While organizations wait for an official patch for the two zero-day flaws in Microsoft Exchange, they should scan their networks for signs of exploitation and apply these mitigations.

Microsoft has confirmed two new zero-day vulnerabilities in Microsoft Exchange Server (CVE-2022-41040 and CVE-2022-41082) are being exploited in "limited, targeted attacks." In the absence of an official patch, organizations should check their environments for signs of exploitation and then apply the emergency mitigation steps.

*   CVE-2022-41040 — Server-side request forgery, allowing authenticated attackers to make requests posing as the affected machine
*   CVE-2022-41082 — Remote Code Execution, allowing authenticated attackers to execute arbitrary PowerShell.

"Currently, there are no known proof-of-concept scripts or exploitation tooling available in the wild," wrote John Hammond, a threat hunter with Huntress. However, that just means the clock is ticking. With renewed focus on the vulnerability it is just a matter of time before new exploits or proof-of-concept scripts become available.

**Steps to Detect Exploitation**

The first vulnerability — the server-side request forgery flaw — can be used to achieve the second — the remote code execution vulnerability — but the attack vector requires the adversary to already be authentication on the server.

Per GTSC, organizations can check if their Exchange Servers have already been exploited by running the following PowerShell command:

Get-ChildItem -Recurse -Path <Path\_IIS\_Logs> -Filter "\*.log" | Select-String -Pattern 'powershell.\*Autodiscover\\.json.\*\\@.\*200

GTSC has also developed a tool to search for signs of exploitation and released it on GitHub. _This list will be updated as other companies release their tools._

**Microsoft-Specific Tools**

*   According to Microsoft, there are queries in Microsoft Sentinel that could be used to hunt for this specific threat. One such query is the Exchange SSRF Autodiscover ProxyShell detection, which was created in response to ProxyShell. The new Exchange Server Suspicious File Downloads query specifically looks for suspicious downloads in IIS logs.
*   Alerts from Microsoft Defender for Endpoint regarding possible web shell installation, possible IIS web shell, suspicious Exchange Process Execution, possible exploitation of Exchange Server vulnerabilities, suspicious processes indicative of a web shell, and possible IIS compromise can also be signs the Exchange Server has been compromised via the two vulnerabilities.
*   Microsoft Defender will detect the post-exploitation attempts as _Backdoor:ASP/Webshell.Y_ and _Backdoor:Win32/RewriteHttp.A_.

Several security vendors have announced updates to their products to detect exploitation, as well.

Huntress said it monitors approximately 4,500 Exchange servers and is currently investigating those servers for potential signs of exploitation in these servers. "At the moment, Huntress has not seen any signs of exploitation or indicators of compromise on our partners' devices," Hammond wrote.

**Mitigation Steps to Take**

Microsoft promised that it is fast-tracking a fix. Until then, organizations should apply the following mitigations to Exchange Server to protect their networks.

Per Microsoft, on-premises Microsoft Exchange customers should apply new rules through the URL Rewrite Rule module on IIS server.

*   In IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions, select Request Blocking and add the following string to the URL Path:

.\*autodiscover\\.json.\*\\@.\*Powershell.\*

The condition input should be set to {REQUEST\_URI}

*   Block ports 5985 (HTTP) and 5986 (HTTPS) as they are used for Remote PowerShell.

_**If you are using Exchange Online:**_

Microsoft said Exchange Online customers are not affected and do not need to take any action. However, organizations using Exchange Online are likely to have hybrid Exchange environments, with a mix of on-prem and cloud systems. They should follow the above guidance to protect the on-prem servers.

Worried About the Exchange Zero-Day? Here's What to Do

Weeks after it breached the Los Angeles Unified School District, the Vice Society ransomware group is threatening to leak the stolen data, unless they get paid.

The clock is ticking for the Los Angeles Unified School District (LAUSD) — the second largest in the country. Following a ransomware attack at the beginning of the month, it has now has been given an ultimatum: meet Vice Society's ransom payment demands or have their data released to the public for anyone, including phishers and other cybercriminals, to access.

Brett Callow, a threat analyst for Emsisoft, shared a screen capture of the Vice Society leak site that shows the ransomware group is threatening to publish the goods in just a few days.

"The papers will be published by London time on October 4, 2022 at 12:00 a.m." the notice read.

The district has not provided an update on the types of information the cyberattackers are threatening to release, one district parent told Dark Reading.

