Vectra offers a free of charge security assessment for your cloud tenant.

SAN JOSE, Calif. , June 1, 2022 /PRNewswire/ -- Vectra AI, a leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises, today announced the launch of Vectra Protect, a posture management tool designed to discover and mitigate security risks in Microsoft 365 (M365). Vectra Protect combines 50,000+ hours of expert research and development with automation to analyze an organization's M365 security posture and provide customized implementation plans to remediate risk. To ensure all organizations, regardless of security staffing or resources, can have access to the solution, Vectra is extending a free sign-up for an Azure Active Directory scan until September 30, 2022.

With the accelerated use of M365 collaboration tools, which now have over 270 million users, cyber attackers are actively targeting access management tools like Azure AD to enter other SaaS tools and enterprise network assets. They then establish a foothold to launch ransomware attacks, steal intellectual property and gain unauthorized access to sensitive user data. With its scanning engine, Vectra Protect combines insights from the M365 Graph API with PowerShell module data to provide a truly holistic view into the integrity of every identity in an organization's M365 environment. As the only scan designed to uncover identity security issues in M365, Vectra Protect provides organizations with:

*   **Quick, actionable remediation insights:** With its multi-stage methodology, the scan provides organizations with actionable results within hours. Rather than hindering the security team with more alerts, the scan creates a comprehensive risk mitigation map that provides a path to implementation with clear guidance on risk and operational impact.
*   **Tailored cloud support:** Organizations can gain insight into the severity of vulnerabilities, material changes to their configuration state, the operational impact of the required solution, and the steps for remediation aligned to their applicable industry standards and regulatory requirements.
*   **Configuration correction and compliance:** Vectra Protect delves deep into the configuration complexities of M365, highlighting misconfigurations with clear context to guide companies to complete risk resolution and provide security teams with the proof they need to show their policies are effective and compliant.
*   **Confidence in collaboration:** By understanding areas where risks and configuration issues persist, organizations can fulfill the promises of cloud technology without creating unmanaged risk. Organizations can gain efficiencies in implementing and using SaaS tools like M365 by eliminating default settings and aligning operations, information technology, security, and audit teams on security priorities.

"Azure AD has become a large attack vector as cybercriminals look to exploit the lack of security controls and solutions currently available for the tool," said Aaron Turner, CTO of SaaS Protect at Vectra AI. "Organizations must understand that Microsoft's default security settings are not specifically tailored to their business operations or industry, which introduces waves of unnecessary risk. Combining this with the constant changes in M365, both internally and externally, leaves a host of potential vulnerabilities and configuration issues that organizations are responsible for correcting. Vectra Protect helps unravel this complexity to deliver the visibility and assurance organizations need to protect these essential business tools."

The free Vectra Protect for Azure AD scan, a value up to $50,000, will be readily available to any M365 customer operating in any M365 environment\*. The scan focuses on a common foothold for unauthorized access and risk: access management in the active directory. Turner will be showcasing the technology and enumerating how to protect the M365 tenant and hunt for threats during RSAC 2022 in San Francisco, CA. You can register for his session here.

For more details about Vectra Protect for Azure AD and to request a free scan, please visit: https://www.vectra.ai/azure-ad-scan

\*Exclusions apply.

**About Vectra AI  
**Vectra® is a leader in cyber threat detection and response for hybrid and multi-cloud enterprises. The Vectra platform uses AI to detect threats at speed across public cloud, identity, SaaS applications, and data centers. Only Vectra optimizes AI to detect attacker methods—the TTPs at the heart of all attacks—rather than simplistically alerting on "different". The resulting high-fidelity threat signal and clear context enables cybersecurity teams to respond to threats sooner and to stop attacks in progress faster. Organizations worldwide rely on Vectra for cybersecurity resilience in the face of dangerous cyber threats and to prevent ransomware, supply chain compromise, identity takeovers, and other cyberattacks from impacting their businesses. For more information, visit vectra.ai.

Help Organizations to Mitigate Risk in Microsoft 365 with 'Vectra Protect'

Rising threat of data breaches and ransomware attacks drives need for complete and accurate real-time information about devices and their risks.

ANTA CLARA, Calif., June 1, 2022 /PRNewswire/ -- Ordr has raised an additional $40 million to meet the growing need for organizations to understand, manage, and secure the growing number of connected devices in their environment, including Internet of Medical Things (IoMT), Internet of Things (IoT), and Operation Technology (OT). The funding round was co-led by Battery Ventures and Ten Eleven Ventures, with participation from new investor Northgate Capital and continuing investors Wing Venture Capital, Unusual Ventures, Kaiser Permanente Ventures, and Mayo Clinic. Other investors in Ordr's Series C include Silicon Valley entrepreneurs René Bonvanie, former CMO of Palo Alto Networks, Dan Warmenhoven, former Chairman and CEO of NetApp, and Dominic Orr, former Chairman and CEO of Aruba Networks. With this funding, Ordr has raised more than $90 million to date.

Ordr addresses two key enterprise initiatives associated with a growing reliance on and adoption of connected devices: **digital transformation** and **Zero Trust**. Each new device connection increases an organization's attack surface, along with the potential for a breach or ransomware attack. In industries such as healthcare and manufacturing, a cyberattack impacting an IoT device can easily disrupt the entire business or become a life-threatening situation. For organizations to move quickly from "detection" to "response" requires insights into the compromised device, where it's located, and what policies can be applied.

Ordr has raised an additional $40 million in Series C funding.

Ordr offers complete and accurate asset visibility, automates and enforces Zero Trust policies, and accelerates incident response by hours with insights into devices and risks. As a result, Ordr experienced more than **140% year-over-year growth** in new customer revenue in its most recent quarter ending on March 31, 2022, is **deployed in 3 of the world's top 6 hospitals**, and has been adopted across more than **150 manufacturing sites**.

"Ordr has built a platform that not only solves an important market issue - the need to definitively understand and protect what is connecting to your organization's network - but is truly scalable to keep pace with the speed of today's businesses. We've worked with Ordr's team and seen firsthand how well they've executed against aggressive goals. This additional funding will accelerate Ordr's market leadership and success in the market," said Dharmesh Thakker, general partner at Battery Ventures.

"We believe the connected device security market needs a strong, open, and independent player that prioritizes customer success, focuses on time-to-value, and integrates with all the key components of a customer's security and network infrastructure. This funding validates our best-in-class approach and solidifies our leadership in the market," said Greg Murphy, Ordr CEO.

Ordr plans to use the Series C funding to accelerate its sales and marketing efforts, especially in vertical markets such as **healthcare**, where the company has been named a market leader in the Healthcare IoT security industry by analyst firm KLAS Research for three consecutive years. The company will also look to further capitalize on steadily increasing demand from **manufacturing and financial services**, expand its channel and partnership programs, and accelerate investments in customer success.

"In order to advance their digital transformation goals, every organization needs to enable the visibility and security of connected devices, including IoT, IoMT, and OT. Ordr is a much-needed innovator in the market, with the ability to not only deliver granular visibility into devices, risks, and behaviors, but also automate and enforce Zero Trust policies to secure these devices from attacks," said Justin Stebbins, partner, Northgate Capital.

"As an early investor in the company, I have witnessed Ordr's impressive product evolution and growing traction within critical sectors, including healthcare, manufacturing, education, and extended enterprise IoT. They have developed one of the most scalable and technically robust platforms in the market, and some of the world's leading organizations depend on it to fulfill important security needs and deliver business insights. The time is right to accelerate the company's mission to be the leader in connected device security. We believe in their success and look forward to the next chapter." said Alex Doll, Founder and Managing Partner of Ten Eleven Ventures.

Since its last round of funding, Ordr has experienced tremendous growth, coinciding with an increased understanding of the organizational risk represented by unknown connected devices. Some additional highlights since the last funding round include:

*   Named a KLAS Research Healthcare IoT Security Market Leader for an unprecedented three years in a row.
*   Named a Representative Vendor in the 2022 Gartner Market Guide for Medical Device Security Solutions for the second year in a row.
*   Continued product innovation and market leadership in the healthcare industry with the launch of Clinical Defender, streamlining management of connected medical devices.
*   Enhanced the company's integrations with Cisco, making it even easier for Cisco customers to roll out Ordr across their network environments.
*   Launched the Ransom-Aware Rapid Assessment to help companies quickly and accurately assess their ransomware risks.
*   Successfully achieved SOC2 compliance to keep customer data secure.

"Data privacy and security are imperative IT initiatives within the healthcare industry with connected device security in particular as a critical need given the increase in connected devices in health care facilities. Kaiser Permanente Ventures is pleased to continue its investment in Ordr as a key technology leader in this space, to help protect connected devices automatically, preemptively and at scale across the enterprise," said Chris Stenzel, executive managing director, Kaiser Permanente Ventures.

Continuing the momentum of the past year, Ordr today also strengthened its executive team with the addition of Paul Davis as the company's new vice president of customer success. Paul has decades of experience in customer-facing roles at Axis Security, Splunk, Cisco, and other leading organizations. At Ordr, he will be responsible for managing customer relationships and ensuring the successful implementation and use of Ordr technology.

**About Ordr**

Ordr makes it easy to secure every connected device, from traditional IT devices to newer and more vulnerable IoT, IoMT, and OT. Ordr Systems Control Engine uses deep packet inspection and advanced machine learning to discover every device, profile its risk and behavior, map all communications and protect it with automated policies. Organizations worldwide trust Ordr to provide real-time asset inventory, address risk and compliance and accelerate IT initiatives. Ordr is backed by top investors including Battery Ventures, Wing Venture Capital, Ten Eleven Ventures, Northgate Capital, Kaiser Permanente Ventures, and Unusual Ventures.

For more information, visit www.ordr.net and follow Ordr on Twitter and LinkedIn.

SOURCE Ordr

Ordr Secures $40 Million in Series C Funding to Answer Increased Demand for Connected Device Security

EZ-NAS also provides add-on data backup, cloud connector and ransomware anomaly detection.

Sunnyvale, Calif., June 1, 2022 – StorCentric, a data-centric security company, offering a comprehensive portfolio of secure data management solutions, today announced the general availability (GA) launch of Nexsan EZ-NAS, network attached storage (NAS). Featuring an easy to configure 1U form factor and four drives with up to 72 TB of raw capacity and 1.5 GB/s of throughput, the new EZ-NAS array is ideal for small and medium sized businesses (SMBs) and large enterprises’ edge deployments.

The Nexsan EZ-NAS platform delivers advanced enterprise-class features such as in-line compression, AD support and data-at-rest encryption. EZ-NAS also comes with the Retrospect software for optional add-on services, including data backup, cloud connector and ransomware anomaly detection.

“The new Nexsan EZ-NAS product stands apart from every other solution in its class because of its ease of use, functionality, and price point,” said Rommel Caparanga, Technology Director, TIM Engineering Systems Solutions Corporation. ”This platform is what our customers have been asking for as a solid NAS solution to accommodate current and future data management needs. Further, the reliability of the brand speaks for itself.”

“The new EZ-NAS, which delivers Nexsan’s award-winning enterprise storage in a form factor and at a price ideal for SMBs and edge use cases, is the perfect fit for many data center applications such as edge repositories, digital video and media workflows, as well as video surveillance deployments,” said Surya Varanasi, CTO, StorCentric. “EZ-NAS can also protect high-value data from the unexpected, as a file backup target. With the optional Retrospect software license, the EZ-NAS enables secure backups, data sharing and disaster recovery use cases.”

To learn more about the Nexsan EZ-NAS, please visit: nexsan.com/ez-nas.

Tweet this: @StorCentric Launches EZ-NAS - Network-Attached Storage for SMBs and Enterprise Edge Deployments https://www.nexsan.com/nexsan-news-and-press/ #Affordable #Easy #Management #NAS #Data #Backup #DataServices

**About Nexsan**

Nexsan® is a global enterprise storage leader, enabling customers to securely store, protect and manage business data. Established in 1999, Nexsan has earned a strong reputation for delivering highly reliable and cost-effective storage while remaining agile to deliver purpose-built storage. Its unique and patented technology addresses evolving, complex enterprise requirements with a comprehensive portfolio of unified storage, block storage and secure data protection. Nexsan is transforming the storage industry by turning data into a business advantage with unmatched security and compliance standards. It is ideal for a variety of use cases including Government, Healthcare, Education, Life Sciences, Media & Entertainment, and Call Centers. Nexsan is part of the StorCentric family of brands. For further information, please visit: www.nexsan.com.

**About StorCentric**

StorCentric provides world-class, award-winning, and data security-focused data management solutions. The company has shipped over 1 million storage solutions and has won over 100 awards for technology innovation and service excellence. StorCentric innovation is centered around customers and their specific data requirements, and delivers quality solutions with unprecedented flexibility, data protection, high-performance and expandability. For further information, please visit: www.storcentric.com.

StorCentric Launches Nexsan EZ-NAS -Network-Attached Storage for SMBs and Enterprise Edge Deployments

AI and ML are important SecOps tools, but human involvement is still required.

Artificial intelligence (AI) can be used to enhance the efficiency and scale of SecOps teams, but it will not solve all your cybersecurity needs without the need for some human involvement — at least, not today.

Most commercial AI successes have been associated with supervised machine learning (ML) techniques specifically tuned for prediction tasks that yield business value. These use cases for ML, such as spoken language understanding for your smart-home assistant and object recognition for self-driving cars, make use of vast amounts of labeled data and computation required to train complex deep learning models. They also focus on solving problems that barely change. This is in contrast to cybersecurity, where we rarely have the millions of examples of malicious activity needed to train deep learning models, and we face intelligent adversaries that frequently change their tactics to try to outmaneuver our latest detection capabilities, including those using ML.

In addition, the digital exhaust from human behavior in enterprise environments is extremely hard to predict. Anomalies in these systems are common and very rarely represent malicious threat actor behavior. It is therefore unreasonable to expect that unsupervised anomaly detection can be used to learn about an enterprise environment’s normal behavior and be able to generate meaningful alerts about malicious activity without creating false alarms on unusual but benign events.

Finally, the degree of data imbalance in threat detection is unlike many other use cases for ML. Imagine for a moment that you are a midsize to large enterprise collecting 1 billion potentially security-relevant telemetry events per day and expect to find one incident worth seriously investigating. Nobody wants to lose the ransomware lottery and have their business grind to a halt with the potential for even worse reputational damage by missing that one security incident. However, if you build an ML-based threat detector processing each event by itself that is 99.9% accurate, you would be searching for that one true positive in a sea of 1 million false positives. Conquering this data imbalance requires significant expertise and a multipronged detection strategy.

Despite these challenges, there are ways for SecOps teams to leverage the technical power of AI/ML to gain operational efficiencies. The following principles should be considered when doing so.

**1\. Symbiotic Humans and Machines Work Better Together**

Consider ML a complement to human intelligence rather than a substitute for it. In the context of complex systems, especially when combatting intelligent adversaries that adapt quickly, automation will deliver the greatest value with active learning at its core. Humans should regularly review the results of ML-based systems, provide feedback, add additional examples of new malicious behaviors, retune the models, and constantly iterate. Anyone who has ever had to face an intelligent adversary, whether it be in cyberspace or in combat, should be familiar with the OODA loop, developed by US Air Force Colonel John Boyd. It has many similarities to active learning techniques that can be exceptionally useful in ensuring that automatable decisions made in each loop are using the best insights, optimizing the utility of manual analysis performed in some loops, and scaling it to assist in processing more loops than humanly possible.

**2\. Pick The Right Tool for the Job**

You do not have to become an AI expert to make good AI-related decisions for your team, but you should be reasonably informed about the basics to ensure that you are picking the right tool for the job.

First, it is important to know the difference between anomalous and malicious behaviors because they are rarely the same and require very different techniques when it comes to detection. The former is easy to discover with unsupervised anomaly detection that does not require labeled training data, but the latter requires supervised learning that typically requires many historical examples.

Second, alerts with a high signal-to-noise ratio are critical for SecOps teams, and you need to fully understand the downstream effects of any probabilistic system that will not be 100% accurate.

Finally, while nearly every ML technique has been applied to cybersecurity, it is still important to have thousands of signatures from threat intelligence that operate like a minefield of trip wires. When constantly tuned by an expert team of security researchers, signatures provide a critical baseline for detecting known threats that needs to be a part of every security program for the foreseeable future.

**3\. Use AI Where It Can Be Most Successful**

It is ironic that many cybersecurity professionals who might trust AI to drive their car are skeptical about AI executing remedial containment actions. Automated action, after all, is one of the best ways to make your SecOps team more efficient. Automation frees the creative human mind from getting bogged down in time-consuming operational tasks — which are right in AI's wheelhouse. ML is useful in detecting advanced threats, especially when you can aggregate evidence, and it is also useful when prioritizing alerts from a variety of detectors that may come from different systems. AI can automate low-risk containment actions, such as quarantining suspicious files or requiring users to re-authenticate, which can dramatically increase your SecOps efficiency and lower your cyber-risk.

With all that said, AI/ML cannot be your only cybersecurity strategy — at least, not in 2022. When you are searching for important needles in immense haystacks, the most effective strategy still comes from pairing machine intelligence with the human intuition of expert analysts.

Distinguishing AI Hype From Reality in SecOps

SAN DIEGO, May 31, 2022 /PRNewswire/ -- ESET, a global leader in cybersecurity, has announced a new suite of products for the Telecommunications and Internet Service Provider (Telco and ISP) industry, with the aim of offering extensive protection to consumers. Cybercrime is a borderless problem and ESET telemetry shows that the volume of cyberattacks is increasing, with a trend toward attacks against smartphones. ESET's newly launched NetProtect suite ensures that service providers and their end users have the tools they need to combat these advanced and evolving mobile threats.

**About the new ESET NetProtect products  
**The new offering includes ESET NetProtect for Mobile and ESET NetProtect for Mobile Advanced, which offer security via mobile networks, and ESET NetProtect for Home Advanced, which helps secure fixed network connections. These solutions protect customer devices connected to Telco and ISP networks (fixed or mobile) against malicious web domains or domain categories such as malware, phishing and potentially unwanted content. With ESET NetProtect Advanced (fixed or mobile), parents also have full control of their children's filters through Web Content Filter. The management portal for end users allows them to manage the ESET NetProtect settings of their connected devices, manage their domain whitelists and blacklists, and generate security reports, giving users an insight into how ESET protects their devices as well as summary information about detected threats, blocked webpages and more.

Thanks to easy integration into Telco and ISP network services and existing activation processes, network-level solutions do not require any software installation on end user devices, and are compatible with both Android and iOS. The solutions are provided as a one-click service activation from the users' trusted internet provider and automatically provide protection to any connected device. Security tailored to customers' needs is ensured by offering robust local customer and partner support coverage along with comprehensive protection that is a step ahead of online threats via ESET's first access to a unique set of malware detected and pooled at a worldwide network of research and development centers.

"We are thrilled to launch this new suite of advanced cybersecurity products designed for service providers and their customers, which represents a critical threat vector for bad actors," said Brent McCarty, President of ESET North America. "At ESET, we always develop products with our customers in mind, and with our ESET NetProtect offering we have created an easy-to-use and elegant solution not only for the industry leaders in the Telco and ISP sector, but for the consumers who are the actual end users of our products."

For more than 30 years, ESET has invested heavily in multiple layers of proprietary technology that prevent breaches of its customers' endpoints and systems, by both known and never-before-seen threats. These products are informed by world-class threat analysis and expertise from the company's global research team. With a presence in over 200 countries worldwide and 13 research and development centers around the world, ESET offers its over 400,000 business customers peace of mind that their interests are protected at all times. ESET also helps protect the Google Play store and is trusted by millions of consumers around the world. To read more about the new offering for Telcos and ISPs or to contact the ESET team for more information, please click here.

**About ESET  
**For more than 30 years, ESET® has been providing enterprises across the globe with industry-leading IT security software and services, including endpoint detection and response, encryption and authentication, and comprehensive security services packages. With high-performing, easy-to-use solutions that cater to businesses of all sizes, ESET protects customers from increasingly sophisticated digital threats in an ever-evolving landscape. ESET delivers to the enterprise market the people, expertise, and cutting-edge technology required to keep businesses safe and running without interruption. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.

SOURCE ESET

ESET Launches NetProtect Suite of Advanced Cybersecurity Offerings for Telcos and ISPs

Researchers from Shadowserver recommend removing the servers from the Internet to shrink external attack surface.

Shadowserver researchers scanning the Internet for exposed MySQL servers said they received more than 2.3 million IPv4- and 1.3 million IPv6 addresses in response to their connection requests on port 3306/TCP, indicating the connected servers were wide open to attack. 

Of the more than 3.6 million exposed MySQL servers, most were located in the US, with more than 740,000; followed by China, with more than 296,000; and Poland, with more than 207,000 accessible devices.   

"It is unlikely that you need to have your MySQL server allowing for external connections from the Internet (and thus a possible external attack surface)," Shadowserver said in a post about the MySQL findings. "If you do receive a report on your network/constituency, take action to filter out traffic to your MySQL instance and make sure to implement authentication on the server."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

3.6M MySQL Servers Found Exposed Online

Industry veterans roll out end-to-end incident response services and innovative tech-enabled platform, following successful incubation.

PHILADELPHIA, May 31, 2022 /PRNewswire/ -- Surefire Cyber today launched as a new incident response company to help cyber insurers, brokers, law firms, and the organizations they support to better manage cyber events such as ransomware, email compromise, and other cybercrimes. The company also announced $10 million in Series A funding, led by Forgepoint Capital.

Industry veterans roll out end-to-end incident response services and innovative tech-enabled platform, following success

"Surefire Cyber's goal is to work with our clients and partners to swiftly manage a cyber incident and then bring forward capabilities to help them become more cyber resilient. Our delivery of end-to-end digital forensics and incident response capabilities is built on a tech-enabled framework and delivered through a platform that aligns and connects an organization's executives, technical team, insurance carrier, and legal counsel." said Billy Gouveia, the CEO and Founder of Surefire Cyber.

Mark Greisiger, President and Founder of NetDiligence®, comments that "Surefire Cyber is committed to being great partners to carriers, brokers, Breach Coaches®, and the clients they work together to support. We are pleased to welcome them as new contributors to the cyber insurance ecosystem who offer deep experience and a valuable perspective."

Given two long-term trends, the rising cost of cyber incidents and the growing adoption of cyber insurance, industry veterans created Surefire Cyber as a purpose-built response firm that leverages a proven team and a tech-enabled platform to improve transparency, accelerate decision making, reduce business interruption, and guide organizations from recovery through to long term resilience.

Surefire Cyber is backed by Forgepoint Capital, the world's most active early-stage venture capital firm focused on cybersecurity. Prior to launching Surefire Cyber, Gouveia joined Forgepoint as an Entrepreneur-in-Residence to incubate and develop the company's strategy, model, technology, and team while establishing valuable partnerships with companies across the firm's portfolio.

"Our support from Forgepoint Capital enabled us to bring aboard a highly-experienced team of skilled responders, to develop a tech-enabled solution for collaboration with clients and partners during a response, and to leverage the leading cyber venture firm's unmatched capabilities of over 30 portfolio companies so that our clients can better protect their data and defend their organizations," continued Gouveia.

"Surefire Cyber has brought together leading responders with hands-on experience in preparing for all aspects of a cyber incident, expertise to collaboratively guide clients and partners through high-stakes response events, and skill in helping organizations emerge stronger," said Don Dixon, Managing Director of Forgepoint Capital. "What Billy and team are building is truly unprecedented and serves a critical gap in the market."

To learn more, please visit www.surefirecyber.com.

**About Surefire Cyber**

Surefire Cyber delivers swift, strong response to cyber incidents such as ransomware, email compromise, malware, data theft, and other threats with end-to-end response capabilities. Surefire Cyber was founded to provide clients confidence by helping them prepare, respond, and recover from cyber incidents--and to fortify their cyber resilience after an incident. To learn more, please visit: www.surefirecyber.com or follow us on LinkedIn.

Breach Coach is a registered trademark of NetDiligence®.

**About Forgepoint Capital**

Forgepoint Capital is the most active cybersecurity venture capital firm in the world, with 36 active portfolio companies and the largest and most diverse team dedicated to investing in the sector. The firm brings over 100 years of proven company-building experience and its Advisory Council of more than 75 senior executives across industries to support entrepreneurs advancing innovation as they protect the digital future. Founded in 2015, Forgepoint has raised $770 million, deployed over $500 million, and empowered industry leaders such as 1Kosmos, Area 1 Security (Cloudflare), Attivo Networks (SentinelOne), BehavioSec (RELX), Bishop Fox, Cysiv, Huntress, IronNet Cybersecurity (NYSE: IRNT), Noname Security, NowSecure, ReversingLabs, Uptycs and more to reach their market potential. Learn more about Forgepoint at https://forgepointcap.com or follow us on LinkedIn.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Surefire Cyber Launches to Help Cyber Insurance Ecosystem from Response to Resilience, with $10 Million in Funding by Forgepoint Capital

"Follina" vulnerability in Microsoft Support Diagnostic Tool (MSDT) affects all currently supported Windows versions and can be triggered via specially crafted Office documents.

Attackers are actively exploiting an unpatched and easy-to-exploit flaw in the Microsoft Support Diagnostic Tool (MSDT) in Windows that allows for remote code execution from Office documents even when macros are disabled.

The vulnerability exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus, according to security researchers that have analyzed the issue.

Attackers can exploit the zero-day flaw — dubbed "Follina" — to remotely execute arbitrary code on Windows systems. Microsoft has warned of the issue giving attackers a way to "install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights." Researchers have reported observing attacks exploiting the flaw in India and Russia going back at least one month.

**Delayed Acknowledgement?**

Microsoft on Monday assigned the flaw a CVE identifier — CVE-2022-30190 — after apparently initially describing it as a non-security issue in April when crazyman, a security researcher with APT threat hunting group Shadow Chaser Group, first reported observing a public exploit of the vulnerability. Though the company's advisory described the flaw as being publicly known and actively exploited, it did not describe the issue as a zero-day threat.

In a May 30 blog post, Microsoft recommended that organizations disable the MSDT URL protocol to mitigate the issue and said it would provide more updates later without specifying when. Microsoft said the Protected View feature in Microsoft Office and the Application Guard for Office both would prevent attacks that try to exploit the flaw.

Microsoft did not respond to a Dark Reading query on whether it had initially described the issue as a non-security issue or when it might have first learned of the flaw. Instead, a spokeswoman pointed to Microsoft's Monday advisory as the only comment the company has on the issue at this time.

MSDT is a Windows support tool that collects and sends data from a user's system to Microsoft support staff so they can analyze and diagnose issues that a user might be encountering on their system. According to Microsoft, the vulnerability is triggered when an Office app like Word calls MSDT using the URL protocol. "An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application," the company noted.

**Multiple Exploits in the Wild**

Though the security researcher with the Shadow Chaser Group first notified Microsoft Security Response Center about the bug more than a month ago, the vuln only received broad attention over the weekend when a researcher spotted a malicious Word document attempting to exploit the issue. Security researcher Kevin Beaumont analyzed the document and found that it was using the remote template feature in Word to retrieve a HTML file from a remote Web server. The retrieved file in turn used the MS-MSDT URL protocol to load code for executing a PowerShell script. Beaumont discovered the document was executing code even with macros disabled. The security researcher found at least two other malicious Word documents in the wild attempting to exploit Follina going back to April.

Significantly, Beaumont and other researchers found that the attack technique allowed threat actors a way to bypass the "Protected View" mechanism in Office that alerts users about content downloaded from the Internet and requires an additional click from them to open. According to Malwarebytes, the warning can be bypassed simply by changing the document to a Rich Text Format (RTF) file. By doing so, code can run without the user even needed to open the document via the preview tab in Explorer, Malwarebytes said.

"RTF files are a special format that allows for documents to be previewed inside of Windows Explorer," says Jerome Segura, senior director of threat intelligence at Malwarebytes. "When that happens, Explorer will call out the msdt process which is being exploited without any warning or prompts," he says. In fact, the Preview pane is a risky feature because it enables zero-click attacks, Segura says. "We recommend users to disable it within Explorer as well as email clients like Outlook."

**Potentially Widespread Impact**

Johannes Ullrich, dean of research at the SANS Institute, says by itself the vulnerability in MSDT wouldn’t be a big deal. But the fact that it can be triggered via Microsoft Office is troubling. All that a user needs to do is to open a specially crafted Word document, or in some cases just previewing it to enable remote code execution, he says. This sets the stage for potentially widespread compromises especially considering that numerous exploits have been available in the wild for a month now.

"There are multiple scripts, examples and tutorials explaining how to exploit this vulnerability. Applying these techniques is easy, Ullrich says. He points to one malicious document to exploit Follina that SANS discovered recently, which purported to contain quotes for mobile phone prices from a reseller. The exploit worked though it appears to have been compiled by a relatively unskilled threat actor. "It appears to have been created by a novice attacker as it doesn't even remove some of the comments added to the malicious document," Ullrich says.  

He recommends that organizations immediately follow Microsoft's guidance and disable the MSDT URL protocol. "This will break the link between Office and the diagnostic tool," he says. Though the vulnerability in MSDT will still be present, it can no longer be triggered when opening a malicious document, he says. SANS recommends that organizations disable the Preview Pane in Windows Explorer.

Dray Agha, ThreatOps analyst at Huntress, which did a deep dive on the vulnerability, says attackers can use Follina to escalate privileges and travel across environments to create havoc. "Hackers can go from being a low-privilege user to an admin extremely easily," Agha says. "The vulnerability can be easily triggered by users simply choosing to “preview” a specifically crafted, maliciously supplied document. It’s that simple."

New Microsoft Zero-Day Attack Underway

With rising fraud, businesses are seeking authentication methods that are security- and user-friendly. But with that comes a few complications.

Pattie Dillon remembers a story from her time as a consultant before becoming product manager of antifraud solutions at SpyCloud. At that time, her call-center client used voice recognition technology to identify a caller who was pretending to be someone else.

"It was a little comical because it was a gentleman that was calling in trying to sound like a woman," Dillon recalls. "Coincidentally, they had had several of these phone calls from this same individual, and \[the software\] was actually able to find those voice patterns and identify it as the same person."

Biometric authentication, such as face ID, voice biometrics, fingerprints, or some combination thereof, is becoming an essential part of the cybersecurity toolbox as organizations try to block adversaries from taking over online accounts and to prevent fraud. However, companies must safeguard biometric data to prevent it from being exploited or stolen.

**How to Secure Biometric Data**

Though biometric authentication can be user-friendly, its critical flaw is that biometric data can't be updated once it is compromised, says Gerald Alston, associate partner and leader of the US security practice for Infosys Consulting. Passwords, PINs, and other identification methods can be replaced, but there's no way to replace a thumbprint, for example, once it is compromised, he says — which is another reason why protecting this type of data is so important.

Traditionally, IT and cybersecurity teams store images containing biometric data in one place after capturing them, but some are starting to explore tokenization. Tokenization is a process in which the images are divided and kept in different locations, reuniting them from their respective databases when the biometric authentication method is used, Alston explains. If an unauthorized intruder enters the system, they need to find where the other components of the biometric images are, but that only delays the inevitable breach, he says.

To better protect tokenized data, Alston suggest implementing a mature encryption key management system, instituting data discipline, and knowing where you currently use tokenization. In other words, make sure you have established processes and procedures for your encryption keys, stay abreast of where your data is, and understand what data you have tokenized and where it's stored, he says.

To that point, another issue to consider is where the data is stored. The FIDO Alliance describes how to securely gather, store, and transmit biometric samples between devices or servers, says Mitek Systems CTO Stephen Ritter. Instead of just saving the biometric image directly on the device or sending it to a central server, the FIDO approach generates a unique cryptographic key pair. When the device is set up for biometric authentication, the private key is saved on the device, usually in the device's secure enclave so that it can't be readily stolen by attackers. The public key is registered with the application or service. During authentication, the client device signs the action — by providing a fingerprint or taking a selfie, for example — with the private key to verify its validity. The secure enclave is designed to be protected space from the rest of the device, and its contents are not readily accessible from outside.

**Legal and Business Requirements**

Besides following industry guidelines, Ritter also recommends that IT and cybersecurity teams watch for data privacy regulations, including the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA), and the Biometric Information Privacy Act (BIPA) in Illinois.

BIPA contains rules for the retention, disclosure, collection, and destruction of biometric data. CCPA requires companies that collect consumers' personal information, including biometric data, to disclose and control the use of the data collected. The European Data Protection Board, which facilitates the consistent application of the GDPR, is soliciting public comments regarding the guidelines for law enforcement use of facial recognition.

"Whenever you are going to collect biometric data and you are going to use it for authentication, you need to be very clear to the user, before they sign up for that service, that that's what you're going to do. And you have to get their consent in writing," Ritter says.

Third-party vendors that handle outsourced biometric authentication are a centralized hub for "mountains of identity data," making them a ripe target for threat actors, Ritter says. Companies should evaluate vendors to ensure the data is secured properly to the extent they are comfortable. Mitek enters into data protection agreements with its clients, complies with ISO 27001 standards, generates System and Organization Controls 2 Type 2 reports, and offers source code reviews, he adds.

"It takes work to go and identify the right vendor and ensure that they have the right security and control in place, but that is almost always better than building these things on your own," Ritter says.

Biometric Data Offers Added Security —  But Don't Lose Sight of These Important Risks

New research finds a rise in TCP acknowledgement (ACK) DDoS attacks, which rely on a smaller amount of traffic to disrupt targets.

In terms of straight numbers, there were fewer distributed denial-of-service (DDoS) attacks in 2021, and the average size of attacks also dropped. But the fact that there were 13% fewer DDoS attacks in 2021 over the previous year is not a lot to cheer about when cybersecurity teams are still grappling with attack volumes far above pre-pandemic levels, according to new research.

Nexusguard analysts say that in 2021 the top DDoS attack vectors were user datagram protocol (UDP) attacks, domain name system (DNS) amplification attacks, and transmission control protocol protocol acknowledgement (ACK) attacks.

Notably, ACK attacks are on the rise, accounting for 9.7% of DDoS attacks in 2021, up from 3.7% in 2020. Numbers for DNS and UDP DDoS attacks were still high enough to keep them in the top two, but both accounted for a smaller percentage of attacks compared with 2020, according to Nexusguard.

While the average attack size fell by 50% over 2021, the maximum attack size nearly tripled, so really large attacks are still a problem.

"Attack vectors are also in flux, because while UDP attacks are still the most common, TCP ACK, which can exponentially amplify the effect of a DDoS event with a small amount of traffic, rose significantly," Juniman Kasman, chief technology officer of Nexusguard, said about the new DDoS research. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading