First in our series addressing the top 10 unanswered questions in security: What's going to replace EDR?

Endpoint detection and response (EDR) is a cybersecurity staple. The EDR market is still growing at an impressive rate, with a compound annual growth rate projected to exceed 20% through 2027. Additionally, EDR leaders CrowdStrike and SentinelOne's latest ARR growth rates are at 59% and 122%, respectively.

However, at the same time, security professionals are realizing that endpoint detection alone isn't enough. True end-to-end visibility requires accounting for all devices, servers, containers, cloud platforms, and network data flows. Incidents like the Black Basta ransomware attacks have made the point loud and clear that organizations need to be constantly watching what is happening on the network.

In addition to the limited scope of EDR visibility and protection, there are operational challenges. Tool sprawl and complexity make it difficult for EDR to scale and increase the chances of human error that can lead to security oversights.

Extended detection and response (XDR) and managed detection and response (MDR) are rapidly emerging as more holistic solutions for security-conscious organizations. XDR expands on the capabilities of EDR by providing visibility into other attack vectors on the corporate network, rapidly growing cloud resources, sensitive identities, and unmanaged data. XDR enables SOCs to detect, proactively hunt for threats, and contain sophisticated threats from a centralized user interface.

MDR — which involves a third party providing threat hunting, alert triaging, and incident response — is useful for organizations that don't have a dedicated security operations center (SOC) or sufficient in-house cybersecurity expertise. By providing XDR-like functionality while offloading the operational complexity, MDR platforms can help these organizations drastically improve their security posture quickly.

MDR and XDR both provide the holistic threat detection and response capabilities EDR lacks, and we can expect to see more and more organizations adopt MDR or XDR instead of EDR-only in the years to come. That's good news for key players in the XDR/MDR market, like Cisco, Microsoft, CrowdStrike, SentinelOne, and Cybereason.

**Beyond XDR**

What's even more interesting than the evolution from EDR to XDR/MDR is the general consolidation of functionality we're seeing with XDR/MDR and other security tooling. For example, by aggregating network security data, XDRs are effectively competing with existing security information and event management (SIEM) tools.

This "federated logging" trend, where the tool aggregating the data also analyzes it, is becoming more popular. That may be bad news for legacy SIEMs, but it is an opportunity for vendors that can get it right. Performing the aggregation and analysis of cloud, network, and endpoint data in a single platform, these next-gen tools are paving the way for life after EDR for what remains of this year and beyond.

Uptycs' unified XDR and CNAPP platform is a prime example and inspiration of where we can expect the XDR market to go. Windows, macOS, and Linux endpoints are just one piece of the puzzle. What used to take multiple discrete tools for EDR, cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), asset management, and compliance can all be managed with one data model.

In the years to come, we can expect to see more vendors attempt to consolidate functionality into XDR-like tools and MDR services. While integrations aren't going away anytime soon, the solutions that do the best job of limiting tool sprawl without limiting functionality will be well-positioned to become market leaders in the mid-2020s.

Now That EDR Is Obvious, What Comes Next?

With the vast majority of business leaders expecting a recession in 2023, cybersecurity firms are bolstering their operations and cash flow by laying off workers.

Cybersecurity firms Snyk and Cybereason separately announced significant layoffs during the last week of October, cutting their workforces by 198 and 200 workers and representing 14% and 17% of their workforces, respectively.

The two companies are the latest cybersecurity vendors to join a growing list of more than three dozen firms to pare their workforces in the past six months, as the global economy continues to flash signs of a slowdown and possible recession. On Oct. 24, for example, Snyk CEO Peter McKay announced that, while the developer security firm continues to grow, the company "must operate even more efficiently in order for Snyk to effectively withstand the continued headwinds facing the global economy."

Cybereason CEO and co-founder Lior Div also claimed strong operations but stressed its need to move away from aggressive investments in research and development, sales, and marketing and instead focus on customer retention and innovating in its core market of extended detection and response (XDR).