"I do wish they'd sent out a notice about what personal information of our kids and ourselves could be included in this planned release," she says. "And whether we could do anything about reducing harm."

**LAUSD Refuses to Pay Ransom**

The school district acknowledged the attack in a Sept. 5 statement and said it was working with law enforcement to investigate the breach. Los Angeles Unified School District superintendent Alberto Carvalho confirmed a ransomware demand was made after the cyberattack was announced, and that the district was not paying up.

"We can confirm that there was a demand made," Carvalho said during a Sept. 20 interview with the Los Angeles Times. "There has been no response to the demand."

At press time, all of the systems used by parents and students are fully functioning, the district parent confirms.

"I'm generally supportive of how the district has handled the breach — they brought in the Feds immediately and stood firm on not paying the ransom," she says. "I could quibble here and there about communication and the actual implementation of the password reset, but all things considered, they've done OK."

The LAUSD hit was part of a series of ransomware attacks against schools by Vice Society, which hoped to capitalize on the busy back-to-school season.

The wave of early September attacks also prompted the Cybersecurity and Infrastructure Agency (CISA) to issue a warning about Vice Society's campaign against educational institutions.

LA School District Ransomware Attackers Now Threaten to Leak Stolen Data

It's time to dispel notions of deepfakes as an emergent threat. All the pieces for widespread attacks are in place and readily available to cybercriminals, even unsophisticated ones.

Malicious campaigns involving the use of deepfake technologies are a lot closer than many might assume. Furthermore, mitigation and detection of them are hard.

A new study of the use and abuse of deepfakes by cybercriminals shows that all the needed elements for widespread use of the technology are in place and readily available in underground markets and open forums. The study by Trend Micro shows that many deepfake-enabled phishing, business email compromise (BEC), and promotional scams are already happening and are quickly reshaping the threat landscape.

**No Longer a Hypothetical Threat**

"From hypothetical and proof-of-concept threats, \[deepfake-enabled attacks\] have moved to the stage where non-mature criminals are capable of using such technologies," says Vladimir Kropotov, security researcher with Trend Micro and the main author of a report on the topic that the security vendor released this week. 

'We already see how deepfakes are integrated into attacks against financial institutions, scams, and attempts to impersonate politicians," he says, adding that what's scary is that many of these attacks use identities of real people — often scraped from content they post on social media networks.

One of the main takeaways from Trend Micro's study is the ready availability of tools, images, and videos for generating deepfakes. The security vendor found, for example, that multiple forums, including GitHub, offer source code for developing deepfakes to anyone who wants it. Similarly, enough high-quality images and videos of ordinary individuals and public figures are available for bad actors to be able to create millions of fake identities or to impersonate politicians, business leaders, and other famous personalities.

Demand for deepfake services and people with expertise on the topic is also growing in underground forums. Trend Micro found ads from criminals searching for these skills to carry out cryptocurrency scams and fraud targeting individual financial accounts. 

"Actors can already impersonate and steal the identities of politicians, C-level executives, and celebrities," Trend Micro said in its report. "This could significantly increase the success rate of certain attacks such as financial schemes, short-lived disinformation campaigns, public opinion manipulation, and extortion."

**A Plethora of Risks**

There's a growing risk also of stolen or recreated identities belonging to ordinary people being used to defraud the impersonated victims, or to conduct malicious activities under their identities. 

In many discussion groups, Trend Micro found users actively discussing ways to use deepfakes to bypass banking and other account verification controls — especially those involving video and face-to-face verification methods.

For example, criminals could use a victim's identity and use a deepfake video of them to open bank accounts, which could later be used for money laundering activities. They can similarly hijack accounts, impersonate top-level executives at organizations to initiate fraudulent money transfer or plant fake evidence to extort individuals, Trend Micro said. 

Devices like Amazon's Alexa and the iPhone, which use voice or face recognition, could soon be on the list of target devices for deepfake-based attacks, the security vendor noted.

"Since many companies are still working in remote or mixed mode, there is an increased risk of personnel impersonation in conference calls which can affect internal and external business communications and sensitive business processes and financial flows," Kropotov says.

Trend Micro isn't alone in sounding the alarm on deepfakes. A recent online survey that VMware conducted of 125 cybersecurity and incident response professionals also found that deepfake-enabled threats are not just coming — they are already here. A startling 66% — up 13% from 2021 — of the respondents said they had experienced a security incident involving deepfake use over the past 12 months.

