Companies must enforce more security on their own third-party providers and retain the ability to conduct independent investigations, experts say.

Identity cloud provider Okta concluded its investigation into a recent breach of its systems by the Lapsus$ extortion group, which gained access to some of company's systems through a third-party contract firm and then revealed the compromise in March.

The breach impacted only two customers, with the hackers maintaining control of a single computer at contract firm Sitel for a 25-minute period, Okta said in the postmortem analysis published on Tuesday. While the identity and access management firm had initially considered as many as 366 customers at risk, the impact ended up being far less, David Bradbury, chief security officer at Okta, stated in the analysis.

The breach caused consternation within the security community because of the lack of notice from Okta and worries that access to the company's systems could undermine much of the security of its single sign-on (SSO) services — an issue of trust that Bradbury acknowledged.

"While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognize the broad toll this kind of compromise can have on our customers and their trust in Okta," he said, adding: "The conclusions from the final forensic report do not lessen our determination to take corrective actions designed to prevent similar events and improve our ability to respond to security incidents."

To head off attacks in the future, Okta intends to create more stringent security requirements for third-party contractors and have processes in place to confirm compliance. The company has already cut ties with Sitel, according to the postmortem report.

The Okta breach raised the profile of attacks on software supply chains and third-party providers, adding on to lessons from previous compromises such as SolarWinds and Kaseya, says Merritt Maxim, vice president at business intelligence firm Forrester Research. Third-party firms and service providers need to have measures in place to continuously assure customers that their services are secure, he says.

"This is an issue that has to be front and center for security organizations, to push beyond doing just security questionnaires for providers, to doing actual assessments and auditing of third parties," he says. "Simulate breaches and test your incident response plans, and rather than rely on the vendors to do it perfectly, you should be determining what you can do in response to a breach."

**Conduct Your Own Investigation**  
When a breach happens in a third-party provider, such as Okta or its own third-party provider Sitel, companies either are left in the dark or must pursue their own investigation. Whether Okta knew of the breach and failed to notify customers for two months, or the company failed to understand that a contractor's computer had been compromised, businesses need to be ready to verify the details of an incident, members of Cloudflare's security team argued in a March blog post.

Cloudflare has to verify its own systems, since some of the screenshots in leaked by Lapsus$ group appeared to indicate that they may have had access to Cloudflare's instance of Okta. As soon as a provider is breached, companies should have a playbook in place to spell out the steps that need to be taken to assure the integrity of their systems, such as checking all passwords and verifying changes to multifactor authentication with special attention paid to any event initiated by the support group.

To facilitate future investigations, Cloudflare's security team recommended that companies store logs from third-party services on their own premises to have a verifiable copy.

"For years, it has been a struggle to work with different software as a service provider to get all the logs ourselves," says Joe Sullivan, chief security officer at Cloudflare. "Too many times in the past, we have thought there was a risk and we did not have the logs, so we are very proactive."

For its part, Okta maintains that the company did not know about the severity of the issue until March 17, when Sitel sent their summary report, which they then connected with the Lapsus$ screenshots a few days later. "We recognized what appeared to be a connection to the January failed takeover attempt we observed and reported to Sitel," an Okta spokesman said. "We've publicly said we didn't understand the extent of the Sitel compromise in January, and if we had, our actions would have been different."

**Cloud Rife With Single Points of Failure**  
The incident also underscores that while cloud providers typically raise their customers' level of security, the cloud attracts attacks because so much access is concentrated in a small number of providers. Companies should always start by conducting a threat assessment to understand the risks presented by any infrastructure that they move to the cloud, Sullivan says.

"You look at what is the worst that could happen, and how do you mitigate that risk," he says. "If a compromise of a system could lead to a bunch of customer data getting exposed or intellectual property being accessed, then you need to go further."

In the end, while the cloud model asserts that responsibility for security is shared, companies need to understand that that they need to take their fate into their own collective hands, says Forrester Research's Maxim.

"Don't assume that the vendor is going to take care of security and will do it all perfectly," he says. "Have the right playbooks and policies ready to go, so if there is an incident, you can take action whether the vendor is ready or not."

For its own part, Okta plans to directly manage even third-party devices that access its customer-support tools so as to maximize visibility into potential security threats, and it will limit the amount of information that support personnel can view, Bradbury said in the company's postmortem analysis. In addition, as a third-party provider itself, Okta plans to review how to better communicate incidents with its customers.

_Editor's note: This story was updated on April 21 with a quote from an Okta spokesman._

Okta Wraps Up Lapsus$ Investigation, Pledges More Third-Party Controls

Module enables apps to establish trust in new devices without adding user friction.

**Palo Alto, CA -- April 20, 2022 --** Mobile authentication pioneer Incognia, today announced the launch of a new location identity fraud detection module to support mobile app security for customers across finserv, crypto, social networks, online gaming and more. Incognia’s latest solution module is Location-based Device Authorization which prevents fraud following device change at login.

Authorization of new devices on mobile is one of the highest friction and highest risk points in the user journey. When new devices attempt a login, the challenge is determining whether this is the legitimate user, or a fraudster using social engineering to get access to the user's credentials. Traditional device fingerprinting solutions are useless in establishing trust in new devices, and as a result most organizations have been forced to employ multi-factor authentication (MFA), which increases user friction and ultimately creates a poor user experience. The Incognia Location-based Device Authorization solution is designed to address the challenges of establishing trust in new devices without adding user friction.

Incognia provides a highly accurate risk signal using anonymized location behavior and device intelligence to detect high risk devices attempting to login before fraud occurs. At login, Incognia delivers a risk assessment based on checking the device integrity and whether the current device location is consistent with the user’s historical location behavior pattern. In an internal study, Incognia identified that 89% of legitimate device authorizations occur at trusted locations, which are places that the user visits most frequently, such as home.

Key benefits and features include:

\- Reduced friction when legitimate good users change their mobile device

\- Reduction in account takeovers due to social engineering

\- Real-time validation of trusted devices with global geographic coverage

“The frequent use of one-time passwords over SMS for new device authorization in mobile apps is causing users unwanted friction and frustration, while also serving as an inadequate security measure to keep fraudsters out,” said André Ferraz, founder and CEO of Incognia. “We’re excited to expand Incognia’s fraud prevention capabilities with our new module, using anonymized location behavior and device intelligence to detect high risk devices attempting login and catch fraud before it happens. Leveraging trusted location behavior allows our customers to enable a frictionless authentication experience.”

Incognia fraud prevention modules are available now. To get started, visit www.incognia.com.

**About Incognia**

Incognia is a privacy-first location identity company that provides frictionless mobile authentication to banks, fintech and mCommerce companies, for increased mobile revenue and lower fraud losses. Incognia’s award-winning technology uses location signals and motion sensors to silently recognize trusted users based on their unique behavior patterns and is a key enabler for zero-factor authentication. Deployed in over 200 million devices, Incognia delivers a highly precise risk signal with extremely low false positive rates.

Incognia is privately held and headquartered in Palo Alto, California with teams in New York and Brazil.

Stay connected and follow Incognia on Twitter and LinkedIn.

Incognia Introduces New Location-Based Device Authorization Solution

This is the shift that companies need to make after a cyberattack.

My team recently received a call from a company in Europe that had received warnings from law enforcement that it might be targeted by hackers. We found evidence through our data forensics that an attacker had entered the company's network, taken credentials, and then left. From what we found, the attacker had just as much access and knowledge as the CISO — maybe even more.

And this was likely not the end of the story; attackers usually spend weeks or months inside networks (known as dwell time) before actually doing anything. There was a good chance the attacker would come back. That should be top of mind for any company that's dealing with the aftermath of an attack or intrusion, and the response requires a holistic, active approach even if an incident appears to be over. Often referred to as the "recovery" period, the hours, days, and weeks after a detected intrusion or attack are anything but passive. This period demands action; in fact, it should be called "post-incident response," not "recovery." Not only is this a crucial period of every cyber incident, but it can also be an important growth opportunity for cybersecurity posture and the company in general.

**Attackers** **Return, So Victims Should Study Their Enemies  
**Often when we see an intrusion like the one at this European company, organizations aren't focused enough or don't spend the required budget to make recommended changes, and the attacker comes back with something worse, such as a ransomware attack that can cause great financial and reputational harm. Many companies also fail to see the unique opportunity that is hidden in the fact that attackers often come back: The post-attack or post-intrusion phase can serve as a valuable time to learn about the enemy — where they came from, how they entered, which assets they spent the most time checking out.

Although much time is spent trying to determine who the enemy could be when preparing for possible attacks, the post-attack period offers actual evidence on who the enemy is. This improved understanding of current and possible future enemies allows for a better allocation of resources in order to protect the assets that not only matter most to business value and continuity but are also most likely to be targeted. Knowing from which geographic area an attacker originates and if there is a chance they're connected to state-backed efforts also allows companies to hire cybersecurity teams that bring the necessary talent to deal with the sorts of threats an organization is facing.

**Stopping an** **Attack Is Only the Beginning  
**Just because an attack path was blocked, or attackers may have left all the data accessible (declining to put ransomware on it, for example), they still could have obtained intellectual property and proprietary or personal data. And this could then be leaked for purposes of sabotaging a business, obtaining intelligence, or for making money on the Dark Web. Attacks with multiple stages or objectives are growing; what may initially manifest as a ransomware attack to extract money from victim organization could turn into a smear campaign when that information is leaked or used to influence public opinion. Just because one organization is able to detect or stop an attack with little obvious damage, the attacker could later target other organizations that are connected, either directly through the software supply chain or through phishing campaigns aimed at email addresses taken from the original, relatively unscathed, target. Even though an incident appears over, it probably isn't; more victims are likely to emerge.

**Deal** **With the Last Mile of an Attack on a Managerial Level  
**After an attack or signs of a security breach, companies must make sure they meet a checklist of demands, including informing the right parties, such as government and regulatory bodies, customers, clients, and business partners. All of these obligations should be an integral part of the post-incident response and involve multiple departments.

But the involvement of multiple departments and the entire C-suite should not end with these obligations. The post-incident period is one of the most important times for a holistic managerial approach; after all, if an attacker decides to leak sensitive corporate information to the public, or sell it on the Dark Web, that is not just the CISO's problem; it is also something that executives across departments must deal with. This includes public relations; in today's world, where everyone, everywhere is vulnerable to cyberattacks, an organization's reaction to an attack and how it handles it is paramount to preserving its brand integrity.

Post-incident activity is, and should be, intense. But it should not — as it unfortunately often is — be left to the CISO. We often see that while an attack or security breach is in progress, most of the company's leadership is involved, including the CEO, COO, and human resources and legal teams. It is essential that these executives and teams continue to lead the post-attack phase.

The entire company should also be involved in reviewing not just what went wrong technically, leading to a cyberattack, but how it was handled, pinpointing lessons for the future, and updating its cybersecurity response plan. Now more than ever, cybersecurity can make or break a company; this reality requires a full-fledged team effort at every stage of an attack, even when some may mistake it for being over.

If done well, a response to an attack will not only close vulnerabilities but protect the brand's reputation, operations, and customers and leave a company better prepared to ward off the next attack.

From Passive Recovery to Active Readiness

The rebranded Microsoft Purview platform integrates Microsoft 365 Compliance and Azure Purview, and adds new capabilities and products to help manage data no matter where it resides.

The shift to a hybrid workplace has forced organizations to rapidly adopt cloud technologies and remote access tools to enable ubiquitous connectivity.

That in turn has generated more data than ever before, and organizations are faced with the prospect of securing their data, managing data governance, and keeping up with compliance requirements. Collaboration tools can result in sensitive data leaks if not properly managed. Microsoft announced changes in its data governance platform to help customers see their assets across their entire data estate, along with helping to manage risks and regulatory compliance.

Microsoft has rebranded Azure Purview, which became generally available last fall, to Microsoft Purview and brought over the products that used to make up Microsoft 365 Compliance. Microsoft Purview also features new functionality in Microsoft Purview eDiscovery to improve identification of data stored in Teams; the general availability of Microsoft Purview Data Loss Prevention for macOS; and a preview of the ability to create encrypted documents for iOS and Android platforms.

