AT&T SASE with Cisco Meraki offers fully integrated network and security tools for convenient, high-performing, and protected access from anywhere

DALLAS, May 5, 2022

https://about.att.com/story/2022/sase-cisco-meraki.html

**What’s the news?**

AT&T\* is introducing AT&T SASE with Cisco Meraki designed to provide businesses of nearly any size and industry with a powerful networking and security offering. This new managed service helps organizations improve network performance, enable resilient access and defend sensitive data. The service also helps protect against unauthorized use and loss. It does this while delivering flexibility for customers as their networking environments evolve due to business growth, location expansion and changes in strategy.

**Why is this important?**

The need for reliable, high-performance connectivity has never been greater. The growth of hybrid work environments means organizations are connecting people, places and devices, enabling users to connect and collaborate at nearly any time, from nearly anywhere.

Organizations also rely on a wide range of Internet of Things (IoT) devices to drive efficiency, from security cameras to medical devices and manufacturing equipment. This explosion of connectivity makes preparing for and addressing cybersecurity threats a critical challenge, especially for sophisticated enterprises.

But small and medium-sized businesses are also common targets for cybercriminals, and a lack of expertise and resources make them particularly vulnerable. In fact, 60% of SMBs cease operations within 6 months following a cyberattack.

AT&T SASE with Cisco Meraki combines leading services to provide businesses of nearly any size with an effective way to achieve highly secure and reliable access and with cloud-based security and SD-WAN capabilities to help protect users from malicious web-based threats.

These services include AT&T Business Wi-Fi with Cisco Meraki for a cloud-managed networking solution; AT&T Secure Remote Access with Cisco for zero-trust network access; and AT&T Secure Web Gateway with Cisco for secure internet and cloud app access.

**What makes AT&T SASE with Cisco Meraki different?**

AT&T SASE with Cisco Meraki further expands the AT&T SASE portfolio, creating a solution that also includes indoor/outdoor access points, network switches, cellular gateways, and teleworker appliances.

The managed security service allows almost any business to connect, protect, manage, and scale its network without the in-house expertise typically needed to achieve this level of security. The scalability of the solution is critical for growing businesses that need to rapidly expand to different data centers and branch locations or add more devices to their network. This solution also helps businesses defend their sensitive data against unauthorized use and theft.

Customers also receive access to the leading AT&T Managed Services and our specialists who can assist with deployment, policy design, configuration, and 24/7 monitoring and support.

**Where can I get it?**

AT&T SASE with Cisco Meraki is available today. For more information, please visit here.

**What are people saying?**

“In network connectivity and security, there is often little margin for error. For many businesses, the expertise to get it right is hard to come by. AT&T SASE with Cisco Meraki is a completely managed service that puts our experts in the driver’s seat giving growth-oriented businesses an integrated solution that can address their needs today, and scale up right alongside them going forward.”- **Danessa Lambdin, Vice President, AT&T Cybersecurity**

“Businesses looking to deploy cloud security across distributed locations must be able to do so in a simple, scalable, and reliable way. The AT&T SASE with Cisco Meraki service offers customers a seamless onramp to their SASE journey with a fully integrated networking and security offering, ultimately protecting users against internet-based threats both on and off the network.” - **Lawrence Huang, Vice President, Product Management at Cisco Meraki**

**_\*About AT&T Communications_**

_We help family, friends and neighbors connect in meaningful ways every day. From the first phone call 140+ years ago to mobile video streaming, we @ATT innovate to improve lives. AT&T Communications is part of AT&T Inc. (__NYSE:T__). For more information, please visit us at_ _att.com__._

AT&T Expands Access to Advanced Secure Edge and Remote Workforce Capabilities

For most of us, passwords are the most visible security control we deal with on a regular basis, but we are not very good at it.

Whether we as a whole are doing better or worse in terms of password security is still unclear, but one thing is certain: We are clearly overconfident in our perceptions about our security activities.  

With adversaries increasingly targeting passwords to break into online accounts or gain access to corporate networks, people are both more aware about password security yet not doing enough to secure their credentials. Two-thirds of respondents (66%) in a recent password security survey conducted by Ipsos on behalf of Google said they use completely random passwords with a mix of characters, but 65% also said they reuse passwords for different online accounts.

There is some indication that users are using technology to improve password security: Sixty-one percent of respondents said they sign into sites using another service (such as Apple ID or Google accounts), according to the Google/Ipsos survey, and 44% said they use a password manager service. Yet 63% said they track passwords by writing them down on paper or making a note on their mobile devices.   

**Who Has 2FA?  
**Two-factor authentication (2FA) is another head-scratcher. Almost three-quarters (73%) of respondents say they use 2FA at least some of the time, but the adoption numbers from individual services tell a different story. Just 2.5% of active Twitter accounts had at least one 2FA method enabled as of June 2021, according to the social media company’s transparency report. Only 16.5% of active GitHub users and 6.44% of npm users have enabled one or more forms of 2FA on their accounts, according to Microsoft-owned GitHub. 

Perhaps the figures indicating a high rate of adoption for multifactor authentication (MFA) are skewed by the gamers on platforms that offer incentives to enable them. In a 2019 study on adoption rates for 2FA, 56.7% of the respondents had a Blizzard account, of which 43.1% had activated 2FA authentication; 88.1% had a Steam account, of which 62.6% had activated 2FA; and 65.6% had a Guild Wars 2 account, of which 55% had activated 2FA. Compare that to 87.7% of respondents who had a Reddit account, but only 11.5% had activated 2FA.

There is a bit of a disconnect on the corporate side, too. In a recent study on identity management by ESG, 58% of organizations said they have implemented MFA, while 23% ranked MFA as the most effective identity and access management solution. Yet Microsoft said in its Cyber Signals report earlier this year that only 22% of all its Azure Active Directory customers use MFA.

In the same ESG report, 32% of organizations said they make MFA optional for employees, and 27% treat MFA as optional for third-party contractors and workers.

The post-mortem investigation of the ransomware incident at Colonial Pipeline found the attack succeeded because the compromised account did not have MFA enabled, says Bojan Simic, CEO and CTO of HYPR. In fact, while defense contractors should have also implemented MFA five years ago, many have not fully implemented it.

“MFA projects frequently exist on a planning chart only,” Simic says.

Passwords: Do Actions Speak Louder Than Words?

The incident was a devastating attack, but it exposed gaps in cybersecurity postures that otherwise would have gone unnoticed.

The Colonial Pipeline ransomware attack that took place exactly one year ago sent shockwaves across the nation that are still being felt today. A cyberattack with such massive real-world implications had never been seen before, let alone an attack on one of the largest critical infrastructure assets in the US that was initially started via an exposed virtual private network (VPN) password. During the attack, threat actors stole nearly 100GB of data, and not long after, the Colonial Pipeline took its systems offline for several days to prevent the further spread of ransomware. The Colonial Pipeline’s shutdown affected oil and fuel supplies in many states, and as a result, the US government declared a state of emergency.

Critical infrastructure, such as the infrastructure technology and operational technology systems managed by Colonial Pipeline, is often a prime target for cybercriminals. These national assets not only store highly valuable government, company, and consumer data in their systems but could also dramatically disrupt society if compromised. The fact that the Colonial Pipeline attack was due to a security lapse served as a wake-up call for companies all over the world to rethink their cybersecurity postures.

In the wake of the attack, President Biden immediately signed an Executive Order on "Improving the Nation’s Cybersecurity," which emphasized that incremental improvements are not enough; bold change and significant investments in cybersecurity must be made to defend critical infrastructure. Federal agencies and organizations were provided with a timeline and steps to advance their cybersecurity strategies and infrastructure. However, in the months following Colonial Pipeline, the US also witnessed several other critical incidents that made national headlines, including the Kaseya ransomware attack and the discovery of the Log4j vulnerability that was baked within the foundations of the world’s software applications. Thus, it is evident that many true changes have yet to be made. Let’s take a deeper look at the developments organizations must make to their cybersecurity postures to protect the nation’s critical infrastructure.

**Further Visibility into Business-Critical Applications is Crucial**  
Recent legislation, such as the Cybersecurity Executive Order and Cyber Incident Reporting for Critical Infrastructure Act, mark improvements for the nation’s cybersecurity landscape, as they impose specific regulatory requirements and provide further transparency into organizations’ cyber events. Despite these developments, many organizations responsible for the nation’s critical infrastructure are still operating without visibility into their business-critical applications’ security, as demonstrated by the influx of attacks that succeeded the Colonial Pipeline. Organizations must understand that systems, such as enterprise resource planning (ERP), supply chain management, and logistics management, are interconnected and support mission-critical operations that can be severely disrupted if they are compromised by adversaries. A universal shift in enterprise cybersecurity strategies is crucial to ensure organizations can swiftly recover from a cyberattack as detrimental as the Colonial Pipeline one.

**Taking Actions to Defend the Nation’s Critical Systems**  
Without stronger security controls, business-critical systems will remain vulnerable to attack. Proper defenses need to be in place to ensure America’s valuable data is protected. Below are several actions organizations must take to protect their sanctioned resources:

*   **Obtain visibility into critical assets:** Enterprises must gain full visibility into all critical and connected systems to eliminate any system blind spots. By obtaining a comprehensive view of the IT and OT systems, organizations can discover internal and external threats and assess their impact in real time.

*   **Implement vulnerability management tools:** As vulnerabilities are an easy point of entry into business-critical assets, organizations should incorporate advanced vulnerability management into their cybersecurity posture that includes automated tools that can scan for system weaknesses. Automated vulnerability management technologies identify where misconfigurations, authorization issues, and missing patches exist, and automatically apply the necessary mitigations.

*   **Adopt cybersecurity best practices:** Improving threat detection and response can help close many gaps that exist in cybersecurity postures; however, adopting cybersecurity best practices is absolutely essential to mitigate unauthorized access to privileged accounts. Enterprises must ensure their employees are cognizant of all threats they may face in their day-to-day operations, such as highly targeted phishing schemes.

  
While the Colonial Pipeline incident was a devastating attack, it exposed gaps in cybersecurity postures that otherwise would have gone unnoticed. Enterprises that make active efforts to strengthen their cybersecurity strategies will be able to proactively mitigate threats as they arise, exceed regulatory compliance requirements, and ultimately foster trust with their employees, customers, and the community as a whole. Moving beyond Colonial Pipeline is possible but cannot be done without real improvement in cybersecurity defenses.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Colonial Pipeline 1 Year Later: What Has Yet to Change?

The passwordless future just became closer to reality, as Microsoft, Apple, and Google pledge to make the standard possible across operating systems and browsers.

Apple, Google, and Microsoft will expand support for FIDO Alliance's passwordless standard to make logins easier across mobile devices and desktops.

By expanding support for the password-free sign-in standard from the FIDO Alliance and the World Wide Web (W3) Consortium, Google, Microsoft, and Apple will make it possible for anyone to use their mobile device to sign into an app or website on a nearby device. More importantly, users will be able to access passkeys – their FIDO sign-in credentials – across multiple devices without having to re-enroll every account on each device. This will be a key change from the current reality, where users have to sign into each website or app with each device before they can take advantage of the passwordless feature.

"We plan to implement passwordless support for FIDO Sign-in standards in Android & Chrome. Apple and Microsoft have also announced that they will offer support for their platforms," writes Sampath Srinivas, a product management director for secure authentication at Google and the president of the FIDO Alliance. "This will simplify sign-ins across devices, websites, and applications no matter the platform — without the need for a single password. These capabilities will be available over the course of the coming year."

**Case for No More Passwords**  
Passwords do not provide sufficient security – they can be stolen or guessed if the password itself isn't very good. Weak passwords accounted for more than 80% of all data breaches, according to Verizon's annual Data Breach Investigations Report. Passwords are the single largest attack vector and the root cause of most attacks -- including account takeovers, advanced persistent threats, and ransomware, says Jasson Casey, CTO of Beyond Identity. Four out of five times adversaries rely on stolen credentials for initial access and lateral movement, he says.

"Password-based authentication has failed us. Full stop," Casey says.  

There are more than 921 password attacks every second, writes Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft. That represents more than double the figure over the past 12 months.

A new Google/Ipsos survey found that one in three Americans share passwords with someone else or have access to someone else's passwords, and 65% of respondents say they reuse passwords. One in five use common words or easy-to-guess terms for passwords, and 52% say they incorporate personal information such as name and birthday into the password.

"The alternatives \[to passwords\] often are unworkable, unwieldy, or just not likely to be adopted by consumers, especially the non-tech-savvy ones or those who are on the lower end of the socio-economic scale," says John Bambenek, principal threat hunter at Netenrich.  

Passwords are still ubiquitous despite the issues because they are relatively easy to implement and people know how to use them, which is why passwords still haven't gone away. Instead, security teams rely on technologies such as multifactor authentication and password managers to provide additional protection to strengthen the security around accounts, platforms, and data. 

However, these controls have made "marginal security gains," Casey says, mainly because they still rely on passwords and the second factors can be intercepted via social engineering methods (such as one-time passwords sent over SMS).

**Cross-Platform Passwordless**  
The good news is that technology is now in place to make passwordless authentication a reality, Casey says. Secure enclaves are prevalent (and resident in nearly every device), and almost all enterprise and consumer apps can leverage secure enclaves to easily delegate passwordless authentication.

The announcement from Google, Microsoft, and Apple indicates the expanded support will be implemented in macOS and Safari, Android and Chrome, and Windows and Edge. The actions used to unlock the mobile device — such as fingerprint, face scan, and device PIN — will give access to the passkey stored on the device. Signing in with the passkey is more secure because it's based on public key cryptography, Srinivas says. Even if the device is lost, the passkeys will sync back to the mobile device from cloud backup, he says.

All of this will be cross-platform. Ideally, a user would be able to sign into a website via Google Chrome on a Windows machine using a passkey on an Apple device.

"This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS," the FIDO Alliance said in a statement.  

Implementations that rely on secure enclaves, especially those already built into modern devices, such as the Trusted Platform Module on laptops and desktops, combined with the security posture of the device itself make passwordless authentication a reality, Casey says.

Jennifer Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), praises the announcement, calling it "the type of forward-leaning thinking that will ultimately keep the American people safer online."

Passwordless needs to be easy. "If you don’t consider usability, your users will create your next vulnerability," Casey warns.

Microsoft, Apple, and Google Promise to Expand Passwordless Features

The same attack that allowed a threat actor to steal data from private Heroku GitHub repositories also resulted in the compromise of customer credentials, the company now says.

Salesforce subsidiary Heroku on Thursday said that the threat actor that stole Heroku GitHub integration OAuth tokens in April also accessed an internal database containing hashed and salted passwords belonging to the company's customers.

The discovery prompted Heroku to force a reset of all compromised user passwords and rotate internal Heroku credentials as well. In a security notification, which the company has been constantly updating since April 15, Heroku said it had also put additional detection mechanisms in place to mitigate future issues, without elaborating on what they were.

"We continue to work diligently in response to this Heroku incident first announced on April 15, 2022," the platform-as-a-service vendor said. "We worked with GitHub, our threat intelligence vendors, other industry partners, and have been in touch with law enforcement to assist in our investigation."

**Refresher: The Original GitHub Repo Breach**  
GitHub on April 13 disclosed to Heroku that it had detected a threat actor downloading a subset of Heroku's GitHub private repositories, including source code, on April 9. Heroku said GitHub had notified it about the threat actor gaining access to OAuth tokens issued to the company and using them to enumerate customer accounts. Heroku described the tokens as giving the threat actor read and write access to private customer GitHub repos connected to Heroku.

In an April 15 blog, GitHub CSO Mike Hanley said the threat actor used OAuth user tokens issued to Heroku and another third-party integrator, Travis-CI, to download data from repositories belonging to dozens of organizations, including npm, the node package manager used by millions of developers worldwide.

Hanley said GitHub's investigation showed the attackers also mined the contents of the downloaded GitHub private repositories for data that could be used to attack other infrastructure. He added that the attacks appeared highly targeted because of the way the attackers used the stolen OAuth tokens: First, they listed all the impacted organizations, then selected private repositories of interest and cloned them.

Heroku's investigation of the incident showed that the threat actor had used a stolen OAuth token associated with an internal "machine account" to access a Heroku database containing OAuth tokens that are used for customer GitHub integration.

The threat actor gained access to the Heroku database on April 7 and downloaded the stored tokens — then used them to download customer data two days later, Heroku said. Following that discovery, Heroku revoked all its GitHub integration OAuth tokens to prevent customers from deploying apps via GitHub using Heroku's dashboard or automation.

**Broader Impact Than Initially Assumed**  
Heroku on Thursday said that its ongoing investigation of the breach showed the attacker had used the same machine-account OAuth token to access the internal database containing the hashed usernames and passwords belonging to the company's customers.

The incident has highlighted why organizations need to pay close attention to the security of their OAuth authentication mechanisms, security experts say.

Casey Bisson, head of product and developer relations at BluBracket, says an attack using OAuth tokens can interact with the service that issued the tokens using all the permissions that were granted to the original client. "People and companies depend on OAuth integrations to securely allow another service to access code in private repos, as is needed to support CI tests and run code coverage reports," he says, pointing to two examples.

**OAuth: Better Account Protection, As Long as Tokens Are Safe**  
Compared to the alternative of sharing passwords between services, OAuth tokens enable more secure data sharing. For example, if it had been passwords that were stolen, the level of access the attackers might have gained would likely be even greater. And the initial mitigation and long-term fix would become more complex, Bisson says.

However, OAuth tokens are commonly used to automate cloud services such as code repositories and DevOps pipelines, notes Ray Kelly, fellow at NTT Application Security. So, a malicious actor with a stolen token can steal corporate IP or modify source code in repositories such as GitHub. Or they could use it to spread malware or steal sensitive data from organizations, he says. "Special care should always be taken when it comes to protecting tokens. They should never be publicly available or shared outside of the organization," Kelly says.

GitHub itself has said that starting the end of 2023, it would require all developers who contribute code to the repository to use multifactor authentication to access their accounts. The company described it as a move designed to bolster the security of code and IP stored in GitHub repositories amid a surge in attacks targeting the software supply chain.

Heroku: Cyberattacker Used Stolen OAuth Tokens to Steal Customer Account Credentials

Amid ongoing software supply-chain jitters, the US' top tech division is offering a finalized, comprehensive cybersecurity control framework for managing risk.

The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for addressing software supply-chain risk, offering tailored sets of suggested security controls for various stakeholders.

Software supply-chain attacks rocketed to the top of the enterprise worry list last year as the SolarWinds and Log4Shell incidents sent shockwaves through the IT security community. Security practitioners are increasingly concerned about the safety of open source components and third-party libraries that make up the building blocks of thousands of applications. Another cause of worry is the varied ways platforms can be abused, as in the Kaseya attack last year, when cybercriminals compromised a managed application, or with SolarWinds, where they hacked an update mechanism to deliver malware.

NIST's latest publication (PDF) offers specific risk-management guidance for profiles such as cybersecurity specialists, risk managers, systems engineers, and procurement officials. Each profile matches up with a set of recommended controls, such as implementing secure remote access mechanisms for tapping the software supply chain, or enacting the principle of least privilege, or taking an inventory of all software suppliers and products.

"Managing the cybersecurity of the supply chain is a need that is here to stay," said NIST publication author Jon Boyens, in a Thursday announcement. "If your agency or organization hasn't started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately."

The development follows from an Executive Order issued by President Biden last year, which directs government agencies to "improve the security and integrity of the software supply chain, with a priority on addressing critical software."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NIST Issues Guidance for Addressing Software Supply-Chain Risk

Far too many turn to Jingles, Mittens, or Bella for password inspiration, given that these are some of the easiest passwords to crack.

For all who celebrate World Password Day, here's an easy way to immediately boost online safety — stop picking your pets' names for passwords. 

An overwhelming number of Americans (39%) use their pet's name as part of their password, according to new data from Aura. That number jumps to half (50%) for pet lovers between the ages of 35 to 44, Aura added. 

"Through this campaign, Aura aims to highlight ... that while using a pet's name as a password may be a show of love and an easy-to-remember access code to your online life, pet passwords are some of the easiest for cybercriminals to guess," the company said in a statement. 

Other notable findings from the survey found 59% of pet parents have posted a picture of their pet on a social-media account, and 48% have also shared their pet's name, giving attackers a good place to start guessing online account passwords, Aura pointed out.    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

A Third of Americans Use Easy-to-Guess Pet Passwords

Law enforcement attributes a recent 65% spike in BEC attack losses to COVID-19 restrictions and the ongoing reality of a remote workforce.

Between June 2016 and December 2021, the total losses reported by global financial institutions as a result of business email compromise (BEC) attacks clocked in at more than $43 billion.

The Federal Bureau of Investigation and Department of Justice have issued a joint announcement underlining the damage BEC attacks have done to both small businesses and large corporations alike around the world. The agencies also warned that reported losses have spiked in recent months: Between July 2019 and December 2021, worldwide losses to BEC attacks increased by 65%, the agencies noted. 

"This increase can be partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually," according to the public service announcement. 

Another notable BEC shift that law enforcement noted is an increase in the use of cryptocurrency in BEC cybercrime. Those losses alone totaled more than $40 million in losses by 2021, which the statement added is expected to continue to escalate.   

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

FBI: Bank Losses From BEC Attacks Top $43B

The company will continue the development of Comae’s memory analysis platform and seek to incorporate its capabilities into existing solutions

WATERLOO, Ontario--(BUSINESS WIRE)--Magnet Forensics (TSX: MAGT), a developer of digital investigation solutions for more than 4,000 enterprises and public safety organizations in over 100 countries, today announced the acquisition of the strategic IP assets of Comae Technologies, a cybersecurity firm that specializes in incident response and memory analysis. As part of the acquisition, Comae founder Matt Suiche will lead a memory analysis and incident response research and development team at Magnet Forensics, where he will further develop a memory analysis platform and integrate the technology into the company’s existing solutions. Suiche’s team at Comae will also work closely with Magnet Forensics going forward.

Comae is a UAE-based cybersecurity company that specializes in cloud-based memory analysis used to recover evidence from the volatile memory of devices. The acquisition will allow Magnet Forensics to accelerate the development of the memory analysis platform within the Magnet Idea Lab, an incubator made up of hundreds of investigators and analysts from leading police agencies and enterprises.

“Memory analysis plays a critical role in incident response investigations because it allows enterprises and public safety agencies to recover buried evidence and understand what happened on devices involved in cyber incidents," said Adam Belsher, chief executive officer of Magnet Forensics. “Very few organizations have the expertise and knowledge to develop memory analysis solutions. With Comae’s platform and the help of its memory analysis experts, Magnet Forensics can address a growing need for our customers while continuing to build on our comprehensive digital investigation platforms.”

Enterprises and police agencies are both looking to use memory analysis to respond to increases in the volume and complexity of cyber incidents. For enterprises, memory analysis can be the key to identifying the compromised devices in a malware or ransomware attack. In a digital investigation, analysts will often examine memory first because it can reveal the infection vectors and post-compromise activities of cyber incidents. It can also help analysts identify modern malware variants. Memory analysis can provide the same benefits to police agencies in their cybercrime investigations and give them another avenue to recover evidence from devices involved in cyber enabled crimes such as homicides, human trafficking, terrorism and organized crime.

Comae was founded in 2016 by Suiche, one of the world’s leading experts on memory analysis and incident response. Prior to founding Comae, Suiche founded two other firms: CloudVolumes, an application virtualization company that was acquired by VMware in 2014 and MoonSols, a digital forensics and incident response enterprise. Suiche, who began regularly presenting at international security conferences as a teenager, has also held a research position with the Netherlands Forensic Institute, which works alongside public safety agencies to combat cybercrime.

“Magnet Forensics is widely recognized in the digital forensics and incident response industry for its innovative solutions, which are proving to be increasingly pivotal in protecting public safety, and the leading talent developing them,” said Suiche, Magnet Forensics’ director, memory and incident response research and development. “My team and I are thrilled to be continuing our work alongside the team at Magnet Forensics, where the incident response technology can help protect thousands of enterprises and communities from cybercrime.”

**About Magnet Forensics**

Founded in 2010, Magnet Forensics is a developer of digital investigation software that acquires, analyzes, reports on, and manages evidence from digital sources, including computers, mobile devices, IoT devices and cloud services. Magnet Forensics’ software is used by more than 4,000 public and private sector customers in over 100 countries and helps investigators fight crime, protect assets and guard national security.

Magnet Forensics Acquires Cybersecurity Software Firm Comae Technologies

The vendor also disclosed two other security vulnerabilities that would allow remote, unauthenticated attackers to inject commands as root and snoop on sensitive user information.

Make plans to patch as soon as possible: A critical security vulnerability in Cisco's Enterprise NFV Infrastructure Software (NFVIS) opens the door to complete takeover of a host.

Cisco's Enterprise NFVIS combines network functions virtualization (NFV) and software-defined networking (SDN) to allow enterprises to provision and manage virtual network services, applications, virtual machines (VMs), and hardware devices. As such, it sits in the middle of organizations' internal networks and offers a perfect pivot point for an attacker to move laterally within an enterprise environment.

The bug (CVE-2022-20777) carries a score of 9.9 out of 10 on the CVSS vulnerability-severity scale, and specifically exists in the Next Generation Input/Output (NGIO) feature of the software. According to Cisco's advisory this week, it stems from insufficient guest restrictions— someone signed onto a guest VM on a host machine is able to escape from that guest VM to gain unauthorized root-level access on the underlying host.

"An attacker could exploit this vulnerability by sending an API call from a VM," according to Cisco's advisory. "A successful exploit could allow the attacker compromise the NFVIS host completely."

The networking giant rolled out a patch for the issue late Tuesday.

JJ Guy, CEO and co-founder of Sevco Security, tells Dark Reading that enterprises need to take this one seriously, given that enterprises rely on guest VMs to separate workloads, enable different levels of permissions for different applications and users, segregate applications that pose more security risk than others, and more.

"VM escape bugs that allow a user with access to the host from the guest are always critical, regardless of the caveats of having to be authenticated," he says, noting that private companies should take the same approach to preventing escapes as the big cloud providers do.

"The entire public cloud infrastructure is based on the virtual machine being a reliable security boundary," he says. "When a public cloud provider sells compute on one physical box to multiple different clients via virtual machines, it must be able to guarantee those clients cannot impact each other. Any failure in that undermines what is fast becoming a critical part of computing."

**Two Unauthenticated Cisco Bugs to Patch Quickly  
**Cisco also addressed two other vulnerabilities in the advisory. The first (CVE-2022-20779, CvSS 8.8) is a high-severity command-injection issue in the image-registration process. A successful exploit would allow an unauthenticated, remote attacker to inject commands that execute at the root level on the NFVIS host.

"This vulnerability is due to improper input validation," according to the advisory. "An attacker could exploit this vulnerability by persuading an administrator on the host machine to install a VM image with crafted metadata that will execute commands with root-level privileges during the VM registration process."

The other bug (CVE-2022-20780, CVSS 7.4) could allow an unauthenticated, remote attacker to leak system data from the host to any configured VM, including files containing sensitive user data. Even worse, an authenticated attacker could obtain access to confidential system information directly.

"This vulnerability is due to the resolution of external entities in the XML parser," according to Cisco. "An attacker could exploit this vulnerability by persuading an administrator to import a crafted file that will read data from the host and write it to any configured VM."

As always, to avoid falling victim to a successful cyberattack, patching quickly is the key, along with enforcing strong password hygiene to prevent attacks requiring authentication and account takeovers. Cisco software is no stranger to active targeting from cybercriminals — to the point where, in February, the US National Security Agency (NSA) issued fresh guidance for organizations on selecting strong passwords for Cisco devices, citing an increase in the number of compromises involving poorly protected network infrastructure.

Source

DARKReading