"Examples of deepfake attacks \[already\] witnessed include CEO voice calls to a CFO leading to a wire transfer, as well as employee calls to IT to initiate a password reset," says Rick McElroy, VMware's principal cybersecurity strategist.

**Few Mitigations for Deepfake Attacks & Detection Is Hard**

Generally speaking, these types of attacks can be effective, because no technological fixes are available yet to address the challenge, McElroy says. 

"Given the rising use and sophistication in creating deepfakes, I see this as one of the biggest threats to organizations from a fraud and scam perspective moving forward," he warns. 

The most effective way to mitigate the threat currently is to increase awareness of the problem among finance, executive, and IT teams who are the main targets for these social engineering attacks. 

"Organizations can consider low-tech methods to break the cycle. This can include using a challenge and passphrase amongst executives when wiring money out of an organization or having a two-step and verified approval process," he says.

Gil Dabah, co-founder and CEO of Piaano, also recommends strict access control as a mitigating measure. No user should have access to big chunks of personal data and organizations need to set rate limits as well as anomaly detection, he says.

"Even systems like business intelligence, which require big data analysis, should access only masked data," Dabah notes, adding that no sensitive personal data should be kept in plaintext and data such as PII should be tokenized and protected.

Meanwhile on the detection front, developments in technologies such as AI-based Generative Adversarial Networks (GANs) have made deepfake detection harder. "That means we can't rely on content containing 'artifact' clues that there has been alteration," says Lou Steinberg, co-founder and managing partner at CTM Insights.

To detect manipulated content, organizations need fingerprints or signatures that prove something is unchanged, he adds.

"Even better is to take micro-fingerprints over portions of the content and be able to identify what's changed and what hasn't," he says. "That's very valuable when an image has been edited, but even more so when someone is trying to hide an image from detection."

**Three Broad Threat Categories**

Steinberg says deepfake threats fall into three broad categories. The first is disinformation campaigns mostly involving edits to legitimate content to change the meaning. As an example, Steinberg points to nation-state actors using fake news images and videos on social media or inserting someone into a photo that wasn't present originally — something that is often used for things like implied product endorsements or revenge porn.

Another category involves subtle changes to images, logos, and other content to bypass automated detection tools such as those used to detect knockoff product logos, images used in phishing campaigns or even tools for detecting child pornography.

The third category involves synthetic or composite deepfakes that are derived from a collection of originals to create something completely new, Steinberg says. 

"We started seeing this with audio a few years back, using computer synthesized speech to defeat voiceprints in financial services call centers," he says. "Video is now being used for things like a modern version of business email compromise or to damage a reputation by having someone 'say' something they never said."

Reshaping the Threat Landscape: Deepfake Cyberattacks Are Here

While ransomware seems stalled, business email compromise (BEC) attacks continue to make profits from the ProxyShell and Log4j vulnerabilities, nearly doubling in the latest quarter.

While published trends in ransomware attacks have been contradictory — with some firms tracking more incidents and other fewer — business email compromise (BEC) attacks continue to have proven success against organizations.

BEC cases, as a share of all incident-response cases, more than doubled in the second quarter of the year, to 34% from 17% in the first quarter of 2022. That's according to Arctic Wolf's "1H 2022 Incident Response Insights" report, published on Sept. 29, which found that specific industries — including financial, insurance, business services, and law firms, as well as government agencies — experienced more than double their previous number of cases, the company said.

Overall, the number of BEC attacks encountered per email box has grown by 84% in the first half of 2022, according to data from cybersecurity firm Abnormal Security.  

Meanwhile, so far this year, threat reports released by organizations have revealed contradictory trends for ransomware. Arctic Wolf and the Identity Theft Resource Center (ITRC) have seen drops in the number of successful ransomware attacks, while business customers seem to be encountering ransomware less often, according to security firm Trellix. At the same time, network security firm WatchGuard had a contrary take, noting that its detection of ransomware attacks skyrocketed 80% in the first quarter of 2022, compared with all of last year.

**The Gleam of BEC Outshines Ransomware**

The surging state of BEC landscape is unsurprising, says Daniel Thanos, vice president of Arctic Wolf Labs, because BEC attacks offer cybercriminals advantages over ransomware. Specifically, BEC gains do not rely on the value of cryptocurrency, and attacks are often more successful at escaping notice while in progress.

"Our research shows that threat actors are unfortunately very opportunistic," he says.  