Microsoft Purview will bring "that chief data officer and their team together with the risk officer, the compliance officer, and \[have\] a unified view and ability to manage data," says Alym Rayani, general manager of compliance and privacy at Microsoft.

For organizations, getting a sense of what data they have is a growing challenge, as is making sure the data isn’t leaving the organization in an unauthorized manner. Data has become the "lifeblood" of how businesses operate, says Rayani, but knowing what the organization has, or where it is even stored, is a growing challenge. The rapid adoption of cloud applications and remote access tool have expanded the data estate. An example would be how more employees are exchanging data using Microsoft Teams — not just in the chat or conversations, but also sharing files.

"Data lives everywhere. There's a lot of it," Rayani says, noting that about 93% of customers told Microsoft they store data across multiple clouds and multiple solutions.

**Understanding the Data**  
Before organizations can do anything about their data, they have to first understand it. Toward that goal, Microsoft expanded its sensitive information type catalog with more than 50 new classifiers, such as those covering patient and healthcare data. There were already 250 classifiers, for data elements such as credit card and Social Security numbers, Rayani says. These classifiers are available for DLP, Information Protection (auto-labeling), Data Lifecycle Management, Insider Risk Management, Records Management, eDiscovery, and Microsoft Priva.

The classifiers are necessary to identify sensitive data, and to allow organizations to create policies that accommodate the specific requirements for each type. There may be patient records that are considered confidential even if payment card numbers or Social Security numbers are not included.

"One of the things we've been hearing from customers is, 'Hey, I need to get a good understanding of my data environment, my data landscape. It lives across a range of systems. It lives in apps. It lives in different platforms,'" Rayani says.

**Governance to the Forefront**  
Microsoft Purview is not just about visibility or classifying data, but can give organizations governance tools that extend all across the data environment. Data leak prevention is one example, but another important area of data governance is insider risk management, Rayani says. While the idea of a malicious insider — the person trying to steal confidential information and intellectual property — is a classic example of insider threat, there is also a lot of the "inadvertent" insider — the one who accidentally exposes data while trying to do their job.

For example, a marketing employee trying to share something over Teams may violate data leak prevention policy. With Microsoft Purview, organizations have tools to warn the user in the moment that there is a policy violation, block the action, and offer an alternative method, such as a secure SharePoint site, Rayani says.

  

    

How each of the products in the Microsoft Purview family are branded. Source: Microsoft

Organizations frequently have to stitch together multiple products to give security, governance, compliance, and legal teams a clear view of what is happening in their environment. Almost 80% of IT decision-makers in the United States purchased multiple products to do so, and a majority had purchased three or more, according to a recent Microsoft survey. This patchwork of products can expose infrastructure gaps and is both costly and complex to manage, Jessica Hawk, Microsoft's corporate vice president of data, AI and mixed reality, wrote on the Azure blog. Microsoft Purview's goal is to provide a unified view to improve security, privacy, and compliance, she wrote.

The company will continue strengthening the integration between Azure products and Microsoft 365, as well as adding new capabilities. For example, sensitivity labels — which designate the data classification — will be consistent across products, and they will be viewable in both Microsoft Purview's compliance portal (formerly Microsoft 365 Compliance) and governance portal (Azure Purview).

"We believe the new way to optimize your data strategy is to deliver a unified view of data in the organization across hybrid, multicloud environments by bringing together the business users of data with the protectors of data," Hawk wrote.

Microsoft Launches Purview Platform to Govern, Protect, and Manage Sensitive Data

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2022-21496: Oracle Critical Patch Update Advisory - April 2022

The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful configuration, the attacker is logged in as that user without access to a username/password pair which is the expected first form of authentication. This affects versions up to, and including, 1.2.5.

On March 10, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “SiteGround Security”, a WordPress plugin that is installed on over 400,000 sites. This flaw makes it possible for attackers to gain administrative user access on vulnerable sites when two-factor authentication (2FA) is enabled but not yet configured for an administrator.

Wordfence Premium, Wordfence Care, and Wordfence Response received a set of firewall rules on March 10, 2022 to provide protection against any attackers trying to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on April 9, 2022

After sending the full disclosure details to the SiteGround security team on March 10, 2022 a patch was released the next day on March 11, 2022. While the plugin was partially patched immediately, it wasn’t optimally patched until April 7, 2022.

Sites hosted on the SiteGround platform have automatically been updated to the patched version while those hosted elsewhere will require a manual update, if auto-updates are not enabled for the plugin. We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.

**Description:** Authentication Bypass via 2-Factor Authentication Setup  
**Affected Plugin:** SiteGround Security  
**Plugin Slug:** sg-security  
**Plugin Developer:** SiteGround  
**Affected Versions:** <= 1.2.5  
**CVE ID:** CVE-2022-0992  
**CVSS Score:** 9.8 (Critical)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Researcher/s:** Chloe Chamberland  
**Fully Patched Version:** ​1.2.6

SiteGround Security is a plugin designed to enhance the security of WordPress installations via several features like login security including 2FA, general WordPress hardening, activity monitoring, and more. It’s also worth noting that it comes pre-installed on all SiteGround hosted WordPress sites. Unfortunately, the 2FA functionality of the plugin was insecurely implemented making it possible for unauthenticated attackers to gain access to privileged accounts.

When two-factor authentication is enabled, it requires all administrative and editor users to set-up two factor authentication. This requirement is triggered when the site’s administrative and editor users log into the site for the first time after 2FA has been enabled at which time they are prompted to configure 2FA for their account. This means that there will be a period of time between 2FA being enabled on a site and each user configuring it for the account.

During this interim period, attackers could hijack the 2FA set-up process. The plugin had a flaw that made it so that attackers could completely bypass the first step of authentication, which requires a username and password, and access the 2FA set-up page for users that had not configured 2FA yet.

It was as simple as supplying the user ID they would like to compromise via the sg-user-id parameter, along with a few other parameters to indicate that they would like to trigger the initial 2FA configuration process.

The following validate_2fa_login() function shows the process by which a user-supplied ID is validated. If the results from the check_authentication_code() function and the sg_security_2fa_configured user meta retuned false, which indicated that 2FA hasn’t yet been configured for that user, then the plugin would load the 2fa-initial-setup-form.php template which displays the QR code and 2FA secret needed to configure the authenticator app for the user supplied ID.

</pre>
<pre>public function validate\_2fa\_login( $user ) {
   // Bail if there is no valid user authentication.
   if ( ! isset( $\_POST\['sg-user-id'\] ) ) { // phpcs:ignore
      return;
   }

   $result = $this->check\_authentication\_code( wp\_unslash( $\_POST\['sgc2facode'\] ), wp\_unslash( $\_POST\['sg-user-id'\] ) ); // phpcs:ignore

   // Check the result of the authtication.
   if ( false === $result ) {
      if ( 0 == get\_user\_meta( $\_POST\['sg-user-id'\], 'sg\_security\_2fa\_configured', true ) ) { // phpcs:ignore
         // Arguments for initial 2fa setup.
         $args = array(
            'template' => '2fa-initial-setup-form.php',
            'qr'       => get\_user\_meta( $\_POST\['sg-user-id'\], 'sg\_security\_2fa\_qr', true ), // phpcs:ignore
            'secret'   => get\_user\_meta( $\_POST\['sg-user-id'\], 'sg\_security\_2fa\_secret', true ), // phpcs:ignore
            'error'    => esc\_html\_\_( 'Invalid verification code!', 'sg-security' ),
            'action'   => esc\_url( add\_query\_arg( 'action', 'sgs2fa', wp\_login\_url() ) ),
         );
      } else {
         // Arguments for 2fa login.
         $args = array(
            'template' => '2fa-login.php',
            'error'    => esc\_html\_\_( 'Invalid verification code!', 'sg-security' ),
            'action'   => esc\_url( add\_query\_arg( 'action', 'sgs2fa', wp\_login\_url() ) ),
         );
      }

      $this->load\_form( wp\_unslash( $\_POST\['sg-user-id'\] ), $args ); // phpcs:ignore
   }

   // Set the auth cookie.
   wp\_set\_auth\_cookie( wp\_unslash( $\_POST\['sg-user-id'\] ), intval( wp\_unslash( $\_POST\['rememberme'\] ) ) ); // phpcs:ignore</pre>
<pre>

_The authentication QR code and secret key displayed that would be displayed to potentially unauthorized users._

The returned QR code and secret key are the only things needed to connect the user account with an authentication mechanism, such as Google Authenticator. Attackers were able to use this to connect their authentication app with the account and successfully use a code to pass the “second factor of authentication.” This function would then set the user authentication cookies via the wp_set_auth_cookie() function using the user supplied ID from the sg-user-id parameter which effectively logs the attacker in as that user. Due to the default configuration of the plugin, this account would most likely be a privileged user like an administrator or editor. It’s also worth noting that the function returns the back-up codes which could be used via the weakness outlined in the next section.

To sum it up, there was no validation on the validate_2fa_login() function that the identity a user was claiming was in fact legitimate. As such attackers could bypass the first authentication mechanism, a username/password pair, which is meant to prove identity and successfully log in, due to a weakness in the second authentication mechanism, the 2FA process. When successful, an attacker could completely infect a site by exploiting this vulnerability.

**Description:** Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes  
**Affected Plugin:** SiteGround Security  
**Plugin Slug:** sg-security  
**Plugin Developer:** SiteGround  
**Affected Versions:** <= 1.2.4  
**CVE ID:** CVE-2022-0993  
**CVSS Score:** 8.1 (High)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Researcher/s:** Chloe Chamberland  
**Fully Patched Version:** ​1.2.6

In addition to the above outlined vulnerability, the method in which 2FA back-up code authentication was handled made it possible for attackers to log in if they were able to brute force a back-up code for a user or compromise it via other means such as SQL Injection.

Diving deeper, the plugin registered the validate_2fabc_login() function which validated the supplied backup code through the validate_backup_login() function using the user supplied user ID from the sg-user-id parameter along with the back-up code supplied via the sgc2fabackupcode parameter. If the back-up code was found in the array of stored back-up codes for that user, then the function would use the wp_set_auth_cookie() function to set the authentication cookies for the supplied user ID. If that user ID belonged to an administrator, the attacker would effectively be logged in as an administrator.

</pre>
<pre>public function validate\_2fabc\_login() {

   $result = $this->validate\_backup\_login( wp\_unslash( $\_POST\['sgc2fabackupcode'\] ), wp\_unslash( $\_POST\['sg-user-id'\] ) ); // phpcs:ignore

   // Check the result of the authtication.
   if ( false === $result ) {
      $this->load\_form(
         wp\_unslash( $\_POST\['sg-user-id'\] ), // phpcs:ignore
         array(
            'template' => '2fa-login-backup-code.php',
            'action'   => esc\_url( add\_query\_arg( 'action', 'sgs2fabc', wp\_login\_url() ) ),
            'error'    => esc\_html\_\_( 'Invalid backup code!', 'sg-security' ),
         )
      );
   }

   // Set the auth cookie.
   wp\_set\_auth\_cookie( wp\_unslash( $\_POST\['sg-user-id'\] ), intval( wp\_unslash( $\_POST\['rememberme'\] ) ) ); // phpcs:ignore

Similarly to the previous vulnerability, the issue here is that there was no true identity validation for the authentication, which indicates an authorization weakness. The function performed no checks to verify that a user had previously authenticated prior to entering the 2FA back-up code, and as such they did not need to legitimately log in prior to being logged in while using a back-up code. This meant that there were no checks to validate that a user was authorized to use a back-up code to perform the second factor of authentication that would log them in.

Though the risk in this case is lower, the backup codes were 8 digits long and entirely numeric, so an attacker could potentially brute force one of the 8 back-up codes and automatically be logged in without knowing a username and password combination for an administrative user.

While this might not be practical to attempt on most servers, a patient adversary attacking a well-provisioned server capable of processing a large number of requests at once would have a high chance of eventually gaining access unless the brute force attempts were stopped by another mechanism, such as the Wordfence plugin’s built-in brute force protection or rate limiting rules.

Further, this vulnerability could be used in conjunction with another vulnerability, such as SQL injection, where an attacker would be able to compromise the 2FA back-up codes that are stored in the database and then subsequently use them to log in without needing to crack the password of an administrative user which would likely be significantly stronger. In both cases, the impact would be significant as an attacker could gain administrative access to the compromised WordPress site which could be used for complete site infection.

**An Important Security Reminder: Audit Your WordPress Site’s User Accounts**

This vulnerability serves as an important reminder to audit your WordPress site’s user accounts. This means identifying any old and unused user accounts that have been inactive for an extended period of time and/or are likely to never be used again and removing them or completely stripping the user’s capabilities. This vulnerability could easily be exploited on sites where the site owner enabled 2FA, which is required for all administrative and editor users, and had old inactive administrative/editor user accounts on the site that an attacker could target. Considering accounts that are no longer active are unlikely to log in after the 2FA setting has been enabled, the 2FA for those accounts would not be configured leaving the site ripe for exploitation by any attackers exploiting the vulnerability.

A situation involving a similar security issue involving insecure 2FA was reported by the CISA in conjunction with the FBI a few weeks ago, around the same time we discovered this vulnerability. In the Cybersecurity Advisory (CSA) by the CISA, it was disclosed that a threat actor was able to successfully brute force a dormant user’s account credentials, and due to a default 2FA setting that would allow dormant users to re-enroll a new device for 2FA during the next active log in, the threat actor was able to connect the 2FA secret to their own account and retrieve the code needed to pass the second factor of authentication. Once the threat actor gained initial access to the system they were able to escalate their privileges by exploiting the “PrintNightmare” vulnerability, which you can read more about here, and steal sensitive information from across the organization’s network. This goes to show that attackers are definitely looking for flaws like the one disclosed today to exploit and any site can be a target. As such, it’s important to actively maintain and validate the security of your site through regularly performed professional or self-conducted security audits and penetration tests, which is a service Wordfence provides. Security is an active and continuous process.

**Timeline**

**March 10, 2022** – Conclusion of the plugin analysis that led to the discovery of two Authentication Bypass Vulnerabilities in the “SiteGround Security” WordPress plugin. We deploy firewall rules to protect Wordfence Premium, Wordfence Care, and Wordfence Response users. We send the full disclosure details to SiteGround in accordance with their responsible disclosure policy.  
**March 11, 2022** – The CTO of SiteGround responds indicating that a patch has been released. We review the patch and inform them that it is insufficient. They release an additional patch.  
**March 11, 2022** – A patched version of the plugin is released as version 1.2.3. We suggest further security enhancements to the functionality.  
**March 16, 2022** – An update is made that reduces the security of the 2FA functionality, we follow-up again to suggest better security enhancements to the functionality. The CTO assures us that they are working on it.  
**April 6, 2022** – A fully and optimally patched version of the plugin is released as version 1.2.6.  
**April 9, 2022** – Wordfence Free users receive the firewall rules.

**Conclusion**

In today’s post, we detailed a flaw in the “SiteGround Security” plugin that made it possible for unauthenticated attackers to gain access to administrative user accounts in instances where 2-Factor Authentication was enabled, though not yet fully set up, and in cases where an attacker could successfully brute force a back-up code. This could easily be used by an attacker to completely compromise a site. This flaw has been fully patched in version 1.2.6.

We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.

Wordfence Premium, Wordfence Care, and Wordfence Response received a set of firewall rules on March 10, 2022 to provide protection against attempts by attackers to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on April 9, 2022

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both Wordfence Care and Wordfence Response include hands-on security support that provide you with ongoing assistance from our incident response team, should you need it.

_Special thanks to the team at SiteGround, for responding swiftly and working quickly to get a patch out to protect their customers and working to further secure the 2FA component._

CVE-2022-0992: Critical Authentication Bypass Vulnerability Patched in SiteGround Security Plugin

Provides autonomous and uninterrupted monitoring of unmanned IT locations at scale.

**AUSTIN, Texas, April 19, 2022**—RF Code, a pioneer of automated, real-time physical asset lifecycle management and environmental monitoring solutions for data centers, today announced the launch of Sentry, the company's first Software-as-a-Service (SaaS) innovation for decentralized edge computing locations. Sentry provides autonomous and uninterrupted monitoring of unmanned IT locations at scale. With deep intelligence and real-time notifications, Sentry makes it easier for IT professionals to monitor all of their remote IT spaces without being on-site.

"I can honestly say the Sentry device from RF Code will be an industry game-changer," said John Fletcher, Lead Technology Analyst for a major U.S. retail IT firm. "You get three monitoring devices in one unit ... temperature, humidity, and camera monitoring. Sentry is very easy to set up and cost-effective for our team's budget. It has real-time visual access and rich data of each IT environment that we're monitoring. It also has thermal scanning so I can check any room that houses critical IT equipment for potential hotspots that would cause an outage in the future.”

With the increased adoption of IoT devices, autonomous vehicles, as well as new work-from-anywhere (WFA) models, data center functions are moving to the edge to support these compute-intensive, zero-latency applications, and the demands of an increasingly remote workforce. By implementing a decentralized architecture, organizations like retailers, hospitals, hotels, manufacturers, and banks can improve localized computing power for end-users and the applications they need to drive business.

Without real-time environmental and critical asset monitoring tools in place, these unmanned and unmonitored IT spaces can be costly. Unplanned downtime, theft, and breaches can hurt an organization's bottom line costing thousands of dollars a minute.

"We developed Sentry as a way to meet the needs of a broader, underserved edge market with a simple, scalable, and affordable real-time IT asset and environmental monitoring solution," said Dale Quayle, CEO, RF Code. "Enterprises of all sizes need the ability to see, hear, and secure these edge environments as though they're onsite and Sentry makes it easier to prevent, mitigate, or remediate IT situations that threaten to disrupt normal business operations—from air quality and overheating to unauthorized access and other potential threats."

Sentry is easy to install and can be deployed in 20 minutes—all without the need for an on-site IT team, providing real-time visibility and remote monitoring from anywhere. Sentry's SaaS model makes it more affordable for organizations to monitor several IT locations at scale.

For more information and to see how Sentry monitors and secures remote edge locations, please visit http://rfcode.com/sentry.

**About RF Code**  
RF Code is an innovator of autonomous critical asset intelligence solutions. RF Code's real-time, active RFID technology improves IT asset tracking accuracy, full lifecycle management, and inventory utilization at data centers and edge locations. Autonomous IT asset data tracking and enhancement help RF Code customers slash manual error costs, optimize processes, maintain uptime, and comply with regulatory requirements. With patented wire-free active RFID sensors, open APIs, and real-time reporting capabilities, RF Code can be easily integrated with existing IT, facilities, and business systems.

RF Code is based in Austin, TX, and serves more than 200 organizations worldwide including Fortune 500, systems integrators, and value-added resellers. Additional information can be found at http://www.rfcode.com.

  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

RF Code Announces Sentry, a New Edge Solution for Remote Locations

From higher standards in top-level domains to increased adoption of security controls, stepped-up measures can help fight DNS abuse and protect Web domains.

When the European Union introduced General Data Protection Regulation (GDPR) guidance several years ago to address privacy concerns, it became the genesis of a worldwide movement that led to an increased focus on privacy issues. Similarly, the EU recently released guidance on a security issue that still doesn't get the focus that it should — DNS abuse.

The Domain Name System (DNS) is a hierarchical and decentralized naming system used to identify computers, services, and other resources reachable through the Internet or other Internet Protocol (IP) networks. Specifically, DNS abuse is any activity that makes use of domain names or the DNS protocol to carry out harmful or illegal activity. Malicious activities on the DNS have been a frequent and serious issue for years, affecting online security, undermining trust on the Internet, and causing harm to users and third parties. This type of abuse also includes cybersecurity threats and the distribution of illegal and harmful materials.

While many organizations are aware of traditional approaches to cybersecurity, the one area that consistently gets ignored is maintaining and protecting Web domains. Inaction leads to issues such as DNS hijacking, which redirects employees, partners, and customers to sites that put them at risk or steal sensitive data. When legitimate domains are compromised, cybercriminals bypass traditional security, making it more difficult to identify, mitigate, and block such users. Fraudsters also use malicious domains (e.g., homoglyphs or confusingly similarly named domains or subdomains) and email spoofing to commit fraud and intellectual property abuse.

To date, there is no global consensus on what should be done to prevent or fight DNS abuse, and there are no policies in place to hold domain registrars to higher validation standards in terms of ownership. Upholding and preserving a reliable, resilient, and secure DNS is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend.

To address this, the European Commission recently conducted a study and issued this report, which assessed the scope, impact, and magnitude of DNS abuse, and also provided input for possible policy measures based on identified gaps. Analysis was completed of the available data and the report proposed a set of recommendations to prevent, detect, and mitigate DNS abuse.

**DNS Report Takeaways  
**While this report is compelling and provides guidance to follow, there are key components of it that enterprises should home in on when looking to improve the domain security posture of their organization. Specifically, the report recommends the following:  

*   **Selecting providers with more validation standards for domain registrations.  
    **We need to hold domain registrars to higher standards. They need to take a customer validation approach that verifies who the customer is to ensure abuse isn't happening. This "know your customer" strategy is used in enterprises today to mitigate fraud, and in this instance, it can bring a level of compliance to a situation where cybercriminals are currently registering any new domain whenever they want to.

*   **Initiate prevention and remediation solutions.  
    **Free hosting and subdomains, services that were originally intended for legitimate services, are commonly exploited in phishing attacks. Companies should activate proactive detection of suspicious domain names containing targeted brand keywords. Additionally, they should monitor the domain and DNS space for brand abuse, infringement, and fraud. Trusted notifier programs should be developed so that enterprises can enforce their rights through reporting and suspending offending domains.

*   **Increase adoption of security controls.  
    **Domain name system security extensions (DNSSEC) can authenticate communication between DNS servers. However, low adoption and lack of deployment can lead to hackers taking control of an Internet browsing session and redirecting users to deceptive websites. SPF and DMARC protocols should continually be adopted as the first line of defense against business email compromise (BEC) as those protocols can mitigate email spoofing. Just as crucial to security is to enable registry locks. While **t**his area wasn't discussed in the European Commission report, it's a great way to prevent attacks, as it enables end-to-end domain name transaction security to mitigate human error and third-party risk. Most large registries in Europe, such as those in Germany, France, and Sweden, have adopted this security measure, but it's not consistent, with notable exceptions such as Italy and Spain. Unlocked domains are vulnerable to social engineering tactics, which can lead to unauthorized DNS changes and domain name hijacking.

*   **Better standards in top-level domains (TLDs).  
    **A TLD is the final component of a domain name (.org, .icu). The generic TLDs (gTLDs) are the most abused domains by volume. However, some new gTLDs and country code TLDs (ccTLDs) have a higher concentration of fraud. You can get a TLD for less than a dollar these days, and phishers love this easy accessibility. There needs to be further consideration of tools and measures that safeguard intellectual property rights and consumer safety in a cost-effective and scalable way. One example is blocking programs — leveraged by the Donuts DPML program — which could reduce DNS abuse. Donuts, a part of the gTLD program, offers a blocking service for trademark holders known as the Domain Protected Marks List, or DPML.

**Building Domain Standards  
**While the EU report provides great insights into how to better mitigate threats to domains, it should serve as a foundational piece upon which companies and countries around the world can build.

As domain standards evolve, it will be important for government and industry to develop effective policies and programs to ensure that Web users aren't at risk of crime and fraud during their daily lives. Simultaneously, limiting hackers' ability to operate and maliciously commit fraud will be vital to our society and digital economy.

How to Interpret the EU's Guidance on DNS Abuse Worldwide

Swimlane’s Asia-Pacific presence grows 173%, highlighting rising demand for low-code security automation.

DENVER--(BUSINESS WIRE)--Swimlane, the leader in low-code security automation, today announced the general availability of Swimlane Cloud in the Asia-Pacific Japan (APJ) region. This deployment is further evidence of Swimlane’s continued commitment to empowering APJ customers to enable new use cases previously not possible with traditional security orchestration, automation and response (SOAR). This includes unlocking the use of automation beyond the SOC, where Swimlane serves as the system-of-record for the entire security organization.

**Meeting the APJ Staffing Shortage Head-On with Swimlane Cloud**  
The APJ region faces a significant cybersecurity talent shortage with an estimated 2.045 million open cybersecurity roles, accounting for 66% of the total global shortage, signaling the struggle to find qualified, skilled professionals to handle increasing security alerts. Without automation, these overburdened security administrators must manually perform repetitive and time-consuming tasks needed to track, mitigate and resolve security events across multiple security platforms. Despite significant time investments, security teams cannot realistically analyze and adequately prioritize security alerts and events at the rate necessary to protect networks.

“In order to mature our security operations, we knew it was necessary to advance how we monitor and respond to threat intelligence by taking a more proactive approach to security operations,” said Tanajak Watanakij, CISO, R V Connex. “With our existing talent pool, we turned to Swimlane’s low-code security automation offering to create a centralized system of record for our Security Operations Center (SOC) and remove dependencies on a host of manual processes. Swimlane’s interactive dashboards and automated, easily customizable workflows reduced our mean time to respond and ultimately helped us ensure continuous compliance and prevent breaches across the entire R V Connex Corporation and our MSSP customers.”

“Security teams across APJ need solutions that reduce the manual operations needed to respond to security threats and speed up incident response,” said Johan Wikenstedt, Vice President of Asia Pacific and Japan (APJ) for Swimlane. “We are a customer-focused company with a powerful platform for helping companies ease the burden security teams face daily. Swimlane is fully dedicated to supporting the region’s ongoing cybersecurity challenges through the adoption of low-code security automation.”

**Demand for Low-Code Automation Continues to Climb**  
Swimlane’s current product initiatives in APJ continue to drive regional market traction highlighted by:

*   173% revenue growth of regional presence in the past four months, with more than 7x revenue growth in the past 6 months.
*   142% growth of regional employee headcount in the past six months.
*   New sales offices established in Australia, Malaysia and South Korea.
*   Net-new customer adoption in Australia, Bangladesh, India, Japan, Malaysia, Philippines, Singapore, Thailand, and New Zealand.
*   Vertical expansion of customer adoption across banking, technology, financial services, government, MSSP, and manufacturing industries.
*   8 new go-to-market partners established in the region.

Lumen Technologies turned to Swimlane after experiencing a rapid period of growth that challenged the company’s security team to capacity. Swimlane’s low-code security automation platform allowed the organization to maintain the integrity of its security operations and quickly adapt to business growth across its SecOps infrastructure. Within the first quarter of implementing the solution, Lumen achieved a 30% automation level. Today, 70% of security events hitting the Security Operations Center (SOC) can be fully automated without human intervention.

“Swimlane was a partner from the start, helping us ensure the solution was easy to manage and operate and providing technical support whenever we needed,” said Wai Kit Cheah, Director of the Security Practice at Lumen Technologies. “With Swimlane’s robust automation engine, events can be processed from any source, enabling our security team to integrate security automation with user and entity behavior analytics (UEBA) and third-party threat intelligence feeds. This allowed us to achieve a holistic look at our ecosystem and has quickly made Swimlane’s platform an essential component of our SOC.”

**Swimlane Medley Partner Program Expands to Malaysia**  
Swimlane has invested significantly in Malaysia due to the region’s robust national cybersecurity strategy and world-class talent. As part of its growth in the region, Swimlane recently announced a partnership with CyberSecurity Malaysia, the national cyber security specialist agency under the purview of the Ministry of Communications and Multimedia Malaysia (KKMM), to assist the organization on its mission to build a more resilient cyber ecosystem throughout Malaysia.

“Our strategic partnership with Swimlane comes at an exciting time for CyberSecurity Malaysia as we seek to elevate a strategic cybersecurity vision for the region,” said Dato’ Ts. Dr. Haji Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia. “Together, Swimlane and Cybersecurity Malaysia will leverage our combined experience, capabilities, and products to deliver innovative cybersecurity solutions across Malaysia and ensure companies in the region have access to the world’s most-capable low-code automation technology to safeguard their networks and data.”

**Join Swimlane at the SecOps Automation Summit 2022**  
Swimlane will hold the SecOps Automation Summit 2022 in South Korea, Malaysia and Australia in late April and early May. Presenters include Co-Founder and Chief Strategy Officer Cody Cornell and other members of the Swimlane team, along with various current partners and customers, to explore new and future innovations in the dynamic field of security automation.

To learn more about the summit and Swimlane’s expansion in the APJ region, visit https://swimlane.com/swimlane-helps-address-asia-pacifics-security-skills-shortage.

**About Swimlane**  
Swimlane is the leader in cloud-scale, low-code security automation. Supporting use cases beyond SOAR, Swimlane improves the ease with which security teams can overcome process and data fatigue, as well as chronic staffing shortages. Swimlane unlocks the potential of automation beyond the SOC by delivering a low-code platform that serves as the system-of-record for the entire security organization and enables anyone within the organization to contribute their knowledge and expertise to the protection of the organization. For more information, visit swimlane.com, swimlane.com/japan and swimlane.com/korea.

Swimlane Extends Cloud-Based Security Automation into APJ Amid Momentous Growth in Region

**VANCOUVER, British Columbia and SAN JOSE, Calif. — April 14, 2022 —** Absolute Software™ (NASDAQ: ABST) (TSX: ABST), a leader in self-healing endpoint and secure access solutions, today announced the availability of Absolute Ransomware Response, enabling customers to strengthen preparedness and accelerate endpoint recovery in the face of the ever-growing threat of ransomware attacks. With this new offering, part of the company’s Secure Endpoint product portfolio, organizations have the key capabilities and services needed to assess their ransomware preparedness and cyber hygiene across endpoints; ensure mission-critical security applications, such as anti-malware and device management tools, remain healthy and capable of self-healing; and expedite the quarantine and recovery of devices if an attack occurs.

Cybersecurity Ventures predicts that organizations will face a new ransomware attack every two seconds by 2031, up from every 11 seconds in 2021. While the top priority for IT and security teams has historically been securing and restoring critical infrastructure, such as servers and business applications, the accelerated adoption of ‘work-from-anywhere’ has significantly expanded the potential ransomware attack surface – and in turn, has increased the need to extend preparedness and recovery efforts to end user devices.

“The reality is that, while organizations are very concerned about the time to recover from ransomware attacks, they often solely focus on prevention tools, without planning for the worst-case scenario: falling victim to an attack,” said Eric Hanselman, Principal Research Analyst at 451 Research, part of S&P Global Market Intelligence, in a recent webinar. “By building a plan and improving their preparedness and simplifying the endpoint recovery process for their organizations, they can accelerate businesses’ ability to recover and resume operations.”1

“Ransomware is more prevalent, more sophisticated, and more capable of disruption and damage than ever and organizations need to plan for ‘when,’ not ‘if,’ they are successfully attacked,” said John Herrema, EVP of Product & Strategy at Absolute. “When a ransomware attack occurs, organizations are often forced to weigh the risks of cutting off all communication with an infected device, losing the ability to restore or recover it, or leaving the door open for re-infection. This new offering gives them the cyber resiliency needed to mitigate ransomware deployment techniques, restore and update tools critical to recovery, and if needed, hit the ‘kill switch’ – meaning they can wipe the device while still maintaining control so it can be recovered.”

Key capabilities and benefits available with Absolute’s new Ransomware Response offering include:

*   **Assess Strategic Readiness Across Endpoints**: Empower customers to review the existing security controls deployed across their endpoints, and identify key applications (e.g., anti-virus/anti-malware, endpoint protection, or endpoint detection and response) and device management tools required to minimize ransomware exposure and accelerate recovery efforts.
*   **Establish Cyber Hygiene and Resiliency Baseline:** Enable application resilience policies that monitor and self-heal the critical controls identified during the assessment phase, to both mitigate the risk of a successful ransomware attack and ensure that tools may be restored if an attack renders them inoperable. This also includes training customer personnel on how to monitor application health and apply these baseline resilience policies to new Absolute-enabled devices.
*   **Monitor Device Security Posture and Sensitive Data**: Allow customers to report on hardware and software inventory across their endpoints and assess overall device security posture. Scan for sensitive data – such as financial information, social security numbers, personally identifiable information (PII), protected health information (PHI), and intellectual property – to identify devices most at risk for data extraction and enable proper back-up via customers’ existing tools.
*   **Expedite Device Recovery and Limit Re-Infection**: Equip customers with the capabilities needed to communicate with end users even if their devices are compromised; quarantine and freeze endpoints to limit further spread of infection and preserve evidence for litigation purposes; restore endpoint security and device management tools that have been rendered inoperable; and execute custom workflow and task automation commands to expedite device recovery. In addition, Absolute experts are available to remotely assist customers with endpoint recovery efforts leveraging Absolute’s product capabilities.

Absolute Ransomware Response is available for purchase for new customers as part of the company’s Secure Endpoint product offerings. These capabilities are also available as add-on modules for existing Absolute Control and Resilience service tier customers. To learn more, visit here.

_\[1\] 2022 Data Theft Report Webinar by Eric Hanselman, 451 Research, part of S&P Global Market Intelligence, March 31, 2022_

**_Forward-Looking Statements_**

_This press release contains certain forward-looking statements and forward-looking information (collectively, “forward-looking statements”) which relate to future events or Absolute’s future business, operations, and financial performance and condition. Forward-looking statements normally contain words like “will”, “intend”, “anticipate”, “could”, “should”, “may”, “might”, “expect”, “estimate”, “forecast”, “plan”, “potential”, “project”, “assume”, “contemplate”, “believe”, “shall”, “scheduled”, and similar terms and, within this press release, include, without limitation, the statements regarding the ever-growing threat of ransomware attacks, the speed at which a business may recover from a ransomware attack and resume operations and ‘when’ or ‘if’ an organization may face a ransomware attack. Forward-looking statements are provided for the purpose of presenting information about management’s current expectations and plans relating to the future and allowing investors and others to get a better understanding of our anticipated financial position, results of operations, and operating environment. Readers are cautioned that such information may not be appropriate for other purposes._

_Forward-looking statements are not guarantees of future performance, actions, or developments and are based on expectations, assumptions and other factors that management currently believes are relevant, reasonable, and appropriate in the circumstances. The material expectations, assumptions, and other factors used in developing the forward-looking statements set out herein include or relate to the following, without limitation: Absolute will be able to successfully execute its plans, strategies, and objectives. Although management believes that the forward-looking statements herein are reasonable, actual results could be substantially different due to the risks and uncertainties associated with and inherent to Absolute’s business, as more particularly described in the “Risk and Uncertainties” section of Absolute’s most recently filed Management’s Discussion and Analysis, which is available at www.absolute.com and under Absolute’s profile on www.sedar.com. Additional material risks and uncertainties applicable to the forward-looking statements herein include, without limitation, unforeseen events, developments, or factors causing any of the aforesaid expectations, assumptions, and other factors ultimately being inaccurate or irrelevant. Many of these factors are beyond the control of Absolute._

_All forward-looking statements included in this press release are expressly qualified in their entirety by these cautionary statements. The forward-looking statements contained in this press release are made as at the date hereof and Absolute undertakes no obligation to update publicly or to revise any of the included forward-looking statements, whether as a result of new information, future events, or otherwise, except as may be required by applicable securities laws._

**About Absolute Software**

Absolute Software (NASDAQ: ABST) (TSX: ABST) is a leading provider of self-healing endpoint and secure access solutions, delivering truly resilient zero trust for today’s distributed workforces. Absolute is the only endpoint platform embedded in more than half a billion devices, offering a permanent digital connection that intelligently and dynamically applies visibility, control and self-healing capabilities to endpoints, applications, and network connections - helping customers to strengthen cyber resilience against the escalating threat of ransomware and malicious attacks. Trusted by nearly 16,000 customers, G2 recognized Absolute as a leader in Zero Trust Networking and Endpoint Management in the Winter of 2022.

©2022 Absolute Software Corporation. All rights reserved. ABSOLUTE, the ABSOLUTE logo, and NETMOTION are registered trademarks of Absolute Software Corporation or its subsidiaries. Other names or logos mentioned herein may be the trademarks of Absolute or their respective owners. The absence of the symbols ™ and ® in proximity to each trademark, or at all, herein is not a disclaimer of ownership of the related trademark.

Tag

#intel