slowed down adoption. In addition, users really dislike using a physical security key — it's yet another piece of hardware they have to carry around. Because of these factors, many companies will deploy FIDO2 for high-risk employees but use standard MFA for other employees.

**Phish-Proof Protection**

Authentication methods based on FIDO2 are the closest thing there is to a "phish-proof" solution, and the security community has taken note. The Cybersecurity and Infrastructure Security Agency (CISA) recently called FIDO "the gold standard" for authentication, urging corporate leaders to make it part of their MFA strategy. US federal agencies are also moving to FIDO2 to address the vulnerabilities of existing MFA techniques.

As it becomes more widely recognized, expect to see FIDO2 as a recommended or even required standard for online interactions/transactions where critical data must be protected. Currently, most underwriters of cyber insurance require MFA implementation to qualify for coverage. It's not a stretch to imagine that requirement expanding to include FIDO2.

**Time to Up Your Game**

For any organization concerned about cybercrime — and the economic and reputational risk it poses — proactively adopting FIDO2 authentication seems like a smart business move. For organizations that rely on vendors or partners for their online employee and/or customer interactions, now is a good time to find out whether they have adopted FIDO2.

As cybercriminals continue to up their game, organizations must do likewise. Don't wait until an attacker finds your weakness. Now is the time to take a critical look at your authentication protocols and see how FIDO2 can address MFA deficiencies and close that door.

Source

DARKReading