According to new Venafi research, two-thirds of organizations have changed cyber strategy in response to war in Ukraine.

**SALT LAKE CITY, Aug. 24, 2022 —** Venafi®, the inventor and leading provider of machine identity management, today announced the findings of new research that evaluates the security impact of the increasing number of nation-state attacks and recent shifts in geopolitics. Venafi research into the methods used by nation-state threat actors shows the use of machine identities is growing in state-sponsored cyberattacks.

The study of over 1,100 security decision makers (SDMs) globally found that 66% of organizations have changed their cybersecurity strategy as a direct response to the conflict between Russia and Ukraine, while nearly two-thirds (64%) suspect their organization has been either directly targeted or impacted by a nation-state cyberattack.

Other key findings from the research include:

*   77% believe we're in a perpetual state of cyberwar
*   82% believe geopolitics and cybersecurity are intrinsically linked
*   More than two-thirds (68%) have had more conversations with their board and senior management in response to the Russia/Ukraine conflict
*   63% doubt they'd ever know if their organization was hacked by a nation-state
*   64% think the threat of physical war is a greater concern in their country than cyberwar

"Cyberwar is here. It doesn't look the way some people may have imagined it would, but security professionals understand that any business can be damaged by nation-states. The reality is that geopolitics and kinetic warfare now must inform cybersecurity strategy," said Kevin Bocek, vice president, security strategy and threat intelligence at Venafi**.** "We've known for years that state-backed APT groups are using cybercrime to advance their nations' wider political and economic goals. Everyone is a target, and unlike a kinetic warfare attack, only you can defend your business against nation-state cyberattacks. There is no cyber-Iron Dome or cyber-NORAD. Every CEO and board must recognize that cybersecurity is one of the top three business risks for everyone, regardless of industry."

Venafi research has also found that Chinese APT groups are conducting cyber espionage to advance China's international intelligence, while North Korean groups are funneling the proceeds of cybercrime directly to their country's weapons programs. The SolarWinds attack — which compromised thousands of companies by exploiting machine identities to create backdoors and gain trusted access to key assets — is a prime example of the scale and scope of nation-state attacks that leverage compromised machine identities. Russia's recent HermeticWiper attack, which breached numerous Ukrainian entities just days before Russia's invasion of the country, used code signing certificates to authenticate malware in a recent example of machine identity abuse by nation-state actors.

The digital certificates and cryptographic keys that serve as machine identities are the foundation of security for all digital transactions. Machine identities are used by everything from physical devices to software to communicate securely. The only way to reduce risks of machine identity abuse commonly used by nation-state attackers is through a control plane that provides observability, governance and reliability.

"Nation-state attacks are highly sophisticated, and they often use techniques that haven't been seen before. This makes them extremely difficult to defend against if protections aren't in place before they happen," continued Bocek. "Because machine identities are regularly used as part of the kill chain in nation-state attacks, every organization needs to step up their game. Exploiting machine identities is becoming the modus operandi for nation-state attackers."

For more information about this research, please read the blog.

**About the research**

Conducted by Sapio in July 2022, Venafi's study evaluated the opinions of 1,101 security decision makers across the United States, United Kingdom, France, Germany, Benelux (Belgium, Netherlands, Luxembourg) and Australia.

**About Venafi**

Venafi is the cybersecurity market leader in machine identity management. From the ground to the cloud, Venafi solutions manage and protect identities for all types of machines — from physical and IoT devices to software applications, APIs and containers. Venafi provides global visibility, life cycle automation and actionable intelligence for all machine identity types and the security and reliability risks associated with them.

Jetstack, a Venafi company, is a cloud native products and strategic consulting company working with enterprises using Kubernetes and OpenShift.

An open source pioneer, Jetstack has achieved notable industry recognition as the creator of cert-manager, the open source industry standard for cloud native machine identity management. Jetstack's open source products and solutions protect the application environments and platform infrastructure of global banks, multinational retailing companies and defense organizations by providing enterprise platform and security teams the power to build, scale and secure their cloud infrastructure.

With more than 30 patents, Venafi delivers innovative machine identity management solutions for the world's most demanding, security-conscious organizations and government agencies, including the top five U.S. health insurers; the top five U.S. airlines; the top four credit card issuers; three out of the four top accounting and consulting firms; four of the five top U.S. retailers; and the top four banks in each of the following countries: the U.S., the U.K., Australia and South Africa.

For more information, visit www.venafi.com and www.jetstack.io.

The (Nation) State of Cyber: 64% of Businesses Suspect They've Been Targeted or Impacted by Nation-State Attacks

Understanding how and why people respond to cyber threats is key to building cyber-workforce resilience.

The complexity, ceaselessness, and increasingly destructive nature of today's cyber threats creates a high cognitive workload. This is why it's crucial to ensure that employees are developing the right cognitive skills and agility to protect against attacks. Doing so will have a powerful impact on an organization's cyber-workforce resilience.

A recent "Cyber Workforce Benchmark" report from Immersive Labs took the pulse of cyber skills, knowledge, and preparedness of organizations and their workforces across numerous industries, including financial services, retail, healthcare, and government. The report examines how prepared certain industries are for cyberattacks, providing results from a psychological standpoint. Here are some key findings from the report and the psychological analysis behind them.

**The frequency of organizations conducting cyber-crisis exercises varies significantly across different industries — and can also impact performance scores.**

An analysis of more than 6,400 crisis response decisions shows that technology and financial services companies prepare the most for cyberattacks, running nine and seven exercises per year, respectively. Critical national infrastructure organizations prepare the least, with just one exercise per year. Healthcare runs a mere two. When it comes to these industries' performance in cyber-crisis exercises, healthcare scored 18%, which is low when compared with technology companies, which scored 80%.

_What it means: The more an organization exercises its abilities, the better they become._

Psychology provides an explanation as to why this is the case. People develop surface-level knowledge of a capability before moving on to more advanced thinking. If these skills aren't reinforced or exercised, they fade. It's like learning a new language: If you don't practice the language and speak it on a regular basis, odds are you will lose your knowledge of it. Only with regular, consistent practice and exercise will crisis response teams be able to develop the ability to make connections between previous decisions and how to apply them — or not — during a cyberattack.

**Ransomware causes great uncertainty for crisis response teams.**

The research asked participants to rate how confident they were in their answers during training, and the simulations that focused on ransomware were the ones where participants lost confidence in their decision-making and judgments. Teams did not want to pay the ransom, with 83% of participants saying they would not do so. However, they were also uncertain about the outcome if they did not pay. Interestingly, the report showed, the industries most likely to pay ransoms were education (25%), consulting (23%), and retail and e-commerce (20%).

_What it means: This lack of decision-making confidence points to a classic issue for crisis response teams, often referred to as a "wicked problem."_

When considering options with no clear-cut resolution, decisions are challenged by data overload and decision fatigue. The sheer amount of information can be overwhelming. Decisions may be rushed, based on uncertainty or even fear. In the end, because the brain becomes overwhelmed, we settle on a compromise that leads to a lack of confidence in the decision.

**High-profile vulnerabilities see a significantly decreased time to capability.**

Four of the top five fastest-developed skills in 2021 came from dealing with the Log4j vulnerability. It took cybersecurity teams an average of two days to develop the knowledge and skills to defend against it. This was a whopping 48 times faster than the average threat intelligence lab. This reflects the severe impact of Log4j. It also demonstrates the scramble many teams faced in understanding and responding to the threat.

_What it means: The human need to take action is an automatic response, hardwired into our brains, and could cause people to rush into making decisions — good or bad._

The brain makes assumptions and takes shortcuts based on previous experiences, which could spell trouble for organizations. These assumptions and shortcuts, known as biases and heuristics, can lead to irrelevant decisions that may end up backfiring or even making situations worse. If people understood how their minds work and how they react in emergencies, they could learn how to eventually counteract their natural instincts. This will help increase confidence and the effectiveness of decision-making in the future.

**The Bottom Line**

Cyber-workforce resilience is more crucial than ever before. Cyber-crisis exercises should not be considered a one-and-done occurrence — nor should they be exclusive to cyber teams. We must shift our mindset to making regular exercises a critical business function, developing cognitive agility across the entire workforce. Continuous professional development needs to become part of the day job. We call this concept "microdrilling." It helps to sharpen teams' skills, bolster their confidence when making decisions, and enable them to make smarter decisions in real-life situations. The goal is not to teach people to respond to a specific crisis, but rather to develop the necessary decision-making skills to respond to _any_ crisis. Organizations will never become truly cyber resilient unless they make regular cyber exercises across the workforce a priority.

What You Need to Know About the Psychology Behind Cyber Resilience

Increase driven by increasingly sophisticated cyberattacks as well as increase in mobile-based business-critical applications, according to report.

**CHICAGO****, Aug. 24, 2022 /PRNewswire/** -- Penetration Testing Market size is expected to grow from an estimated value of USD 1.4 billion in 2022 to 2.7 billion USD by 2027, at a Compound Annual Growth Rate (CAGR) of 13.7% from 2022 to 2027, according to a new report by MarketsandMarkets™.

Some of the factors that are driving the market growth include regular penetration testing practices required due to strict regulations and compliances; increasing sophistication of cyberattacks, causing organisations to suffer financial and reputational losses; and more people are using smartphones and the internet, leading to an increase in mobile-based business-critical applications.

_Browse in-depth TOC on_ **"Penetration Testing Market"  
401 – Tables  
49 – Figures  
320 – Pages**

**Download PDF Brochure:** https://www.marketsandmarkets.com/pdfdownloadNew.asp?id=13422019

**By deployment mode, the cloud segment is projected to grow with a higher CAGR during the forecast period.**

An authorized, simulated cyberattack on a system that is hosted on a cloud provider, such as Microsoft Azure or Amazons AWS, is known as cloud-based penetration testing. Finding a system's vulnerabilities and strengths allows for an accurate assessment of its security situation, which is the fundamental goal of a cloud penetration test. Increased technical assurance and a greater comprehension of the attack surface that the systems are exposed to are two main advantages of a cloud penetration test. Whether they are Infrastructure as a Service, Platform as a Service, or Software as a Service, cloud systems are susceptible to security vulnerabilities, attacks, and threats similar to traditional systems. Despite cloud service providers providing more effective security measures, it is ultimately the organization's responsibility to secure its cloud-based operations. As a result, businesses must use penetration testing services for the cloud both now and in the future.

**By Type, the web application segment to hold a larger market size during the forecast period.**

With an increase in the use of web applications, the business process has changed along with sharing and accessing data. Because of this, malicious attackers get an opportunity to intrude into the system. Therefore, web application pen testing has become important to defend the application and network. Web application penetration testing simulates unauthorized attacks internally or externally to access sensitive data. This process helps end users discover the possibility for a hacker to access the data from the internet, check out the security of their email servers, and secure the web hosting site and server. Furthermore, the outcomes of web application penetration testing help identify and mitigate the security weaknesses in web applications and other components, such as source code, back-end network, and database associated with application penetration testing.

**Request Sample Pages:** https://www.marketsandmarkets.com/requestsampleNew.asp?id=13422019

**By region, Europe to grow at a significant CAGR during the forecast period.**

Europe comprises the major growing economies, including the UK, Germany, and France. The region has been exhibiting continued growth in adopting penetration-testing solutions. The growing number of mobile users accessing huge amounts of business data and the lack of skills have led to concerns over data security and privacy breaches across the region.

In Europe, penetration testing is mostly adopted to comply with regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) or the EU GDPR. Various regulations and standards have multiple offerings specifically related to system auditing and security and either indicate or specify that penetration testing is necessary to determine whether identified vulnerabilities pose a genuine risk to an organization. Red teaming has become an increasingly present practice in the finance sector. The EU has developed the Threat Intelligence-Based Ethical Red (TIBER) teaming initiative to test the resilience of European financial institutions with regard to cyberattacks.

**Get 10% Free Customization on this Report:** https://www.marketsandmarkets.com/requestCustomizationNew.asp?id=13422019

**Market Players**

Major vendors in the global **Penetration Testing Market** include Rapid7 (US), Secureworks (US), Synopsys (US), CrowdStrike (US), IBM (US), Coalfire Labs (US), Indium Software (US), Cigniti Technologies Ltd. (US), Trustwave (US), Cisco Systems (US), Fortinet (US), Bugcrowd (US), Invicti (US), Hackerone (US), Raxis (US), RSI Security (US), Rhino Security Labs (US), Sciencesoft Limited (US), Portswigger (UK), Netragard (US), Software Secured (Canada), Vumetric Cybersecurity (Canada), Nettitude (UK), Zimperium (US), NowSecure (US), SecurityMetrics (US), NetSPI (US), CovertSwarm (UK), Holm Security (Sweden), Intruder Systems (UK), BreachLock (US), ISECURION (India), and Redbot Security (US).

**Browse Adjacent Markets**: Information Security Market Research Reports & Consulting

**Related Reports:**

**Application Security Market** by Component (Software Tools (SAST and DAST) and Services), Type (Web Application Security and Mobile Application Security), Organization Size, Deployment Mode, Vertical (Healthcare and BFSI), and Region — Global Forecast to 2025

**Automated Breach and Attack Simulation Market** by Offering (Platform and Tools, and Services), Service, Deployment Mode, Application (Configuration Management, Patch Management, and Threat Intelligence), End User, and Region — Global Forecast to 2025

**About MarketsandMarkets™**

MarketsandMarkets™ provides quantified B2B research on 30,000 high growth niche opportunities/threats which will impact 70% to 80% of worldwide companies' revenues. Currently servicing 7,500 customers worldwide, including 80% of global Fortune 1000 companies as clients. Almost 75,000 top officers across eight industries worldwide approach MarketsandMarkets™ for their pain points around revenues decisions.

Our 850 fulltime analyst and SMEs at MarketsandMarkets™ are tracking global high growth markets following the "Growth Engagement Model — GEM". The GEM aims at proactive collaboration with the clients to identify new opportunities, identify most important customers, write "Attack, avoid and defend" strategies, identify sources of incremental revenues for both the company and its competitors. MarketsandMarkets™ now coming up with 1,500 MicroQuadrants (Positioning top players across leaders, emerging companies, innovators, strategic players) annually in high growth emerging segments. MarketsandMarkets™ is determined to benefit more than 10,000 companies this year for their revenue planning and help them take their innovations/disruptions early to the market by providing them research ahead of the curve.

MarketsandMarkets's flagship competitive intelligence and market research platform, "Knowledge Store," connects over 200,000 markets and entire value chains for deeper understanding of the unmet insights along with market sizing and forecasts of niche markets.

Penetration Testing Market Worth $2.7B By 2027: MarketsandMarkets(TM) Report

Optiv's Black Employee Network offers the scholarship, paid out over 4 years, for students seeking a career in the cybersecurity/information security industry.

**KANSAS CITY, Mo., Aug. 24, 2022 /PRNewswire/** — As part of its continued commitment to diversity within the cyber and information security fields, Optiv, the cyber advisory and solutions leader, is accepting applications until Jan. 27, 2023, for its annual $40,000 scholarship for Black, African-American-identifying STEM (science, technology, engineering and mathematics) students.

Awarded by Optiv's Black Employee Network, the scholarship is paid out over four years. Previous recipients include AJ McCrory, a freshman studying computer science with an emphasis on software development at James Madison University, and Lauren Harris, a sophomore studying biology and computer science at Princeton University.

Applicants must meet the following qualifications to apply:  
— Be a graduating high school senior.  
— Verify acceptance into an eligible degree program in a STEM-related field (including, but not limited to, computer science, electrical engineering, math, etc.).  
— Minimum cumulative high school GPA is 3.5 on 4.0 scale.  
— Must maintain a cumulative undergraduate GPA of at least 2.8 on 4.0 scale over the course of four years to remain eligible for the scholarship.  
— Be planning a career in cybersecurity/information security.  
— Complete the scholarship application, including a one-page essay and two letters of reference.  
— Identify as Black and/or African-American (African, African-American, Caribbean, for example) and be a US Citizen, US national or permanent resident.  
Qualified candidates are encouraged to apply and learn more about the scholarship program here.

"It's our belief that our organization is at its best and our clients are better-served when a diverse range of voices has the opportunity to be heard, lead, and make an impact," said Heather Strbiak, Optiv's chief human resources officer. "We want boardrooms and breakrooms across our industry to more closely represent the population at large. By dedicating effort and resources to spur that outcome, we're aiming to close the talent and diversity gap in cybersecurity."

Optiv's Black Employee Network (BEN) is entirely employee-driven and part of the company's Diversity, Equity, and Inclusion (DEI) initiative.

"The most creative, thought-provoking, and successful projects I've worked on have been the result of inclusive environments where everyone's unique ideas were valued and represented," said Tesfaye Williams, Optiv's BEN community outreach leader. "This scholarship is our way of ensuring the cybersecurity industry continues to progress and be an attractive career path for people of color seeking to make a difference."

Optiv honors and embraces the diverse perspectives, ideas, backgrounds, and experiences of its people. The company's approach to DEI is grounded in listening, learning, and growing.

Learn more about Optiv at https://www.optiv.com/company/optiv-newsroom.

Follow Optiv  
Twitter: www.twitter.com/optiv  
LinkedIn: www.linkedin.com/company/optiv-inc  
Facebook: www.facebook.com/optivinc  
YouTube: www.youtube.com/c/OptivInc  
Blog: www.optiv.com/explore-optiv-insights/blog

**Optiv Security: Secure greatness.™**

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy, and operate complete cybersecurity programs, from strategy and managed security services to risk, integration, and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners, and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber-risk so you can secure your full potential. For more information, visit www.optiv.com.

SOURCE: Optiv Security Inc.

Optiv's Annual $40K Scholarship for Black, African-American-Identifying STEM Students Now Open for Applicants

The US Cybersecurity and Infrastructure Security Agency had wanted federal agencies to implement the fix for the RCE flaw in Hikvision cameras by Jan. 24, 2022.

Some 2,300 organizations worldwide — many of them in the United States — remain at risk of major compromise via a known critical remote code execution (RCE) vulnerability in Hikvision IP video cameras that was disclosed last year.

The bug (CVE-2021-36260) is a command injection vulnerability that is present in the Web server of several Hikvision cameras. Attackers can exploit the vulnerability to launch commands that allow them to gain complete root-shell access to an affected device — something that even the owners don't have, according to the researcher that discovered the flaw.

The organizations using the unpatched devices are at risk of network compromise, and potentially even physical attack; attackers could use the zero-click vulnerability to take complete control of affected Hikvision cameras. From there, they could disable them ahead of a physical breach, or use them to breach connected enterprise networks, launch denial-of-service attacks on them, add them to a botnet, steal data, and carry out other malicious actions. 

"This is the highest level of critical vulnerability — a zero click unauthenticated remote code execution (RCE) vulnerability affecting a high number of Hikvision cameras. Connected internal networks at risk," according to the bug report.

The firmware vulnerability was discovered in June 2021 and reported to the hardware vendor, which then issued a patch for it last September. However, close to a year later, tens of thousands of affected devices — whose users include at least some federal civilian agencies — remain unpatched against the vulnerability.

**Hikvision Camera Analysis**

Researchers from Cyfirma recently analyzed a sample of 285,000 Internet-facing Hikvision cameras and found some 80,000 of them that are still open to exploit via the vulnerability. 

The countries with the greatest number of vulnerable devices were China (12,690), the US (10,611), and Vietnam (7,394). Other countries with a sizeable number of vulnerable Hikvision cameras included the United Kingdom, Ukraine, Thailand, and South Africa. The cameras belong to more than 2,300 organizations scattered across these and other countries.

In its vulnerability disclosure last September, Hikvision listed dozens of its products as being impacted by the vulnerability — some going as far back as 2016. The company had urged organizations using affected Hikvision cameras to install updated firmware to patch the flaw and guard against potential attacks targeting the flaw. 

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-36260 to its catalog of known exploited vulnerabilities on Jan. 10 this year, and it required federal agencies using Hikvision cameras to install the firmware updates by Jan. 24.

According to Cyfirma, nearly a year after the flaw was disclosed, attacker interest in it remains high. The security vendor said it had observed multiple instances where threat actors sought to collaborate with each other to exploit the flaw.

"Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale," Cyfirma said. "These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization's environment." Cyfirma noted it has reason to believe that a few Chinese threats actors, including APT41 and APT10, are also looking to exploit the vulnerability to breach target networks where possible.

In a blog post this week, security vendor Malwarebytes noted that adversaries have few obstacles to exploitation given several proofs-of-concept that have been published. These include a potential exploit for it that was published on Packet Storm last October; a Metasploit module based on CVE-2021-36260 that Packet Storm published this February; and reports of a Mira botnet variant called Moobot that was spreading via the Hikvision vulnerability. 

"Given the amount of available information, it is trivial even for a 'copy and paste criminal' to make use of the unpatched cameras," Malwarebytes warned.

The researcher who discovered the flaw — who goes by the handle "Watchful\_IP" — described the vulnerability as trivial to exploit, giving attackers the ability to take complete remote control of Hikvision cameras simply by accessing the camera's http(s) server port, which usually is 80/443.

"No username or password \[is\] needed, nor any actions need to be initiated by the camera owner," the security researcher observed in his initial vulnerability disclosure last year. "It will not be detectable by any logging on the camera itself."

Vulnerabilities in IoT devices — which can be anything from video cameras and building management systems to critical Internet-connected systems in medical, industrial control systems (ICS), and operational technology (OT) networks — present a growing challenge for enterprise organizations. A new report from Claroty this week noted a 57% year-over-year increase in vulnerability disclosures involving IoT products. 

The security vendor's study showed that for the first time the percentage of disclosed firmware vulnerabilities, like the one in Hikvision cameras, was nearly the same as the percentage of software vulnerabilities — 46% vs. 48%. In addition, the combined number of IoT vulnerabilities and vulnerabilities in medical IoT devices exceeded IT vulnerabilities for the first time as well. Claroty noted: "This indicates enhanced understanding on the part of vendors and researchers to secure these connected devices as they can be a gateway to deeper network penetration."

Thousands of Organizations Remain at Risk From Critical Zero-Click IP Camera Bug

The FTK 7.6 portfolio promises better integration with other security and network resources, as well as unified analysis of mobile and computer evidence.

Digital forensics – the discipline of finding the traces that applications and processes leave behind in order to piece together events – has become vital to law enforcement agencies, lawyers, and researchers. Granted, combing through and analyzing even a single cell phone can be daunting in its sheer volume of data, but the knowledge gleaned can create a priceless "Perry Mason moment." 

Originating in 1984 with the US FBI's Computer Analysis and Response Team, the practice of digital forensics has expanded past government walls to create a marketplace of private service providers. Indeed, the worldwide digital forensics market is expected to grow from $10 billion in 2022 to almost $24 billion in 2030, according to Future Market Insights.

Digital forensics companies aim to make scanning for, collecting, and analyzing data easier and quicker. Toward that end, legal GRC software provider Exterro today announced an update to its FTK 7.6 set of products that the company says can make parsing mobile phone evidence from Android or iOS 10 times faster than previous generations of its products. Mobile evidence can be stored in the same database as computer evidence for unified analysis.

In addition, FTK Connect helps clients connect FTK tools with existing systems, including SIEM and SOAR/XSOAR, case management, e-discovery, and in-house applications. Besides allowing FTK users to collect and process data more quickly, the integration reduces the risk that moving data between systems creates, Exterro said.

While the company emphasized that its latest release is geared mainly for forensics for judicial use, it also improves incident response. Exterro pointed out that the FTK tool set allows enterprise cybersecurity staff to investigate potentially compromised endpoints, examining and collecting folders and files even when the endpoint is not connected to the corporate VPN.

Exterro counts among its customers dot-com businesses like DoorDash and Pinterest, big corporations like American Express and Nestle, and government entities such as the cities of Denver, Colorado and Sparks, Nevada; state offices in California, Massachusetts, and Maryland; and agencies such as the US General Services Administration and the Los Alamos National Lab.

New Exterro FTK Update Accelerates Mobile Digital Forensics

The bug tracked as CVE-2022-0028 allows attackers to hijack firewalls without authentication, in order to mount DDoS hits on their targets of choice.

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that a high-severity security vulnerability in Palo Alto Networks firewalls is being actively exploited in the wild.

The bug (CVE-2022-0028, CVSS severity score of 8.6), exists in the PAN-OS operating system that runs the firewalls, and could allow a remote threat actor to abuse them to deploy distributed denial-of-service (DDoS) attacks against targets of their choice — without having to authenticate.

Two weeks since its disclosure, CISA said that it has now seen the bug being adopted by cyber adversaries in the wild, and it's added it to its Known Exploited Vulnerabilities (KEV) catalogue. Attackers can exploit the flaw to deploy both reflected and amplified versions of DDoS floods.

Exploitation of the issue can help attackers to cover their tracks and location, according to the original Palo Alto Networks advisory issued earlier this month.

"The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target," according to the firm.

"The good news is that this vulnerability does not provide attackers with access to the victim's internal network," says Phil Neray, vice president of cyber-defense strategy at CardinalOps. "The bad news is that it can halt business-critical operations \[at other targets\] such as taking orders and handling customer service requests."

He notes that DDoS attacks aren't just mounted by small-time nuisance actors, as is often assumed: "DDoS has been used in the past by adversary groups like APT28 against the World Anti-Doping Agency."

The bug arises thanks to a URL-filtering policy misconfiguration, so instances that use a non-standard configuration are at risk. To be exploited, the firewall configuration "must have a URL filtering profile with one or more blocked categories assigned to a security rule with a source zone that has an external facing network interface," the advisory read.

**Exploited in the Wild**

Bud Broomhead, CEO at Viakoo, says bugs that can be marshaled into service to support DDoS attacks are in more and more demand by cybercriminals -- and are increasingly exploited.  

"The ability to use a Palo Alto Networks firewall to perform reflected and amplified attacks is part of an overall trend to use amplification to create massive DDoS attacks," he says. "Google's recent announcement of an attack which peaked at 46 million requests per second, and other record-breaking DDoS attacks will put more focus on systems that can be exploited to enable that level of amplification."

The speed of weaponization also fits the trend of cyberattackers taking increasingly less time to put newly disclosed vulnerabilities to work — but this also points to an increased interest in lesser-severity bugs on the part of threat actors.

"Too often, our researchers see organizations move to patch the highest-severity vulnerabilities first based on the CVSS," Terry Olaes, director of sales engineering at Skybox Security, wrote in an emailed statement. "Cybercriminals know this is how many companies handle their cybersecurity, so they've learned to take advantage of vulnerabilities seen as less critical to carry out their attacks."

But patch prioritization continues to be a challenge for organizations of all stripes and sizes thanks to the sheer number of patches that are disclosed in a given month — it totals hundreds of vulnerabilities that IT teams need to triage and assess, often without much guidance to go on. And furthermore Skybox Research Lab recently found that new vulnerabilities that went on to be exploited in the wild rose by 24% in 2022.

That said, "any vulnerability that CISA warns you about, if you have in your environment, you need to patch now," Roger Grimes, data-driven defense evangelist at KnowBe4, tells Dark Reading. "The \[KEV\] lists all the vulnerabilities that were used by any real-world attacker to attack any real-world target. Great service."

He notes that the list is exhaustive: "It isn't just full of Windows or Google Chrome exploits. I think the average computer security person would be surprised about what's on the list. It's full of devices, firmware patches, VPNs, DVRs, and a ton of stuff that isn't traditionally thought of as being highly targeted by hackers."

**Time to Patch & Monitor for Compromise**

For the newly exploited PAN-OS bug, patches are available in the following versions:

*   PAN-OS 8.1.23-h1
*   PAN-OS 9.0.16-h3
*   PAN-OS 9.1.14-h4
*   PAN-OS 10.0.11-h1
*   PAN-OS 10.1.6-h6
*   PAN-OS 10.2.2-h2
*   And all later PAN-OS versions for PA-Series, VM-Series and CN-Series firewalls.

To determine if the damage is already done, "organizations should ensure they have solutions in place capable of quantifying the business impact of cyber-risks into economic impact," Olaes wrote.

He added, "This will also help them identify and prioritize the most critical threats based on the size of financial impact, among other risk analyses such as exposure-based risk scores. They must also enhance the maturity of their vulnerability management programs to ensure they can quickly discover whether or not a vulnerability impacts them and how urgent it is to remediate."

Grimes notes that it's a good idea to subscribe to CISA's KEV emails as well.

"If you subscribe, you'll get at least an email a week, if not more, telling what the latest exploited vulnerabilities are," he says. "It isn't just a Palo Alto Networks problem. Not by any stretch of the imagination."

CISA: Just-Disclosed Palo Alto Networks Firewall Bug Under Active Exploit

The Russia-backed Nobelium APT has pioneered a post-exploitation tool allowing attackers to authenticate as any user.

The attackers responsible for the SolarWinds supply chain attack have added a new arrow to their quiver of misery: A post-compromise capability dubbed MagicWeb, which is used to maintain persistent access to compromised environments and move laterally.

Researchers at Microsoft observed the Russia-backed Nobelium APT using the backdoor after gaining administrative privileges to an Active Directory Federated Services (AD FS) server. With that privileged access, the attackers replace a legitimate DLL with the MagicWeb malicious DLL, so that the malware is loaded by AD FS as if it were legitimate.

Like domain controllers, AD FS servers can authenticate users. MagicWeb facilitates this on the part of the threat actors by allowing manipulation of the claims passed in authentication tokens generated by an AD FS server; thus, they can authenticate as any user on the network.

According to Microsoft, MagicWeb is a better iteration of the previously used specialized FoggyWeb tool, which also establishes a difficult-to-shake foothold inside victim networks.

"MagicWeb goes beyond the collection capabilities of FoggyWeb by facilitating covert access directly," Microsoft researchers explained. "It manipulates the user authentication certificates used for authentication, not the signing certificates used in attacks like Golden SAML."

For now, MagicWeb use appears to be highly targeted, according to Microsoft's advisory.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Efficient 'MagicWeb' Malware Subverts AD FS Authentication, Microsoft Warns

Center Hospitalier Sud Francilien (CHSF), a hospital outside of Paris, has redirected incoming patients to other medical facilities in the wake of a ransomware attack that began on Aug. 21.

Ransomware has disrupted operations at the Center Hospitalier Sud Francilien (CHSF), a 1,000-bed hospital outside Paris, locking down the facility's main systems including patient admissions and medical imaging. CHSF was forced to redirect incoming patients to other medical facilities, and hospital staff reverted to pen and paper. 

According to a report in Le Monde, the attackers demanded $10 million to decrypt the systems; it's unclear though whether the hospital paid the attackers any of the ransom. French authorities are investigating the ongoing incident and the threat actors behind the attack, which began on Aug. 21. 

"This attack does not impact the operation and security of the hospital building" and its telecommunications system, CHSF said in a statement, which was translated from French. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ransomware Gang Demands $10M in Attack on French Hospital

An insider threat or remote attacker with initial access could exploit CVE-2022-31676 to steal sensitive data and scoop up user credentials for follow-on attacks.

An important-rated security vulnerability in VMware Tools could pave the way for local privilege escalation (LPE) and complete takeover of virtual machines that house important corporate data, user info and credentials, and applications.

VMware Tools is a set of services and modules that enable several features in VMware products used to manage user interactions with guest operating systems (Guest OS). Guest OS is the engine that powers a virtual machine.

"A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine," according to VMware's security advisory, issued this week, which noted that the bug, tracked as CVE-2022-31676, carries a rating of 7.0 out of 10 on the CVSS vulnerability-severity scale.

Exploitation paths could take many forms, according to Mike Parkin, senior technical engineer at Vulcan Cyber.

"It is unclear from the release whether it requires access through the VMware virtual console interface or whether a user with some form of remote access to the Guest OS, such as RDP on Windows or shell access for Linux, could exploit the vulnerability," he tells Dark Reading. "Access to Guest OS should be limited, but there are many use cases that require logging into a virtual machine as a local user."

The virtualization virtuoso has patched the issue, with patched-version details available in the security alert. There are no workarounds for the flaw, so admins should apply the update to avoid compromise.

The issue, while not critical, should still be patched as soon as practicable, Parkin warns: "Even with cloud migration, VMware remains a staple of virtualization in many enterprise environments, which makes any privilege escalation vulnerability problematic."

To monitor for compromise, John Bambenek, principal threat hunter at Netenrich, recommends deploying behavioral analytics to detect credential abuse, as well as an insider threat program to detect problem employees who may abuse their already legitimate access.

"VMWare (and related) systems manage the most privileged systems, and compromising them is a force multiplier for threat actors," he says.

The patch comes on the heels of the disclosure of a critical bug earlier this month that would allow authentication bypass for on-premises VMware implementations, to give attackers initial local access and the ability to exploit LPE vulnerabilities such as this one.

Source

DARKReading