"While we are making significant traction in these areas and our growth remains strong, we are seeing significant volatility in the global financial markets that require us to prioritize profitability over growth," he said in an Oct.26 blog post.

Snyk and Cybereason are not alone. In June, privacy and security firm OneTrust announced it would lay off 950 employees, or 25% of its workforce. In late May, cloud security firm Lacework announced it would layoff approximately 300 workers, or 20% of its head count. Last week, cybersecurity automation firm Forescout announced it would be cutting costs but did not release the specific number of layoffs, instead saying the company intended to "optimize our cost base to prepare for difficult economic times over the next period to ensure the future success."

In total, 32 cybersecurity firms have announced layoffs or restructuring since early May, according to layoff tracking site Layoffs.FYI, most citing the tightening market and need to protect the longevity of the business.

"While we do not have control of the environment around us, we do have a responsibility to control how we operate our business and make changes as needed to best position the company for continued and long-term success," Jay Parikh, CEO of Lacework, said in a May update. "We have adjusted our plan to increase our cash runway through to profitability and significantly strengthened our balance sheet so we can be more opportunistic around investment opportunities and weather uncertainty in the macro environment."

**Investments Become Scarcer**

Cybersecurity vendors' retrenchment is not without cause. The vast majority (83%) of companies expect to contend with a recession in 2023, and most of those businesses are taking steps to prepare, according to the "2023 State of IT" report. IT budgets will likely stagnate: While half of businesses (51%) expect to increase IT budgets in 2023, a significant portion of those increases are due to inflation, not expanding purchases and services, the report stated.

Investments are drying up as well, leaving startup companies more reliant on their actual cash flow to fuel future operations. Venture capital financing totaled $3.1 billion in the third quarter of 2022, down from $7.9 billion for the same quarter in 2021, according to cybersecurity-focused venture capital firm Momentum Cyber.

"It's at that point where investors can be much more scrutinizing with valuations, because if they feel like the whole economy is slowing down, they might not feel like they want to take that go-to-market risk," Eric McAlpine, managing partner at Momentum Cyber, said in the company's "Cybersecurity Market Review Q3 2022" report.

It should be said that not every company says layoffs are the result of economic realities. In August, for example, security software firm Malwarebytes reportedly sacked at least 125 employees, or about 14% of its global workforce, maintaining the company was not trying to achieve profitability but shifting to a different strategy. A month later, Malwarebytes announced a $100 million investment and a strategic shift to the managed detection and response (MDR) market.

Yet for the most part, companies appear to be hunkering down, cutting spending, and making sure they can survive as long as possible if market conditions worsen. Privacy and security firm OneTrust, for example, pointed to a potential poor economy as the reason for the paring of its workforce.

"My responsibility is to ensure OneTrust thrives and is positioned for sustained growth, and unfortunately, reducing our headcount and adapting to the capital markets sentiment is what is needed to keep us in our leadership position," Kabir Barday, the firm's CEO, said in a blog post. 

**Cybersecurity Jobs Still Strong**

While specific cybersecurity vendor companies are cutting workers, overall the job market for cyber pros continues to be strong — a good sign for those workers who have been laid off. Businesses continue to look for cybersecurity experts, with the workforce growing 6% to 1.34 million in North America over the past 12 months, according to (ISC)2, a cybersecurity professional organization.

And job listings for tech jobs in general on jobs site Indeed.com have climbed 49% above the pre-pandemic baseline as of Oct. 21.

Meanwhile, the continued shortfall in cybersecurity workers and the increasing adoption of cloud services will result in more organizations gaining their cybersecurity expertise delivered as a service. (ISC)2 expects greater adoption, especially by small businesses, that do not have the need or budget to fund a permanent on-site team.

"We have seen a greater demand for cybersecurity skills to defend, protect, and secure our trail of personal data as threats become increasingly complex and our digital footprint continues to grow," says Clar Rosso, CEO of (ISC)2, urging organizations to not drop their collective guard.

"As organizations navigate increased economic pressures, I encourage them to continue to prioritize their cybersecurity needs," Rosso says. "Bad actors and exploits will not go away if the economy worsens; in fact, one might argue the threat landscape worsens during challenging times."

Layoffs Mount as Cybersecurity Vendors Hunker Down

The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service (DoS) and remote code execution.
The issues, tracked as CVE-2022-3602 and CVE-2022-3786, have been described as buffer overrun vulnerabilities that can be triggered during X.509 certificate verification by supplying a specially-crafted email

The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service (DoS) and remote code execution.

The issues, tracked as CVE-2022-3602 and CVE-2022-3786, have been described as buffer overrun vulnerabilities that can be triggered during X.509 certificate verification by supplying a specially-crafted email address.

"In a TLS client, this can be triggered by connecting to a malicious server," OpenSSL said in an advisory for CVE-2022-3786. "In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects."

OpenSSL is an open source implementation of the SSL and TLS protocols used for secure communication and is baked into several operating systems and a wide range of software.

Versions 3.0.0 through 3.0.6 of the library are affected by the new flaws, which has been remediated in version 3.0.7. It's worth noting that the commonly deployed OpenSSL 1.x versions are not vulnerable.

Per data shared by Censys, about 7,062 hosts are said to run a susceptible version of OpenSSL as of October 30, 2022, with a majority of those located in the U.S., Germany, Japan, China, Czechia, the U.K., France, Russia, Canada, and the Netherlands.

While CVE-2022-3602 was initially treated as a Critical vulnerability, its severity has since been downgraded to High, citing stack overflow protections in modern platforms. Security researchers Polar Bear and Viktor Dukhovni have been credited with reporting CVE-2022-3602 and CVE-2022-3786 on October 17 and 18, 2022.

The OpenSSL Project further noted the bugs were introduced in OpenSSL 3.0.0 as part of punycode decoding functionality that's currently used for processing email address name constraints in X.509 certificates.

Despite the change in severity, OpenSSL said it considers "these issues to be serious vulnerabilities and affected users are encouraged to upgrade as soon as possible."

Version 3.0, the current release of OpenSSL, is bundled with Linux operating system flavors such as Ubuntu 22.04 LTS, CentOS, macOS Ventura, and Fedora 36, among others. Container images built using affected versions of Linux are also impacted.

According to an advisory published by Docker, roughly 1,000 image repositories could be affected across various Docker Official Images and Docker Verified Publisher images.

The last critical flaw addressed by OpenSSL was in September 2016, when it closed out CVE-2016-6309, a use-after-free bug that could result in a crash or execution of arbitrary code.

The OpenSSL software toolkit was most notably impacted by Heartbleed (CVE-2014-0160), a serious memory handling issue in the implementation of the TLS/DTLS heartbeat extension, enabling attackers to read portions of a target server's memory.

"A critical vulnerability in a software library like OpenSSL, which is so widely in use and so fundamental to the security of data on the internet, is one that no organization can afford to overlook," SentinelOne said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities

The Chinese state-sponsored threat actor known as Stone Panda has been observed employing a new stealthy infection chain in its attacks aimed at Japanese entities.
Targets include media, diplomatic, governmental and public sector organizations and think-tanks in Japan, according to twin reports published by Kaspersky.
Stone Panda, also called APT10, Bronze Riverside, Cicada, and Potassium, is a

The Chinese state-sponsored threat actor known as **Stone Panda** has been observed employing a new stealthy infection chain in its attacks aimed at Japanese entities.

Targets include media, diplomatic, governmental and public sector organizations and think-tanks in Japan, according to twin reports published by Kaspersky.

Stone Panda, also called APT10, Bronze Riverside, Cicada, and Potassium, is a cyber espionage group known for its intrusions against organizations identified as strategically significant to China. The threat actor is believed to have been active since at least 2009.

The latest set of attacks, observed between March and June 2022, involve the use of a bogus Microsoft Word file and a self-extracting archive (SFX) file in RAR format propagated via spear-phishing emails, leading to the execution of a backdoor called LODEINFO.

While the maldoc requires users to enable macros to activate the killchain, the June 2022 campaign was found to drop this method in favor of an SFX file that, when executed, displays a harmless decoy Word document to conceal the malicious activities.

The macro, once enabled, drops a ZIP archive containing two files, one of which ("NRTOLF.exe") is a legitimate executable from the K7Security Suite software that's subsequently used to load a rogue DLL ("K7SysMn1.dll") via DLL side-loading.

The abuse of the security application aside, Kaspersky said it also discovered in June 2022 another initial infection method wherein a password-protected Microsoft Word file acted as a conduit to deliver a fileless downloader dubbed DOWNIISSA upon enabling macros.

"The embedded macro generates the DOWNIISSA shellcode and injects it in the current process (WINWORD.exe)," the Russian cybersecurity company said.

DOWNIISSA is configured to communicate with a hard-coded remote server, using it to retrieve an encrypted BLOB payload of LODEINFO, a backdoor capable of executing arbitrary shellcode, take screenshots, and exfiltrate files back to the server.

The malware, first seen in 2019, has undergone numerous improvements, with Kaspersky identified six different versions in March, April, June, and September 2022.

The changes include enhanced evasion techniques to fly under the radar, halting execution on machines with the locale "en\_US," revising the list of supported commands, and extending support for Intel 64-bit architecture.

"LODEINFO malware is updated very frequently and continues to actively target Japanese organizations," the researchers concluded.

"The updated TTPs and improvements in LODEINFO and related malware \[...\] indicate that the attacker is particularly focused on making detection, analysis and investigation harder for security researchers."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware

The sophisticated and ever-evolving threat known as LodeInfo is being deployed against media, diplomatic, government, public sector, and think-tank targets.

Chinese-speaking threat actor APT10 has been using a sophisticated and sometimes fileless backdoor to target media, diplomatic, governmental, public sector, and think-tank targets, since at least March, researchers have found.

Researchers at Kaspersky have been tracking the LodeInfo malware family since 2019, they said in one of two blog posts  published Monday that lay out a two-part investigation on the emerging threat. The group is bent on espionage, primarily against Japanese targets to date.

However, as threat actors are constantly updating and modifying LodeInfo — particularly with anti-detection features and varying infection vectors — it's been difficult to stay on top of its use and deployment, the researchers said.

"LodeInfo and its infection methods have been constantly updated and improved to become a more sophisticated cyber-espionage tool while targeting organizations in Japan," the researchers wrote in one of their posts. "The LodeInfo implants and loader modules were also continuously updated to evade security products and complicate manual analysis by security researchers."

JPCERT/C first named LodeInfo in a blog post in February 2020, when it was the payload in a spear-phishing campaign targeting Japan, according to Kaspersky. The following year, Kaspersky researchers also shared new findings during the HITCON 2021 conference that covered LodeInfo activities from 2019 to 2020. At the time they attributed the malware to APT10 — also known as the "Cicada" group — with "high confidence," the researchers said.

Kaspersky's latest intelligence on LodeInfo in the first half of their report focuses on their identification of current versions of the malware — in which researchers detected v0.6.6 and v0.6.7 — and their various infection methods tracked between March and September in use against targets in Japan. The second part unveils an investigation of new versions of LodeInfo shellcode — including v0.5.9, v0.6.2, v0.6.3 and v0.6.5 — identified in March, April, and June, respectively, the researchers said.

**Varied Infections Methods**

Researchers outlined four different infection methods that threat actors are using to get the LodeInfo backdoor on victim systems.

The first, identified in March and used in previous attacks observed by Kaspersky, started with a spear-phishing email that included a malicious attachment installing malware persistence modules, the researchers said. These modules were comprised of a legitimate EXE file from the K7Security Suite software used for DLL sideloading, as well as a malicious DLL file loaded via the DLL sideloading technique.

The malicious DLL file includes a loader for the LodeInfo shellcode that contains a 1-byte XOR-encrypted LodeInfo shellcode internally identified by version 0.5.9, the researchers said.

Another infection method uses a self-extracting archive (SFX) file in RAR format that contains three files with self-extracting script commands. When a targeted user executes this SFX file, the archive drops other files opens a .docx containing just a few Japanese words as a decoy, the researchers said.

While this decoy file is being shown to the user, archive script executes a malicious DLL via DLL sideloading that start a process that eventually deploys LodeInfo v0.6.3, they said.

A third infection vector uses another SFX file, first seen spread via a spear-phishing campaign in June, that exploits the name of a well-known Japanese politician and uses self-extracting script and files similar to the previous vector. This initial infection method also includes an additional file that decrypts shellcode for the LodeInfo v0.6.3 backdoor, the researchers said.

"The file name and the decoy document suggest the target was the Japanese ruling party or a related organization," they explained, adding that they observed another SFX file with a similar method and payload on July 4.

The fourth infection vector that researchers outlined was observed in June and appears to be a brand-new method that threat actors added this year, they said. This vector uses a fileless downloader shellcode — dubbed "DOWNIISSA" by the researchers — delivered by a password-protected Microsoft Word file. The file includes malicious macro code completely different from previously investigated samples of LodeInfo, the researchers said.

"Unlike past samples … where the malicious VBA macro was used to drop different components of the DLL sideloading technique, in this case the malicious macro code injects and loads an embedded shellcode in the memory of the WINWORD.exe process directly," they explained. "This implant was not present in past activities, and the shellcode is also a newly discovered multi-stage downloader shellcode for LodeInfo v0.6.5."

**Advanced Evasion Tactics**

Kaspersky researchers also outlined the various advanced evasion tactics displayed in new versions of the malware's shellcode, demonstrating how threat actors are evolving the malware to increase the chances they won't be caught, the researchers said.

"These modifications may serve as a confirmation that the threat actors track publications by security researchers and learn how to update their TTPs \[tactics, techniques, and procedures\] and improve their malware," they wrote.

For example, the LodeInfo v0.5.6 shellcode demonstrates several enhanced evasion techniques for certain security products, as well as three new backdoor commands implemented by the developer, researchers said.

It also contains a hardcoded key, NV4HDOeOVyL, used later by an antiquated Vigenere cipher, and it generates random junk data "possibly to evade beaconing detection based on packet size," they noted.

Another shellcode, in LodeInfo v0.5.6, uses revised crypto-algorithms and backdoor command identifiers — obfuscated with a 2-byte XOR operation that that was defined as 4-byte hardcoded values in previous LodeInfo shellcodes, the researchers said.

"We also observed the actor implementing new backdoor commands such as 'comc,' 'autorun,' and 'config' in LodeInfo v0.5.6 and later versions," they explained. "Twenty-one backdoor commands, including three new commands, are embedded in the LodeInfo backdoor to control the victim host."

Other LodeInfo shellcodes, v0.6.2 and later versions specifically, include a curious geographic identifying feature that looks for the “en\_US” locale on the victim’s machine in a recursive function and halts execution if that locale is found, the researchers said, indicating that the threat actors are avoiding US targets.

Another core modification of the LodeInfo shellcode observed by Kaspersky was support for Intel 64-bit architecture, which expands the type of victim environments that threat actors can target, they said.

Overall, the updated TTPs and improvements in LodeInfo and related malware "indicate that the attacker is particularly focused on making detection, analysis, and investigation harder for security researchers," the researchers wrote.

Kaspersky shared various indicators of compromise in part two of its post on LodeInfo. The firm is encouraging other security researchers and the overall community in general to collaborate on identifying LodeInfo and related malware attacks in victim environments to prevent and mitigate further attacks.

China-Backed APT10 Supercharges Spy Game With Custom Fileless Backdoor

Categories: News
Tags: fake accounts

Tags:  social media platform

Tags:  LinkedIn

Tags:  AI

Tags:  deep learning

Tags:  reporting

After a deluge of fake or bot accounts these past few months, LinkedIn says it is starting to roll out some new security features.



(Read more...)




The post LinkedIn introduces new security features to combat fake accounts appeared first on Malwarebytes Labs.

Posted: November 1, 2022 by

LinkedIn knows it has a problem with bots and fake accounts, and has acknowledged this on more than one occasion. For years, it has been aware of spam, fake job offers, phishing, fraudulent investments, and (at times) malware, and has been trying to combat those issues.

In 2018, LinkedIn rolled out a way to automatically detect fake accounts. It also gave users an inside look into what's going on behind the scenes: A dedicated team constantly analyzing abusive behavior, risk signals, and patterns of abuse; tools that are continuously improving; and the company investing in AI technologies aimed at detecting communities of fake accounts.

Now, LinkedIn is rolling out new security features to support its cause further. As Oscar Rodriguez said in his post on the LinkedIn blog:

> "I am eager to share that as part of our ongoing commitment to keeping LinkedIn a trusted professional community, we are rolling out new features and systems to help you make more informed decisions about members that you are interacting with and enhancing our automated systems that keep inauthentic profiles and activity off our platform. Whether you are deciding to accept an invitation, learning more about a business opportunity, or exchanging contact information, we want you to be empowered to make decisions having more signals about the authenticity of accounts."

**What's new?**

**The "About this profile" feature.** This new section in a LinkedIn profile will contain information about when the profile was first created, when it was updated last, and indications of whether the account is associated with a verified phone number or work email address. This feature has already been rolled out.

(Source: LinkedIn)

**Tech that analyzes profile pictures.** As AI-based synthetic image generation technology—often called deepfake—has grown in sophistication, tech has become indispensable in helping us filter genuine profile photos from AI creations. LinkedIn's deep-learning tech looks for subtle image artifacts, which may be invisible to the naked eye, associated with images created using AI. Accounts with positive detections will be removed before they can be used to reach out to members.

**Flags that alert users of suspicious behavior.** One known tactic of those with ill intent is encouraging their potential victim to continue their conversation away from the social platform they first met in favor of another communication medium, usually via email or IM. Scammers and fraudsters have employed this same tactic on LinkedIn. The platform now warns potential targets when the person they're talking to suggests they move elsewhere.

(Source: LinkedIn)

"This sender appears to be trying to move the conversation off LinkedIn. We recommend you review these safety tips before proceeding." reads the warning. Clicking "View message anyway" displays the sender's message, which LinkedIn initially blocks unless the receiver wants to view it.

**Stronger together**

While we see the tools grow that keep users safe and give them confidence in their decision-making regarding online safety, the community's involvement remains a powerful and effective deterrence against cybercriminals. LinkedIn encourages its users to be wary and report anything strange they see within the platform, such as:

*   People asking for money (in the form of cryptocurrency or gift cards) so you can claim a prize or other winnings
*   People expressing their romantic interest in you (this is generally frowned upon and is considered highly inappropriate on the platform)
*   A job posting that sounds too good to be true
*   A job posting that asks for an upfront fee for anything.

Keep in mind these red flags, too:

*   Profiles with abnormal profile images
*   Profiles with inconsistencies in their work history and education
*   Profiles with bad grammar. Question the credibility and legitimacy of such profiles
*   New profiles with no common connections, generic names, or few connections

Stay safe!

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

LinkedIn introduces new security features to combat fake accounts

Containers and their supporting infrastructure are too important to ignore.

How will threat actors attack and utilize containers? This is a question I constantly think about. I've been working in this area for more than two decades now, and I feel like I should have an answer. But I don't.

Instead, I have a lot of different ideas, none of which I can really pinpoint as correct. Part of this indecision is because of all the time I spent learning security in the "legacy" world. Containers do not really have an analog. Sure, virtual machines (VMs) are often conflated with containers, but they were never able to scale like containers. They are also used for completely different purposes than containers. It's taken a while to adjust my thinking and understand where containers actually fit into the attack surface.

The public examples of attacks against containerized environments are very limited. The breaches almost always are cryptomining related, which are serious attacks, but the incident responder in me finds them underwhelming. Another commonality is they are mostly the result of a misconfiguration, whether that be in Kubernetes or a cloud account. The combination of the motives and the tactics have not been very inspiring so far.

**The Old Way**

Remote code execution (RCE) vulnerabilities have been the main concern in computer security for a long time. They are still, but how does this way of thinking apply to containers? It's easy to immediately jump to RCE as the primary threat, but it doesn't seem to be the right way to approach containers. For one thing, containers are often very short lived – 44% of containers live less than five minutes – so an intruder would have to be quick.

This approach also assumes that the container is exposed to the Internet. Certainly some containers are set up this way, but they often are very simple and use well-tested technologies, like NGINX. There may be zero-days out for these applications, but they would be extremely valuable and hard to come by. My experience has shown me that a lot of containers are used internally and don't connect directly to the Internet. The RCE scenario gets a lot more difficult in that case. I should mention Log4j, though these sorts of vulnerabilities have the potential of being exploited remotely even if the vulnerable system isn't on the edge.

**The New Way**

If RCE isn't the biggest threat facing containers, then what is? Are containers even on the radar of threat actors? Yes, containers and their supporting infrastructure are too important to ignore. Container orchestration software has allowed containerized workloads to be scaled to unimaginable numbers. The usage trend is also increasing, so you can be sure they will be a target. They just can't be thought of like servers you get at through RCE vulnerabilities.

Instead, the reverse is actually true. Instead of attacking containers from the outside in, they need to be attacked from the inside out. This is essentially what supply chain attacks do. Supply chain is an extremely effective attack vector against containers when you start to understand how they are built. A container starts with a definition file, such as Dockerfile, which defines everything that will be in the container when it runs. It is turned into an image once built, and that image is what may be spun up into a workload an innumerable amount of times. If anything in that definition file is compromised, then every single workload that runs is compromised.

Containers are often, but not always, purpose-built with an application that does something and exits. These applications can be almost anything — the important thing to understand is how much is built using libraries, either closed source or open source, written by other people. GitHub has millions of projects, and that's not the only repository of code out there. As we saw with SolarWinds, closed source is vulnerable to supply chain attacks as well.

A supply chain attack is a great way for threat actors to get into a target's container environment. They can even let the customer's infrastructure scale their attack for them if the compromise goes unnoticed. This type of scenario is already playing itself out, as we saw with the Codecov breach. But it is difficult to detect due to how new all of this is and how our thinking is still rooted in the problems of the past.

**A Way Forward**

As with fixing most problems, visibility is usually a great place to start. It's hard to fix what you can't see. To secure your containers you need to have visibility into the containers themselves, as well as the whole pipeline that builds them. Vulnerability management is one type of visibility that must be integrated into the build pipeline. I would also include other static analysis tools, such as ones that look for leaked secrets to that as well. Since what a supply chain attack looks like can't really be predicted, runtime monitoring becomes critical so you know exactly what your containers are doing.

Where Are All of the Container Breaches?

FitStack offers a SaaS-based platform — supporting both cloud native and on-prem environments — to take risk and vulnerability out of application development.

**MADISON, Wis., Nov. 1, 2022 /PRNewswire/ —** Today Varsity Venture Studio – a collaborative venture studio between the University of Wisconsin-Madison, the Wisconsin Alumni Research Foundation (WARF) and venture builder High Alpha Innovation – announced the public launch of FitStack (www.fitstack.dev), a proactive risk management solution for application development teams to address the ongoing challenges in managing software supply chain security.

To address these issues, co-founders Roger Cummings (CEO) and Dr. Mohannad Alhanahnah, Ph.D. (CTO) are positioning FitStack to streamline the overall DevSecOps process. Unlike passive tools that merely identify code and container vulnerability and configuration issues, the FitStack platform proactively addresses them, shows developers the changes that have been made, and ensures that modified applications will execute at runtime.

"In today's environment, it's essential for development teams to gain control, limit exposure, and reduce overall risk," explains Cummings. "FitStack is proactively driving security best practices into the earliest stages of the application development lifecycle. We are building FitStack to make sure our solution can fit into everyone's CICD pipeline in the most efficient manner. By reducing application attack surfaces, exposing application vulnerabilities, and generating compliance reports, we are protecting organizations from malicious events and delivering the insight they need to run their business."  

Cummings and Alhanahnah bring decades of leadership experience in the data, cloud, networking, and infrastructure computing industries. Cummings is a serial entrepreneur who has led five early-stage companies to successful acquisitions, assisted in raising over $1B in funding while scaling organizations worldwide. He previously served as CEO of Evidence IQ, an evidence-based data intelligence company. Alhanahnah has extensive experience in software security research with a focus on leveraging static analysis, dynamic analysis, and formal methods for securing application and machine learning. He recently completed post-doctoral research in the lab of Dr. Somesh Jha, a professor in the Department of Computer Sciences at UW-Madison and a co-founding advisor to FitStack. They have co-authored several papers on improving application safety, security and privacy.

WARF not only helped launch the company as a partner in Varsity Venture Studio, but also licensed the technology to FitStack. Greg Keenan, Senior Director of WARF Ventures, notes, "Helping campus innovators like Drs. Jha and Alhanahnah bring their patented technology to market delivers on our mission to support the commercialization of UW-Madison research for both commercial and societal impact. We are really excited about the market opportunity the company is addressing and look forward to seeing what the FitStack team accomplishes from here."

"Development teams who aren't addressing risk management are already behind the curve, but they can't do it alone," concludes Elliott Parker, CEO of High Alpha Innovation. "Roger and Mohannad's solution to such a pressing problem is the perfect fit for building a startup via Varsity Venture Studio."

**About Varsity Venture Studio**

Varsity Venture Studio, a University of Wisconsin-Madison-wide venture studio, turns ideas into funded software businesses. Varsity Venture Studio is a collaboration between the University of Wisconsin-Madison, Wisconsin Alumni Research Foundation (WARF) and venture builder High Alpha Innovation, and is the first university venture studio of its kind. Learn more about Varsity Venture Studio at varsityventurestudio.com, High Alpha Innovation at highalphainno.com, and about WARF at warf.org.

FitStack, a New Solution For Code and Container Risk Management, Launches With Support From Varsity Venture Studio

Gentoo Linux Security Advisory 202210-42 - A buffer overflow in zlib might allow an attacker to cause remote code execution. Versions less than 1.2.12-r3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-42  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: zlib: Multiple vulnerabilities  
     Date: October 31, 2022  
     Bugs: #863851, #835958  
       ID: 202210-42

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A buffer overflow in zlib might allow an attacker to cause remote code  
execution.

Background  
==========

zlib is a widely used free and patent unencumbered data compression  
library.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  sys-libs/zlib              < 1.2.12-r3              >= 1.2.12-r3

Description  
===========

Multiple vulnerabilities have been discovered in zlib. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Maliciously crafted input handled by zlib may result in remote code  
execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All zlib users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.12-r3"

References  
==========

[ 1 ] CVE-2018-25032  
      https://nvd.nist.gov/vuln/detail/CVE-2018-25032  
[ 2 ] CVE-2022-37434  
      https://nvd.nist.gov/vuln/detail/CVE-2022-37434

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-42

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-42

Gentoo Linux Security Advisory 202210-41 - Multiple vulnerabilities have been found in android-tools, the worst of which could result in arbitrary code execution. Versions less than 33.0.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-41  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: android-tools: Multiple Vulnerabilities  
     Date: October 31, 2022  
     Bugs: #878281  
       ID: 202210-41

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in android-tools, the worst of  
which could result in arbitrary code execution.

Background  
==========

android-tools contains Android platform tools (adb, fastboot, and  
mkbootimg).

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-util/android-tools     < 33.0.3                    >= 33.0.3

Description  
===========

Multiple vulnerabilities have been discovered in android-tools. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All android-tools users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-util/android-tools-33.0.3"

References  
==========

[ 1 ] CVE-2022-3168  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3168  
[ 2 ] CVE-2022-20128  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20128

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-41

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#mac