Twitter did not know what data it had or who had access to it, Peiter "Mudge" Zatko told Congressional lawmakers during a Senate panel hearing.

Former Twitter security chief Peiter Zatko, aka "Mudge," testified before a Senate panel (video) Tuesday alleging widespread security deficiencies at the social media company. His testimony expanded on the 200-plus page whistleblower complaint submitted to Congress last month.

Zatko, who was Twitter's head of security from November 2020 until being fired in January 2022, alleged "extreme, egregious deficiencies" in areas of user privacy, digital and physical security, and platform integrity/content moderation.

"What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards," he said in his testimony.

**No Framework to Protect User Data**

As a social media platform, Twitter is sitting on a giant trove of user information, such as the user's phone number, the user's current and past IP addresses used to connect to Twitter, current and past email addresses, the person's approximate location based on IP addresses, the user's language, and information about the person's device or browser they are using.

Protecting that information is critical. In the wrong hands, it can be used to dox individual users and open them up to physical harm. The communications can expose information users may not want publicized.

Twitter doesn't know "what they have, where it lives, or where it came from," Zatko told Congressional lawmakers during his testimony. "And so, unsurprisingly, they can't protect it."

**No Access Logs**

One of the core tenets of data protection is to have access controls so that there is a way to monitor whether anyone is accessing information they should not be. Twitter did not have that kind of logging, Zatko said, claiming that Twitter had no visibility over what anyone was doing with the data.

Employees have "too much access to too much data," Zatko said. The information is available to roughly half of Twitter's staff, or about 4,000 employees, and engineers are given access to the data by default, he said.

The lack of controls made account takeovers trivial. "It's not far-fetched to say an employee inside the company could take over the accounts of all the senators in this room," Zatko said. "It doesn't matter who has keys if you don't have any locks on the doors."

That scenario isn't so far-fetched. Zatko came to Twitter shortly after a 2020 incident where a group of teenagers gained access to an internal tool and then took over the accounts of high-profile Twitter users as part of a crypto-currency scam.

"From research that I coordinated after the 2020 incident, it was obvious that Twitter did not have appropriate privileged user management controls nor separation of duty policies for developers and administrators of their systems," Aaron Turner, CTO of SaaS Protect at Vectra, previously told Dark Reading.

**Red Flags Were Ignored**

One system that tracked logins for Twitter engineers was registering "thousands" of failed login attempts each week, Zatko said. Despite the fact that the company saw as many as 3,000 failed attempts each day, the company did not prioritize investigating to see where the attempts were coming from or what systems were being targeted.

Not investigating was a missed opportunity. Trying to figure out what the failed attempts were targeting could have helped identify potentially vulnerable systems and whether they needed additional layers of protection.

Twitter is "so far behind on their infrastructure," and the engineers aren't given the opportunity to modernize the platform, Zatko testified.

Twitter has pushed back on the allegations. "Today's hearing only confirms that Mr. Zatko's allegations are riddled with inconsistencies and inaccuracies," a spokesperson said,

Key Takeaways From the Twitter Whistleblower's Testimony

CloudFox is a command-line tool that helps penetration testers understand unknown cloud environments.

Bishop Fox released CloudFox, a command-line security tool that helps penetration testers and security practitioners find potential attack paths within their cloud infrastructures.

The main inspiration for CloudFox was to create something like PowerView for cloud infrastructure, Bishop Fox consultants Seth Art and Carlos Vendramini wrote in a blog post announcing the tool. PowerView, a PowerShell tool used to gain network situational awareness in Active Directory environments, provides penetration testers with the ability to enumerate the machine and the Windows Domain.

For example, Art and Vendramini described how CloudFox could be used to automate various tasks penetration testers perform as part of an engagement, such as looking for credentials associated with Amazon Relational Database Service (RDS), tracking down the specific database instance associated with those credentials, and identifying the users who have access to those credentials. In that scenario, Art and Vendramini noted that CloudFox can be used to understand who — whether specific users or user groups — could potentially exploit that misconfiguration (in this case, the exposed RDS credentials) and carry out an attack (such as stealing data from the database).

The tool currently only supports Amazon Web Services, but support for Azure, Google Cloud Platform, and Kubernetes is on the road map, the company said.

Bishop Fox created a custom policy to use with the Security Auditor policy in Amazon Web Services that grants CloudFox all the necessary permissions. All CloudFox commands are read-only, meaning that executing them will not change anything in the cloud environment.

"You can rest assured that nothing will be created, deleted, or updated," Art and Vendramini wrote.

Some commands include:

*   Inventory: Figure out which regions are used in the target account and provide the rough size of the account by counting the number of resources in each service.
*   Endpoints: Enumerates service endpoints for multiple services at the same time. Output can be fed into other tools, such as Aquatone, gowitness, gobuster, and ffuf.
*   Instances: Generates a list of all public and private IP addresses associated with the Amazon Elastic Compute Cloud (EC2) instances with names and instance profiles. Output can be used as input for nmap.
*   Access-keys: Returns a list of active access keys for all users. This list would be useful for cross-referencing a key to figure out which in-scope account the key belongs to.
*   Buckets: Identifies the buckets in the account. There are other commands that can be used to inspect the buckets further.
*   Secrets: Lists secrets from AWS Secrets Manager and AWS Systems Manager (SSM). This list can also be used to cross-reference secrets to find out who has access to them.

"Finding attack paths in complex cloud environments can be difficult and time consuming," Art and Vendramini wrote, noting that most tools to analyze cloud environments focus on security baseline compliance. "Our primary audience is penetration testers, but we think CloudFox will be useful for all cloud security practitioners."

Bishop Fox Releases Cloud Enumeration Tool CloudFox

In Microsoft's lightest Patch Tuesday update of the year so far, several security vulnerabilities stand out as must-patch, researchers warn.

Microsoft addressed a pair of important-rated zero-day bugs in its September Patch Tuesday update, including a local privilege-escalation (LPE) that's being actively exploited in the wild. To boot, it disclosed three separate critical vulnerabilities that could be used for worming attacks.

The patches are part of a cache of just 64 fixed vulnerabilities from Microsoft this week, the fewest for any month this year (and almost a 50% decrease from August). The disclosed bugs affect Microsoft Windows and Windows Components; Azure and Azure Arc; .NET, Visual Studio, .NET Framework; Microsoft Edge (Chromium-based); Office and Office Components; Windows Defender; and Linux Kernel.

**A Pair of Zero-Day Vulnerabilities**

The actively exploited vulnerability (CVE-2022-37969, with a CVSS score of 7.8) exists in the Windows Common Log File System Driver, which is a general-purpose logging subsystem first introduced in Windows 2003 R2 OS and which has shipped with all later versions. An exploit for the bug allows an attacker with initial system access to elevate their privilege to SYSTEM privileges on a zero-click basis.

"No other technical details are available, but since the vulnerability has low complexity and requires no user interaction, an exploit will likely soon be in the arsenal of both white hats and black hats," Mike Walters, cybersecurity executive and co-founder of Action1, wrote in an analysis provided to Dark Reading. "It’s recommended that you deploy the patch as soon as possible."

Dustin Childs of Trend Micro's Zero Day Initiative (ZDI) noted that it's likely being deployed in a tidy exploit chain package.

"Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link," he wrote in his Patch Tuesday blog post. "Once they do, additional code executes with elevated privileges to take over a system."

This is one for everyone to patch quickly, he stressed: "Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks."

The other zero-day bug (CVE-2022-23960) exists in Windows 11 for ARM64-based Systems. Microsoft didn't provide any further details, and it was not assigned a CVSS score, but Bharat Jogi, director of vulnerability and threat research at Qualys, offered context in an emailed comment, noting that it's a processor-based speculative execution issue of the sort made infamous with the Spectre and Meltdown attacks. A successful exploit would give attackers access to sensitive information.

"This \[is\] a fix for a vulnerability known as Spectre-BHB that affects ARM64-based systems," he noted. "This vulnerability is a variant of Spectre v2 which has reinvented itself on numerous occasions and has affected various processor architectures since its discovery in 2017."

He added, "This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware, and in some cases, a recompilation of applications and hardening."

**Five Critical Bugs for September**

As mentioned, three of the critical-rated bugs are wormable — i.e., could be used to spread infections from machine to machine with no user interaction.

The most concerning of these is likely CVE-2022-34718, researchers said, which can be found in Windows TCP/IP. It allows a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction; and it can be exploited by sending a specially crafted IPv6 packet to a Windows node where IPsec is enabled.

"That officially puts it into the 'wormable' category and earns it a CVSS rating of 9.8," Childs said. "Definitely test and deploy this update quickly."

It should be noted that it only affects systems with IPv6 enabled and IPsec configured, but this is a common setup.

"If a system doesn’t need the IPsec service, disable it as soon as possible," said Action1's Walters. "This vulnerability can be exploited in supply chain attacks where contractor and customer networks are connected by an IPsec tunnel. If you have IPsec tunnels in your Windows infrastructure, this update is a must-have."

The other two wormable bugs, CVE-2022-34722 and CVE-2022-34721, are both found in Windows Internet Key Exchange (IKE) Protocol Extensions. They both allow RCE by sending a specially crafted IP packet to a target machine that is running Windows and has IPsec enabled, and both carry a CVSS score of 9.8.

Walters noted that the vulnerability impacts only IKEv1 and not IKEv2. "However, all Windows Servers are affected because they accept both V1 and V2 packets," he wrote. "There is no exploit or PoC detected in the wild yet; however, installing the fix is highly advisable."

The final two critical bugs (CVE-2022-34700 and CVE-2022-35805) both exist in Dynamics 365 (On-Premises), and "could allow an authenticated user to perform SQL injection attacks and execute commands as db\_owner within their Dynamics 356 database," Childs explained. They have a CVSS score of 8.8.

**Other Vulnerabilities of Note**

As for noncritical flaws to pay attention to first this month, Childs also flagged a denial-of-service bug in Windows DNS server (CVE-2022-34724, CVSS score of 7.5), which can be exploited by remote, unauthenticated attacker to knock out DNS service used to connect to cloud resources and websites.

While there's no chance of code execution, the bug should be treated as critical, he added. "With so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises," Childs said.

Rapid7's Patch Tuesday analysis this month, sent via email, also noted that SharePoint administrators should also be aware of four separate RCE bugs, all rated important (CVE-2022-35823, CVE-2022-37961, CVE-2022-38008, and CVE-2022-38009).

And there's a large swath of RCE bugs affecting OLE DB Provider for SQL Server and the Microsoft ODBC Driver (CVE-2022-34731; CVE-2022-34733, CVE-2022-35834, CVE-2022-35835, CVE-2022-35836, and CVE-2022-35840).

"These require some social engineering to exploit, by convincing a user to either connect to a malicious SQL Server or open a maliciously crafted .mdb (Access) file," Greg Wiseman, product manager at Rapid7, explained in the analysis.

Overall, administrators should have an easier time parsing the lighter patch load this month, but ZDI's Childs noted that the smaller collection is in line with the volume of patches from previous September releases. Qualys' Jogi also pointed out that while September's Patch Tuesday clocks in on the lighter side, Microsoft hit a milestone of fixing the 1,000th CVE of the year, meaning the software giant is "likely on track to surpass 2021, which patched 1,200 CVEs in total."

Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs

Password compromise led to unauthorized access to a customer contract search tool over a five-month window, according to the company.

U-Haul said attackers were able to compromise two individual passwords and access the company's customer contract tool, exposing customer names and driver's license or state identification numbers.

Attackers had unauthorized access from Nov. 5, 2021, to April 5, 2022, U-Haul said. Once the breach was discovered, U-Haul changed the affected passwords and launched an investigation, the company explained on Sept. 9.

"The investigation determined an unauthorized person accessed the customer contract search tool and some customer contracts," according to U-Haul's notice of the cybersecurity incident. "None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool."

**U-Haul's Password Security Panned**

Experts like Sami Elhini, with Cerberus Sentinel, panned U-Haul's lack of password security.

"Ultimately, this is an identity management issue," Elhini explained in an emailed statement. "Determining you have a resolved identity based on a successful one-factor authentication is not only blissfully ignorant, but also potentially civilly and criminally negligent."

Lior Yaari, CEO of Grip Security was also withering in his assessment of U-Haul's cybersecurity.

"The passwords compromised in this U-Haul attack were clearly not governed or protected properly," Yaari said in an emailed statement. "There are probably other passwords that may have already been compromised that U-Haul, and hundreds of other companies, are unaware of and will not become aware of, until another breach like this occurs.”  

**Improving Password Protections**

While the precise approach might very across sectors and organizations, Yaari said the industry needs to stop repeating the same mistakes and relying on employees as an effective defense against cyberattack.

"The additional safeguards companies take to prevent password compromise will likely fail, and this type of breach will be repeated over and over again," Yaari added. "Rather than adding more Band-Aids, the industry needs to take a fresh approach that removes the burden of securing passwords from employees."

U-Haul Customer Contract Search Tool Compromised

Cyber spies are using legitimate apps for DLL sideloading, deploying an updated range of malware, including the new "Logdatter" info-stealer.

A threat group previously associated with the notorious ShadowPad remote access Trojan (RAT) has been observed using old and outdated versions of popular software packages to load malware on systems belonging to multiple target government and defense organizations in Asia.

The reason for using outdated versions of legitimate software is because they allow the attackers to use a well-known method called dynamic link library (DLL) sideloading to execute their malicious payloads on a target system. Most current versions of the same products protect against the attack vector, which basically involves adversaries disguising a malicious DLL file as a legitimate one and putting it in a directory where the application would automatically load and run the file.

Researchers from Broadcom's Software's Symantec Threat Hunter team observed the ShadowPad\-related threat group using the tactic in a cyber-espionage campaign. The group's targets have so far included a prime minister's office, government organizations linked to the finance sector, government-owned defense and aerospace firms, and state-owned telecom, IT, and media companies. The security vendor's analysis showed the campaign has been ongoing since at least early 2021, with intelligence being the primary focus.

**A Well-Known Cyberattack Tactic, but Successful**

"The use of legitimate applications to facilitate DLL sideloading appears to be a growing trend among espionage actors operating in the region," Symantec said in a report this week. It's an attractive tactic because anti-malware tools often don't spot the malicious activity because attackers used old applications for side loading.

"Aside from the age of the applications, the other commonality is that they were all relatively well-known names and thus may appear innocuous." says Alan Neville, threat intelligence analyst with Symantec's threat hunter team.  

The fact that the group behind the current campaign in Asia is using the tactic despite it being well-understood suggests the technique is yielding some success, Symantec said.

Neville says his company has not recently observed threat actors use the tactic in the US or elsewhere. "The technique is mostly used by attackers focusing on Asian organizations," he adds.

Neville says that in most of the attacks in the latest campaign, threat actors used the legitimate PsExec Windows utility for executing programs on remote systems to carry out the sideloading and deploy malware. In each case, the attackers had already previously compromised the systems on which it installed the old, legitimate apps.

"\[The programs\] were installed on each compromised computer the attackers wanted to run malware on. In some cases, it could be multiple computers on the same victim network," Neville says. In other instances, Symantec also observed them deploying multiple legitimate application on a single machine to load their malware, he adds.

"They used quite an array of software, including security software, graphics software, and Web browsers," he notes. In some cases, Symantec researchers also observed the attacker using legitimate system files from the legacy Windows XP OS to enable the attack.  

**Logdatter, Range of Malicious Payloads**

One of the malicious payloads is a new information stealer dubbed Logdatter, which allows the attackers to log keystrokes, take screenshots, query SQL databases, inject arbitrary code, and download files, among other things. Other payloads that the threat actor is using in its Asian campaign include a PlugX-based Trojan, two RATs dubbed Trochilus and Quasar, and several legitimate dual-use tools. These include Ladon, a penetration testing framework, FScan, and NBTscan for scanning victim environments.

Neville says Symantec has been unable to determine with certainty how the threat actors might be gaining initial access on a target environment. But phishing and opportunity targeting of unpatched systems are likely vectors.

"Alternatively, a software supply chain attack is not outside the remit of these attackers as actors with access to ShadowPad are known to have launched supply chain attacks in the past," Neville notes. Once the threat actors have gained access to an environment, they have tended to use a range of scanning tools such as NBTScan, TCPing, FastReverseProxy, and Fscan to look for other systems to target.

To defend against these kinds of attacks, organizations need to implement mechanisms for auditing and controlling what software might be running on their network. They should also consider implementing a policy of only allowing whitelisted applications to run in the environment and prioritize patching of vulnerabilities in public-facing applications. 

"We'd also recommend taking immediate action to clean machines that exhibit any indicators of compromise," Neville advises, "... including cycling credentials and following your own organization's internal process to perform a thorough investigation."

ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools

Facebook lead-generation forms are being repurposed to collect passwords and credit card information from unsuspecting Facebook advertisers.

Attackers are piggybacking on the power of the Facebook brand by using emails that look like they're coming from Facebook Ads Manager. The idea is to lure victims into coughing up credentials and credit card information on a Facebook lead generation form.

According to a Tuesday report by the security research team at Avanan, attackers are sending phishing messages that appear to be urgent warnings from Meta's "Facebook AdManager" team. The messages claim the victim is not complying with the company's ad policies and that the ad account will be disabled if the target doesn't appeal the phony violation.

    

The Facebook Ads phishing message. Source: Avanan

The "appeal form" link leads to a credential harvesting site that uses a real Facebook lead-generation form to collect passwords and credit card information.

**Abusing the Facebook Ads System**

An interesting aspect to the campaign is that rather than using a harvesting site hosted on a sketchy IP somewhere, attackers are gaming the Facebook ads system to create lead-generation forms with malicious intent. Doing so kills two birds with one stone: First of all, it fools a lot of automated checks for malicious links used by email platforms. Using legitimate sites is what the Avanan team refers to as the Static Expressway.

"Hackers are leveraging sites that appear on static Allow Lists," explained Jeremy Fuchs, cybersecurity researcher for Avanan, in the report. "That means that email security services have broadly decided that these sites are trustworthy, and thus anything related to them comes through to the inbox."

Additionally, using Facebook Ads forms also offers a high degree of verisimilitude for any of the eight billion advertising users that Facebook works with who are already familiar with the Ads Manager platform and the lead-generation forms it produces.

"For the end user, seeing that their Facebook ad account has been suspended is cause for concern," Fuchs said. "Since it’s a legitimate Facebook link, the user would feel confident continuing on."

**Tell-Tale Signs of 'Brandjacking'**

Fuchs wrote that while the sites used in this credential harvesting campaign appeared to be legitimate, there is a red flag in the phishing messages they uncovered: Typically, these are coming from Outlook accounts such as \[email protected\]look.com.

Additionally, the physical address footer in the emails are wrong. But if users didn't notice these details, they could easily be foiled by this ploy.

According to research released earlier this year, brand impersonations, or brandjackings, like these increased by 274% last year as attackers continue to peddle their scams by looking like they come from reliable sources. Facebook is a particular favorite among phishers to impersonate. A report released by Vade this spring found Facebook was the No. 1 impersonated brand last year, edging out perennial favorite Microsoft for the top spot.

According to Abnormal Security research detailing data from the first half of 2022, email attacks increased by 48% in that timeframe, with more than 1 in 10 attacks impersonating well-known brands. Some 256 individual brands were impersonated, with LinkedIn and Microsoft appearing to be the favorites so far in 2022.

Cyberattackers Abuse Facebook Ad Manager in Savvy Credential-Harvesting Campaign

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Avast ye! Come up with a cybersecurity-themed caption for the cartoon, above, and if it's Dark Reading editors' favorite, you'll win a $25 Amazon gift card. We offer four convenient ways for you to submit your security-related ideas before the contest closes on Wednesday, Oct. 12, 2022:

*   Email _\[email protected\]_ with the subject line "Dark Reading September Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

**Last Month's Winner**

Congrats, Brian N., because a $25 Amazon gift card is heading your way. The infosec pro's clever caption for last month's "Vicious Cycle" cartoon contest appears below:.

    

Thanks to all who played!

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Shiver Me Timbers!

Siemplify veterans introduce Cloud Security Orchestration and Remediation platform, backed by high-profile investors including YL Ventures, Tiger Global, and CEOs of CrowdStrike and CyberArk

**TEL AVIV, Israel - September 13, 2022** -- Opus Security, a Cloud Security Orchestration and Remediation startup, today announced $10 million in seed funding led by YL Ventures with participation from Tiger Global and renowned security executives and serial entrepreneurs, including George Kurtz, co-founder, CEO and President of CrowdStrike; Udi Mokady, co-founder, Chairman and CEO of CyberArk; Dan Plastina, former Head of AWS Security Services; Oliver Friedrichs, co-founder and former CEO of Phantom Cyber, acquired by Splunk; and Alon Cohen, co-founder and former CTO of Siemplify, acquired by Google Cloud, among others.

Opus, the first holistic solution for managing and orchestrating cloud security response and remediation processes, was founded by experienced security professionals, Meny Har, CEO and Or Gabay, CTO, who were part of the founding team and leadership of SOAR pioneer Siemplify (acquired by Google). Customers expressed an acute need for a new security orchestration platform that can empower cloud security teams to reap the value of automation, gain control and lead remediation efforts across the entire organizational cloud environment using best practices and proven methodologies that can be implemented instantly, cutting down the time from detection to mitigation and conserving valuable resources.

“Organizations should not have to prioritize security over business continuity, and already strained SecOps teams are ill-equipped to handle the nuanced decisions demanded of them,” said Dan Plastina, former Head of Security Services at AWS. “Opus’ founders have built a platform that cloud-native security leadership demands — maximizing cloud security automation while retaining and enhancing business benefits.”

In recent years, revolutionary cloud security solutions created a higher level of visibility into potential threats. With more findings and more visibility, security operations had to expand from detection and response, and venture into risk reduction. This expansion and the shift-left mindset necessitated the involvement of a growing number of stakeholders across the organization, including security teams, DevOps/application teams and business owners.

Lacking comprehensive tools, built-in automation, or streamlined processes to remediate risk, security teams are left with manual, time-consuming processes and no clear understanding of who owns this risk, who can mitigate it, when automation is “safe” and how they should delegate tasks accordingly, leaving numerous gaps unresolved.

“When it comes to cloud response and remediation, we’re still stuck with ad-hoc techniques developed on the fly,” said Srinath Kuruvadi, Head of Cloud Security at Netflix. “There is a huge opportunity to bring context-aware standardization to cloud automation that appeals to SecOps and DevOps teams, with precise risk reduction metrics. Opus’ founders have the right skills and an extensive background in SOAR-like technologies to tackle this important space.”

Aware of the concerning challenges and skill gaps in cloud security, Opus is set to transform the way response and remediation are done in the cloud. Opus has built a singular, overarching platform that connects existing cloud and security tools and relevant stakeholders, and orchestrates the entire response and remediation process across all organizational environments based on tried-and-tested, easily deployed guidelines and playbooks. Leveraging automation to the highest degree, Opus knows when sensitive issues demand human involvement and allows automation to resolve the rest. With instant visibility and mapping of remediation metrics, Opus removes blind spots and provides security and business executives with immediate and tangible insights into the state of their risk.

“The massive transition to the cloud has created a need for a new and different type of security orchestration platform, one that minimizes organizational risk and excels at leveraging the countless automation opportunities in the cloud,” said Meny Har, co-founder and CEO of Opus. “The growing number of stakeholders that are now an inherent part of the security operations process should be connected and working together to reduce risk.”

“The proliferation of cloud-focused security solutions has dramatically raised organizational awareness to the scope of their risk surface,” said John Brennan, Senior Partner at YL Ventures. “While visibility in the cloud has greatly improved, customers now express the need for a dedicated solution to address the drastically increasing number of alerts. I cannot imagine a better convergence of an expert team solving a market-wide problem that they understand intimately. Meny and Or have leveraged their unique experience at Siemplify to build the industry’s first cloud-native remediation orchestration and automation platform.”

For more information on how to reimagine your remediation efforts in the cloud, go to opus.security.

**Additional Quotation**

“The shift-left trend has necessitated a revised approach to remediation,” said Gerhard Eschelbeck, former CISO at Google. “Organizations need to bridge skill and resource gaps and create an orchestrated, automated alignment process across all teams. Traditional manual tasks and friction between teams result in heightened risk and jeopardize business continuity.”

**About Opus Security**

Opus is a singular, overarching Cloud Security Orchestration and Remediation platform, transforming the way remediation is conducted in the cloud. Opus empowers cloud security teams to see beyond alerts and threats and gain control, knowledge, and capabilities to resolve them. Opus integrates with existing security tools and orchestrates the entire remediation process across all stakeholders and organizational environments, based on tried-and-tested, easily deployed guidelines and playbooks. Leveraging selective automation, Opus knows when sensitive issues demand human involvement and allows automation to resolve the rest, cutting down the time from detection to mitigation and conserving valuable resources. Finally, Opus provides security and business executives with immediate and tangible insights based on remediation metrics, with comprehensive visibility into the state of their risk. For more information on how to reimagine your remediation in the cloud, visit opus.security.

**About YL Ventures**

YL Ventures funds and supports brilliant Israeli cybersecurity entrepreneurs from seed to lead. Based in Silicon Valley and Tel Aviv, YL Ventures manages five funds with $800M in total assets under management. The firm accelerates the evolution of portfolio companies via a powerful network of Chief Information Security Officers, global industry leaders and a dedicated team of experts, providing tailored guidance and hands-on support on all critical company-building domains. The firm's track record includes investments in Israeli cybersecurity unicorns such as Axonius and Orca Security, as well as successful, high-profile portfolio company acquisitions by major corporations including Palo Alto Networks, Microsoft, CA and Proofpoint. For more information, visit ylventures.com.

Opus Security Emerges from Stealth with $10M in Funding for Cloud SecOps and Remediation Processes

*   _Significant Number of Businesses Experienced Permanent Data Loss_
*   _Businesses Unable to Maintain Business Continuity after Losing Data_
*   _Risk to Businesses as Disaster Recovery Plans Aren't Updated, Tested, and Well Documented_

Eden Prairie, MN – September 13, 2022 – Arcserve, the world's most experienced provider of backup, recovery and immutable storage solutions for unified data resilience against ransomware and disasters, today announced key findings from its annual independent global research study that showed the loss of critical data continues to disrupt businesses and remain an issue for organizations. In the research study of experiences and attitudes of IT decision makers (ITDMs), 76% of respondents reported a severe loss of critical data in their organization. Of that number, 45% had permanent data loss. Data is a priceless commodity, and these findings underscore the importance of building data resilience with a robust data backup and recovery plan with data integrity at the core to prevent severe business disruptions.

The research study also found that many organizations could not maintain business continuity on time once data was lost or compromised. It is vital for businesses to quickly recover data, especially in today's always-on world.

*   83% of respondents said that 12 hours or less is an acceptable level of downtime for critical systems before there is a measurable negative business impact. Still, only 52% could recover from a severe data loss in 12 hours or less.
*   29% of the businesses surveyed couldn't recover data for one day or more.

The research results also revealed that a new approach to disaster recovery is needed. Organizations should continuously update, test, and document their disaster recovery plan to build data resilience. The importance of protecting and recovering data should also be elevated to all company levels with specific goals.

*   95% of respondents in the survey said their company has a disaster recovery plan. However, only 24% have a mature plan that is well documented, tested, and updated.
*   83% said their organizations include data resilience in their strategies. Still, only 23% have a mature approach with associated goals to track progress.

Said Florian Malecki, executive vice president, marketing at Arcserve: "Our annual survey reinforces the business imperative for organizations to implement a data resilience strategy that incorporates mature data backup and disaster recovery plans. We live in a world of growing ransomware attacks and frequent natural disasters. Any downtime from data loss can be destructive for a business from impacting sales to losing customer loyalty." He continued: "Arcserve aims to help businesses avoid costly business disasters and reputational damage from data loss with our best-in-class unified data resilience solutions suite. Our backup and recovery solutions, and immutable storage offering, ensure a near-zero impact on businesses."

**About the research conducted by Dimensional Research:** 1,121 IT decision-makers completed the survey. All participants had a budget or technical decision-making responsibility for data management, data protection, and storage solutions at a company with 100 - 2,500 employees and at least 5 TB of data. The survey was fielded in Australia, New Zealand, Brazil, France, Germany, India, Japan, Korea, the United Kingdom, the United States, and Canada (North America).

**About Arcserve**  

Arcserve, a top 5 data protection vendor and unified data resilience platform provider, offers the broadest set of best-in-class solutions to manage, protect, and recover all data workloads, from SMB to enterprise, regardless of location or complexity. Arcserve solutions eliminate complexity while bringing best-in-class, cost-effective, agile, and massively scalable data protection and certainty across all data environments. This includes on-prem, off-prem (including DRaaS, BaaS, and Cloud-to-Cloud), hyper-converged, and edge infrastructures. The company's nearly three decades of award-winning IP, plus a continuous focus on innovation, means that partners and customers, including MSPs, VARs, LARs, and end-users, are assured of the fastest route to next-generation data workloads and infrastructures. A 100% channel-centric organization, Arcserve has a presence in over 150 countries, with 19,000 channel partners helping to protect 235,000 customers' critical data assets. Explore more at arcserve.com and follow @Arcserve on Twitter.

Arcserve Independent Global Study Finds Businesses Still Losing Mission-Critical Company Data

The ransomware gang has been seen exploiting a Mitel RCE flaw discovered in VoIP devices in April (and patched in July) to perform double-extortion attacks.

A ransomware gang has been seen using a unique initial-access tactic to exploit a vulnerability in voice-over-IP (VoIP) appliances to breach corporate phone systems, before pivoting to corporate networks to commit double-extortion attacks.  

Researchers from Artic Wolf Labs have spotted the Lorenz ransomware group exploiting a flaw in Mitel MiVoice VoIP appliances. The bug (tracked as CVE-2022-29499) was discovered in April and fully patched in July, and is a remote code execution (RCE) flaw affecting the Mitel Service Appliance component of MiVoice Connect.

Lorenz exploited the flaw to obtain a reverse shell, after which the group leveraged Chisel, a Golang-based fast TCP/UDP tunnel that’s transported over HTTP, as a tunneling tool to breach the corporate environment, Arctic Wolf researchers said this week. The tool is "mainly useful for passing through firewalls," according to the GitHub page.

The attacks show an evolution by threat actors to use "lesser known or monitored assets" to access networks and perform further nefarious activity to avoid detection, according to Arctic Wolf.

"In the current landscape, many organizations heavily monitor critical assets, such as domain controllers and web servers, but tend to leave VoIP devices and Internet of Things (IoT) devices without proper monitoring, which enables threat actors to gain a foothold into an environment without being detected," the researchers wrote.

The activity underscores the need for enterprises to monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices, researchers said.

Mitel identified CVE-2022-29499 on April 19 and provided a script for releases 19.2 SP3 and earlier, and R14.x and earlier as a workaround before releasing MiVoice Connect version R19.3 in July to fully remediate the flaw.

**Attack Details**

Lorenz is a ransomware group that has been active since at least February 2021, and, like many of its cohorts, performs double extortion of its victims by exfiltrating data and threatening to expose it online if victims don't pay the desired ransom in a certain time frame.

Over the last quarter, the group has primarily targeted small and medium businesses (SMBs) located in the United States, with outliers in China and Mexico, according to Arctic Wolf.

In the attacks that researchers identified, the initial malicious activity originated from a Mitel appliance sitting on the network perimeter. Once establishing a reverse shell, Lorenz made use of the Mitel device’s command line interface to create a hidden directory and proceeded to download a compiled binary of Chisel directly from GitHub, via Wget.

Threat actors then renamed the Chisel binary to "mem," unzipped it, and executed it to establish a connection back to a Chisel server listening at hxxps\[://\]137.184.181\[.\]252\[:\]8443, researchers said. Lorenz skipped TLS certificate verification and turned the client into a SOCKS proxy.

It's worth noting that Lorenz waited nearly a month after breaching the corporate network to conduct additional ransomware activity, researchers said. Upon returning to the Mitel device, threat actors interacted with a Web shell named "pdf\_import\_export.php." Shortly thereafter, the Mitel device started a reverse shell and Chisel tunnel again so threat actors could jump onto the corporate network, according to Arctic Wolf.

Once on the network, Lorenz obtained credentials for two privileged administrator accounts, one with local admin privileges and one with domain admin privileges, and used them to move laterally through the environment via RDP and subsequently to a domain controller.

Before encrypting files using BitLocker and Lorenz ransomware on ESXi, Lorenz exfiltrated data for double-extortion purposes via FileZilla, researchers said.

**Attack Mitigation**

To mitigate attacks that can leverage the Mitel flaw to launch ransomware or other threat activity, researchers recommend that organizations apply the patch as soon as possible.

Researchers also made general recommendations to avoid risk from perimeter devices as a way to avoid the pathways to corporate networks. One way to do this is to perform external scans to assess an organization's footprint and harden its environment and security posture, they said. This will allow enterprises to discover assets about which administrators may not have known so that they can be protected, as well as help define an organization's attack surface across devices exposed to the Internet, researchers noted.

Once all assets are identified, organizations should ensure that critical ones are not directly exposed to the Internet, removing a device from the perimeter if it doesn't need to be there, researchers recommended.

Artic Wolf also recommended that organizations turn on Module Logging, Script Block Logging, and Transcription Logging, and send logs to a centralized logging solution as part of their PowerShell Logging configuration. They also should store captured logs externally so that they can perform detailed forensic analysis against evasive actions by threat actors in the case of an attack.

Source

DARKReading