For that reason, BEC — which uses social engineering and internal systems to steal funds from businesses — continues to be a stronger source of revenue for cybercriminals. In 2021, BEC attacks accounted for 35%, or $2.4 billion, of the $6.9 billion in potential losses tracked by the FBI's Internet Crime Complaint Center (IC3), while ransomware remained a small fraction (0.7%) of the total. 

In terms of revenue from individual attacks on businesses, the Arctic Wolf analysis noted that the median ransom for the first quarter was about $450,000, but the research team did not provide the average loss for victims of BEC attacks.

**Shifting Financially Motivated Cyber Tactics**

Abnormal Security found in its threat report earlier this year that that the vast majority of all cybercrime incidents (81%) involved external vulnerabilities in a few highly targeted products — namely, Microsoft's Exchange server and VMware's Horizon virtual-desktop software — as well as poorly configured remote services, such as Microsoft's Remote Desktop Protocol (RDP).

Unpatched versions of Microsoft Exchange in particular are vulnerable to the ProxyShell exploit (and now the ProxyNotShell bugs), which uses three vulnerabilities to give attackers administrative access to an Exchange system. While Microsoft patched the issues more than a year ago, the company did not publicize the vulnerabilities until a few months later.

VMware Horizon is a popular virtual desktop and app product vulnerable to the Log4Shell attack that exploited the infamous Log4j 2.0 vulnerabilities.

Both avenues are fueling BEC campaigns specifically, researchers have noted. 

In addition, many cyber gangs are using data or credentials stolen from businesses during ransomware attacks to fuel BEC campaigns.

"As organizations and employees become more aware of one tactic, threat actors will adjust their strategies in an effort to stay one step ahead of email security platforms and security awareness training," Abnormal Security said earlier this year. "The changes noted in this research are just some of the indicators that those shifts are already occurring, and organizations should expect to see more in the future."

    

81% of incidents involved an external vulnerability or weakness. Source: Arctic Wolf

Social engineering is popular, too, as ever. While external attacks on vulnerabilities and misconfigurations are the most prevalent way that attackers gain access to systems, human users and their credentials continue to be a popular target in BEC attacks, says Arctic Wolf's Thanos.

"BEC cases are often the result of social engineering, compared to ransomware cases, which are often caused by exploitation of unpatched vulnerabilities or remote access tools," he says. "In our experience, threat actors are more likely to attack a company via remote exploit than dupe a human.  

**How to Avoid BEC Compromise**

To avoid being a victim, basic security measures can go a long way, Arctic Wolf found. In fact, many companies falling prey to BEC attacks did not have security controls that potentially could have prevented damage, the company stated in its analysis. 

For instance, the research found that 80% of those companies suffering a BEC incident had no multifactor authentication in place. In addition, other controls, such as network segmentation and security awareness training, could help prevent BEC attacks from being costly, even after the attacker successfully compromises an external system.

"Companies should strengthen their employee defenses through security training," Thanos says, "but they also need to address the vulnerabilities that threat actors focus on."

Cybercriminals See Allure in BEC Attacks Over Ransomware

Malicious Comm100 files have been found scattered throughout North America, and across sectors including tech, healthcare, manufacturing, telecom, insurance, and others.

A new supply chain attack uses a Trojanized version of the Comm 100 Live Chat Application to compromise networks, and until Sept. 29, it was actively available for download from Comm 100's official website. 

The Comm100 Live Chat application enables organizations to communicate with real-time chat and boasts more than 15,000 customers across 51 countries. 

Researchers with CrowdStrike reported the malicious Comm100 installer was available for download on the company's website and was signed on Sept. 26. 

Following the CrowdStrike disclosure, Comm100 has released an updated installer (10.0.9) on Thursday and is performing a deep analysis to learn more about the attack, the researchers said.  

Despite the relatively short lifespan of the supply chain attack, the malware was able to infect several organizations, with some infections still active.

"The trojanized file was identified at organizations in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe," the report on the supply chain attack said. 

The CrowdStrike team members added they are moderately confident the threat actors are from China, based on several factors, including the use of the Chinese language in notes in the code. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Trojanized, Signed Comm100 Chat Installer Anchors Supply Chain Attack

The "ProxyNotShell" security vulnerabilities can be chained for remote code execution and total takeover of corporate email platforms.

Microsoft is fast-tracking patches for two Exchange Server zero-day vulnerabilities reported overnight, but in the meantime, businesses should be on the lookout for attacks. The computing giant said in a Friday update that it's already seeing "limited targeted attacks" chaining the bugs together for initial access and takeover of the email system.

The flaws specifically affect on-premises versions of Microsoft Exchange Server 2013, 2016, and 2019 that face the Internet, according to Microsoft. However, it's worth noting that security researcher Kevin Beaumont says that Microsoft Exchange Online Customers running Exchange hybrid servers with Outlook Web Access (OWA) are also at risk, despite the official advisory stating that Online instances aren't impacted. The team at Rapid7 echoed that assessment.

The bugs are tracked as follows:

*   CVE-2022-41040 (CVSS 8.8), a server-side request forgery (SSRF) vulnerability giving access to any mailbox in Exchange;
*   CVE-2022-41082 (CVSS 6.3), which allows authenticated remote code execution (RCE) when PowerShell is accessible to the attacker.

Importantly, authenticated access to the Exchange Server is necessary for exploitation, Microsoft's alert pointed out. Beaumont added, "Please note exploitation needs valid non-admin credentials for any email user."

**Patches & Mitigations for CVE-2022-41040, CVE-2022-41082**

So far, there's no patch available, but Microsoft has triaged the bugs and is fast-tracking a fix.

"We are working on an accelerated timeline to release a fix," according to Microsoft's Friday advisory. "Until then, we're providing the mitigations and detections guidance."

The mitigations include adding a blocking rule in "IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions" to block the known attack patterns; and the company included URL rewrite instructions in the advisory, which it said it "confirmed are successful in breaking current attack chains."

Also, the alert noted that "since authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger RCE using CVE-2022-41082, blocking the ports used for Remote PowerShell can limit the attacks."

**Blindsiding-Bug Disclosure**

The flaws were disclosed in a blog post from Vietnamese security company GTSC, which noted that it submitted bug reports to Trend Micro's Zero Day Initiative last month. While typically this would have resulted in a responsible vulnerability disclosure process in which Microsoft would have 120 days to patch before the findings were made public, GTSC decided to publish after seeing in-the-wild attacks, it said.

"After careful testing, we confirmed that those systems were being attacked using this 0-day vulnerability," GTSC researchers noted in its Thursday blog post. "To help the community temporarily stop the attack before an official patch from Microsoft is available, we publish this article aiming to those organizations who are using Microsoft Exchange email system."

It also offered detail analysis of the bug chain, which is similar under the hood to the ProxyShell group of Exchange Server vulnerabilities. This prompted Beaumont (@gossithedog) to dub the chain "ProxyNotShell," complete with its own logo.

He said in his analysis on Friday that while many attributes of the bugs are exactly like ProxyShell, the ProxyShell patches don't fix the issue. He also noted that in terms of attack surface, "near a quarter of a million vulnerable Exchange servers face the internet, give or take."

He characterized the situation as "pretty risky" in a Twitter feed, noting that exploitation seems to have been going on for at least a month, and that now that the flaws are public, things could "go south pretty quickly." He also called into question Microsoft's mitigation guidance.

"My guidance would be to stop representing OWA to the internet until there is a patch, unless you want to go down the mitigation route ... but that has been known about for a year, and, eh — there's other ways to exploit Exchange for RCE without PowerShell," Beaumont tweeted. "For example, if you have SSRF (CVE-2022-41040) you are god in Exchange, and can access any mailbox via EWS — see the prior activity. So, I'm not sure that mitigation will hold."

Microsoft did not immediately respond to a request for comment by Dark Reading.

Microsoft Confirms Pair of Blindsiding Exchange Zero-Days, No Patch Yet

The SolarMarker group is exploiting a vulnerable WordPress-run website to encourage victims to download fake Chrome browser updates, part of a new tactic in its watering-hole attacks.

Researchers have discovered the cyberattack group behind the SolarMarker malware targeting a global tax consulting organization with a presence in the US, Canada, the UK, and Europe, which is using fake Chrome browser updates as part of watering hole attacks.  

It's a new approach for the group, replacing its previous method of search engine optimization (SEO) poisoning, also known as spamdexing.

SolarMarker is multistage malware which can exfiltrate autofill data, saved passwords, and saved credit card information from victims' Web browsers.

**Preparation for a Wider Attack?**

According to an advisory published by eSentire's Threat Response Unit (TRU) on Friday, the threat group was seen exploiting weaknesses in a medical equipment manufacturer's website, which was built with the popular open source content management system WordPress.

The victim was an employee of a tax consulting organization and searched for the manufacturer by name on Google.

"This tricked the employee into downloading and executing SolarMarker, which was disguised as a Chrome update," the advisory noted.

"The fake browser update overlay design is based on what browser the victim is utilizing while visiting the infected website," the advisory added. "Besides Chrome, the user might also receive the fake Firefox or Edge update PHP page."

It is unclear whether the SolarMarker group is testing new tactics or preparing for a wider campaign, given that the TRU team has only observed a single infection of this vector type — previous SolarMarker attacks used SEO poisoning to hit people who searched online for free templates of popular business documents and business forms.

**Monitor Endpoints, Raise Employee Awareness**

The TRU advisory outlines four key steps organizations can take to reduce the impact of these kinds of attacks, including raising employee awareness regarding browser updates that occur automatically, and avoiding downloading files from unknown sites.

"Threat actors research the kind of documents businesses look for and try to get in front of them with SEO," the advisory stated. "Only use trusted sources when downloading content from the internet, and avoid free and bundled software."

The advisory also recommended more vigilant endpoint monitoring, which TRU adds will require more frequent rule updates to detect the latest campaigns, as well as enhanced threat-landscape monitoring to bolster the organization's overall defense posture.

**SolarMarker Campaigns Back After Dormant Period**

The .NET malware was first discovered in 2020 and is typically spread via a PowerShell installer, with information-gathering capabilities and a backdoor.

In October 2021, Sophos Labs observed a number of active SolarMarker campaigns that followed a common pattern: using SEO techniques, the cybercriminals managed to place links to websites with Trojanized content in the search results of several search engines.

A previous SolarMarker campaign reported by Menlo Security in October 2021 used more than 2,000 unique search terms, luring users to sites that then dropped malicious PDFs rigged with backdoors.

SolarMarker Attack Leverages Weak WordPress Sites, Fake Chrome Browser Updates

Reports to the National Vulnerability Database jumped in 2022, but we should pay just as much attention to the flaws that are not being reported to NVD, including those affecting the software supply chain.

"You can't improve what you don't measure" is an oft-cited bit of wisdom frequently attributed to the famous management consultant Peter Drucker.

It's hard to dismiss the core truth of the saying, even if — for the record — he didn't say it, according to the Drucker Institute. After all, metrics from quarterly sales to individual KPIs are the basis for compensation, promotions, and more in 21st century organizations. There is also abundant evidence — from B.F. Skinner, for one — that humans quickly tailor their behaviors to how they're measured and incentivized.

The question that goes unasked is whether the right things are being measured, or whether the measurements in question are complete enough that they don't distort the perceptions (and decisions) of those doing the measuring. Those kinds of inconvenient questions informed research sponsored by ReversingLabs, the firm I co-founded, that analyzed six months of reports to the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST).

**2022: A Banner Year for CVEs**

Our analysis found that vulnerability reports of new Common Vulnerabilities and Exposures (CVEs) to the NVD are accelerating, with 2022 on track to be the biggest year ever for new vulnerability reports. If the current trend holds, there will be more than 24,500 reports by year's end. That would mark a 22% increase over 2021, which was also a record-breaking year.

Those numbers seem to suggest that software security is deteriorating and that more forceful interventions by the public and private sector are needed to shore up software security. But there's a lot that's missed in that quick take. In its two decades of existence, the NVD has seen inconsistent growth in the number of reported vulnerabilities and exposures. Before 2005, the annual number of vulnerabilities assigned a CVE identifier never exceeded 2,500. For more than a decade after that, disclosed issues fluctuated between 4,000 and 8,000 reports per year.

The number of new CVEs in those years reflected the limited capacity of the CVE team at the nonprofit corporation MITRE, which was charged with taking in and documenting new CVE reports. We know that, because once MITRE began inviting more organizations to report vulnerabilities as CVE Number Authorities (CNAs) in 2016, the number of vulnerabilities surged. It doubled in 2017, and each year since has surpassed the previous year's record of reported CVEs.

The message: Considering a metric like the number of new CVEs is a mostly meaningless exercise if you're trying to assess the overall state of software security. More contributing firms will result in more CVEs. Fewer contributing firms will produce a drop in CVEs. The overall trend line is meaningless — at least so long as participation in the CVE program and submissions to the NVD by software vendors are voluntary.

**Software Supply Chain Security: Unmeasured and Unimproved**

As to the question of whether the right things are being measured? Here again, the current configuration of the NVD is misleading and heavily skewed toward the "usual suspects." Linux distributions Fedora and Debian accounted for 1,123 and 958 vulnerabilities, respectively, in the first half of 2022 and rank first and third on the list of software firms affected by reported issues, our research revealed. Google, Microsoft, Oracle, and Apple accounted for more than 500 vulnerabilities each.

The NVD has far less to say about flaws in popular open source platforms that are getting attention from sophisticated cyber actors. For example, our research shows that attacks on the popular software package repositories NPM and Python Package Index (PyPI) spiked 289% in the past few years, to 1,010 in 2021 from 259 in 2018. But only 56 CVEs referencing PyPI are in the NVD. PyPi's owner, the Python Software Foundation, is not a CNA. Other popular development and CI/CD platforms like CodeCov, CircleCI, and Bamboo are likewise not CNAs.

**Uncomfortable Question: Can We Trust Code?**

What does this disconnect mean for the future of public resources like the NVD? Change, for one thing. Recent events — such as the hijacking of the popular ua-parser-js project by a cryptominer — show that even seemingly secure projects can be compromised.

The lesson from incidents like this is that software security teams need to expand their focus beyond vulnerability scanning and even source code analysis to look at what code is doing. As long as we ignore this core question — can we trust code? — we are not addressing software supply chain security.

NIST and the federal government are also slowly pushing forward to implement the White House's year-old executive order on improving the nation's cybersecurity, which requires all federal government contractors and software providers to create a software bill of materials (SBOM) that can be reviewed. Recently released practice guidelines from the NSA, CISA, and ODNI further spell out steps organizations can take to secure software supply chains.

To keep pace with these larger changes, however, the NVD also needs to evolve. At the very least, its scope should expand to consistently include software supply chain exposures. Only then will the NVD move closer to representing the full breadth of threats facing modern organizations.

With the Software Supply Chain, You Can't Secure What You Don't Measure

Onyxia, an AI-powered cybersecurity strategy and performance platform providing a centralized way for security teams to monitor and manage cybersecurity efforts in real time, has raised $5 million in seed fundraising led by World Trade Ventures with participation by Silvertech Ventures and angel investors.

**NEW YORK (PRWEB), Sept. 29, 2022 —** Onyxia, an AI-powered cybersecurity strategy and performance platform providing a centralized way for security teams to monitor and manage cybersecurity efforts in real time, has raised $5 million in seed fundraising led by World Trade Ventures (WTV) with participation by Silvertech Ventures and angel investors. Onyxia is setting a new standard in cybersecurity by enabling enterprises and managed security service providers (MSSPs) to consistently have real-time insight into their internal systemic and macro cybersecurity postures, proactively highlighting strategies to close imminent security gaps and threats. The funding will be used to accelerate automation development, expand staff, and enhance platform design.

From data destruction to monetary theft, cybercrimes today take many different shapes and sizes. Globally, organizations suffered a ransomware attack every 11 seconds in 2021. New attacks on consumers and businesses are expected to occur every two seconds by 2031 and cybercrime is predicted to hit $10.5 trillion by 2025.

“CISOs work in an environment where threats and security solutions change rapidly. Too often, legacy cybersecurity software fails to keep up with an evolving landscape despite security teams spending $150 billion annually (Gartner) on consulting and manual processes,” said Charlie Federman, Partner at SilverTech Ventures. “Onyxia is addressing a blind spot in the market. Its dynamic solution is what every CISO needs in order to maintain an accurate picture of their cybersecurity landscape and make insight-driven decisions.”

Leveraging AI, Onyxia’s platform keeps pace with the ever-changing security landscape while personalizing the platform and remediation recommendations for each company. And with actionable insights, Onyxia empowers security professionals to define their security environment and highlight the best solutions and strategies to close vulnerable gaps before they emerge.

“​​Traditional cybersecurity systems are reactive, burdening CISOs with manual work. As a result, many vulnerabilities are ignored while pervasive cyber threats are becoming more complex,” says Sivan Tehila, CEO of Onyxia. “We built Onyxia to be a proactive solution to cybersecurity threats, aimed at keeping CISOs ahead of the curve by providing them with tailored insights based on real-time data, so companies properly prioritize and are best prepared.”

Onyxia was founded by Sivan Tehila, who served as CISO of the Research and Analysis Division and Head of Information Security for the Israeli Defense Force (IDF) prior to founding the company.

**About Onyxia:**  
Onyxia is an AI-powered cybersecurity strategy, management, and performance SaaS platform enabling enterprise security professionals to understand their Cybersecurity posture in real-time. By leveraging automation and scalability, Onyxia enables CISOs to gain a holistic view of their entire cybersecurity environment while highlighting the best solutions and strategies to close security gaps. For more information, visit https://onyxia.io/.

**About Silvertech Ventures:**  
Silvertech Ventures is a venture capital firm focused on helping entrepreneurs grow their companies by respecting the role of the CEO, helping with our network and experience, and most importantly, by being there when needed. Other security investments by Silvertech Ventures include Semperis, Reveal Security, and Firedome. Visit https://silvertechventures.com/ for more information.

Onyxia Raises $5M to Help Companies Proactively Manage Cybersecurity Risks Using AI

Multiple providers say  'cloud data sprawl' makes managing cloud data risk a priority initiative within the next 12 months.

SAN MATEO, Calif. and TEL AVIV, Israel , Sept. 28, 2022 /PRNewswire/ -- Cyera, cloud data security company, released the results of a survey of 200 cybersecurity professionals today that found 33% of organizations want to minimize cloud data risk and 48% want to improve governance or policy management of cloud data access.

Cyera's survey polled nearly 200 cybersecurity professionals on their security focus areas for the next 12 months and found that:

*   43% prioritize data protection in their public cloud infrastructure as a top priority.
*   31% rank discovering and classifying cloud data a priority.
*   35% utilize at least two public cloud providers from a list that included Amazon Web Services, Google Cloud, Microsoft Azure, Alibaba, IBM and Oracle; 17% of respondents rely on three or more.

"The survey data affirms that security teams are struggling to keep pace with data proliferation across their cloud environments," said Yotam Segev, Cyera co-founder and CEO. "The cloud provides obvious business advantages, but the sheer volume of data moving to the cloud, lack of visibility and the use of multiple cloud service providers all increase the threat surface exponentially."

Migrating to the cloud can cut operating costs by nearly 40%. It also boosts development agility, reduces time spent maintaining traditional IT infrastructure, and offers flexibility and scalability benefits over traditional on-premises infrastructure. But cloud providers only offer limited visibility into what data customers have, how sensitive it is, and how to improve the security and risk posture of that data across their cloud estate. This results in greater cyber-resilience and compliance risks stemming from exposed sensitive data, overly permissive access, and free movement of data between environments and individuals.

Common examples include sensitive data in non-production environments, customer and employee personally-identifiable information that is accessible to users that have no business justification to access them, and poor backup management. In the latter case, a business may believe that they no longer have a reason to manage data from a given application and decommission the cloud data stores associated with it.

Recently, Cyera found ghost data in over 30% of cloud data stores. These are typically found in non-production environments that are not secured with the same rigor as a production environment, where sensitive data they contain is more susceptible to inadvertent disclosure or exfiltration. They also represent a potential GDPR (EU General Data Protection Regulation) violation, because maintaining personal data when there is no longer a business purpose to maintain it violates the statute.

"Cloud data security requires a new approach to addressing the secular growth in data volumes, cloud migration, and risks posed by data regulation and cyber attackers," said Phillipe Botteri, partner at Accel. "CISOs and security teams are in need of rapidly-deployable, comprehensive and innovative solutions."

Cyera is purpose-built to deliver protection for cloud data and provide complete, detailed context on data, access and identities. Intelligent and context-rich, the platform creates a bridge between business imperatives and security controls. With Cyera, security teams can reduce access risk, contain data sprawl and ensure encryption from a unified view that provides continuous visibility without impacting security or performance. Cyera empowers customers to realize the speed and scale that the cloud promises, allowing their teams to innovate and build value with security as an enabler.

**About Cyera**

Cyera is the cloud data security company that gives businesses context and control over their cloud data. The company's mission is to empower security teams to enable innovation, securely. As the industry's most advanced cloud data protection platform, Cyera instantly provides companies a strong baseline for all security, risk management, and compliance efforts and ensures the entire organization operates with the same policies and guardrails. Backed by leading investors including Sequoia, Accel, and Cyberstarts, Cyera is defining the way companies do cloud data security. To learn more, visit www.cyera.io.

Source

DARKReading