Security AI-driven Attack Signal Intelligence automates cyber threat detection, triage, and prioritization across public cloud, SaaS, identity and networks.

**SAN JOSE, Calif., Oct. 12, 2022 /PRNewswire/** — Vectra AI, the leader in Security AI-driven hybrid cloud threat detection and response, today announced Attack Signal Intelligence — groundbreaking technology that automates threat detection, triage and prioritization for SOC teams.

As organizations face ever-growing unknown cyber threats targeting on-premises and cloud infrastructure, SaaS applications, and data and identity systems, SOC teams are challenged to keep pace. More attack surface to cover combined with more modern, evasive and sophisticated attackers has resulted in more manual time spent maintaining detection rules, triaging alerts and figuring out what alerts to prioritize — resulting in analyst fatigue and burnout. Vectra's Security AI-driven Attack Signal Intelligence frees security analysts of these everyday manual and mundane tasks and arms them to do what they do best — investigate and respond to real attacks. Core to the Vectra platform, Vectra MDR services and the expanding Vectra ecosystem, Attack Signal Intelligence empowers security analysts to:

*   **Think like an attacker** with AI-driven Detections that go beyond signatures and anomalies to understand attacker behavior and zero in on attacker TTPs across the cyber kill chain.
*   **Know what is malicious** by analyzing detection patterns unique to an organization's environment to surface relevant events and reduce noise.
*   **Focus on the urgent** with AI-driven Prioritization that provides a view of threats by severity and impact, enabling analysts to focus on responding to critical threats and lowering business risk.

Today's security teams are challenged with defending an ever-expanding attack surface and more evasive attacker methods while contending with overwhelming alert noise. These challenges all contribute to a threat actors' increasing ability to beat prevention tools, circumvent signatures and detection rules and bypass multifactor authentication to infiltrate and progress laterally inside an organization while going unnoticed. According to Vectra's Global Research Study, 72% of security practitioners believe that they have been breached but don't know it.

"The unknown compromise is the single biggest security risk organizations face today. Far more complex environments with greater attack surface exposure, more evasive attacker methods and overwhelming noise are all leading to unknowns for security teams," said Kevin Kennedy, SVP of Product at Vectra. "To erase these unknowns, security teams need more reliable, accurate and timely intelligence across all attack entry points and attack surfaces. Vectra's Attack Signal Intelligence is the first technology of its kind to automate threat detection, triage and prioritization so defenders can get ahead and stay ahead of modern attacks. Threat intelligence gives security the confidence to mitigate what is known. Vectra Attack Signal intelligence gives security the confidence to mitigate what was previously unknown."

By harnessing Attack Signal Intelligence with the Vectra platform, Vectra MDR services and the Vectra ecosystem, security teams detect real attacks and their progression throughout the cyber kill chain so they can rapidly investigate and stop an attack from becoming a breach. Contrast to approaches that leverage AI for anomaly detection and require human tuning and maintenance, Vectra Attack Signal Intelligence continuously and automatically monitors for attacker methods with a set of Security AI models programmed with an understanding of attacker TTPs. The results run through another layer of AI which combines an understanding of the organization's environment with threat models and human threat intelligence, to automatically surface and prioritize threats based on severity and impact. The result is that security teams are 85% more efficient in identifying actual threats and achieve >2x higher security operations productivity.

Vectra Attack Signal Intelligence is built into all Vectra Cloud, Identity and Network Threat Detection and Response products and services:

*   Vectra CDR for AWS
*   Vectra CDR for Microsoft 365
*   Vectra IDR for Microsoft Azure AD
*   Vectra NDR for on-premises and cloud networks
*   Vectra MDR for cloud, identity and network threat detection and response

**For more information on Vectra's Attack Signal Intelligence, please visit:**

Vectra Attack Signal Intelligence web page: https://www.vectra.ai/products/attack-signal-intelligence

Blog: Attack Signal Intelligence Commits to Erasing Unknown Threats in Your Organization: www.vectra.ai/blog/vectra-attack-signal-intelligence

Attack Signal Intelligence Solution Brief: www.vectra.ai/resources/attack-signal-intelligence

**About Vectra**

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. Only Vectra optimizes AI to detect attacker methods — the TTPs at the heart of all attacks — rather than simplistically alerting on "different." The resulting high-fidelity threat signal and clear context enables cybersecurity teams to rapidly respond to threats and stop attacks from becoming breaches. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure — both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization. For more information, visit vectra.ai.

**SOURCE:** Vectra

Vectra Advances Security AI to Deliver Attack Signal Intelligence™, Empowering Security Teams to Investigate and Respond to Attacks in Real Time

Protecting against data breaches requires detailed analysis of recent attacks for remediation and prevention.

