A critical security bug could lead to remote device control, altered lab results, and more, putting patients in danger, agency warns.

Healthcare providers and lab workers using Illumina genetic sequencing instruments are advised to immediately patch the device software against a new vulnerability that the Food and Drug Administration says could put patients in danger. 

Affected devices include Illumina NextSeq 550Dx, MiSeqDx, NextSeq 500, NextSeq 550, MiSeq, iSeq, and MiniSeq next-generation sequencing instruments, the FDA said. 

The medical devices are used to test for genetic conditions and genetic sequencing, and the FDA said the bug, first detected on May 3, could be exploited by threat actors to take over the Illumina instruments. That would allow them to alter the operating system, access a customer's network, tamper with test results, or even steal data. The flaw affects the Local Run Manager software, the FDA added. 

So far, there are no reports of the bug being exploited, the FDA said in a cybersecurity alert to health care providers; however, the agency asks "users to report any adverse events or suspected adverse events experienced with Illumina’s next-generation sequencing instruments." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

FDA: Patch Illumina DNA Sequencing Instruments, Stat

The latest iteration of CMD-based ransomware is sophisticated and tricky to detect – and integrates token theft and worming capabilities into its feature set.

A new CMD-based ransomware variant is still under development, but researchers warn that its poisonous combination of multiple layers of obfuscation and the sneaky integration of legitimate service links into its attack make it a potentially formidable threat. 

YourCyanide traces its roots back to the GonnaCope ransomware family first discovered in April, a new report from the Trend Micro threat hunting team explains. It doesn't actually encrypt anything yet (researchers say that's likely coming soon), but it does rename all targeted files, steal information, and pilfer access tokens from popular applications like Chrome, Discord, and Microsoft Edge. It also self-propagates.

YourCyanide includes a few new tactics, including using PasteBin, Discord, and Microsoft links to download its payload in stages, and hiding behind Enable Delayed Expansion functionality, the analysts note. 

"While YourCyanide and its other variants are currently not as impactful as other families, it represents an interesting update to ransomware kits by bundling a worm, a ransomware, and an information stealer into a single mid-tier ransomware framework," the the ransomware variant report says. "It is also likely that these ransomware variants are in their development stages, making it a priority to detect and block them before they can evolve further and do even more damage." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

YourCyanide Ransomware Propagates With PasteBin, Discord, Microsoft Links

DataLenz delivers real-time, machine learning-based breach detection with user behavior modeling for IBM zSystems.

NORMAN, Okla., June 3, 2022 /PRNewswire-PRWeb/ -- Iconium Software, the leading provider of geospatial security monitoring for IBM mainframe data, has announced the release of DataLenz 1.3 providing immediate access to indicators of compromise (IOCs) potentially saving IBM zSystems customers millions of dollars per year caused by security breaches. By presenting multiple complex data access points through a simple to use graphical interface, DataLenz quickly brings clarity to potential data threats permitting security personnel to act swiftly. Gone are the days of having to laboriously wade through reports trying to determine if a security breach occurred or not, let alone quickly take action.

Organization's mission-critical IBM mainframe data is constantly at risk from bad actors, often masquerading as insiders from remote geographies. DataLenz provides the CISO, DPO and SOC security professional with real-time awareness of and automatic response to anomalous and out-of-bounds threats against critical mainframe data assets.

"Many large enterprises are under attack from bad actors often from remote locations, as evidenced by increased frequency and severity of breaches," said Rick Jones co-founder and CEO, of Iconium Software. "Our customers are forward-thinking organizations that are looking to provide the most robust security for their IBM mainframe data. Our DataLenz solution, addresses these challenges by giving IBM mainframe professionals, security teams, and compliance-focused professionals the best set of tools available to deal with these new threats."

"As the geopolitical and overall security landscape becomes more fractured, enterprises are reevaluating their security posture. The DataLenz solution is perfectly placed to address the emerging threat vectors facing those enterprises looking to secure vital mainframe-based data. The latest enhancements in V1.3 further strengthen the DataLenz solution and more closely aligns with the most stringent requirements of highly regulated mainframe customers" – Steven Dickens, Senior Analyst, Futurum Research

With DataLenz 1.3, new innovation provides the following:

\-- Real-time alerts, intelligent analytics with customizable thresholds, and management for anomalous threats and out-of-bounds data and resource access, alteration, replication, and movement to, from, and on the IBM Z mainframe platform.

\-- An intuitive advanced dashboard with real-time and historical views, allows users to filter specific types and sources (including graphical paradigms such as geopolitical and satellite maps), and then expand into every relevant form of drill-down and analytical detail needed to recognize, understand, and respond to threats arising from inappropriate data and resource access anywhere in the world.

\-- Advanced methods of notification of any potential breach of access with a wide range of user responses including issuing administrative commands such as terminating and blocking apparent threat actors and issuing RACF® administrative commands (as authorized).

\-- Detailed historical tracking, analysis, and response to anomalous and threatening events, plus exporting and forwarding of custom-specifiable data for processing by the full range of tools from spreadsheets to real-time event management systems (SIEMs).

\-- Advanced and intuitive filters, heat maps, geographical zoom-in, score cards, and highly configurable widgets create a fully immersive environment for maximum awareness and control.

\-- Datalenz strengthens your data protection and in conjunction with RACF,  
ACF2, Top Secret. Today's CISOs and DPOs demand truly comprehensive, reliable, real-time and compelling awareness of and resolution of all potential threats to their mission-critical mainframe data and legal and regulatory compliance.

More than just ensuring compliance with ever-more-exacting audits, immediate responsiveness to potential breaches of critical data must be dealt with using automation and advanced analytical tools for the briefest possible Mean Time to Repair (MTTR). Remote accesses must be properly managed to prevent, alert, terminate and block out-of-bounds interaction with sensitive data and related resources, employing real-time and historical graphical searching, filtering, reporting, drill-down and response to anomalous events.

The advanced monitoring, historical intelligence, proactive alerting and actions and versatile dashboard functionality of DataLenz 1.3 make it the definitive solution for extending the security of your critical mainframe data against threats anywhere in the world. See DataLenz v1.3 in action and discover how quickly DataLenz can bring your mainframe data access into sharp focus. See DataLenz v1.3 in action and discover how quickly DataLenz can bring your mainframe data access into sharp focus.

To learn more about Iconium and today's news, visit the website: https://www.iconiumsoftware.com

**About Iconium Software**

Iconium Software was formed in 2017 to serve customers and offer high-performance quality software products that are customer-driven by design. The Founders, Executive Team, and employees at Iconium Software are committed to providing the highest quality software to achieve the greatest advantage for each of our customers. For more information \[email protected\].

Iconium Software Releases DataLenz v1.3 for IBM zSystems

The attack on Israeli organizations is the latest in a long line of attempts to compromise supply chains, as the APT looks to leverage that access to target a multitude of potential victims.

After detecting a Lebanese hacking group it calls Polonium abusing its OneDrive personal storage service, Microsoft says it was able to disable the group, which could have links to the Iranian government.

In its latest effort, the advanced persistent threat (APT) targeted more than 20 Israeli organizations and one intergovernmental organization. The Microsoft Threat Intelligence Center (MSTIC) says it suspended more than 20 malicious OneDrive applications created by Polonium actors in the campaign.

Among the targeted organizations were those involved in critical manufacturing, transportation systems, financial services, IT, and Israel’s defense industry, the software giant says – all of which offer an avenue to carry out downstream supply chain attacks.

"In at least one case, Polonium’s compromise of an IT company was used to target a downstream aviation company and law firm in a supply-chain attack that relied on service provider credentials to gain access to the targeted networks," according to MSTIC. "Multiple manufacturing companies they targeted also serve Israel’s defense industry, indicating a Polonium tactic that follows an increasing trend by many actors, including among several Iranian groups, of targeting service provider access to gain downstream access."

**Polonium's Infection Routine**

In 80% of the observed cases, the group exploited a flaw in Fortinet VPN appliances (likely via CVE-2018-13379 vulnerability) to gain initial access. Then they installed a custom PowerShell implant called CreepySnail on the target networks, according to Microsoft. From there, the actors deployed a set of tools named CreepyDrive and CreepyBox to abuse legitimate cloud services for command-and-control (C2) across most of their victims. 

MSTIC says with “moderate confidence” that the attacks were likely carried out with help from Iran’s Ministry of Intelligence and Security (MOIS).

"The observed activity was coordinated with other actors affiliated with Iran's \[MOIS\], based primarily on victim overlap and commonality of tools and techniques," the MSTIC assessment states. “The tactic of leveraging IT products and service providers to gain access to downstream customers remains a favorite of Iranian actors and their proxies.”

**Cyber Operations in Support of State Objectives**

Sherrod DeGrippo, Proofpoint’s vice president of threat research and detection, explains that Iran, specifically MOIS, uses a variety of organizations and affiliates to conduct cyber operations in support of Iranian government interests.

“This activity, which spans the spectrum of state responsibility, mirrors Iran’s material support to various organizations,” she says.

From DeGrippo’s perspective, this report demonstrates another example of how Iran and Israel are engaged in cyber conflict and comes amid rising gray zone tensions between Iran and its adversaries.

In March 2021, for example, Proofpoint reported on how the Iran-aligned threat actor TA453 had targeted Israeli and American medical researchers in late 2020. TA453 has historically aligned with Islamic Revolutionary Guard Corps (IRGC) priorities, targeting dissidents, academics, diplomats, and journalists.

“While this campaign may have been a one-off requirement, TA453 targeting Israeli organizations and individuals is consistent with these ever-increasing geopolitical tensions between the two countries,” she noted.

**Defense Should Focus on Authentication Activity**

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation, says that while knowing Polonium’s exact motivation is impossible, given the known animosity between the states involved, it’s a “reasonably safe bet” they are trying to do as much damage to their targets as possible as part of a larger agenda.

“State and state-sponsored threat actors compound the problems presented by common cybercriminal groups,” he explains to Dark Reading. “Where criminals are typically after information for sale, data to hold for ransom, or resources to use for further attacks, state-level actors often have additional, much deeper motivations,” such as cyber-espionage or destructive attacks.

Because of the overlap in techniques and tools, it can be difficult to tell the two apart, which can complicate the matter for targeted organizations, he adds.

**Fending Off State-Sponsored Cyberattacks**

To thwart attacks like these, Microsoft advises that organizations should review all authentication activity throughout their remote access infrastructure and VPNs. A particular focus should be fixed on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.

Parkin points out that access and authentication logs can easily reveal suspicious activity and keep an attempted breach from turning into a newsworthy incident.

“There is an old saying from system administration about the uselessness of keeping logs that are never reviewed,” he says. “With access logs, regular reviews for suspicious activity should be happening regularly. If not, why keep them?”

In addition to patching known vulnerabilities, Proofpoint’s DeGrippo also notes that a basic best practice for defense is ensuring that all remote-access accounts are required to enable multifactor authentication (MFA).

“Those accounts that require only single-factor authentication do not have the protection MFA provides, allowing an attacker to successfully phish or social engineer a user’s password without encountering a secondary authentication,” she adds.

**VPNs: Taking a Page From Fancy Bear**

Phil Neray, vice president of cyber-defense strategy at CardinalOps, a threat coverage optimization company, tells Dark Reading that Russian threat actor Fancy Bear (aka APT28 and Strontium) also targeted VPNs on a large scale in 2018 with the VPNFilter campaign, which similarly targeted critical infrastructure.

MITRE ATT&CK categorizes this approach as T1133 External Remote Services, with recommended mitigations including creating security information and event management (SIEM) detection queries that examine authentication logs for unusual access patterns, windows of activity, and access outside of normal business hours.

“Exploiting vulnerable VPNs as the initial access point, as in this campaign, is also attractive since VPNs are Internet-exposed on one side and provide direct access to the victim network on the other,” Neray says. “We recommend ensuring your SIEM has specific detections for it, such as monitoring for suspicious logins.”

Microsoft Disables Iran-Linked Lebanese Hacking Group Polonium

An remote code execution (RCE) vulnerability in all versions of the popular Confluence collaboration platform can be abused in credential harvesting, cyber espionage, and network backdoor attacks.

UPDATE

A critical security vulnerability in Atlassian Confluence is under active attack, opening servers to full system takeover, security researchers warned.

The bug (CVE-2022-26134) is a command-injection issue that allows unauthenticated remote code execution (RCE), affecting all supported versions of Confluence Server and Confluence Data Center. According to a forensic investigation of two zero-day attacks by Volexity, it can be exploited without needing credentials or user interaction, simply by sending a specially crafted Web request to the Confluence system.

No Atlassian Cloud sites have been impacted.

Confluence is a remote working and corporate workspace suite used for project management and collaboration among teams. As such, it houses sensitive data on projects, specific users, and potentially partners and customers; also, it tends to be integrated with other corporate resources, servers, and systems. A successful exploit would allow attackers to vacuum up data from the platform as well as pivot to burrowing deeper into an organization's network as a prelude to, say, a ransomware attack.

"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks," Volexity researchers noted.

Researchers have advised administrators to remove external access to their Confluence servers immediately until patches have been applied. In the meantime, Atlassian confirmed in its advisory that has rushed a fix, with patches rolling out towards the close of business ET on June 3.

A spokesperson told Dark Reading that the company has "contacted all potentially vulnerable customers directly to notify them of the fix."

**Zero-Day Atlassian Confluence Attacks**

During its investigation, Volexity followed the path of attackers in two instances, which was the same in both. To start, the culprits exploited the vulnerability to create an interactive webshell (by writing a malicious class file in memory), which gave them persistent backdoor access to the server without having to write anything to disk.

After that, the firm observed that the threat actors dropped the Behinder implant on the server, which is an open source tool for creating flexible memory-only webshells. It also allows integration with Meterpreter and Cobalt Strike, two tools that are most often used for lateral movement. Meterpreter allows users to fetch various Metasploit modules (i.e., working exploits for known bugs), while Cobalt Strike is a pen-testing tool that's often used by the bad guys to probe for and compromise new targets on the network.

Once Behinder was in place, Volexity found that the adversaries went on to install two additional webshells to disk: China Chopper and a custom file upload shell. China Chopper is a tool that's been around for a decade, which allows attackers to retain access to an infected Web server using a client-side application. The client contains all the logic required to control the target, which makes it very easy to use.

Once this basic infection setup was in place, the attackers ran several commands, including those aimed at reconnaissance (checking the operating system, looking for password repositories); stealing information and user tables from the local Confluence database; and altering Web access logs to remove evidence of exploitation, Volexity said.

While the firm detected two zero-day attacks, it's likely that the activity is more widespread. "Volexity has reason to believe this exploit is currently in use by multiple threat actors and that the likely country of origin of these attackers is China," researchers said.

**How to Prevent Confluence Compromise**

The best option beyond patching to prevent compromise is simply to disable Confluence Server and Confluence Data Center instances, remove all external access, or use IP address safelisting rules to restrict access to only trusted endpoints, researchers noted. Organizations can also add Java deserialization rules that defend against RCE injection vulnerabilities to their Web application firewalls (WAFs).

It's also important to uncover signs of any compromise, given that an infection can persist beyond patching.

"The presence of a webshell provides an attacker with the ability to maintain access to a compromised system even after a vulnerability like this one has been patched," notes Satnam Narang, senior staff research engineer at Tenable. "We observed the same following exploitation of the ProxyShell vulnerability last year, where attackers implanted webshells onto vulnerable Microsoft Exchange Server instances."

However, "these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities," Volexity pointed out.

Volexity researchers offered the following advice:

*   Ensure Internet-facing Web services have robust monitoring capabilities and log retention policies to assist in the event of an incident
*   Send relevant log files from Internet-facing web servers to a SIEM or Syslog server
*   Monitor child processes of Web application processes for suspicious processes (in this case, the Python shell is a good example of this)

If past is prologue, it's good to be vigilant on this one: Attackers see Confluence as a popular target, as shown by the mass exploitation of another RCE flaw last fall, in volumes that were large enough to trigger a CISA alert.

"While there are currently no exploitation details or proof-of-concept for this vulnerability, we know from history that attackers relish the opportunity to target Atlassian products like Confluence," Narang tells Dark Reading. "We strongly encourage organizations to review their mitigation options until patches are available."

Greg Fitzgerald, co-founder at Sevco Security, also cautions organizations to take proactive steps to generally prevent zero-day attacks.

“Organizations vulnerable to this exploit cannot simply sit back and assume that this will be resolved through their typical patch management process," he tells Dark Reading. "When Atlassian releases a patch, that will be the first step for most organizations. But while patching vulnerabilities works great for the systems that you know about, the vast majority of enterprises simply don’t know the entirety of their attack surface. This is because maintaining an accurate IT asset inventory in a dynamic environment is exceptionally difficult. Threat actors figured that out a long time ago and work around the clock to exploit it. The first step to combating threats like this one is to establish a continuously updated, accurate inventory of all enterprise assets to serve as a foundational control for your security program.”

**_This post was updated at 4:45 ET to reflect that the bug is no longer unpatched._**

Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover

If you want your IT and security administrators to get buried in trivial workloads and productivity bottlenecks, having poor network object management is a great way to accomplish that.

With needs around data privacy and application management changing rapidly, many businesses have yet to master the implementation of new security standards. The challenge becomes more complex when managing objects within a multivendor security network. Each vendor has its own management platform, which often forces network security admins to define objects multiple times, resulting in a counter-effect.

First, this can be an inefficient use of valuable resources and cause workload bottlenecks. Second, it creates naming inconsistency and introduces myriad unexpected errors, leading to security flaws and connectivity problems. This raises the question: Are businesses doing enough to ensure their network objects are synchronized in legacy and greenfield environments?

**What Is Network Object Management, and Why Should We Talk About It?**

If you want your IT and security administrators to get buried in trivial workloads and productivity bottlenecks, having poor network object management is a great way to achieve it. Inconsistent or incorrect naming of network objects can introduce a seemingly limitless number of problems for your organization, from connectivity woes to gaps in network security that you can't see. In this regard, poor network object management could actually be one of the biggest "insider threats" to an organization's overall cybersecurity efforts; if object names are incorrectly paired with a particular security policy due to inconsistent naming, everything will look fine on paper until a breach occurs, and even then it might be difficult to find the vulnerability.

This is why intelligent and proactive network object management is so crucial to a multicloud strategy. On a basic level, organizations might only need to name things such as servers, IP addresses, and groups of similar objects to which fairly simple security rules might be applied. But as an organization grows, it tends to end up with more network objects than it can count, sometimes running into the tens of thousands. Even a team of dedicated IT and security professionals wouldn't be able to monitor and update such a large number of objects, and mistakes due to avoidable human error would go through the roof. It's easy to see how things could go wrong with a manual or legacy approach to naming network objects — and they do.

**Why Network Object Management Is More Important With a Multicloud Approach**

For network security policies to work effectively, so-called "objects" on the network, such as servers or groups of IP addresses, need to be named so they can be included in the policies applicable to them. One of the biggest challenges that emerges with multicloud solutions is that businesses typically end up using network traffic-filtering solutions from multiple cloud vendors. Each solution will usually have its own vendor-specific platform, forcing network and security administrators to define the objects on their network multiple times. Not only does this waste a lot of time that could be spent elsewhere in the business, but it can lead to costly errors and security gaps.

Furthermore, this opens the door to another problem — that is, name duplication. On a small scale, this is quite easily rectified by a team that knows what to look for. But for bigger organizations, name duplication can spiral into a much larger problem. It's not uncommon for two copies of the same name to end up with two distinctly separate definitions.

For instance, let's say we have a group of database servers containing three IP addresses that we name "DB1" and the relevant security policy is applied. Then somebody takes the "DB1" name and uses it to define data servers in another network environment, this time containing only two IP addresses. In this example, the security policy rule using the name "DB1" would look fine to even a well-trained eye because the names and definitions it contained would seem identical. But we're now in a situation where one of these groups would apply to two IP addresses rather than three, and that will cause more problems the more the definition is used.

**Best Practices**

It's always good to have a set of maintenance guidelines that can help you achieve a higher standard of cyber hygiene. To help you get there, below are some general best practices that can serve as your cleanup checklist for network object management.

*   Remove duplicate objects.
*   Delete expired and unused rules and objects.
*   Break up long rule sections into readable chunks.
*   Enforce object naming conventions.
*   Delete old and unused policies.
*   Document rules, objects and policy revisions.

**The Takeaway**

Network object management might not be big or exciting, but it's fundamental to the safe and secure running of multicloud network environments. If a business achieves 100% accuracy in its approach to network object management, perhaps by leveraging automation and monitoring tools, there's very little reason it can't go on to achieve 100% network performance and efficiency.

Why Network Object Management Is Critical for Managing Multicloud Network Security

Someone interested in putting together a ransomware campaign has to consider several factors. The LockBit group touts its speed over competing families to attract potential buyers for its ransowmare-as-a-service.

Recent research has suggested that modern ransomware operations run much like legitimate businesses. Both have a management structure, different teams specializing in different aspects of the operation, and they outsource work when necessary. Many ransomware crews even have a PR team to draw attention to their latest victims and success stories. Recent research from Splunk suggests some groups are branching out into marketing, as well.

Earlier this year, the LockBit group posted a table listing encryption speeds for more than 30 ransomware families, highlighting the fact that LockBit 2.0 was the fastest. Measuring how long different ransomware takes to encrypt the files in victim environments is an interesting exercise from a technical perspective, but for LockBit, it was a marketing ploy to attract potential customers for its ransomware-as-a-service (RaaS) offering, says Shannon Davis, staff security strategist on Splunk’s SURGe research team.

The barrier to entry to launch a ransomware campaign is much lower, thanks to the availability of RaaS. LockBit and other “service providers” need to attract people who want to use the tool. By listing the encryption speeds on its site, LockBit is telling customers, “We are fast, use us, we are better,” Davis says.

Davis attempted to verify LockBit’s tests and claims about being the fastest. While Davis found that LockBit was faster than other ransomware families, there were some notable differences. For example, the “latest and greatest” version, LockBit 2.0, was actually slower at encrypting files than the original LockBit 1.0. And Splunk found that PwndLocker was the second fastest – though the LockBit group had ranked it 15th out of 30.

The 10 fastest families include some very well-known names. Conti, which has been in the headlines recently, was the fourth fastest in Splunk’s tests, while LockBit placed it 19th.

There is no way to tell whether the LockBit group fudged the numbers a bit to make certain groups look worse in the analysis than they actually performed, but Davis acknowledges that there are rivalries between crews as they go “head-to-head” competing for victims. The difference in results is most likely because of differences in testing methodologies, he says.

**We Aren’t That Fast**

While the rankings themselves are interesting (and good for ransomware marketing), security teams should note just how quickly ransomware performs its job. LockBit 1.0 takes 2.33 _minutes._ Conti takes a little over a minute longer, at 3.6 minutes.

“This is faster than any network defender can handle,” says Ryan Kovar, distinguished security strategist and leader of Splunk’s SURGe research team.

    

Encryption speeds for the 15 fastest ransomware families. The full list is available on Splunk's blog.

While the slowest, Avos, takes 132 minutes – or a little over two hours – the median is about 23 minutes. That’s still much faster than many organizations can act. Enterprise defense can’t “win” during the encryption phase, so their best chance for foiling a ransomware attack is to detect the intrusion before the encryption process kicks off, Kovar says.

Mandiant’s "M-Trends 2022" report notes that ransomware families tend to spend three to five days in the victim environment collecting information before kicking off the encryption process.

“We are not going to beat \[them\] in three minutes. We need more time,” Kovar says. “We need to be acting during those three to five days.”

Back to marketing, people often underestimate the extent to which ransomware is run like a business, Kovar says. Someone analyzed and measured the encryption speeds, but more than that, someone spent the time to create a graphic and put together a post discussing its research – and Kovar notes that all of this takes many hours to do. The fact that a ransomware crew has “top-tier marketing” and is thinking in terms of “value add” shows ransomware’s maturity, Kovar says.

“APT28 doesn’t have a marketing guy,” Kovar says.

For Ransomware, Speed Matters

U.S. cybersecurity services firm expands security and identity management services with woman-owned business.

Scottsdale, Ariz., June 02, 2022 -- Cerberus Cyber Sentinel Corporation (NASDAQ: CISO), a cybersecurity consulting and managed services firm based in Scottsdale, Ariz., announced that it has completed the acquisition of Creatrix, Inc., a woman-owned cybersecurity and information technology company based in Tennessee and Maryland.

Under the terms of the agreement, Creatrix will become a wholly owned subsidiary of Cerberus Sentinel. The company was co-founded by Anna Fleeman, founder and managing director, and Sami Elhini, co-founder and president. Creatrix is recognized for its expertise in identity management as well as systems integration and software engineering, and it specializes in biometrics, vetting, credentialing, and case management.

"Creatrix is a great fit for us at Cerberus Sentinel, as we both ascribe to creating a culture of cybersecurity for our customers," said David Jemmett, CEO and founder, Cerberus Sentinel. "We welcome co-founders Anna Fleeman and Sami Elhini and their team members, who all will become Cerberus Sentinel stakeholders. This is an innovative organization that collaborates with customers to secure their operations. Their expertise pairs very well with that of our extended Cerberus Sentinel team."

“Creatrix is honored to join Cerberus Sentinel,” said Elhini. “We believe our shared vision creates great and immediate value for our customers and shareholders. Through expanded service delivery capacities and future innovation, we will be better able to address the identity and security challenges of businesses and organizations in a rapidly changing world.”

**About Cerberus Sentinel**

Cerberus Sentinel is an industry leader in managed cybersecurity and compliance (MCCP) services with its exclusive MCCP+ managed compliance and cybersecurity services plus culture program. The company is rapidly expanding by acquiring world-class cybersecurity, secured managed services, and compliance companies with top-tier talent that utilize the latest technology to create innovative solutions to protect the most demanding businesses and government organizations against continuing and emerging security threats and compliance obligations.

**Safe Harbor Statement**

This news release contains certain statements that may be deemed to be forward-looking statements under federal securities laws, and we intend that such forward-looking statements be subject to the safe-harbor created thereby. Such forward-looking statements include, among others, our belief that Creatrix is a great fit for Cerberus, as we both ascribe to creating a culture of cybersecurity for our customers; our belief that Creatrix is an innovative organization that collaborates with customers to secure their operations; our belief that Creatrix’s expertise pairs very well with that of our extended Cerberus Sentinel team; the belief that the Creatrix and Cerberus Sentinel shared vision creates great and immediate value for customers and shareholders; and the belief that through expanded service delivery capacities and future innovation, we will be better able to address the identity and security challenges of businesses and organizations in a rapidly changing world. These statements are often, but not always, made through the use of words or phrases such as "believes," "expects," "anticipates," "intends," "estimates," “predict,” "plan," “project,” “continuing,” “ongoing,” “potential,” “opportunity,” "will," "may," "look forward," "intend," "guidance," "future" or similar words or phrases. These statements reflect our current views, expectations, and beliefs concerning future events and are subject to substantial risks, uncertainties, and other factors that could cause actual results to differ materially from those reflected by such forward-looking statements. Such factors include, among others, risks related to our ability to raise capital; our ability to increase revenue and cash flow and become profitable; our ability to recruit and retain key talent; our ability to identify and consummate acquisitions; our ability to acquire, attract, and retain clients; and other risks detailed from time to time in the reports filed with the Securities and Exchange Commission, including the Annual Report on Form 10-K for the fiscal year ended December 31, 2021. You should not place undue reliance on any forward-looking statements, which speak only as of the date they are made. Except as required by law, we assume no obligation and do not intend to update any forward-looking statements, whether as a result of new information, future developments, or otherwise.

Cerberus Sentinel Completes Acquisition of Creatrix, Inc.

79% of CISOs say continuous runtime vulnerability management is an essential capability to keep up with the expanding complexity of modern multi-cloud environments.

WALTHAM, Mass.--(BUSINESS WIRE)--Software intelligence company Dynatrace (NYSE: DT) announced today the findings of an independent global survey of 1,300 chief information security officers (CISOs) in large-size organizations. The research reveals that the speed and complexity created by using multicloud environments, multiple coding languages, and open source software libraries are making vulnerability management more difficult. 75% of CISOs say that despite having a multi-layered security posture, persistent coverage gaps allow vulnerabilities into production. This highlights the growing need for observability and security to converge, paving the way toward AISecDevOps practices. This will empower organizations with a more effective way of managing vulnerabilities at runtime, and the ability to detect and block attacks in real time. The complimentary report, _Observability and security must converge to enable effective vulnerability management_, is available for download.

Findings from the research include:

*   69% of CISOs say vulnerability management has become more difficult as the need to accelerate digital transformation has increased.
*   More than three-quarters (79%) of CISOs say that automatic, continuous runtime vulnerability management is key to filling the gap in the capabilities of existing security solutions. However, just 4% of organizations have real-time visibility into runtime vulnerabilities in containerized production environments.
*   Only 25% of security teams can access a fully accurate, continuously updated report of every application and code library running in production in real time.

“These findings underscore that there are always opportunities for vulnerabilities to slip past security teams, regardless of how robust their defenses might be. Both new applications and stable legacy software are prone to vulnerabilities that are more reliably detected in production. Log4Shell was the poster child for this problem, and there will undoubtedly be other scenarios like it in the future,” said Bernd Greifeneder, Chief Technology Officer at Dynatrace. “It’s also clear that most organizations still lack real-time visibility into runtime vulnerabilities. The problem stems from the growing use of cloud-native delivery practices, which enable greater business agility, but also introduce new complexity for vulnerability management, attack detection, and blocking. The rapid pace of digital transformation means that already overstretched teams are bombarded by thousands of security alerts that make it impossible to see through the noise and focus on what matters. Teams find it impossible to respond manually to every alert, and organizations are exposed to unnecessary risk by allowing vulnerabilities to escape into production.”

Additional findings include:

*   On average, organizations receive 2,027 alerts of potential application security vulnerabilities each month.
*   Less than a third (32%) of the application security vulnerability alerts organizations receive each day require action, compared to 42% last year.
*   On average, application security teams waste 28% of their time on vulnerability management tasks that could be automated.

“Organizations realize that to manage vulnerabilities in the cloud-native era effectively, security must become a shared responsibility. The convergence of observability and security is critical to providing development, operations, and security teams with the context needed to understand how their applications are connected, where the vulnerabilities lie, and which need to be prioritized. This accelerates risk management and incident response,” continued Greifeneder. “To be truly effective, organizations should look for solutions that have AI and automation capabilities at their core, enabling AISecDevOps. These solutions empower their teams to quickly identify and prioritize vulnerabilities at runtime, block attacks in real time, and remediate software flaws before they can be exploited. This means teams can stop wasting time in war rooms or chasing false positives and potential vulnerabilities that will never make it into production. Instead, they confidently deliver better, more secure software faster.”

The report is based on a global survey of 1,300 CISOs in large-size organizations with more than 1,000 employees, conducted by Coleman Parkes and commissioned by Dynatrace in April 2022. The sample included 200 respondents in the U.S., 100 each in the UK, France, Germany, Spain, Italy, the Nordics, the Middle East, Australia, and India, and 50 each in Singapore, Malaysia, Brazil, and Mexico.

**About Dynatrace**

Dynatrace (NYSE: DT) exists to make the world’s software work perfectly. Our unified software intelligence platform combines broad and deep observability and continuous runtime application security with the most advanced AIOps to provide answers and intelligent automation from data at an enormous scale. This enables innovators to modernize and automate cloud operations, deliver software faster and more securely, and ensure flawless digital experiences. That is why the world’s largest organizations trust the Dynatrace® platform to accelerate digital transformation.

Curious to see how you can simplify your cloud and maximize the impact of your digital teams? Let us show you. Sign up for a free 15-day Dynatrace trial.

Research Reveals 75% of CISOs Are Worried Too Many Application Vulnerabilities Leak Into Production, Despite a Multi-Layered Security Approach

Conti threat actors are betting chipset firmware is updated less frequently than other software — and winning big, analysts say.

Leaked communications from within the Conti threat group reveal the Moscow-backed cybercrime group has honed its firmware attack skills and is actively targeting Intel Management Engine (ME), a microcontroller inside many iterations of the modern Intel chipset, according to a new report.

The analysis, from Eclypsium, notes that Intel chipsets aren't being targeted by Conti because they have vulnerable code, but rather the group assumes firmware patching is spotty at best. In addition, firmware attacks can evade most security tools, the analysts added.

"This can leave some of the most powerful and privileged code on a device susceptible to attack," the report detailing the Conti firmware attacks said. "The recent Conti leaks mark a critical phase in the rapidly evolving role of firmware in modern attacks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading