Majority of vulnerability scanner tools overwhelming teams with false positives and missing exploitable vulnerabilities.

**BE'ER SHEVA, Israel, Oct. 26, 2022 /PRNewswire/** — Rezilion, an automated vulnerability management platform accelerating software security, announced today the release of the company's Vulnerability Benchmark Report, which provides visibility into the inaccuracies and noise that are created by the market's most popular commercial and open source scanning technologies.

"Every day there are a multitude of new vulnerability disclosures across the software ecosystem, driving end-users to rely on vulnerability scanners to detect if these potentially exploitable vulnerabilities exist within their environment," said Yotam Perkal, Director of Vulnerability Research with Rezilion. "With a proven variability in the accuracy of the scanning tools on the market, companies are paying the cost of time spent triaging irrelevant vulnerabilities and worst, in the case of false negative detections, create blind spots for the organization and a false sense of security."

**Inconsistent results in scanners are common.** In this first-of-its-kind benchmark and root cause analysis, Rezilion researchers examined 20 popular containers on DockerHub, ran them locally, and scanned them using six different, popular vulnerability scanners in the commercial and open source market.

Each vulnerability scanner reported a different number of vulnerabilities, equating to less than 50 percent of common findings, exposing an exceptional amount of false positives and negatives. As a result, Rezilion has opened issues/support tickets for the misidentification of **over 1,600 different CVEs**.

**Key Findings:**

*   **Recall:** Compared to the ground truth (i.e., taking false negatives into account), scanners returned only 73% of relevant results out of all vulnerabilities that should have been identified, including those the scanners failed to detect.
*   **Precision:** On average, out of the total number of vulnerabilities reported by the scanners, only 82% were relevant results (identified correctly), regardless of vulnerabilities that scanners failed to report (18% were false positives).
*   Over 450 high and critical-severity vulnerabilities were misidentified across the 20 containers.
*   On average, across the 20 containers examined, the scanners failed to find (false negative result) more than 16 vulnerabilities per container.

"The primary problem is that the scanner performance data is not transparent and leaves end-users without visibility to accurately evaluate effectiveness of vulnerability scanners," continued Perkal. "With this research, we're committed to driving the industry forward and proactively approaching the issue. Rezilion's ultimate goal is to provide transparency about the performance of the scanners and improve the quality of vulnerability scanning across the board."

**Best Practices:**

*   Understand your specific scanner's capabilities and limitations and ensure your scanner of choice matches your specific needs.
*   Be mindful of the root causes for misidentification as presented in the research, and don't trust your scanner's results blindly.
*   Utilize a Software Bill of Materials (SBOM) to validate the accuracy of your scanner output and achieve visibility into your software dependencies.

**To download the full report, please visit:** https://www.rezilion.com/lp/scanning-the-scanners-what-vulnerability-scanners-miss-and-why/.

**About Rezilion:**

Rezilion's platform automatically secures the software you deliver to customers. Rezilion's continuous runtime analysis detects vulnerable software components on any layer of the software stack and determines their exploitability, filtering out up to 95% of identified vulnerabilities. Rezilion then automatically mitigates exploitable vulnerabilities across the SDLC, reducing vulnerability backlogs and remediation timelines from months to hours while giving DevOps teams time to build.

Learn more about Rezilion's software attack surface management platform at www.rezilion.com and get a 30-day free trial.

**SOURCE:** Rezilion

Rezilion Vulnerability Scanner Benchmark Report Finds Top Scanners Only 73% Accurate

New service from BlackBerry's Threat Research and Intelligence Team reduces unknowns to enhance detection and response.

**NEW YORK, Oct. 26, 2022 /PRNewswire/** — Today, at the BlackBerry Security Summit, BlackBerry Limited (NYSE: BB; TSX: BB) announced the release of its new Cyber Threat Intelligence (CTI) offering, a professional threat intelligence service to help customers prevent, detect, and effectively respond to cyberattacks.

Delivered on a quarterly subscription basis, BlackBerry's new CTI service  
provides actionable intelligence on targeted attacks and cybercrime-motivated  
threat actors and campaigns, as well as intelligence reports specific to  
industries, regions, and countries. BlackBerry's CTI will save organizations  
time and resources by focusing on specific areas of interest relevant to a  
company's security goals.

"Being cyber resilient means making the right decisions at the right time," said  
Ismael Valenzuela, Vice President, Threat Research and Intelligence at  
BlackBerry. "Cyberattacks are becoming more sophisticated and threat actors move  
quickly. BlackBerry's Cyber Threat Intelligence delivers the details needed to  
improve detection and response, so organizations can stay on top of cyber threat  
activity and anticipate any next moves."

"More businesses are recognizing the value of threat intelligence and the  
distinctive benefits it brings to security teams," said Chris Kissel, Vice  
President, Security and Trust Products at IDC Research. "Curated threat  
intelligence from credible experts in the space provides businesses and their  
front line security personnel with timely insights, enabling them to better  
detect, triage, and investigate threats. Integrating this service with existing  
security ecosystems helps businesses stay one step ahead of cyber threats as  
digital attack surfaces evolve and expand."

The Threat Research and Intelligence Team has released numerous first-to-market  
research reports over the past year leveraging BlackBerry's data-driven digital  
ecosystem and analytical capabilities. These research reports have revealed new  
developments in the ransomware and malware space, and targeted, state-sponsored  
APT activity, including Symbiote, DCRat, Chaos Yashma ransomware and LokiLocker,  
all of which have been well-received by BlackBerry's customer base and the  
broader security community.

The service will launch in December.

For more information on how BlackBerry's Cyber Threat Intelligence service can  
support your organization, please visit BlackBerry.com to connect with one of  
our experts.

**About BlackBerry**  
BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and  
services to enterprises and governments around the world. The company secures  
more than 500M endpoints including 215M vehicles. Based in Waterloo, Ontario,  
the company leverages AI and machine learning to deliver innovative solutions in  
the areas of cybersecurity, safety, and data privacy solutions, and is a leader  
in the areas of endpoint security, endpoint management, encryption, and embedded  
systems. BlackBerry's vision is clear — to secure a connected future you can  
trust.

BlackBerry. Intelligent Security. Everywhere.

For more information, visit BlackBerry.com and follow @BlackBerry.

Trademarks, including but not limited to BLACKBERRY and EMBLEM Design are the  
trademarks or registered trademarks of BlackBerry Limited, and the exclusive  
rights to such trademarks are expressly reserved. All other trademarks are the  
property of their respective owners. BlackBerry is not responsible for any  
third-party products or services.

**SOURCE:** BlackBerry Limited

BlackBerry Launches Cyber Threat Intelligence Service to Strengthen Cyber Defenses

The mission to run any containerized application on any infrastructure makes security a challenge on Kubernetes.

Kubernetes is the de facto container management platform in the modern cloud-native world. It makes it possible to develop, deploy, and manage microservices flexibly and scalably. Kubernetes works with various cloud providers, container runtime interfaces, authentication providers, and extensible integration points.

However, Kubernetes still has one major drawback: security. The integrator approach of Kubernetes to run any containerized application on any infrastructure makes it challenging to create holistic security around Kubernetes and the application stack living on it.

According to Red Hat's 2022 "State of Kubernetes" security report, the majority of Kubernetes users had their delivery halted due to unaddressed security concerns. In addition, over the course of the previous 12 months, almost every Kubernetes user in the study experienced at least one security incident. Therefore, it is fair to say that Kubernetes environments are not secure by default and are open to risks.

This article discusses the top 10 security risks with real-life examples and tips on how to avoid them.

**1\. Kubernetes Secrets**

Secrets are one of the core building blocks of Kubernetes for storing sensitive data like passwords, certificates, or tokens and using them inside containers. There are three critical issues related to Kubernetes secrets:

*   Secrets store sensitive data as base-64 encoded strings, but they are not encrypted by default. Kubernetes does offer encryption of the resources for storage, but you need to configure it. Furthermore, the biggest threat about secrets is that any pod — and any applications running inside the pod — in the same namespace can access and read them.
*   Role-based access control (RBAC) allows you to regulate who is granted access to Kubernetes resources. You need to properly configure RBAC rules so that only the relevant people and applications will have access to secrets.
*   Secrets and ConfigMaps are the two methods of passing data to running containers. If there are old and unused secrets or ConfigMap resources, it can create confusion and leak vulnerable data. For instance, if you delete your back-end application deployment but forget to delete the secret that has your database passwords, any malicious pod can use them in the future.

**2\. Container Images With Vulnerabilities**

Kubernetes is a container orchestration platform that distributes and runs containers on the worker nodes. However, it does not check the contents of containers for whether they have security vulnerabilities or exposures.

Therefore, it is necessary to scan the images before deployment to ensure that only images from trusted registries with no critical vulnerabilities (like remote code execution) will run on the cluster. Container image scanning should also be integrated into CI/CD systems for automation and detecting flaws earlier.

**3\. Runtime Threats**

Kubernetes workloads — namely, containers — run on the worker nodes, and the containers are controlled by the host operating system in the runtime. If there are permissive policies or container images with vulnerabilities, they can open backdoors into your whole cluster. Therefore, OS-level runtime protection is required to enforce security in runtime, and the most important protection against runtime threats and vulnerabilities is to implement the least-privileged principle throughout Kubernetes.

Open source and widely accepted tools like Seccomp, SELinux, and AppArmor in the Linux kernel level are available to implement policies and restrict access. These tools are not internal to Kubernetes and require external configuration and effort to enable protection against runtime threats. In order to secure Kubernetes in an automated fashion, try employing the Kubernetes Security Posture Management (KSPM) approach. KSPM leverages automation tools to detect, fix, and alert security, configuration, and compliance issues using a holistic approach.

**4\. Cluster Misconfiguration and Default Settings**

The Kubernetes API and its components consist of a complex set of resource definitions and configuration options. Therefore, Kubernetes offers default values for most of its configuration parameters and tries to remove the burden of creating long YAML files.

However, you need to be careful about three critical issues related to cluster and resource configuration:

*   Default Kubernetes configurations are helpful, as they try to increase flexibility and agility, but they are not always the most secure options.
*   Online examples for Kubernetes resources are helpful to get started, but it is necessary to double-check what these example resource definitions will deploy to your cluster.
*   It is customary to make changes to Kubernetes resources using "kubectl edit" commands while working on the clusters. However, if you forget to update the source files, the changes will be overwritten in the next deployment, and the untracked modifications could lead to unpredictable behavior.

**5\. Kubernetes RBAC Policies**

RBAC is the Kubernetes-native method of managing and controlling authorization to Kubernetes resources. Therefore, configuring and maintaining RBAC policies is essential to secure the clusters from unwanted access.

There are two critical points to consider while working with RBAC policies. First, some RBAC policies are too permissive, such as the cluster\_admin role, which can do basically everything in the cluster. These roles are assigned to regular developers to make them more agile. However, in the event of a security breach, attackers quickly get high-level access to the clusters using cluster\_admin. To avoid this, you should configure RBAC policies for specific resources and assign them to particular user groups.

Second, in general, various environments, like development, testing, staging, and production, exist in the software development life cycle. In addition, there are multiple teams with different focuses, such as developers, testers, operators, and cloud admins. RBAC policies should be assigned correctly for each group and each environment to limit exposure.

**6\. Network Access**

In Kubernetes, a pod can connect to other pods and external addresses outside the cluster; others can connect to this pod from inside the cluster by default. Network policies are the Kubernetes-native resources to manage and restrict the network access between pods, namespaces, and IP blocks.

Network policies can also work with the labels on the pods, so inefficient use of labels could lead to unwanted access. In addition, when the clusters live in cloud providers, the cluster network should also be isolated from the rest of the virtual private cloud (VPC).

**7\. Holistic Monitoring and Audit Logging**

When you deploy an application to a Kubernetes cluster, it's not sufficient to only monitor the application metrics. You must also watch the Kubernetes cluster's status, cloud infrastructure, and cloud controllers to have a holistic view of the complete stack. It is also important to watch for breaches and detect anomalies since intruders will be testing to access your clusters from every possible opening.

Kubernetes provides out-of-the-box audit logs for security-related incidents in the cluster. Still, you also need to collect the records from various applications and monitor their health in a central place.

**8\. Kubernetes API**

Kubernetes API is the core of the entire system, where all internal and external clients connect and communicate with Kubernetes. If you deploy and manage Kubernetes components in-house, you need to be more careful because the Kubernetes API server and its components are open source tools with potential — and actual — vulnerabilities. Therefore, you should use the latest stable version of Kubernetes and patch live clusters as early as possible.

If you use cloud providers, the Kubernetes control plane is in control of the provider itself, so the cloud infrastructure updates and patches automatically. However, users are responsible for upgrading worker nodes in most cases. Therefore, you can use automation and resource provisioning tools to upgrade nodes easily or replace them with new ones.

**9\. Kubernetes Resource Requests and Limits**

In addition to scheduling and running containers, Kubernetes can also limit the resource usage of containers in terms of CPU and memory. Although Kubernetes users mostly neglect them, resource requests and limits are critical for two reasons:

*   **Security:** When the pods and namespaces are not restricted, even a single container with a security vulnerability could access sensitive data inside your cluster.
*   **Cost:** When the requested resources are more than the actual usage, the nodes will run out of available resources. This will lead to an increase in the node pool if autoscaling is enabled, and the new nodes will increase your cloud bill inevitably.

When the resource requests are calculated and assigned correctly, the whole cluster works efficiently in terms of CPU and memory. In addition, when resource limits are set, both faulty applications and intruders will be limited in terms of resource usage. For instance, if there are no resource limitations, a malicious container could consume nearly all of the resources in the node and make your application unusable.

**10\. Data and Storage**

Although containers are designed to be ephemeral, Kubernetes makes it possible to run stateful containerized applications scalably and reliably. With the StatefulSet resource, you can deploy databases, data analytics tools, and machine-learning applications into Kubernetes quickly. The data will be accessible to the pods as volumes attached to the containers.

However, it is critical to limit access by policies and labels to avoid unwanted access by other pods in the cluster. In addition, storage in Kubernetes is provided by external systems, so you should consider using encryption for critical data in the cluster. If you manage your storage plugins, you should also check the security parameters to ensure that they are enabled.

**Conclusion**

Kubernetes is the indisputable container management platform for running microservice applications. However, holistic security is still one of its drawbacks, as it is not the core focus of the project. Therefore, you need to take extra steps to make your clusters and applications more secure.

Top 10 Kubernetes Security Risks Every DevSecOps Pro Should Know

Telos' aviation channeling service offers increased efficiency and flexibility in credentialing operations at the busiest airport in the Washington-Baltimore region.

**ASHBURN, Va., Oct. 25, 2022 (GLOBE NEWSWIRE)** — Telos Corporation (NASDAQ: TLS), a leading provider of cyber, cloud, identity and enterprise security solutions for the world’s most security-conscious organizations, today announced that the Maryland Aviation Administration has contracted with Telos to provide the Transportation Security Administration (TSA)-approved Designated Aviation Channeling (DAC) service for processing worker background checks at Baltimore/Washington International Thurgood Marshall Airport (BWI).

Telos’ DAC service improves data integrity, increases the efficiency of credentialing operations and reduces costs. The DAC service enables submissions of workers’ biographic and biometric data to conduct background checks for individuals working in secure areas of U.S. commercial airports.

“The DAC service deployment at BWI Marshall Airport is notable for its integration with BWI’s Identity Management System, enabling efficient biographic and biometric transmissions,” said Dawn E. Lucini, vice president of aviation security, Telos. “We have streamlined the TSA-required aviation worker background check process, while upholding the high security and customer service standards at BWI.”

Telos’ aviation channeling service meets the TSA and Department of Homeland Security (DHS) requirements for the transmission and protection of biographic and biometric data. Telos applies this TSA-accredited software-as-a-service platform to enable airports, air carriers, cargo carriers, and general aviation to perform identity and biometric-based background checks that mitigate insider threats to our nation’s aviation transportation infrastructure.

“Telos is the recognized leader in assuring the identities of aviation workers with advanced biometric and enrollment solutions, evidenced by the growing roster of airports and airlines – over 100 and counting – that currently use the Telos DAC solution,” said Lucini. “We are pleased to support the Maryland Aviation Administration and its world-class airport in their efforts to provide excellence in credentialing and vetting services of their aviation workers, all while reducing costs and providing superior customer care and flexibility.”

In August 2022, Telos announced the expansion of its aviation channeling service within the U.S. commercial aviation industry to include: USA Jet Airlines, IFL Group, California Redwood Coast Humboldt County Airport (ACV), Advanced Airlines, Backcountry Aviation and ABX Air, Albany Intl. Airport (ALB), Chicago O’Hare Intl. Airport (ORD), Chicago Midway Intl. Airport (MDW), Dallas Fort Worth Intl. Airport (DFW), Jacksonville Intl. Airport (JAX), Antonio B. Won Pat International Airport (GUM), Minneapolis-St. Paul Intl. Airport (MSF), Phoenix Sky Harbor International Airport (PHX), Salt Lake City International Airport (SLC), Santa Barbara Airport (SBA), St. Pete-Clearwater Intl. Airport (PIE), State of Hawaii Dept. of Transportation for State Commercial Airports and more.

For more information about the Telos Designated Aviation Channeling service, visit www.aviationchanneling.com.

**Forward-Looking Statements**

This press release contains forward-looking statements which are made under the safe harbor provisions of the federal securities laws. These statements are based on the Company’s management’s current beliefs, expectations and assumptions about future events, conditions and results and on information currently available to them. By their nature, forward-looking statements involve risks and uncertainties because they relate to events and depend on circumstances that may or may not occur in the future. The Company believes that these risks and uncertainties include, but are not limited to, those described under the captions “Risk Factors” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations” set forth from time to time in the Company’s filings and reports with the U.S. Securities and Exchange Commission (SEC), including its Annual Report on Form 10-K for the year ended December 31, 2021, as well as future filings and reports by the Company, copies of which are available at https://investors.telos.com and on the SEC’s website at www.sec.gov.

Although the Company bases these forward-looking statements on assumptions that the Company’s management believes are reasonable when made, they caution the reader that forward-looking statements are not guarantees of future performance and that the Company’s actual results of operations, financial condition and liquidity, and industry developments, may differ materially from statements made in or suggested by the forward-looking statements contained in this release. Given these risks, uncertainties and other factors, many of which are beyond its control, the Company cautions the reader not to place undue reliance on these forward-looking statements. Any forward-looking statement speaks only as of the date of such statement and, except as required by law, the Company undertakes no obligation to update any forward-looking statement publicly, or to revise any forward-looking statement to reflect events or developments occurring after the date of the statement, even if new information becomes available in the future. Comparisons of results for current and any prior periods are not intended to express any future trends or indications of future performance, unless specifically expressed as such, and should only be viewed as historical data.

**About Telos Corporation**  
Telos Corporation (NASDAQ: TLS) empowers and protects the world’s most security-conscious organizations with solutions for continuous security assurance of individuals, systems, and information. Telos’ offerings include cybersecurity solutions for IT risk management and information security; cloud security solutions to protect cloud-based assets and enable continuous compliance with industry and government security standards; and enterprise security solutions for identity and access management, secure mobility, organizational messaging, and network management and defense. The company serves commercial enterprises, regulated industries and government customers around the world.

Baltimore/Washington International Thurgood Marshall Airport Selects Telos to Process Background Checks for Aviation Workers

ICS/OT Security joins the lineup of 14 cybersecurity topic sections on the media site.

Dark Reading this week launched a new section — ICS/OT Security — focused on covering breaking news, technology trends, and insights into issues for securing industrial control systems and operational technology environments.

The industrial sector long has been a critical topic in Dark Reading's comprehensive news coverage — we've been pioneering and reporting on news and topics in this space for nearly two decades, with in-depth coverage of the game-changer Stuxnet attack as well as Triton/Trisis, the Ukraine power grid attack, and Colonial Pipeline, and many other key research findings and technology advancements in OT. 

Dark Reading's new ICS/OT Security section will help cybersecurity professionals navigate the challenges and trends unique to OT security, as well as the security implications of the convergence of IT and OT networks, including the relationship between the teams that manage securing the business network and those who manage securing the industrial one. 

This section will provide the latest news and analysis on threats and attacks against OT environments, as well as security tools, technologies, and strategies for protecting ICS and OT networks. This includes industrial systems such as medical devices and equipment, building automation systems, PLCs, SCADA, robotics systems, and other critical infrastructure components. 

Dark Reading already publishes a section dedicated to non-industrial IoT (Internet of Things) topics.

In keeping with the editorial mission of Dark Reading, the new ICS/OT Security section aims to provide you with the best and most in-depth ICS/OT security content to help you do your job on a day-to-day basis. If there are topics you'd like to see covered, news tips you would like to share — or if you'd like to tell us how we're doing, please ping us via \[email protected\].

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Dark Reading Launches New Section Dedicated to ICS/OT Security

A pair of Microsoft bugs allow cyberattackers to bypass native Windows Internet download security, says former CERT CC researcher who discovered the flaws.

Two separate vulnerabilities exist in different versions of Windows that allow attackers to sneak malicious attachments and files past Microsoft's Mark of the Web (MoTW) security feature.

Attackers are actively exploiting both issues, according to Will Dormann, a former software vulnerability analyst with CERT Coordination Center (CERT/CC) at Carnegie Mellon University, who discovered the two bugs. But so far, Microsoft has not issued any fixes for them, and no known workarounds are available for organizations to protect themselves, says the researcher, who has been credited with discovering numerous zero-day vulnerabilities over his career.

**MotW Protections for Untrusted Files**

MotW is a Windows feature designed to protect users against files from untrusted sources. The mark itself is a hidden tag that Windows attaches to files downloaded from the Internet. Files that carry the MotW tag are restricted in what they do and how they function. For example, starting with MS Office 10, MotW-tagged files open by default in Protected View, and executables are first vetted for security issues by Windows Defender before they are allowed to run.

"Many Windows security features — \[such as\] Microsoft Office Protected view, SmartScreen, Smart App Control, \[and\] warning dialogs — rely on the presence of the MotW to function," Dormann, who is presently a senior vulnerability analyst at Analygence, tells Dark Reading.

**Bug 1: MotW .ZIP Bypass, with Unofficial Patch**

Dormann reported the first of the two MotW bypass issues to Microsoft on July 7. According to him, Windows fails to apply the MotW to files extracted from specifically crafted .ZIP files.

"Any file contained within a .ZIP can be configured in a way so that when it's extracted, it will not contain MOTW markings," Dorman says. "This allows an attacker to have a file that will operate in a way that makes it appear that it did not come from the Internet." This makes it easier for them to trick users into running arbitrary code on their systems, Dormann notes.

Dormann says he cannot share details of the bug, because that would give away how attackers could leverage the flaw. But he says it affects all versions of Windows from XP on. He says one reason he has not heard from Microsoft likely is because the vulnerability was reported to them via CERT's Vulnerability Information and Coordination Environment (VINCE), a platform that he says Microsoft has refused to use.

"I haven't worked at CERT since late July, so I cannot say if Microsoft has attempted to contact CERT in any way from July on," he cautions.

Dormann says other security researchers have reported seeing attackers actively exploiting the flaw. One of them is security researcher Kevin Beaumont, a former threat intelligence analyst at Microsoft. In a tweet thread earlier this month, Beaumont reported the flaw as being exploited in the wild.

"This is without a doubt the dumbest zero day I’ve worked on," Beaumont said.

In a separate tweet a day later, Beaumont said he wanted to release detection guidance for the issue but was concerned about the potential fallout.

"If Emotet/Qakbot/etc find it they will 100% use it at scale," he warned.

In an emailed comment a Microsoft spokeswoman said the company is "aware of the technique and are investigating to determine the appropriate steps to address the issue_."_  The statement did not say which of the two MoTW related issues Microsoft is investigating or might be planning to address. Meanwhile, Slovenia-based security firm Acros Security last week released an unofficial patch for this first vulnerability via its 0patch patching platform.

In comments to Dark Reading, Mitja Kolsek, CEO and co-founder of 0patch and Acros Security, says he was able to confirm the vulnerability that Dormann reported to Microsoft in July. 

"Yes, it is ridiculously obvious once you know it. That's why we didn't want to reveal any details," he says. He says the code performing the unzipping of .ZIP files is flawed and only a code patch can fix that. "There are no workarounds," Kolsek says.

Kolsek says the issue is not difficult to exploit, but he adds the vulnerability alone is not enough for a successful attack. To exploit successfully, an attacker would still need to convince a user into opening a file in a maliciously crafted .ZIP archive — sent as an attachment via a phishing email or copied from a removable drive such as a USB stick for instance.

"Normally, all files extracted from a .ZIP archive that is marked with MotW would also get this mark and would therefore trigger a security warning when opened or launched," he says, but the vulnerability definitely allows attackers a way to bypass the protection. "We are not aware of any mitigating circumstances," he adds.   

**Bug 2: Sneaking Past MotW With Corrupt Authenticode Signatures**

Kolsek noted that his firm has a patch candidate ready for the second issue as well and should release it by Friday.

This second vulnerability involves the handling of MotW tagged files that have corrupt Authenticode digital signatures. Authenticode is a Microsoft code-signing technology that authenticates the identity of the publisher of a particular piece of software and determines whether the software was tampered with after it was published.

Dormann says he discovered that if a file has a malformed Authenticode signature, it will be treated by Windows as if it had no MotW; the vulnerability causes Windows to skip SmartScreen and other warning dialogs before executing a JavaScript file.

"Windows appears to 'fail open' when it encounters an error \[when\] processing Authenticode data," Dormann says, and "it will no longer apply MotW protections to Authenticode-signed files, despite them actually still retaining the MotW."

Dormann describes the issue as affecting every version of Windows from version 10 on, including the server variant of Windows Server 2016. The vulnerability gives attackers a way to sign any file that can be signed by Authenticode in a corrupt manner — such as .exe files and JavaScript files — and sneak it past MOTW protections.

Dormann says he learned of the issue after reading an HP Threat Research blog from earlier this month about a Magniber ransomware campaign involving an exploit for the flaw.

It's unclear if Microsoft is taking action, but for now, researchers continue to raise the alarm. "I have not received an official response from Microsoft, but at the same time, I have not officially reported the issue to Microsoft, as I'm no longer a CERT employee," Dormann says. "I announced it publicly via Twitter, due to the vulnerability being used by attackers in the wild."

Windows Mark of the Web Zero-Days Remain Patchless, Under Exploit

A credential-stealing attack that spoofed LinkedIn and targeted a national travel organization skates past DMARC and other email protections.

A phishing email purportedly from LinkedIn with the subject line "We noticed some unusual activity" was discovered targeting users at a travel organization, in an attempt to pilfer their credentials on the social-media platform.

The phishing campaign slipped past Google's email security controls after cheating email authentication checks via SFP and DMARC, according to Armorblox, whose email security system at the victim organization found and stopped the attack pointed at some 500 user inboxes.

"The main call-to-action button (_Secure my account_) included within the email contains a bad URL and took victims to a fake landing page. This fake landing page ... mimicked a legitimate LinkedIn sign in page that included LinkedIn logos, language, and illustrations that mirrored true LinkedIn branding," Armorblox wrote in a post about the attack campaign.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

LinkedIn Phishing Spoof Bypasses Google Workspace Security

Ursnif, a one-time banking Trojan also known as Gozi, becomes the latest codebase to be repurposed as a more general backdoor, as malware developers trend toward modularity.

Threat groups continue to recycle code from older tools into more generalized frameworks, a trend that will continue as the codebases incorporate more modularity, security experts said this week.

In the latest example, the threat group behind Ursnif — aka Gozi — recently moved the tool away from a focus on financial services to more general backdoor capabilities, cybersecurity services firm Mandiant stated in an analysis. The new variant, which the company has dubbed LDR4, is likely intended to facilitate the spread of ransomware and the theft of data for extortion.

The modular malware joins Trickbot, Emotet, Qakbot, IcedID, and Gootkit, among others, as tools that started as banking Trojans but have been repurposed as backdoors, without requiring the development effort of creating an entirely new codebase, says Jeremy Kennelly, senior manager for financial crime analysis at Mandiant.

"The developers working on banking Trojans have taken multiple approaches to retooling their malware as a backdoor to support intrusion operations, though a major code rewrite hasn’t generally been deemed necessary," he says. "These malware families — at their core — are just modular backdoors that have historically loaded secondary components enabling 'banker' functionality."

Mandiant's analysis of Ursnif points out that maintaining multiple codebases is a challenging task for malware developers, especially when one mistake could give defenders a way to block an attack and investigators a way to hunt down the attacker. Maintaining a single modular codebase is much more scalable, the company's analysis this week stated.

**A Malware Movement Toward Backdoor Modularity**

It's unsurprising that malware developers are moving to more general and modular code, says Max Gannon, a senior intelligence analyst at Cofense.

"In some cases, a purpose-built remote access Trojan (RAT), traditionally viewed as a backdoor, may be more conducive to the threat activity," he says. "However, a lot of threat actors want more than just a backdoor, and many commodity malware families have morphed to become multipurpose tools that simply include backdoor access."

The specialization of tools in the cybercriminal underground is also a reason why older codebases are being repurposed. By focusing specific tools on areas of attack — such as initial access, lateral movement, or data exfiltration — the developers of these tools are able to differentiate themselves against competitors and offer a unique set of features. Using existing codebases also saves time, and making such projects modular allows the tool to be customized for the customer's — read, "attacker's" — needs, says Jon Clay, vice president of threat intelligence at Trend Micro.

"The coders behind many of these toolkits create them and sell them within the cybercriminal underground markets, as they offer newbies and other malicious actors with a ready-made kits for executing attacks," he says. "Many of these offer automations now as well as GUI interfaces to manage the attacks and victim information/data."

The original Ursnif code appeared in the mid-2000s. The Zeus banking Trojan — used in thefts of tens of millions, and likely hundreds of millions, of dollars — has had a similar trajectory, with its adoption accelerated by a source code leak. Another banking Trojan, Emotet, has now become a general backdoor, allowing its development group to offer access as a service to other cybercriminals, a business relationship also demonstrated by Qakbot, another Trojan initially created as a banking Trojan.

All of these programs had the benefit of modularity, says Mandiant's Kennelly.

"All bankers that have been broadly repurposed as backdoors were already modular, which has the added benefit of limiting the complexity of the core malware while providing significant operational flexibility," he says. "These established malware families also had a proven track record and general familiarity to the actors using them."

**Swiss Army Knife Malware Delivery**

Rather than changes in functionality, a lot of the evolution in categorizing attackers tools has come about because labeling has had to catch up to changes in the malware design. By redesigning the codebases to be modular, defining a tool as a single thing — whether a banking Trojan, a spam bot, or a worm — becomes much more difficult. Adding a single new module would change the label for the code.

In the past, for example, computer viruses spread by infecting files, while worms used automated scanning and exploitation to spread quickly and more widely. However, a number of Trojans incorporated either or both functionality, leading to a more general term: malicious software, or malware.

A similar evolution has happened around the classification of attacker tools. Programs that were originally considered to be banking Trojans, RATs, or a scanning tools are now capabilities of more general frameworks, says Codefense's Gannon.

"If we think of a backdoor as software that sits on a machine to provide access that skirts normal security measures, banking Trojans inherently act as backdoors in order to perform their usual functions, so almost any banking Trojan can be used as one without the need for many changes," he says. "The difference is often simply in the intent of the user."

**How to Protect Against Modular Malware**

To combat the threat, companies should have tools that look for telltale signs that a backdoor or RAT are being used inside their network. Since phishing attacks are a common way to compromise end user's systems, multifactor authentication (MFA) and employee training can also help harden businesses against attacks.

Overall, having visibility into change to systems and anomalous traffic on the network can help immensely, Trend Micro's Clay says.

"The main thing to know is that in many cases there are early signs of these tools being used within the organization and that if seen," he says, "they should be taken very seriously that there is likely an active campaign against them."

Threat Groups Repurpose Banking Trojans into Backdoors

A more secure organization starts with stronger alignment between HR and the IT operation.

A common shortcoming of human resources (HR) departments is that — despite being an operation designed to put humans at the center of how an organization is run — they often fail to adequately align with their IT counterparts and the core technology systems that define how a business is run and protected from cyber-risk.

Insufficient coordination between HR and IT processes and procedures remains common and gives rise to security gaps that can represent some of the most dangerous vulnerabilities on a company's attack surface. Let's examine the scope of the challenge and some key cyber-asset management priorities that can close the schism for a more robust cybersecurity posture.

**Elevating HR's Role in Securing the Enterprise**

Gone are the days when HR's role in securing the enterprise relied on basic tutorials for employees about protecting passwords on company equipment. Today's threat environment intersects with the workforce in more ways than ever — from BYOD and authentication gaps to user vulnerabilities that make spear-phishing seem quaint. Traditional social engineering attacks are now being augmented by zero-click exploits that compromise employee devices without the user ever having to click a link or take any action at all.

Beyond malicious threats, even routine HR processes can introduce risk to the organization when they're not adequately aligned with the IT processes in an organization. As just one example, when an employee leaves a company, the offboarding goes far beyond just the exit interview to also include removing access to multiple enterprise systems, accounts, and devices — all of which require close coordination between HR and IT personnel and systems.

To better secure the enterprise, it's mission-critical to get HR and IT more united in a common and advanced understanding of cyber hygiene and risk mitigation. This relies on enhanced awareness of the impact that HR processes have on cyber assets in other parts of the organization, as well as the HR role in access management for employees and contractors. This requires asset visibility that must be ongoing and in real time, since our roles, devices, and access to data and systems may change multiple times over the course of our employment.

**Three Priorities for Better Cyber-Asset Visibility and Alignment Between HR and IT**

Any lack of IT coordination across the many integration points and business systems involved in the HR operation creates risk for the company. There must be an effort toward more visibility and synergetic business processes to align HR operations with the organization's larger IT estate. Here are three priorities for achieving this:

*   **Increase the data IQ among HR professionals:** Data literacy among domain-specific business analysts is important, and that message needs to get louder within the HR community. The more HR professionals can understand the technology implications of their work, the more they can help protect the IT estate as their processes and policies play out in the workforce.

*   **Fully integrate HR as a well-represented domain in the IT estate:** Unison between the HR department and the IT department security relies heavily on the alignment of their respective business processes. Ideally, this integration should include predefined, HR-specific compliance frameworks within the cyber-asset management domain that can be applied to all existing and future cyber assets. There should also be clear coordination with IT on HR's role in employee access to systems, files, and data.

*   **Automation is essential:** HR's digital reach into the organization is such that automation will inevitably be needed. As an example, let's return to the case of employee offboarding. Especially with the current "great resignation," the multiple IT tickets generated by each offboarding can pile up and lead to backlogs that expose the company to unnecessary risk, unless automation is introduced to handle more of these HR-related processes and handle them more quickly.

These priorities underscore the pivotal role cyber-asset management plays at the nexus of HR and IT operations. Better adherence to common data standards, a rigorous cloud tagging schema, and other cyber-asset management basics can streamline and scale the ability for HR and IT teams to work seamlessly together. The result is more visibility and control, and a single source of truth around where and how HR and IT operations affect each other, a clarity that enhances the overall security of the enterprise.

HR Departments Play a Key Role in Cybersecurity

Cybersecurity pros discuss a trio of lessons from the Equifax hack and how to prevent similar attacks in the enterprise.

On the morning of Sept. 7, 2017, US credit bureau giant Equifax announced hackers had infiltrated its network and exfiltrated customer names, Social Security numbers, birthdates, and addresses. The news of the breach — which compromised the private records of 147.9 million Americans (almost 50% of the entire US population), 15.2 million Britons, and almost 19,000 Canadians — immediately created pandemonium across organizations, forcing many business leaders to reconsider their security postures. Much has changed over the past five years, but the lessons from the Equifax breach are still relevant for enterprises.

Equifax didn't reveal the breach as soon as it discovered it — the company sat on the information for more than a month. It was the perfect antithesis: A business known to provide credit score rating, fraud solutions, financial marketing, and analytical services had been hacked. The attackers had gotten in through an unpatched vulnerability in Apache Struts. The worst part? Apache had already warned about the flaw and a patch was available.

"The Equifax breach is a unique attack in that a conscious decision was made by a company and its leadership: not to patch the vulnerability when the software vendor announced the vulnerability and provided the patch," says James Turgal, vice president of cyber risk, strategy, and board relations at Optiv.

The attack, now linked to four hackers from the Chinese military, represents one of the most sweeping attacks conducted against US businesses by foreign nationals. Industry experts discuss with Dark Reading what lessons to draw from the breach and how organizations can prevent similar threats in their environments.

**Data Management Is Still an Enterprise Problem**

"Equifax shows that organizations need to focus on data management," Adam Marrè, CISO at Arctic Wolf and former FBI special agent/cyber investigator, tells Dark Reading.

"With so many different IT and security priorities, companies aren't thinking about data management in the right ways. Most organizations only think about how best to monetize data or how to use it to serve their customers, but they often miss the significant increase in risk that storing the data brings."

Turgal agrees, noting that enterprises and individuals are at risk of data exfiltration and identity theft.

"Every day, companies large and small fall victim to identity theft," he says. "Both the high volume of activity and large transactions occurring at the corporate level attract threat actors, using data that typically has been exfiltrated from another breach by a separate threat actor and sold to the highest bidder to impersonate the identity of a business to commit fraud."

Gartner estimates that until 2025, "80% of organizations seeking to scale digital business will fail because they do not take a modern approach to data governance." That's a lot of businesses, and it's a figure that Marrè agrees with.

"In my experience, most companies don't have a comprehensive picture of how they collect, store, and manage data," he says. "Especially from a security standpoint, most businesses have no idea who has access to what data, how to properly classify it, how to protect it, and even how to set up data retention policies to properly get rid of it. By focusing on these aspects, businesses can transform their data strategies and further protect themselves and their customers."

Turgal suggests that organizations can safeguard data and identity by doing the following:

*   Include artificial intelligence and machine-learning technologies into the business processes to quickly spot anomalous behavior.
*   Review and update access permissions and utilize data encryption when the data is in transit and at rest.
*   Establish protocols for user provisioning and deprovisioning of regular and privileged access holders.
*   Continually educate employees on how to minimize risk.

**Enterprises Aren't Paying Attention to the Basics**

The fundamentals of cybersecurity are still lacking in several enterprise efforts at securing user data. Leaning on his experience in the FBI and private sector, Marrè says he has seen so many organizations that are not adequately prioritizing security. With security incidents at high-profile businesses and rampant ransomware and extortion attacks worldwide, organizations can no longer afford to ignore or sideline their security, he says.

"Although there are new and exciting technologies that are aimed at solving different attack vectors, focusing on successfully executing the fundamentals of cybersecurity remains the most effective strategy," Marrè says. "When it comes to protecting your organization and your data, prevention is good, but detection is a must."

Many attacks can be avoided by implementing zero-trust architecture to the letter. In hindsight, for example, the Equifax attack could have been prevented if the organization had paid more attention to the multiple threat warnings the company had received before the hack.

The Equifax breach was "a strong example of why enterprises should evaluate their data to understand the business need and ensure it is classified appropriately," says Andrew Bayers, head of threat intelligence at Resilience, adding that data should be stored and transmitted securely — and ultimately retained for only the amount of time needed.

**Cyber Resilience Needs Action, Not Reaction**

While it's true that some players in the enterprise are investing heavily in cybersecurity, several others are still lagging — giving malicious actors an opening to capitalize on discrepancies and take control of critical data assets. Although its activities are not immediately noticeable, a proactive cybersecurity team is worth its weight in gold.

"Having a skilled security team is the backbone of a sound cybersecurity strategy," Marrè says. "Whether it's a world-class team from a partner or in-house experts, this should be a priority for all companies."

To become cyber resilient, Bayers adds, organizations should identify vulnerabilities in their systems and prioritize patching according to the risks they pose.

Source

DARKReading