Data continues to drive enterprise business needs and processes, spurring the need for a rapidly growing number of data stores in which to house it all. Data's inherent value and impact on business operations have made it a prime target for cybercriminals. This has led to a sharp rise in data breaches that have disrupted business continuity and compromised the security and compliance posture of enterprises globally. In these breaches, attackers are commonly exploiting blind spots and misconfigurations.

Protecting against data breaches requires detailed and close analysis of recent attacks for remediation steps and preventative measures. Issues common to recent cloud data breaches include:

**1\. Data Leakage Through Compliance Boundaries**

A hard lesson from the past decade is that there's no going back once data goes outside of the organizational control plane and often to public repositories. For this reason, security owners are responsible for keeping tabs on any possibility of exposure, assessing fallout when exposure occurs, and acting accordingly.

Data leakage is more common than one would think and is not limited to enterprises with smaller security budgets. For example, Nestle's sensitive data was briefly exposed to the world from its internal network before surfacing a few months later in an alleged cyberattack by Anonymous.

**2\. Publicly Exposed Buckets**

Data is an asset and should be protected as such, whether it be a backup, audit record, or arbitrary file. Access should be based on the principle of least privilege, and any deviation should be identified, monitored, and alerted upon.

This was not the case for some organizations using public cloud data stores such as Amazon S3 buckets and Microsoft Azure Blobs. Four airports in Colombia and Peru, for example, had an S3 bucket — containing 3TB of data on employees — that was publicly accessible and did not require authentication.  

Meanwhile, Turkish airline company Pegasus had an S3 Bucket without password protection, exposing roughly 6.5TB of data that included personally identifiable crew information, flight charts, and secrets from the airline's EFB (Electronic Flight Bag) system.

Doctors Me, an online Japanese medical consultation site, experienced something similar. The service stored patient images, uploaded by customers, in an S3 bucket without proper access authorization and authentication controls, exposing the sensitive data of nearly 12,000 people.

**3\. Database Misconfigurations**

In their most basic function, databases are protected internal components that hold various records or documents. They are typically encapsulated behind an application or a service that facilitates access to data according to predetermined business logic. As such, databases have the potential to enforce strict access controls and to limit network access, ensuring that only service accounts or authorized personnel can directly reach them.

Databases exposed to the Internet, especially with weak authentication, are low-hanging fruit for bad actors who are constantly scanning for exposed services. This was the case for a popular Iranian chat application called Raychat, where a simple bot detected a misconfigured instance of the service's MongoDB database. All the attackers had to do was clone the database's content, wipe the database, and leave behind a note asking for a hefty ransom.

**4\. Missing Encryption**

Encryption is one of the top three industry best practices for data protection, but it cannot be considered a full security suite, as data protection is built in layers. When one layer is breached, it's up to the next to hold the line. We see this reflected in risk assessments and audit submissions, where each component, especially missing fundamental layer like encryption, changes the risk score of many other components that make up the entire environment. With common issues like false reporting and missing encryption, how can security owners reliably qualify and test the entirety of their known and unknown environment with assumptions and semi-reliable information?

The Department of Education in New York City struggled with this question when an online grading and attendance system was breached. Roughly 820,000 biographic records of current and former public-school students were stored without proper encryption, allowing the adversary to easily compromise and extract those.

**How Can Organizations Avoid These Mistakes?**

1\. Take ownership of your data: 

*   Identify sensitive and "need to be protected" assets with periodic scans of your environment to discover any unknowns and surprises, such as new data stores and network policies. 
*   Classify and evaluate any solution within your stack that you own or consume. 

2\. Improve your data security posture: 

*   Assess data stores against industry best practice and compliance standards. 
*   Incorporate data security into your organizational DNA by creating dedicated owners, allocating resources for long-term projects, and establishing incident handling procedures. 

3\. Control your data: 

*   Scope and periodically approve the target audience ensuring that only they can access it via both network policies and RBAC. 
*   Implement a "second set of eyes" methodology when it comes to data replication, export, creation, or deletion. 

4\. Observe and triage anomalous activities: 

*   Monitor activities against sensitive data and configuration changes around classified data stores. 
*   Create an alerting and triage mechanism for abnormal business scenarios.

Cloud Data Breaches Are Running Rampant. What Are the Common Characteristics?

Report also shows that cloud-based solutions minimize complexity to enable easy adoption by small to midsize businesses.

**PRAGUE, Oct. 12, 2022 /PRNewswire/** — GoodAccess, the company reinventing secure cloud access for small and midsize businesses, today announced a white paper presenting research from Enterprise Management Associates (EMA) that shows "68% of companies believe that zero trust network access (ZTNA) is an ideal solution for addressing work-from-anywhere risk."

The paper also outlines how cloud-delivered solutions mitigate complexity and enable easy adoption by any type or size of company or organization. Cloud-based Zero Trust Network Access solutions eliminate the need for hardware and cumbersome software suites to simplify set-up and ongoing maintenance, so that even small and medium businesses can readily adopt its use. According to the white paper, "Cloud-delivered ZTNA can address many of the adoption barriers that smaller companies perceive with zero trust technologies in general."

"Complexity has always been the enemy of security and the thing that keeps it from being implemented in the first place or used as directed in the second place," said Michal Čížek, chief executive officer and co-founder, GoodAccess. "GoodAccess has re-invented VPNs to be the means of providing Zero Trust Network Access to small and medium businesses by greatly reducing complexity, expense and necessary expertise. The research and white paper from EMA corroborate our strategy and underscore its necessity."

While ZTNA provides a strong solution for "network-less" organizations where all or most employees are remote and applications and resources are cloud-based, many believe the technology is still out of reach of small and medium businesses. Results from a recent EMA survey show that:

*   Thirty-two percent (32%) of IT organizations consider budget as a barrier to zero trust adoption. The subsequent white paper points out that, "A cloud-delivered ZTNA solution is typically priced for modest budgets since they require no capital outlay."
*   Thirty-one percent (31%) of IT organizations believe zero trust is too complex to implement. The white paper counters the concern, noting, "A cloud-based solution can mitigate the complexity because they require no on-premises hardware or software, aside from client agents. Also, cloud-delivered ZTNA technology is typically configured via a web-based or SaaS GUI console."
*   Thirty-one percent (31%) of the organizations believe that they lack personnel with zero trust skills. Again, the white paper answers those concerns, stating, "Cloud-delivered ZTNA offloads much of the engineering and administrative requirements to the provider."

The paper shows how new solutions solve these traditional concerns by addressing cost, complexity and having necessary technological expertise. With cloud-based solutions, capital costs shift to affordable operational costs. Even more importantly, the complexity of installing and maintaining ZTNA becomes greatly simplified, with far less need for support time and expertise.

Commented Shamus McGillicuddy, vice president of Research, EMA, "The nature of work has permanently changed over the last few years. Hybrid and full remote work has become the standard for many companies. When businesses need to protect remote access to important business assets, cloud-delivered zero trust networking and security solutions are some of the main enablers of modern data security nowadays."

GoodAccess is a cloud-based SaaS application that enables organizations to create a resilient, Zero Trust network with identity- policy- and device-assessment-based access control and safe, deterministic connections to a company's cloud-based applications and resources. GoodAccess provides physical and virtual network segmentation to reduce attack surface and resource access with protection from phishing and unwanted employee behavior. The solution enables compliance enforcement with user activity monitoring and storing logs for all the network communication and systems. A company's risk and compliance administrator gain full visibility into who accesses your systems and when. Virtual access cards assign every user a private account and network identity.

Read a copy of the EMA white paper  
See the key principles of Zero Trust Network Access  
Start a free trial of GoodAccess  
Request a free consultation

**About EMA**

Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help EMA's clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals, and IT vendors at www.enterprisemanagement.com. You can also follow EMA on Twitter or LinkedIn.

**About GoodAccess**

GoodAccess is the global company dedicated to simplifying "anytime, anywhere" secure connectivity and access for small and medium businesses around the world, beginning with its free GoodAccess Starter product for unlimited usage for up to 100 employees. For companies with more than 100 employees and with the need for static IP addresses, Zero Trust access and other requirements, GoodAccess provides a competitively priced platform that maintains simplicity and ease of use. GoodAccess products are designed for set-up within 10 minutes and the flexibility to meet varying conditions.

For more information: www.goodaccess.com

**SOURCE:** GoodAccess

2 Out of 3 Companies See Zero Trust Network Access as Key to Mitigate Work-From-Anywhere Risks, According to New EMA Report

InterVision releases a new website focused on the customer experience, making B2B cybersecurity purchasing decisions easier.

**SAN JOSE, Calif. and ST. LOUIS, Oct. 12, 2022 /PRNewswire/** — InterVision, a leading information technology (IT) strategic service provider, announced today a corporate rebrand along with key findings from its Pulse study. Study results revealed that nearly half of all business leaders identify ransomware as the top threat to business operations. These announcements highlight the importance of doubling down on strategic cybersecurity measures.

The study ("Solving for Ransomware Threats: Insights Into Current Leadership Actions") shares insights from 100 IT leaders on ransomware's impact on business security. Surveyed IT leaders reported ransomware as one of the biggest threats to tech-related business in North America, with 45% citing ransomware as their top concern overall. The study also found that most organizations focus on ransomware attack recovery (46%) as opposed to prevention (21%). As a result, many IT systems cannot detect threats before they become critical to the organization. But when presented with the idea of Ransomware Protection as a Service (RPaaS), 90% of respondents were interested in the comprehensive strategy.

"With so many high-profile ransomware attacks over the past couple of years, organizations are starting to understand the urgency of implementing a ransomware protection strategy," said Allen Jenkins, CISO and VP of Cybersecurity Consulting at InterVision. "Respondents overwhelmingly identified the need to improve IT processes and technology. Creating the right bundle with Ransomware Protection as a Service (RPaaS) ensures multiple layers of protection and is a powerful step in the process of ransomware prevention."

InterVision's rebrand puts customer experience at the center of its website, making B2B cybersecurity purchasing decisions easier.

"Commitment to the customer experience has always set InterVision apart. Our suite of business continuity and disaster recovery services is best-in-class, and we prioritize customer service through 24/7 response offerings. Now, with an updated website, the customer experience is front and center from the beginning to the end of their engagement with InterVision," said Kathleen Amro, Vice President of Marketing at InterVision.

InterVision's refreshed website and brand also reflects the quality of the company's offerings — including RPaaS, which 90% of Pulse survey respondents reported interest in.

"With organizations facing the challenge of an ever-evolving threat landscape and global security talent shortage, InterVision's RPaaS will not only provide their customers with world-class protection but also the peace of mind that comes along with it," said Will Briggs, senior vice president of global channels, Arctic Wolf. "InterVision and Arctic Wolf both share a commitment to delivering positive security outcomes, and we are proud of how our security operations solutions play a key role in protecting and delighting our shared customers."

To view the full study, visit https://intervision.com/blog-solving-for-ransomware-threats/. For more information about InterVision offerings or to navigate the refreshed website, visit https://intervision.com/.

**About InterVision Systems  
**InterVision is the leading strategic services provider, delivering and supporting complex IT solutions for mid-to-enterprise and public sector organizations throughout the US. With more than 25 years of experience, coupled with one of the most comprehensive product portfolios of managed IT service offerings available, the company is uniquely positioned to guide clients through any stage of their technology journeys. InterVision drives business outcomes with an unparalleled focus on the customer experience to help organizations be more competitive, compliant, and secure. The company has headquarters in San Jose, CA, St. Louis, MO, and Richmond, Va. To learn more, visit www.intervision.com.

**SOURCE:** InterVision

InterVision Announces Study Identifying Ransomware as No. 1 Threat to Business Longevity

Early adopters reaping the benefits of improved SOC operations and efficiencies.

**SANTA CLARA, Calif., Oct. 12, 2022 /PRNewswire/** — Delivering on the promise to help organizations leverage massive scales of data for their defenses, Palo Alto Networks (NASDAQ: PANW) today announced the general availability of Cortex® XSIAM, a breakthrough autonomous security operations platform powering today's modern secure operations center (SOC) and fundamentally changing the way data, analytics and automation are used across enterprise and cloud security operations.

Earlier this year, Cortex XSIAM was made available to a number of top organizations through the XSIAM Design Partner Program. The design partners spanned healthcare, logistics, design and manufacturing, technology, public sector, and entertainment verticals. The common challenges these organizations face include overwhelming alert volumes accompanied by a high number of false positives, lack of visibility across all parts of the organization, including cloud environments, and excessive manual overhead associated with managing numerous siloed tools.

"The SOC is where some of the best cybersecurity professionals work, and it is time that they have the right platform to get their jobs done effectively. We want to give our customers a new approach to SOC operations with a focus on results, efficiency and productivity," said Lee Klarich, chief product officer, Palo Alto Networks. "Cortex XSIAM establishes an autonomous SOC where organizations can respond to threats in a fraction of the time it takes today, and analysts can focus on the highest priority incidents. The SOC of the future will be built on AI and automation — any other approach is destined for failure."

Palo Alto Networks operates its own SOC on Cortex XSIAM and has seen the benefits of intelligent data integration, machine learning-based threat models, extensive automation and proactive analysis of the IT environment to reduce the attack surface. The Palo Alto Networks SOC processes over one trillion events per month, with Cortex XSIAM automatically handling the vast majority of those events. On average, the Cortex-powered SOC detects threats in 10 seconds and responds to high priority threats in one minute, with an 80% reduction in alerts that SOC analysts need to analyze.

The feedback on XSIAM has been strong. Design partners consistently reported improved visibility, fewer incidents, reduced false positives and reduced mean time to response. Paul Alexander, director of IT operations at Imagination Technologies Group, an international leader in the creation and licensing of semiconductor System-on-Chip Intellectual Property, said, "XSIAM is already helping us to resolve and address threats way more quickly and efficiently, reduce risk and track metrics."

"We see XSIAM as a platform that combines multiple capabilities into one unified ecosystem," said David Norlin, CISO at Lumifi. "For us, that means empowering analysts to move quicker on multiple datasets, detect threats more comprehensively, and deliver an even better service to our clients."

"From our first demo of XSIAM as part of the early access program, we were shocked and impressed with the maturity of the platform," said Randy Watkins, chief technology officer at Critical Start. "This was not a beta product, but a solution that customers would immediately be able to build their entire security operations program around. The data models within XSIAM are some of the best approaches we've seen to solving the lack of consistency with log management."

"XSIAM aims at much more than SIEM and provides the engine for the autonomous SOC," said Bobby Brillhart, vice president of engineering at Norlem. "XSIAM creates unprecedented opportunities for us as an MDR provider to scale our services and significantly decrease our MTTR."

**Optimized for Cloud-Native Environments**

By design, XSIAM operates across both cloud and enterprise security operations, providing true end-to-end management of threats, wherever they originate. Unlike most existing SIEM products, XSIAM comes with the ability to collect and integrate cloud telemetry that is unique to cloud-native systems. While companies born in the cloud benefit from the scale and automation of XSIAM and the ease of integration with public cloud and SaaS telemetry, organizations with legacy SIEM deployments can seamlessly transition to XSIAM as the next-generation autonomous SOC platform.

**Availability**

Cortex XSIAM is now available globally with full support across multiple cloud locations to comply with local regulations.

**Additional Resources**

*   Register for Palo Alto Networks' November event: The Modern SOC, Reimagined.
*   Join us at Ignite, Palo Alto Networks customer conference, to learn more and see XSIAM in action.
*   Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021)and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Cortex, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

**SOURCE:** Palo Alto Networks, Inc.

Palo Alto Networks Ushers in the Next-Generation Security Operations Center With General Availability of Cortex XSIAM — the Autonomous Security Operations Platform

The computing giant didn't fix ProxyNotLogon in October's Patch Tuesday, but it disclosed a rare 10-out-of-10 bug and patched two other zero-days, including one being exploited.

For its October Patch Tuesday update, Microsoft addressed a critical security vulnerability in its Azure cloud service, carrying a rare 10-out-of-10 rating on the CVSS vulnerability-severity scale.

The tech giant also patched two "important"-rated zero-day bugs, one of which is being actively exploited in the wild; and further, there may be a third issue, in SharePoint, that's also being actively exploited.

Notably, however, the Microsoft didn't issue fixes for the two unpatched Exchange Server zero-day bugs that came to light in late September.

In all for October, Microsoft released patches for 85 CVEs, including 15 critical bugs. Affected products run the gamut of the product portfolio as usual: Microsoft Windows and Windows Components; Azure, Azure Arc, and Azure DevOps; Microsoft Edge (Chromium-based); Office and Office Components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate Services; Nu Get Client; Hyper-V; and the Windows Resilient File System (ReFS).

These are in addition to 11 patches for Microsoft Edge (Chromium-based) and a patch for side-channel speculation in ARM processors released earlier in the month.

**A Perfect 10: Rare Ultra-Critical Vuln**

The 10-out-of-10 bug (CVE-2022-37968) is an elevation of privilege (EoP) and remote code-execution (RCE) issue that could allow an unauthenticated attacker to gain administrative control over Azure Arc-enabled Kubernetes clusters; it could also affect Azure Stack Edge devices.

While cyberattackers would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster to be successful, exploitation has a big payoff: They can elevate their privileges to cluster admin and potentially gain control over the Kubernetes cluster.

"If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18, and 1.8.11 and they are available from the Internet, upgrade immediately," Mike Walters, vice president of vulnerability and threat research at Action1, warned via email.

**A Pair (Maybe a Triad) of Zero-Day Patches – but Not THOSE Patches**

The new zero-day confirmed as being under active exploit (CVE-2022-41033) is an EoP vulnerability in the Windows COM+ Event System Service. It carries a 7.8 CVSS score.

The Windows COM+ Event System Service is launched by default with the operating system and is responsible for providing notifications about logons and logoffs. All versions of Windows starting with Windows 7 and Windows Server 2008 are vulnerable, and a simple attack can lead to gaining SYSTEM privileges, researchers warned.

"Since this is a privilege escalation bug, it is likely paired with other code-execution exploits designed to take over a system," Dustin Childs, from the Zero Day Initiative (ZDI), noted in an analysis today. "These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website. Despite near-constant anti-phishing training, especially during 'Cyber Security Awareness Month,' people tend to click everything, so test and deploy this fix quickly."

Satnam Narang, senior staff research engineer at Tenable, noted in an emailed recap that an authenticated attacker could execute a specially crafted application in order to exploit the bug and elevate privileges to SYSTEM.

"While elevation of privilege vulnerabilities requires an attacker to gain access to a system through other means, they are still a valuable tool in an attacker’s toolbox, and this month’s Patch Tuesday has no shortage of elevation-of-privilege flaws, as Microsoft patched 39, accounting for nearly half of the bugs patched (46.4%)," he said.

This particular EoP problem should go to the head of the line for patching, according to Action1's Walters.

"Installing the newly released patch is mandatory; otherwise, an attacker who is logged on to a guest or ordinary user computer can quickly gain SYSTEM privileges on that system and be able to do almost anything with it," he wrote, in an emailed analysis. "This vulnerability is especially significant for organizations whose infrastructure relies on Windows Server."

The other confirmed publicly known bug (CVE-2022-41043) is an information-disclosure issue in Microsoft Office for Mac that has a low CVSS risk rating of just 4 out of 10.

Waters pointed to another potentially exploited zero-day: a remote code execution (RCE) problem in SharePoint Server (CVE-2022-41036, CVSS 8.8) that affects all versions starting with SharePoint 2013 Service Pack 1.

"In a network-based attack, an authenticated adversary with Manage List permissions could execute code remotely on the SharePoint Server and escalate to administrative permissions," he said.

Most importantly, "Microsoft reports that an exploit has likely already been created and is being used by hacker groups, but there is no proof of this yet," he said. "Nevertheless, this vulnerability is worth taking seriously if you have a SharePoint Server open to the internet."  

**No ProxyNotShell Patches**

It should be noted that these are not the two zero-day patches that researchers were expecting; those bugs, CVE-2022-41040 and CVE-2022-41082, also known as ProxyNotShell, remain unaddressed. When chained together, they can allow RCE on Exchange Servers.

"What may be more interesting is what isn’t included in this month's release. There are no updates for Exchange Server, despite two Exchange bugs being actively exploited for at least two weeks,” Childs wrote. “These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. With no updates available to fully address these bugs, the best administrators can do is ensure the September … Cumulative Update (CU) is installed.”

"Despite high hopes that today's Patch Tuesday release would contain fixes for the vulnerabilities, Exchange Server is conspicuously missing from the initial list of October 2022 security updates," says Caitlin Condon, senior manager for vulnerability research at Rapid7. "Microsoft's recommended rule for blocking known attack patterns has been bypassed multiple times, emphasizing the necessity of a true fix."

As of early September, Rapid7 Labs observed up to 191,000 potentially vulnerable instances of Exchange Server exposed to the Internet via port 443, she adds. However, unlike the ProxyShell and ProxyLogon exploit chains, this group of bugs requires an attacker to have authenticated network access for successful exploitation.

"So far, attacks have remained limited and targeted," she says, adding, "That's unlikely to continue as time goes on and threat actors have more opportunity to gain access and hone exploit chains. We'll almost certainly see additional post-authentication vulnerabilities released in the coming months, but the real concern would be an unauthenticated attack vector popping up as IT and security teams implement end-of-year code freezes."

**Admins Take Note: Other Bugs to Prioritize**

As far as other issues to prioritize, ZDI's Childs flagged two Windows Client Server Run-time Subsystem (CSRSS) EoP bugs tracked as CVE-2022-37987 and CVE-2022-37989 (both 7.8 CVSS).

"CVS-2022-37989 is a failed patch for CVE-2022-22047, an earlier bug that saw some in-the-wild exploitation," he explained. "This vulnerability results from CSRSS being too lenient in accepting input from untrusted processes. By contrast, CVE-2022-37987 is a new attack that works by deceiving CSRSS into loading dependency information from an unsecured location."

Also notable: Nine CVEs categorized as RCE bugs with critical severity were also patched today, and seven of them affect the Point-to-Point Tunneling Protocol, according to Greg Wiseman, product manager at Rapid7. "\[These\] require an attacker to win a race condition to exploit them," he noted via email.

Automox researcher Jay Goodman adds that CVE-2022-38048 (CVSS 7.8) affects all supported versions of Office, and they could allow an attacker to take control of a system "where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights." While the vulnerability is less likely to be exploited, according to Microsoft, the attack complexity is listed as low.

And finally, Gina Geisel, also an Automox researcher, warns that CVE-2022-38028 (CVSS 7.8), a Windows Print Spooler EoP bug, as a low-privilege and low-complexity vulnerability that requires no user interaction.

"An attacker would have to log on to an affected system and run a specially crafted script or application to gain system privileges," she notes. "Examples of these attacker privileges include installing programs; modifying, changing, and deleting data; creating new accounts with full user rights; and moving laterally around networks."

Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched

New research demonstrates the use of thermal camera images of keyboards and screens in concert with AI to correctly guess computer passwords faster and more accurately.

Password-cracking and guessing attempts are successful enough as it is to put more than a little gray in the hair of experienced cybersecurity professionals. Now new research shows even more effective cracking attempts could be perpetrated by attackers equipped with a cheap thermal camera and some simple deep-learning models.

The AI-driven attacks were conceptualized and refined by Dr. Mohamed Khamis of the University of Glasgow School of Computing Science and his colleagues at the school, Norah Alotaibi and Dr. John Williamson, who are set to publish their results in an upcoming issue of the ACM Transactions on Privacy and Security journal.

The paper details their work to use off-the-shelf thermal cameras and a probabilistic model that utilized 1,500 thermal images they took of recently used keyboards to create a method of accurately cracking passwords — even in uncontrolled settings. Dubbed ThermoSecure, the method captures heat signatures via thermal cameras and analyzes them with the researchers' AI modeling to guess a password with 86% accuracy when the images are taken within 20 seconds of input, and 62% accuracy within 60 seconds of input.

"Even without knowing the order of the keys, it is possible to significantly reduce the search space, which means fewer attempts are required to guess a password," the researchers wrote in their paper.

Khamis pointed to the accessible price of thermal cameras — which can be picked up for less than $200 — as a cue for why his team wanted to explore this as a potential threat vector. As he explains, this is likely an area where the bad guys are already innovating to develop ways to leverage these tools to their advantage.

"They say you need to think like a thief to catch a thief. We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones," he said. "It's important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers."

**Not the First Thermal Rodeo**

While this is not the first piece of research touching on the use of thermal imaging to guess passwords, previous studies took pictures in highly controlled settings. This latest one focused on how the layering of AI can bridge the gap in accuracy in uncontrolled conditions that might be affected by different camera angles and user behavior. The study also examined how factors like password length and typing styles could impact the accuracy of this technique, offering some hints for mitigation measures.

For example, the jump from eight-symbol passwords up to 16-symbol passwords cut the accuracy of the attack by 26 points when images were taken 20 seconds after input. Similarly, faster-touch typists left less of a heat signature than slower "hunt-and-peck" typists, meaning that the accuracy was about 12 points lower for the former compared with the latter.

Some other mitigating factors included the use of backlit keyboards — which heat up keys enough to "light up" a thermal image enough to flummox the AI model — and the kind of plastic used in a keyboard. For example, ABS plastic retains heat for significantly less time than PBT plastic.

Of course, one of the most reliable mitigations are the ones that are cited for just about any kind of password-cracking or guessing attacks: that is, seeking out alternative login methods.

"Users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, which mitigate many of the risks of thermal attack," Khamis said. "In my team, we have previously proposed authentication schemes that rely on eye movements for password entry; gaze-based authentication is resistant to thermal attacks by design."

AI and Residual Finger Heat Could Be a Password Cracker's Latest Tools

Attackers could exploit the "Sandbreak" security bug, which has earned a 10 out of 10 on the CVSS scale, to execute a sandbox escape, achieve RCE, and run shell commands on a hosting machine.

A remote code execution (RCE) vulnerability in a widely used JavaScript sandbox has earned a top rating of 10 on the CVSS vulnerability risk scale; it allows threat actors to execute a sandbox escape and run shell commands on the hosting machine.  

Researchers from cloud security firm Oxeye discovered the dangerous flaw, which they dubbed "Sandbreak" in vm2, a JavaScript sandbox that has more than 16 million monthly downloads, according to its NPM package manager.

"The fact that this vulnerability has the maximum CVSS score of 10 and is extremely popular means its potential impact is widespread and critical," Oxeye architect Yuval Ostrovsky and security researcher Gal Goldshtein wrote in a blog post published Oct. 10.

Oxeye found the flaw on Aug. 16 and informed the project owners two days later. On Aug. 28, GitHub issued CVE-2022-36067 and gave the vulnerability the highest risk rating possible.

The project's maintainers reacted swiftly to issue a patch for Sandbreak in vm2 version 3.9.11, which should be applied by anyone using the sandbox because of the heightened risk of vulnerability, the researchers said.

**Sandboxes: Historically Trustworthy**

Like all sandboxes, vm2 offers an isolated environment where applications can run trusted code, serving a vital purposes in modern applications because developers or network administrators can use them to run programs or open files without affecting the app, system, or platform in which they run.  

Software developers often use sandboxes to test new programming code, and they are well known as an important tool in cybersecurity research, allowing researchers to test potentially malicious software without harming other parts of a network or app environment.

Indeed, the fact that a sandbox is so universally trusted is what makes the Sandbreak flaw so critical and should sound an alarm across all sandbox users to shore up their implementations, the researchers said.

"By their very definition, sandboxes are considered safe places and trusted as mechanisms that isolate potentially dangerous code from our applications," they wrote in the post. "But what would happen if this trust was compromised?"

**Technical Analysis**

Researchers explored just that in their investigation of Sandbreak, which they discovered while analyzing previous security lapses disclosed to the team maintaining vm2.

The bug exists in the vm2 bug reporter, which would allow cyberattackers to abuse the error mechanism in Node.js. They could customize the call stack of an error that occurred in the app to escape the sandbox, the researchers disclosed.

"Customizing the call stack can achieve this by implementing the 'prepareStacktrace' method under the global 'Error' object,'" the researchers explained in the post. "This means that when an error occurs and the 'stack' property of the thrown error object is accessed, Node.js will call this method while providing it with a string representation of the error alongside an array of 'CallSite' objects as arguments."

One of the methods exposed by the CallSite objects because of the issue is "getThis," which is responsible for returning the “this” object that was available in the related stack frame, the researchers found.

This behavior can lead to sandbox escapes because some of the "CallSite" objects "may return objects created outside the sandbox when invoking the 'getThis' method," they wrote. If an attackers could gain hold of a "CallSite" object created outside of the sandbox, they could access Node's global objects and execute arbitrary system commands from there.

**Bypassing the Mitigation**

The maintainers of vm2 were aware that overriding "prepareStackTrace" could indeed lead to a sandbox escape. They tried to mitigate the escape path by wrapping the Error object and the "prepareStackTrace" method with their own implementation, which succeeded in preventing anyone from overriding the method and performing the escape, they said.

However, Oxeye researchers found they could bypass this, because vm2 missed wrapping specific methods related to the "WeakMap" JavaScript built-in type, they said. "This allowed the attacker to provide their own implementation of 'prepareStackTrace,' then trigger an error, and escape the sandbox," the researchers wrote.

Knowing that the prepareStackTrace function of the Error object is the function they needed to override to escape the sandbox, Oxeye researchers went even further and decided to try to override the global Error object with their own object.

Doing this implemented the prepareStackTrace function, which allowed them to escape the sandbox. A few simple steps later and they had access to the currently executing process and could execute commands on the system running the sandbox, they said.

**Using Sandboxes Safely**

Although sandboxes by their very nature are meant to safely run untrusted code within an app or system, enterprises shouldn't automatically assume they are without risk, the researchers warned.

However, if using a sandbox in an environment is unavoidable, Oxeye recommends reducing risk by separating the logical, sensitive part of an application from the microservice that runs the sandbox code.

This will ensure that "if a threat actor successfully breaks out from the sandbox, the attack surface is limited to the isolated microservice," the researchers wrote.

Enterprises also should avoid using a sandbox that relies on a dynamic programming language such as JavaScript when possible, they said.

"The dynamic nature of the language widens the attack surface for a potential attacker, making defending against such attacks much harder," researchers observed in their post.

Critical Open Source vm2 Sandbox Escape Bug Affects Millions

The IT security executive led ICS/OT, IT/OT integration, and other security programs, as well as diversity and inclusion efforts in the industry.

Paul Brager, a leading operational technology (OT) expert and executive, passed away late last month while on a business trip.

Brager, who most recently was director of the global OT security program at energy technology company Baker Hughes, was a well-known industry leader in the industrial cybersecurity sector and worked in the IT security field for 27 years, specializing in industrial control system (ICS)/OT, IT/OT convergence, and cyber-risk topics, among other areas. He was also a researcher and a renowned speaker in the industry, including at Interop and on the Dark Reading News Desk at Black Hat USA. 

Brager also led mentoring and advocacy initiatives for people of color and for women in cybersecurity, promoting diversity and inclusion.

His wife, Keirsten Brager, a cybersecurity professional as well as an author, announced her husband's passing this week via his LinkedIn profile, noting that Paul suffered a heart attack on Sept. 27 while on a business trip in Brazil.

_**NOTE: Dark Reading editors had the honor of interviewing Paul Brager on several occasions, as well as working** **with him as a speaker for the security track of Interop in 2017**_**_. His insights on industry issues_ _always made us smarter, and our reporting more informed. Our hearts and thoughts go out to Keirsten and their childre__n,_ _Kaylie and Dylan. The industry has lost a true leader._**

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

OT Cybersecurity Leader Paul Brager Passes Away

Exposed code included private key for Intel Boot Guard, meaning it can no longer be trusted, according to a researcher.

Intel has confirmed the leak of the Unified Extensible Firmware Interface (UEFI) BIOS of Alder Lake, the company's code name for its latest processor — the 12th generation Intel Core processor — which debuted in late 2021. 

According to reports, the Intel UEFI code was first leaked late last week on 4chan, and later GitHub, and it contained 5.97GB of data. It was dated 9-30-22, likely when it was exfiltrated, analysts reported. "In addition, one thing should be noted that the key pairs required by Boot Guard during provisioning stage is also included in the leaked content," researchers from Hardened Vault who analyzed the leaked data explained. 

Researcher Mark Ermolov noted the same thing on Twitter on Oct. 8, adding, "... the Intel Boot Guard on the vendor's platforms can no longer be trusted." 

The researchers at Hardened Vault pointed out the code could be particularly useful for malicious actors who want to reverse engineer the code to find vulnerabilities. 

In a statement provided to Security Week, Intel acknowledged the breach, attributing it to a third-party and downplaying its potential security risk. "Intel does not believe this exposes, or creates, any new security vulnerabilities as we do not rely on obfuscation of information as a security measure," Intel said in a statement. "We are reaching out to customers, partners and the security research community to keep them informed of this situation." 

The Hardened Vault team said it hasn't been able to trace the data back to the leaker but suggested that the developer of the firmware solution, Insyde, might have more information to share. "But it is still impossible to confirm the person who leaked it," the team wrote. "The leak is part of Insyde solution which integrate Intel’s resources. Perhaps Insyde knows more than we do."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading