The judges appreciated the scale of the problem the startup set out to solve: protecting the integrity of AI systems.

RSA CONFERENCE 2023 – San Francisco – CEO Chris Sestito started his three-minute pitch at Innovation Sandbox on Monday, April 25, with a deepfake video of himself telling the judges not to vote for HiddenLayer, the company he co-founded. Not only did the judges not accede to his request, they crowned the AI security startup as the "Most Innovative Startup 2023" at this year's RSA Conference.

HiddenLayer beat out second-place Pangea and eight other finalists in what host Hugh Thompson called "the most competitive contest yet." One of the judges, Shlomo Kramer, CEO and co-founder of Cato Networks, praised Pangea as addressing the "central category of security" with its block-based application security platform.

But the judges were won over by the importance of securing artificial intelligence (AI). Another judge, Christopher Young, Microsoft's executive vice president, called HiddenLayer's focus area "_the_ problem we're going to face in the next few years."

**What HiddenLayer Digs Up**

That problem is ensuring the health of a company's AI assets.

AI is being used in mission-critical, even life-or-death situations, such as autonomous driving and military analysis. However, AI can only learn from the data it is fed, which means attackers can feed it purposely bad data to get the AI to behave in an unexpected, unwanted manner. And once that training data pool has been poisoned, it's difficult or impossible to scrub — just ask Microsoft, which had to pull the plug on its chatbot Tay when some Twitter users purposely fed it objectionable content.

To guard against insidious techniques, such as data poisoning and adversarial transferability, HiddenLayer relies on AI to protect AI. It employs machine learning (ML) to monitor an ML system's inputs and outputs in order to discern anomalies that suggest adversarial attacks. Sestito called the approach "MLDR" — endpoint detection and response, but for machine learning.

**Judging the Top Competitors**

The competition's judging criteria is as follows: the problem a company sets out to solve, the originality of the solution, the strength of its team, and whether the approach has been validated by the market — that is, is the company making money?

The judges were almost all veterans of the contest: Kramer and Young both served last year, as did Niloofar Razi Howe, senior operating partner at Energy Impact Partners, and Paul Kocher, independent researcher and founder of Cryptography Research. New this year was Barmak Meftah, co-founder and general partner at Ballistic Ventures.

The 10 finalists this year (in reverse alphabetical order): Zama, Valence Security, SafeBase, Relyance AI, Pangea, HiddenLayer, Endor Labs, Dazz, Astrix Security, and AnChain.AI.

Pangea CEO and founder Oliver Friedrichs faced some pointed questions. Kocher flat out asked Friedrichs, "Can your team execute?"

Kocher, who Thompson calls "the Simon Cowell of Innovation Sandbox," asked AnChain.AI CEO and co-founder Victor Fang whether his company's focus on blockchain defense was betting on Web3 succeeding or being an "endless series of disasters."

Endor Labs CEO and co-founder Varun Badhwar earned laughs when he compared the use of open source in enterprise with his surprise twins: in both cases, you have more than you think you do, but at least his twins, unlike open source code, "weren't conceived by strangers on the Internet."

HiddenLayer Nabs Most Innovative Startup Crown at RSAC

Researchers find 250 million artifacts and 65,000 container images exposed in registries and repositories scattered across the Internet.

Many organizations, including some of the world's largest companies, are at heightened risk of compromise and data theft from misconfigured and poorly secured software registries and artifact repositories, a new study has shown.

Research that cloud-security vendor Aqua Security recently conducted uncovered some 250 million software artifacts and more than 65,000 container images lying exposed and Internet-accessible in thousands of registries and repositories. Some 1,400 hosts allowed access to secrets, keys, passwords, and other sensitive data that an attacker could use to mount a supply chain attack, or to poison an enterprise software development environment.

**Wide Registry Exposure**

Aqua discovered 57 registries with critical misconfigurations, including 15 that enabled an attacker to gain admin privileges with just the default password; 2,100 artifact registries offered upload permissions, which potentially gave anonymous users a way to upload malicious code to the registry.

In all, Aqua found nearly 12,800 container image registries that were accessible over the Internet of which 2,839 permitted anonymous user access. On 1,400 hosts, Aqua researchers found at least one sensitive data element such as keys, tokens, and credentials; on 156 hosts the company found private addresses of endpoints such as MongoDB, Redis, and PostgreSQL.

Among the thousands of affected organizations were several Fortune 500 companies. One of them was IBM, which had exposed an internal container registry to the Internet and put sensitive data at risk of access. The company addressed the issue after Aqua's researchers informed it of their discovery. Other notable organizations that had potentially put their data at similar risk included Siemens, Cisco, and Alibaba. In addition, Aqua found software secrets in registries belonging to at least two cybersecurity firms exposed to the Internet. Aqua's data is based on an analysis of container images, Red Hat Quay container registries, JFrog Artifactory, and Sonatype Nexus artifact registries.

"It's critical that organizations of all sizes around the world take a moment to verify that their registries — whether public or private — are secure," advises Assaf Morag, lead threat intelligence and data analyst at Aqua Security. Organizations that have code in public registries or have connected their registries to the Internet and allow anonymous access should ensure their code and registries don't contain secrets, intellectual property, or sensitive information, he says.

"The hosts belonged to thousands of organizations around the world – ranging by industry, size, and geography," Morag notes. "That means the benefits for an attacker could also range."

**Risky Registries & Repositories**

Aqua's research is the latest to highlight the risks to businesses from data in software registries, repositories and artifact management systems. Development teams use software registries to store, manage, and distribute software, libraries, and tools and use repositories for centrally storing and maintaining specific software packages from within the registry. The function of artifact repositories is to help organizations store and manage the artifacts of a software project such as source code, binary files, documentation, and build artifacts. Artifact management systems can also include Docker images and packages from public repositories such as Maven, NPM, and NuGet.

Often, organizations using open source code in their projects — an almost ubiquitous practice at this point —connect their internal registries and artifact management systems to the Internet and allow anonymous access to certain portions of the registry. For instance, a software development team using JFrog Artifactory as an internal repository could configure external access so customers and partners can share its artifacts.

Threat actors seeking to compromise enterprise software development environments have increasingly begun targeting software registries and repositories in recent years. Some of the attacks have involved attempts by threat actors to introduce malicious code into development and build environments directly or via poisoned packages planted on NPM, PyPI, and other widely used public repositories. In other instances, threat actors have targeted these tools to gain access to the sensitive information such as credentials, passwords, and APIs stored in them.

Aqua's research showed that, in many cases, organizations are inadvertently making it easier for attackers to carry out these attacks by mistakenly connecting registries containing sensitive information to the Internet, posting secrets in public repositories, using default passwords for access control, and granting overly excessive privileges to users.

In one instance, Aqua uncovered a bank with an open registry featuring online banking applications. "An attacker could have pulled the container, then modified it and pushed it back," Morag says.

In another instance, Aqua discovered two misconfigured container registries belonging to the development and engineering team of a Fortune 100 technology company. Aqua found the registries to contain so much sensitive information and afford so much access and privileges for doing damage, that the company decided to halt its research and inform the technology company of the issue. In this case, the security snafu resulted from a development engineer opening up the environment while working on an unapproved side project.

Millions of Artifacts, Misconfigured Enterprise Software Registries Are Ripe for Pwning

Getting a handle on the new risks facing AppSec by low-code/no-code development patterns

As low-code and no-code application development platforms gain more currency among business groups seeking speedy workarounds to long development backlogs, concerns about application security loom.

The low-code movement increases software engineering agility by speeding up the work of developers and enabling nontechnical business users to create their own applications and add new features to existing tools without needing to engage the engineering team. Low-code development offers the kind of elegant simplicity that’s irresistible to executives with big digital transformation aspirations.

But that kind of "it just works" opacity sends shudders down the spines of cybersecurity veterans. Any security professional with experience with emerging tech cycles instinctually understands that there be dragons in the waters that lie ahead for low-code/no-code — even if they’ve not yet mapped out exactly what kind of monsters they’re dealing with or where they are just yet.

Michael Bargury, author of the Low-Code/No-Code OWASP Top 10, will explain the exact nature of some of low-code/no-code's biggest security risks at the RSA Conference in San Francisco. Chief among them are patterns of permissioning that could throw many of the investments that organizations have made in role-based access control and identity management right out the window.

**Low-Code's Expected Explosion**

Low-code and no-code technologies provide graphical user interface (GUI) environments that make it possible to design and deploy applications and new features for fast-evolving business use cases without intensive hand-coding. These technologies include low-code application platforms (LCAP), robotic process automation (RPA), and business process automation (BPA), among others. Recent forecasting by Gartner shows that by next year the LCAP market will have doubled its revenue from 2021 and the broader low-code segment will reach nearly $32 billion.

These low-code technologies are being used by development teams to speed up and scale their work, by teams of developers and business stakeholders to improve collaboration on fast-moving digital initiatives, and by a new class of citizen developers who create their own apps without waiting for development resources.

It's that last group that’s fueling the explosion of low-code and no-code platforms and the use of low-code functionality within broader software-as-a-service (SaaS) application ecosystems. Gartner predicts that the overall low-code market will increase by 19.6% in 2023, with the fastest-growing segment being citizen automation development platforms, which are set to increase by over 30%. Analysts with the firm say that developers outside of formal IT departments already make up well over 60% of the low-code user base, and by 2026 citizen developers and other nontraditional application designers are going to make up 80% low-code users.

"Business technologists and citizen technologist personas are developing lightweight solutions to meet business unit needs for enhanced productivity, efficiency, and agility — often as fusion teams," said Jason Wong, distinguished VP analyst for Gartner in a recent low-code forecast by the firm.

**Low-Code's IAM Bombshell**

In the face of all this growth in low-code technology, Bargury is on a mission to warn security executives of the risks it poses to application security and cybersecurity postures in the near- and long-term. One of the biggest risks is the fact that these platforms are rampantly sharing credentials in order to work around strict access controls built by organizations over the years, says Bargury, co-founder and CTO of Zenity, a startup focused on low-code/no-code security.

"Let's say that you already have a SaaS platform and you've built this low-code platform on top of SaaS. Now business users can create their own applications and share those applications with their teams and other employees to use as well. So what would be the number one thing that would stop them from being able to do that in the enterprise?" Bargury says. "The answer is permissions."

As he explains, if a business user wants to create their own app, they need to get permissions granted to that app to give it access to data stores and to get it to integrate with other systems. And to get that, these citizen developers would traditionally need to wait for somebody from IT to grant that. Not only would these app designers probably hear a lot of "nos" from these teams, but just waiting for the provisioning process to run its course would essentially neutralize the whole agility value proposition of using low-code in the first place.

So, to get around this problem, many low-code/no-code platforms allow business users to build applications using their own credentials and identities. When they share those applications to other users for broader use, those credentials are shared by everyone.

"Let's say I work in finance. I build an application, and I implicitly embed my own identity within that application, and now I'm sharing that application with you," Bargury says. "You are using the app and everything works, and it's fine, you have access to data. But the underlying application is actually still using my identity to provide that access. I call this credential-sharing-as-a-service."

And as he puts it, this is a feature that low-code development platforms are proud of and actively marketing because they enable productivity. But obviously from a security perspective it can quickly turn into a nightmare. It could undermine the integrity of role-based access controls, throw off user and entity behavioral analytics, and create huge compliance risks in the future, says Morey Haber, CSO for privileged access management firm BeyondTrust

"Credential-sharing-as-a-service would impact an organization's ability to accurately provide attestation reporting for all identities utilizing the service," Haber says. "Accounts present from a low-code development platform environment would provide an unknown for accurately who has access, including foreign identities."

Chris Hughes, CISO and co-founder of Aquia, says he has a hard time seeing how low-code platforms that handle permissions in this way could possibly be used in secure coding environments.

"They are just not compatible," he says. "In fairness, this is a new risk that is now being exposed for these solutions, and now that this information is public, it needs to be amplified for all organizations to measure the risk and determine if they are violating any laws by using this type of software."

**Yet Another BYOD Scenario**

For his part, Bargury doesn't believe that blocking low-code development is the answer to these risks.

Security professionals who were around during the advent of the iPhone and other consumer-class devices and cloud services will understand that this wave of low-code development will mirror the same challenges they faced in the first days of bring-your-own-device hype. While AppSec pros have to seek ways to effectively manage these risks, there is no way that they're going to do that by stopping the low-code freight train.

"It's like when people started using mobile, and security teams were like, 'Yeah, nobody will ever use mobile with our company data.' We tried to block it, but it didn't work," says Bargury.

Low-code/no-code technology is already more pervasive in the enterprise than many security professionals even realize, he adds

"There are multiple vendors that are pushing this space forward, but some of them are the SaaS vendors, which are building low-code/no-code into their existing offerings," explains Bargury, pointing to vendors like ServiceNow, Salesforce, Microsoft, and many others that have already pushed these features into their enterprise offerings. "This is a crucial point because it means that nobody gets to choose if they will have low-code/no-code or not because it's already there."

Not to mention the fact that business users and executive sponsors love low-code technologies. Low-code platforms are helping them overcome lengthy application feature request backlogs that have plagued their digital transformation efforts for years. The agility and ROI of low-code is something that security practitioners cannot discount. Just like with BYOD, this is a political battle they can't win, Bargury says.

Much of Bargury's talk at RSA Conference will focus on helping AppSec practitioners understand the kinds of security guardrails they can institute around low-code platforms to make them more compatible with broader security and compliance needs of the business.

This includes better vetting of which low-code technologies are in use within the organization, more scrupulous development of policies and configuration around how low-code platforms orchestrate the provisioning of access within the applications they produce, and more robust black-box testing of applications produced by low-code technology.

"I think the worst approach would be to try and block low code because people will just use something else," he says. "The best approach would be to say, 'Here's a few approved platforms. You can do whatever you want in them. There are automated guidelines to help protect you. We got your back. Don't think about security. You are in finance, you are in sales, do your thing.' That's something that we as security practitioners need to be proactive about."

Are Low-Code Apps a Ticking Access Control Time Bomb?

Code property graphs and a threat feed powered by artificial narrow intelligence help developers incorporate AppSec into DevOps.

RSA CONFERENCE 2023 – San Francisco – Application security company Qwiet AI has announced a new threat intelligence feed for its real-time code security analysis tool PreZero to help security teams focus on remediating the fixes that will have the most impact on application security.

The data feed, called Blacklight, analyzes information about exploits that are deployed in the wild. Developers can use the data to see which vulnerabilities to address right away and which ones can wait. Just like a physical black light can reveal where that smell is coming from, Blacklight "exposes what you can't see visually," says Qwiet AI CEO Stuart McClure.

Narrowing the scope of patching is vital, considering the sheer volume of vulnerabilities reported. There were 3,239 high-severity vulnerabilities found in 2022, according to NIST's National Vulnerability Database, putting security teams in the position of having to remediate about 10 a day, every calendar day, to fix just the most serious vulnerabilities. But past research has shown that not all vulnerabilities need to be fixed right away. Only 15% of vulnerabilities get loaded into memory, which suggests 85% aren't reachable by an attacker, according to Sysdig. And of those reachable vulnerabilities, even less are exploitable in practice. In 2022 Qwiet AI, then called ShiftLeft, announced that only 3% of open source vulnerabilities were attackable.

The trick, of course, lies in identifying the 3%. PreZero asks a series of questions to whittle down vulnerabilities to a shorter list of those requiring immediate action: Does the application load the package containing the CVE? Is that package in use by the application? Can an attacker reach that package? And how can the developer mitigate the vulnerability?

A survey of PreZero users found that the new threat feed reduces the average cost per finding by nearly 25%, according to the company.

**Putting Artificial Narrow Intelligence to Work**

PreZero builds a deep neural net out of code property graphs (CPGs), which analyze JavaScript — 58 billion lines of it so far, according to McClure. The CPG is made up of three kinds of data graphs: abstract syntax trees that classify code according to syntax, data flow graphs that map variables from input through to the outputs to see how the data changes, and control flow graphs that track who controls the data and what changes are made.

The artificial narrow intelligence system uses those CPGs to build a model of what good code looks like versus vulnerable code, which it then can apply to new code that's entered into the tool.

"We're gonna go through the typical path, which is the code property graph based on these human-written policies, but we're also going to send that same code sample through our AI model and be able to determine if there's an additional vulnerability in there that the humans didn't catch or the signatures didn't catch," McClure says. "And so that's what really differentiates us."

Qwiet AI shared with Dark Reading a screenshot of a report Blacklight generated on Log4j 2.9.1, one of many versions of the logging utility affected by the Log4Shell vulnerability, to demonstrate the kind of information the feed provides. Potentially the most useful section is remediation advice, which counsels, "Users who want to avoid attacker-controlled JNDI lookups but cannot upgrade to 2.16.0 must ensure that no such lookups resolve to attacker-provided data and ensure that the JndiLookup class is not loaded."

"I've spent my time in the trenches," says Bruce Snell, Qwiet AI director of technical and product marketing. "There's something more visceral about attaching an actual exploit or a threat actor to a vulnerability."

Another interesting feature in PreZero is security insights, which flags code that would open the door to vulnerabilities if it were deployed. That's clearly useful for developers trying to write more secure code, but McClure says the security side also benefits from PreZero.

"The AppSec, cybersecurity, and CISOs would use \[PreZero\] to understand the current state of risk to the business, but then developers use it to actually get the line of code that they need to go fix," he says.

**AI Is Good Business**

Competition does abound. For example, Snyk uses AI in vulnerability scanning, as does GitHub — although the Spider Artificial Intelligence Vulnerability Scanner (SAIVS) falls into the machine learning category.

"We've had this skill shortage for as long as I can remember now, and I think it's actually worse on the AppSec side than it is in the InfoSec side," Snell says. "So having this AI that can, instead of trying to find the needle in a haystack, just produce a stack of needles and say, 'Here's the things that you need to deal with' is going to be huge. And it's really going to be the only way I think that the industry can keep up."

Getting away from signatures is something McClure has been working on since he co-founded Cylance, which he sold to BlackBerry for $1.4 billion in 2018; he's been planning out his vision of the future of AI since at least 2016. To demonstrate his hacking philosophy in action, McClure is co-presenting a technical session "Hacking Exposed — Hacking the Sec into DevOps" with Qwiet AI CTO Chetan Conikee on Wednesday April 26 at 1:15 p.m.

Qwiet AI Builds a Neural Net to Catch Coding Vulnerabilities

**SAN FRANCISCO****,** **April 24, 2023** **/PRNewswire/ --** **RSA CONFERENCE 2023 --** Cisco (NASDAQ: CSCO), the leader in enterprise networking and security, unveiled the latest progress towards its vision of the Cisco Security Cloud, a unified, AI-driven, cross-domain security platform. Cisco's new XDR solution and the release of advanced features for Duo MFA will help organizations better protect the integrity of their entire IT ecosystem.

**Threat Detection and Response****

Cisco's XDR strategy converges its deep expertise and visibility across the network and endpoints into one turnkey, risk-based solution. Now in Beta with General Availability coming in July 2023, Cisco XDR simplifies investigating incidents and enables security operations centers (SOCs) to immediately remediate threats. The cloud-first solution applies analytics to prioritize detections and moves the focus from endless investigations to remediating the highest priority incidents with evidence-backed automation.

"The threat landscape is complex and evolving. Detection without response is insufficient, while response without detection is impossible. With Cisco XDR, security operations teams can respond and remediate threats before they have a chance to cause significant damage," said Jeetu Patel**, Executive Vice President and General Manager of Security and Collaboration at Cisco.** "Cisco continues to ensure that 'if it's connected, you're also protected.' We are uniquely positioned to deliver integrated solutions that simplify securing today's increasingly complex, hybrid multi-cloud environments without compromising user experience."

While traditional Security Information and Event Management (SIEM) technology provides management for log-centric data and measures outcomes in days, Cisco XDR focuses on telemetry-centric data and delivers outcomes in minutes. It natively analyzes and correlates the six telemetry sources that Security Operations Center (SOC) operators say are critical for an XDR solution: endpoint, network, firewall, email, identity, and DNS. On the endpoint specifically, Cisco XDR leverages insight from 200 million endpoints with Cisco Secure Client, formerly AnyConnect, to provide process-level visibility of where the endpoint meets the network.

"The true measure of XDR is its ability to deliver actual security outcomes, real and measurable benefit to organizations — early detection, impact prioritization, and effective and efficient response," said Frank Dickson**, Group Vice President, Security & Trust, IDC.** "True results need to be quantifiable numerically and not just qualitatively described with words. Cisco XDR delivers a clear framework for enabling organizations to achieve such tangible outcomes."

In addition to Cisco's native telemetry, Cisco XDR integrates with leading third-party vendors to share telemetry, increase interoperability, and deliver consistent outcomes regardless of vendor or technology. The initial set of out-of-the-box integrations at general availability include:

*   **Endpoint Detection and Response (EDR)**: CrowdStrike Falcon Insight XDR, Cybereason Endpoint Detection and Response, Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, SentinelOne Singularity, Trend Vision One
*   **Email Threat Defense:** Microsoft Defender for Office, Proofpoint Email Protection
*   **Next-Generation Firewall (NGFW):** Check Point Quantum, Palo Alto Networks Next-Generation Firewall
*   **Network Detection and Response (NDR):** Darktrace DETECT™ and Darktrace RESPOND™,  ExtraHop Reveal(x)
*   **Security Information and Event Management (SIEM):** Microsoft Sentinel

"Throughout Logicalis' decades-long pursuit to becoming a world class integrator; we have recognized the impact extensibility can have on the viability and efficacy of any solution," said Brad Davenport**, Vice President of Technical Architecture, Logicalis**. "With the launch of Cisco XDR, we can finally provide our customers with XDR outcomes as a solution or managed offering. We see this as a natural progression for us along the security maturity journey. Logicalis is very excited to put our combined expertise to work for our clients and offer Cisco XDR to help them achieve their business outcomes."

**Zero Trust and Access Management**

As attackers increasingly target gaps in weaker multi-factor authentication (MFA) implementations, Cisco is redefining what is essential for access management. Every business needs three key pillars for its access management strategy: enforcing strong authentication, verifying devices, and reducing the number of passwords in use. This is why, beginning on May 1st, Cisco is adding Trusted Endpoints to all its paid Duo Editions. Previously just available in Duo's highest tier, Trusted Endpoints allows only registered or managed devices to access resources. By delivering Trusted Endpoints alongside Single Sign On, MFA, Passwordless, and Verified Push within the entry-level Duo Essentials edition, Cisco is delivering the most secure, cost-effective, and user-friendly access management solution on the market.

To learn more, visit Cisco.com/go/security.   

**Supporting Quotes**

"Darktrace DETECT and RESPOND, parts of the Darktrace Cyber AI Loop, can quickly contain and disarm threats, whether known or unknown, and with a high degree of fidelity. Our collaboration with Cisco will provide our mutual customers with added visibility into security incidents and actions across cloud, network and OT," said Mattheus Bovbjerg**, Vice President of Integrations, Darktrace.** We look forward to expanding this collaboration to additional coverage areas including email and SaaS applications in the future."

"As organizations embrace the network as the essential source for cybertruth, our partnership with Cisco offers enterprises the ability to integrate ExtraHop with best-of-breed products for a more comprehensive view of their IT environments," said Jesse Rothstein**, Chief Technology Officer and Co-Founder, ExtraHop**. "Joint customers will benefit from ExtraHop's enterprise-grade, high–fidelity detections with network decryption and support for more than 80+ protocols, while also seamlessly integrating with log and endpoint solutions to achieve more streamlined investigations."

"SentinelOne is excited to team with Cisco to deliver market-leading solutions that allow our joint customers to push the boundaries of security," said Akhil Kapoor**, Vice President of Technology Partnerships and Business Development, SentinelOne**. "We look forward to integrating our EDR and Cloud Workload Protection (CWPP) solutions with Cisco to help organizations of all sizes secure tomorrow today."

"Our vision for XDR is to provide customers with a comprehensive, consolidated view of their security posture, enabling them to respond to threats quickly and effectively," said Mike Gibson**, Senior Vice President of Global Services and Customer Success, Trend Micro**. "The integration with Cisco XDR is a significant step forward in the evolution of cybersecurity. By leveraging the strength of both solutions, we are able to offer our customers a unified solution that expands telemetry insights to gain a greater perspective of their security environment enabling them to detect threats faster and respond more effectively."

**Additional Resources**

*   **Blog**: XDR and the Importance of Cross-Domain Correlated Telemetry
*   **Blog**: Simplify Your Security Operations with Cisco XDR, Launching at RSAC
*   **Blog**: Raising the Bar: Duo Redefines What is Essential for Access Management 

**About Cisco** 

Cisco (NASDAQ: CSCO) is the worldwide leader in technology that powers the Internet. Cisco inspires new possibilities by reimagining your applications, securing your data, transforming your infrastructure, and empowering your teams for a global and inclusive future. Discover more on The Newsroom and follow us on Twitter at @Cisco. 

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. 

SOURCE Cisco Systems, Inc.

**

Cisco Unveils Solution to Rapidly Detect Advanced Cyber Threats and Automate Response

The issue could then allow the malicious actor to generate arbitrary logs which can trigger malicious commands to be run with elevated privileges.

Monday, April 24, 2023 10:04

_Tim Brown of Cisco Security Advisory EMEA discovered these vulnerabilities and contributed to this blog post._

A Cisco security researcher recently discovered two vulnerabilities in the IBM AIX Unix platforms that could be exploited to inject commands and logs into targeted systems with elevated privileges.

AIX is a more than 20-year-old set of operating systems for Unix that run on various IBM platforms.

TALOS-2023-1690 (CVE-2023-26286) is a vulnerability in AIX’s errlog() syscall functionality that can be triggered if an adversary sends a specially crafted syscall. This could then allow the malicious actor to generate arbitrary logs which can trigger malicious commands to be run with elevated privileges. An adversary could also exploit TALOS-2023-1690 to gain out-of-bounds memory access.

TALOS-2023-1691 (CVE-2023-28528) exists in AIX’s invscout setUID binary. In this case, the adversary could send a specially crafted command line argument to gain the ability to inject arbitrary commands.

While the vulnerability in invscout is relatively run-of-the mill, the vulnerability with errlog() is more notable. In this case, the malicious input is supplied by user via a non-privileged syscall resulting in the AIX kernel writing the data to a privileged device (/dev/error). From there, a privileged service (errdaemon) runs as root and reads from the device and misprocesses it, resulting in command execution and/or memory corruption. The vulnerability is notable for the following reasons:

*   The errlog() syscall does not limit who can access it, nor which kernel and user-land errors it can be used to raise.
*   The same configurable mechanism by which errdaemon handles events written to /dev/error, could also be used by adversaries to construct a persistence mechanism, with errdaemon being configured to perform malicious activities when an appropriately constructed message is logged by a user.

*   On systems where the errors are collected and fed to a SIEM or other network monitoring solution, this presents opportunities for detection beyond on-device telemetry, as can be seen with the related Snort rule.

Cisco Talos worked with IBM to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: IBM Corporation AIX, version 7.2. Talos tested and confirmed this version of AIX could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against the TALOS-2023-1690 vulnerability: 61154 and 61155. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges

Integrated platform enables enterprises to seamlessly execute their mobile-first security strategy.

**SAN FRANCISCO, Calif., RSAC 2023 - April 24, 2023** \-- Zimperium, the leading mobile security solution for endpoints and apps, today announced the launch of the Zimperium Mobile-First Security Platform™. This single platform unifies Zimperium Mobile Threat Defense (MTD)\-_formerly known as zIPS_\- and Mobile Application Protection Suite (MAPS), unleashing powerful new features designed for teams who bear security responsibility across the entire mobile security spectrum. Through a ‘single pane of glass’, customers now have centralized access to and management of both Zimperium’s mobile application security and endpoint security solutions, providing them full mobile coverage to dynamically adapt to emerging threats.

“Today’s CISOs need to prioritize a mobile-first security strategy to stay ahead of attacks. There are a host of point solutions on the market for securing devices and applications, but none come together to provide an end-to-end platform to unlock the power of a mobile-powered business strategy,” said Shridhar Mittal, Chief Executive Officer at Zimperium. “The Zimperium Mobile-First Security Platform uniquely provides the most comprehensive mobile capabilities for risk reduction, global visibility, threat detection and response for both endpoints and apps.”

The launch of the platform comes at a time when attacks against mobile devices and apps are increasing exponentially. As an example, recent changes in the forthcoming iOS 17 will purportedly allow for the sideloading of third party apps, putting mobile devices at even greater risk. Our world is becoming increasingly mobile, and the Bring Your Own Device (BYOD) trend that exploded during the pandemic has become a staple of business operations. At the same time, mobile applications are being used for everything from banking to managing medical devices and have become a critical part of many enterprise's business models. Unfortunately, this has opened the door to new attack vectors across devices and apps and has created an expanded, distributed attack surface for enterprises to manage and secure. According to recent research, half of organizations suffered a mobile-related compromise in 2022. 

The Zimperium Mobile-First Security Platform uniquely combines capabilities across mobile threat defense (MTD) and mobile app security (MAPS) such as:

*   **Centralized management and access** to device and app security through a single interface on any cloud and on-premises.
*   **Protection for all devices** against critical mobile threats such as phishing, spyware, and rogue networks.
*   **Privacy-by-design** to protect employee privacy on both corporate and BYOD devices as they work from anywhere, anytime.
*   **Pervasive risk management for apps** to find risks in apps you develop and third-party apps used by employees. 
*   **Advanced in-app protection** to prevent reverse engineering, protect cryptographic keys, and create self-defending apps.
*   **An enhanced mobile ecosystem** with enterprise integrations including SIEMS, IAM**,**XDR**,**DevOps workflows, ticketing systems, GitHub action and, fraud systems.
*   **Deep forensics** and enhanced search capabilities to enable advanced threat hunting.

All of this is made possible by the unification of the platform and its key security solutions:

*   Zimperium Mobile Application Protection Suite (MAPS) helps enterprises build secure and compliant mobile applications. It's the only unified solution that offers comprehensive in-app protection and threat visibility across the entire lifecycle of an application.

*   Zimperium Mobile Threat Defense (MTD), with its unique, dynamically adapting, on- device protection is the only MTD solution that can protect users against known and unknown threats. Zimperium MTD offers zero-touch activation and privacy-first design, providing users with a trustworthy and seamless experience. In addition, MTD now offers new customizable branding for a company’s logo and color scheme, enabling trust and improved end-user adoption.

"The Zimperium Mobile-First Security Platform protects mobile applications and devices for today’s mobile-powered business. Its real-time threat visibility and response uniquely provides continuous protection against known and unknown threats," said Ayush Patidar, Analyst, Quadrant Knowledge Solutions. "With on-device protection and real-time app security including app scanning, app shielding, runtime protection, and protection of cryptographic keys, the platform provides protection against phishing, spyware, rogue networks, and malicious app attacks. Owing to these capabilities, Zimperium has scored strong overall ratings across the performance parameters of the technology excellence and the customer impact in SPARK MatrixTM for Mobile Threat Management (MTM) and In-App Protection market and has been placed as a technology leader in 2022."

To learn more about how the Zimperium Mobile-First Security Platform can solve your enterprise’s biggest mobile and application security challenges, click here. To access Zimperium MTD on the App Store, click here. To access Zimperium MTD on Google Play, click here.

Zimperium will also be onsite at the upcoming RSA Conference in San Francisco from April 24–27, please visit our booth #1727 South Hall.

**About Zimperium**

Zimperium provides the only mobile-first security platform purpose-built for enterprise environments. With machine learning-based protection and a single platform that secures everything from endpoints to applications, Zimperium provides on-device mobile threat defense and in-app protection to address today’s growing and evolving mobile security threats. environments. Zimperium is headquartered in Dallas, Texas and backed by Liberty Strategic Capital and SoftBank. For more information, follow Zimperium on Twitter (@Zimperium) and LinkedIn (https://www.linkedin.com/company/zimperium), or visit www.Zimperium.com.

Zimperium Launches Unified Mobile Security Platform for Threat Detection, Visibility, and Response

Powered by Cribl, a CrowdStrike Falcon Fund partner, and available to CrowdStrike Falcon platform customers.

**AUSTIN, Texas and RSA Conference 2023, SAN FRANCISCO, April 24, 2023** – CrowdStrike (Nasdaq: CRWD) today introduced CrowdStream, powered by open observability company Cribl, which transforms how customers can get any data, from any security or IT source, directly into the CrowdStrike Falcon platform to solve XDR, log management and AI-based analytics challenges in a rapid, cost effective way.

Organizations struggle to get the complete visibility across the security and IT data sources needed to effectively stop increasingly sophisticated adversaries as they move across attack surfaces to breach organizations. Collecting and routing this siloed data is creating a heavy burden of complexity and cost, especially as data volumes continue to exponentially grow across ever-multiplying data sources.

CrowdStream is a new native platform capability that directly connects any data source into the CrowdStrike Falcon platform using Cribl’s observability pipeline technology. By sitting between data sources and their destination, CrowdStream provides an elegant and cost-effective way to get data into the CrowdStrike Falcon platform to greatly accelerate the adoption of XDR and log management, as well as aggregating the required data to train advanced AI/ML models.

CrowdStream transforms an organization’s ability to unify siloed security and IT data by:

• **Easily connect and rout****e** data from any source into the CrowdStrike Falcon platform, accelerating the adoption of XDR and log management by minimizing the complexity and cost of onoboarding data sources.

• **Unify data within the CrowdStrike Falcon platform for insights** and near-instant search at petabyte scale to provide the rich visibility and aggregated telemetry needed to eliminate threats, run deep analytics and hunt for adversaries.

• **Cut log management costs** by sending the right data (and only the right data) to a modern log management solution such as CrowdStrike Falcon LogScale. Recently, a large financial institution switched to CrowdStrike Falcon LogScale and saved at least $5 million dollars over three years in infrastructure and licensing costs.

• **Consolidate** point products by centralizing and normalizing data within the CrowdStrike Falcon platform to continuously address new security and IT use cases with fully integrated capabilities built on a unified data model.

“Cybersecurity is ultimately a data problem. Today’s adversary techniques are growing more sophisticated including the use of initial access, lateral movement, privilege escalation, defense evasion and data extortion. However, organizations are still struggling to effectively and efficiently collect the right data from a variety of security and IT point products they deploy to root out and shut down threats from adversaries,” said Michael Sentonas, president at CrowdStrike. “For organizations to stay ahead of these threats, it is imperative they have real-time visibility and data at their fingertips. We see the CrowdStream technology as a game-changer that significantly improves our customer’s ability to get the right data, from any source, directly into the CrowdStrike Falcon platform to solve the hardest security and IT challenges in an elegant, cost-effective way.”

“Cribl is a proud CrowdStrike Falcon Fund partner, as we were one of CrowdStrike’s first investments. We see this expanded strategic partnership with CrowdStrike as another step to solving the massive data problem that cybersecurity teams face today,” said Clint Sharp, co-founder and CEO, Cribl. “By making the process of data collection for the CrowdStrike Falcon platform easier, CrowdStream will revolutionize the way that organizations quickly gain value from XDR and log management.”

**Additional Resources**

• For more information on CrowdStream, please visit the CrowdStrike blog and Cribl website.

**About Cribl**

Cribl makes open observability a reality for today’s tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises. It’s enterprise software that doesn’t suck, enables tech professionals to do what they need to do, and gives them the ability to say “Yes.” With Cribl, companies have the power to control their data, get more out of existing investments, and shape the observability future. Founded in 2017, Cribl is a remote-first company with an office in San Francisco, CA. For more information, visit www.cribl.io or our LinkedIn, Twitter, or Slack community.

**About CrowdStrike**

CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike: We stop breaches.

CrowdStrike Introduces CrowdStream to Accelerate and Simplify XDR Adoption

A new "all-in-one" stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems.
"It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said. "It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to

A new "all-in-one" stealer malware named **EvilExtractor** (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems.

"It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said. "It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker's FTP server."

The network security company said it has observed a surge in attacks spreading the malware in the wild in March 2023, with a majority of the victims located in Europe and the U.S. While marketed as an educational tool, EvilExtractor has been adopted by threat actors for use as an information stealer.

Sold by an actor named Kodex on cybercrime forums like Cracked since October 22, 2022, it's continually updated and packs in various modules to siphon system metadata, passwords and cookies from various web browsers as well as record keystrokes and even act as a ransomware by encrypting files on the target system.

The malware is also said to have been used as part of a phishing email campaign detected by the company on March 30, 2023. The emails lure recipients into launching an executable that masquerades as a PDF document under the pretext of confirming their "account details."

The "Account\_Info.exe" binary is an obfuscated Python program designed to launch a .NET loader that uses a Base64-encoded PowerShell script to launch EvilExtractor. The malware, besides gathering files, can also activate the webcam and capture screenshots.

"EvilExtractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware," Lin said. "Its PowerShell script can elude detection in a .NET loader or PyArmor. Within a very short time, its developer has updated several functions and increased its stability."

The findings come as Secureworks Counter Threat Unit (CTU) detailed a malvertising and SEO poisoning campaign used to deliver the Bumblebee malware loader via trojanized installers of legitimate software.

Bumbleebee, documented first a year ago by Google's Threat Analysis Group and Proofpoint, is a modular loader that's primarily propagating through phishing techniques. It's suspected to be developed by actors associated with the Conti ransomware operation as a replacement for BazarLoader.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

The use of SEO poisoning and malicious ads to redirect users searching for popular tools like ChatGPT, Cisco AnyConnect, Citrix Workspace, and Zoom to rogue websites hosting tainted installers has witnessed a spike in recent months after Microsoft began blocking macros by default from Office files downloaded from the internet.

In one incident described by the cybersecurity firm, the threat actor used the Bumblebee malware to obtain an entry point and move laterally after three hours to deploy Cobalt Strike and legitimate remote access software like AnyDesk and Dameware. The attack was ultimately disrupted before it proceeded to the final ransomware stage.

"To mitigate this and similar threats, organizations should ensure that software installers and updates are only downloaded from known and trusted websites," Secureworks said. "Users should not have privileges to install software and run scripts on their computers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New All-in-One "EvilExtractor" Stealer for Windows Systems Surfaces on the Dark Web

The transition from traditional logins to cryptographic passkeys is getting messy. But don’t worry—there’s a plan.

There was never a question that it would take years to transition the world away from passwords. The digital authentication technology, though deeply flawed, is pervasive and inveterate. Over the last five years, though, the secure-authentication industry association known as the FIDO Alliance has been making real progress promoting “passkeys,” a password-less alternative for signing into applications and websites. And yet, you probably still use a lot of passwords every day. In fact, you may not have any accounts protected by a passkey at all, despite broad adoption from Microsoft, Google, Apple, and many more.  

At the RSA security conference in San Francisco next week, Christiaan Brand, co-chair of the FIDO2 technical working group and an identity and security product manager at Google, will present a talk on new features and growth in passkey adoption. He also plans to examine the current challenges that passkeys face in countering the inertia passwords have built up over decades—and the long game of slowly grinding down the password's dominance.

“What I want to highlight is how far we’ve come, but which problems still remain unsolved,” Brand says. “Passwords are everywhere, and they are bad, but everyone is accustomed to them. Users don’t want to be surprised, and they don’t like change. So it’s very important to think about passkeys as an augmentation. We need to kind of push users toward the thing that will be easier and more secure."

Over the past year, Brand says, FIDO has made significant progress rolling out features to support its password-less vision. The infrastructure is now in place to back up passkeys so they can sync between devices, get services to prompt users about passkeys rather than always defaulting to username and password, and use Bluetooth-based proximity sensing to share passkey authentication between devices. All three of these points address major usability issues that FIDO publicly set out to improve a year ago.

In practice, though, there are still hurdles, and developing these solutions has taken time. For example, Brand says the new Bluetooth-based proximity-sensing protocol was carefully engineered to avoid the security issues that often plague Bluetooth implementations. The idea was to strip away most of Bluetooth's functionality and exclusively use the protocol for proximity checks rather than any data transfers. This approach has allowed passkeys to bypass many of Bluetooth's quirks and reliability issues when attempting to pair devices. 

Developing a coherent “user experience” (UX) for passkeys across different operating systems and web services is an ongoing challenge, though. If you, say, log into your Google account from a Mac using traditional passwords, your credentials still get checked against what Google has on file for your account on one of the company's servers. But the security and phishing-resistant benefits of passkeys come from the fact that they work differently. If you use a passkey to log into your Google account from a Mac, the cryptographic check happens locally and Apple is never directly involved—everything the user experiences during the interaction is facilitated by macOS, not Google.

“If I'm Google implementing passkeys, I cede a lot of control to Apple if my user is on an Apple device, I cede a lot of control to Microsoft if the user is on a Windows device, I cede a lot of UX control to Android and browsers,” Brand says. “So I think we’re in the technology infancy, where all of these different platforms have come up with different UX patterns and UX paradigms. Stitching all of that together is kind of tricky, and that’s probably going to take another nine to 12 months for the industry to support.”

Another big challenge with establishing consistency and continuity will be the long transition to passkeys alone. For the foreseeable future, services must continue to support username and password logins and make sure those systems are as secure and up-to-date as possible while primarily supporting the growth and evolution of passkeys. As password login systems fade from prominence and are neglected, they could produce new types of security exposures in their disrepair.

For now, though, the tech industry is still in the early stages of this long haul transition.

“Part of the problem is that all the stuff that I have in my presentation, we haven’t really seen this put into practice yet,” Brand says. “There are passkey implementations out there, and some folks have dipped their toe in the water, but a lot of the stuff isn’t really in the mainstream consciousness of developers, and certainly not for users. The mass, super-scale adoption is still something that we’re working to make happen.”

Tag

#cisco