Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.11P1 are susceptible to a vulnerability which allows administrative users to perform a Stored Cross-Site Scripting (XSS) attack.

CVE-2022-23239

Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.11P1 are susceptible to a vulnerability which allows unauthorized users to update EMS Subscriptions via unspecified vectors.

CVE-2022-23240

The framework-as-a-service signals an intensification of the cat-and-mouse game between defenders detecting lateral movement, and cybercriminals looking to go unnoticed.

The post-exploitation tools market has chalked up a newcomer with the emergence of Exfiltrator-22. An upstart alternative to Cobalt Strike, the Exfiltrator-22 framework-as-a-service (FaaS) tool set, first seen in December, was "likely" developed by ex-affiliates of the notorious LockBit ransomware gang, according to researchers.

According to a Cyfirma report on Feb. 28, Ex-22 possesses advanced post-exploit capabilities that include elevated reverse shell, remote file download and upload, screenshot and live session monitoring of infected devices, privilege elevation capabilities and LSASS credential dumping, and persistence capabilities. Buyers get access to an administration panel through a $1,000 monthly subscription. The researchers say they're moderately certain this crew is operating out of Asian countries and engaged in an ambitious buildout of its own affiliate program, along with an "aggressive" marketing campaign. 

Meanwhile, recent samples of LockBit 3.0 campaigns show they utilize the same command-and-control (C2) infrastructure as Exiltration-22.

The Ex-22 creators claim their framework is "fully undetectable" by every antivirus and endpoint detection and response (EDR) vendor. While that's not totally true, "as of 13th February 2023, the malware still has 5/70 detections on Online Sandboxes, even after multiple dynamic scans being performed," the report explains. "This tells us that the threat actors are skilled at anti-analysis and defense evasion techniques."

The analysis points to what some security pundits see as a slight shift in the winds of post-exploit activity. While Cobalt Strike still remains the dominant tooling of choice for the bad guys, security tooling capable of picking up on activity stemming from this framework is mounting, and the criminal marketplace is spinning up to provide a more stealthy alternative. Last year's most notable example of this movement was the increased adoption of Brute Ratel C4 for malicious post-exploit activity.

"With continuous improvements and support, Ex-22 becomes a go-to alternative for any threat actors planning to purchase tools for the post exploitation phase but do not want to go with the traditional tools due to high detection rates," the report explained.

**Post-Exploitation Options Proliferate**

Interestingly, Ex-22 is actually the second high-profile, highly evasive post-exploitation framework uncovered by security researchers this month. Earlier in February, researchers with Zscaler ThreatLabZ published an analysis of a campaign they observed targeting a government organization using a C2 framework called Havoc.

"While C2 frameworks are prolific, the open source Havoc framework is an advanced post-exploitation command and control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques, such as indirect syscalls and sleep obfuscation," wrote Zscaler researchers Niraj Shivtarkar and Shatak Jain in a Feb. 14 analysis.

Meantime, in January researchers with Cybereason detailed recent campaigns utilizing the C2 framework Sliver for post-exploitation activity. This follows up on work done by Microsoft and Team Cymru tracking the rise of Sliver. An open source alternative, Sliver is also cross-platform, offering support for action on OS X, Linux, and Windows.

Exfiltrator-22: The Newest Post-Exploitation Toolkit Nipping at Cobalt Strike's Heels

Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user's text messages and phone calls to another device.

Image: Shutterstock.com

Three different cybercriminal groups claimed access to internal networks at communications giant **T-Mobile** in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert _any_ T-Mobile user’s text messages and phone calls to another device.

The conclusions above are based on an extensive analysis of **Telegram** chat logs from three distinct cybercrime groups or actors that have been identified by security researchers as particularly active in and effective at “**SIM-swapping**,” which involves temporarily seizing control over a target’s mobile phone number.

Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.

All three SIM-swapping entities that were tracked for this story remain active in 2023, and they all conduct business in open channels on the instant messaging platform Telegram. KrebsOnSecurity is not naming those channels or groups here because they will simply migrate to more private servers if exposed publicly, and for now those servers remain a useful source of intelligence about their activities.

Each advertises their claimed access to T-Mobile systems in a similar way. At a minimum, every SIM-swapping opportunity is announced with a brief “_Tmobile up!”_ or “_Tmo up!_” message to channel participants. Other information in the announcements includes the price for a single SIM-swap request, and the handle of the person who takes the payment and information about the targeted subscriber.

The information required from the customer of the SIM-swapping service includes the target’s phone number, and the serial number tied to the new SIM card that will be used to receive text messages and phone calls from the hijacked phone number.

Initially, the goal of this project was to count how many times each entity claimed access to T-Mobile throughout 2022, by cataloging the various “Tmo up!” posts from each day and working backwards from Dec. 31, 2022.

But by the time we got to claims made in the middle of May 2022, completing the rest of the year’s timeline seemed unnecessary. The tally shows that in the last seven-and-a-half months of 2022, these groups collectively made SIM-swapping claims against T-Mobile on 104 separate days — often with multiple groups claiming access on the same days.

The 104 days in the latter half of 2022 in which different known SIM-swapping groups claimed access to T-Mobile employee tools.

KrebsOnSecurity shared a large amount of data gathered for this story with T-Mobile. The company declined to confirm or deny any of these claimed intrusions. But in a written statement, T-Mobile said this type of activity affects the entire wireless industry.

“And we are constantly working to fight against it,” the statement reads. “We have continued to drive enhancements that further protect against unauthorized access, including enhancing multi-factor authentication controls, hardening environments, limiting access to data, apps or services, and more. We are also focused on gathering threat intelligence data, like what you have shared, to help further strengthen these ongoing efforts.”

**TMO UP!**

While it is true that each of these cybercriminal actors periodically offer SIM-swapping services for other mobile phone providers — including **AT&T**, **Verizon** and smaller carriers — those solicitations appear _far_ less frequently in these group chats than T-Mobile swap offers. And when those offers do materialize, they are considerably more expensive.

The prices advertised for a SIM-swap against T-Mobile customers in the latter half of 2022 ranged between USD $1,000 and $1,500, while SIM-swaps offered against AT&T and Verizon customers often cost well more than twice that amount.

To be clear, KrebsOnSecurity is not aware of specific SIM-swapping incidents tied to any of these breach claims. However, the vast majority of advertisements for SIM-swapping claims against T-Mobile tracked in this story had two things in common that set them apart from random SIM-swapping ads on Telegram.

First, they included an offer to use a mutually trusted “middleman” or escrow provider for the transaction (to protect either party from getting scammed). More importantly, the cybercriminal handles that were posting ads for SIM-swapping opportunities from these groups generally did so on a daily or near-daily basis — often teasing their upcoming swap events in the hours before posting a “Tmo up!” message announcement.

In other words, if the crooks offering these SIM-swapping services were ripping off their customers or claiming to have access that they didn’t, this would be almost immediately obvious from the responses of the more seasoned and serious cybercriminals in the same chat channel.

There are plenty of people on Telegram claiming to have SIM-swap access at major telecommunications firms, but a great many such offers are simply four-figure scams, and any pretenders on this front are soon identified and banned (if not worse).

One of the groups that reliably posted “Tmo up!” messages to announce SIM-swap availability against T-Mobile customers also reliably posted “Tmo down!” follow-up messages announcing exactly when their claimed access to T-Mobile employee tools was discovered and revoked by the mobile giant.

A review of the timestamps associated with this group’s incessant “Tmo up” and “Tmo down” posts indicates that while their claimed access to employee tools usually lasted less than an hour, in some cases that access apparently went undiscovered for several hours or even days.

**TMO TOOLS**

How could these SIM-swapping groups be gaining access to T-Mobile’s network as frequently as they claim? Peppered throughout the daily chit-chat on their Telegram channels are solicitations for people urgently needed to serve as “callers,” or those who can be hired to social engineer employees over the phone into navigating to a phishing website and entering their employee credentials.

**Allison Nixon** is chief research officer for the New York City-based cybersecurity firm Unit 221B. Nixon said these SIM-swapping groups will typically call employees on their mobile devices, pretend to be someone from the company’s IT department, and then try to get the person on the other end of the line to visit a phishing website that mimics the company’s employee login page.

Nixon argues that many people in the security community tend to discount the threat from voice phishing attacks as somehow “low tech” and “low probability” threats.

“I see it as not low-tech at all, because there are a lot of moving parts to phishing these days,” Nixon said. “You have the caller who has the employee on the line, and the person operating the phish kit who needs to spin it up and down fast enough so that it doesn’t get flagged by security companies. Then they have to get the employee on that phishing site and steal their credentials.”

In addition, she said, often there will be yet another co-conspirator whose job it is to use the stolen credentials and log into employee tools. That person may also need to figure out how to make their device pass “posture checks,” a form of device authentication that some companies use to verify that each login is coming only from employee-issued phones or laptops.

For aspiring criminals with little experience in scam calling, there are plenty of sample call transcripts available on these Telegram chat channels that walk one through how to impersonate an IT technician at the targeted company — and how to respond to pushback or skepticism from the employee. Here’s a snippet from one such tutorial that appeared recently in one of the SIM-swapping channels:

> “Hello this is James calling from Metro IT department, how’s your day today?”
> 
> (yea im doing good, how r u)
> 
> i’m doing great, thank you for asking
> 
> i’m calling in regards to a ticket we got last week from you guys, saying you guys were having issues with the network connectivity which also interfered with \[Microsoft\] Edge, not letting you sign in or disconnecting you randomly. We haven’t received any updates to this ticket ever since it was created so that’s why I’m calling in just to see if there’s still an issue or not….”

**TMO DOWN!**

The TMO UP data referenced above, combined with comments from the SIM-swappers themselves, indicate that while many of their claimed accesses to T-Mobile tools in the middle of 2022 lasted hours on end, both the frequency and duration of these events began to steadily decrease as the year wore on.

T-Mobile declined to discuss what it may have done to combat these apparent intrusions last year. However, one of the groups began to complain loudly in late October 2022 that T-Mobile must have been doing something that was causing their phished access to employee tools to die very soon after they obtained it.

One group even remarked that they suspected T-Mobile’s security team had begun monitoring their chats.

Indeed, the timestamps associated with one group’s TMO UP/TMO DOWN notices show that their claimed access was often limited to less than 15 minutes throughout November and December of 2022.

Whatever the reason, the calendar graphic above clearly shows that the frequency of claimed access to T-Mobile decreased significantly across all three SIM-swapping groups in the waning weeks of 2022.

**SECURITY KEYS**

T-Mobile US reported revenues of nearly $80 billion last year. It currently employs more than 71,000 people in the United States, any one of whom can be a target for these phishers.

T-Mobile declined to answer questions about what it may be doing to beef up employee authentication. But **Nicholas Weaver**, a researcher and lecturer at University of California, Berkeley’s International Computer Science Institute, said T-Mobile and all the major wireless providers should be requiring employees to use physical security keys for that second factor when logging into company resources.

A U2F device made by Yubikey.

“These breaches should not happen,” Weaver said. “Because T-Mobile should have long ago issued all employees security keys and switched to security keys for the second factor. And because security keys provably block this style of attack.”

The most commonly used security keys are inexpensive USB-based devices. A security key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB key and pressing a button on the device. The key works without the need for any special software drivers.

The allure of U2F devices for multi-factor authentication is that even if an employee who has enrolled a security key for authentication tries to log in at an impostor site, the company’s systems simply refuse to request the security key if the user isn’t on their employer’s legitimate website, and the login attempt fails. Thus, the second factor cannot be phished, either over the phone or Internet.

**THE ROLE OF MINORS IN SIM-SWAPPING**

Nixon said one confounding aspect of SIM-swapping is that these criminal groups tend to recruit teenagers to do their dirty work.

“A huge reason this problem has been allowed to spiral out of control is because children play such a prominent role in this form of breach,” Nixon said.

Nixon said SIM-swapping groups often advertise low-level jobs on places like **Roblox** and **Minecraft**, online games that are extremely popular with young adolescent males.

“Statistically speaking, that kind of recruiting is going to produce a lot of people who are underage,” she said. “They recruit children because they’re naive, you can get more out of them, and they have legal protections that other people over 18 don’t have.”

For example, she said, even when underage SIM-swappers are arrested, the offenders tend to go right back to committing the same crimes as soon as they’re released.

In January 2023, T-Mobile disclosed that a “bad actor” stole records on roughly 37 million current customers, including their name, billing address, email, phone number, date of birth, and T-Mobile account number.

In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.

In the shadow of such mega-breaches, any damage from the continuous attacks by these SIM-swapping groups can seem insignificant by comparison. But Nixon says it’s a mistake to dismiss SIM-swapping as a low volume problem.

“Logistically, you may only be able to get a few dozen or a hundred SIM-swaps in a day, but you can pick _any_ customer you want across their entire customer base,” she said. “Just because a targeted account takeover is low volume doesn’t mean it’s low risk. These guys have crews that go and identify people who are high net worth individuals and who have a lot to lose.”

Nixon said another aspect of SIM-swapping that causes cybersecurity defenders to dismiss the threat from these groups is the perception that they are full of low-skilled “script kiddies,” a derisive term used to describe novice hackers who rely mainly on point-and-click hacking tools.

“They underestimate these actors and say this person isn’t technically sophisticated,” she said. “But if you’re rolling around in millions worth of stolen crypto currency, you can buy that sophistication. I know for a fact some of these compromises were at the hands of these ‘script kiddies,’ but they’re not ripping off other people’s scripts so much as hiring people to make scripts for them. And they don’t care what gets the job done, as long as they get to steal the money.”

Hackers Claim They Breached T-Mobile More Than 100 Times in 2022

Plus: Microsoft fixes several zero-day bugs, Google patches Chrome and Android, Mozilla rids Firefox of a full-screen vulnerability, and more.

February has been a big month for security updates, with the likes of Apple, Microsoft, and Google releasing patches to fix serious vulnerabilities. Meanwhile, a number of enterprise bugs have been squashed by firms that include VMware, SAP, and Citrix. 

The flaws fixed during the month include several that were being used in real-life attacks, so it’s worth checking that your software is up to date.

Here’s everything you need to know about the security updates released this month. 

Apple iOS and iPadOS 16.3.1

Just weeks after the release of iOS 16.3, Apple issued iOS and iPadOS 16.3.1—an emergency patch to fix vulnerabilities that included a flaw in the browser engine WebKit that was already being used in attacks.

Tracked as CVE-2023-23529, the already exploited bug could lead to arbitrary code execution, Apple warned on its support page. “Apple is aware of a report that this issue may have been actively exploited,” the firm added. Another flaw patched in iOS 16.3.1 is in the Kernel at the heart of the iPhone operating system. The bug, which is tracked as CVE-2023-23514, could allow an attacker to execute arbitrary code with Kernel privileges.

Later in the month, Apple documented another vulnerability fixed in iOS 16.3.1, CVE-2023-23524. Reported by David Benjamin, a software engineer at Google, the flaw could enable a denial of service attack via a maliciously crafted certificate.

Apple also released macOS Ventura 13.2.1, tvOS 16.3.2, and watchOS 9.3.1 during the month.

Microsoft 

In mid-February, Microsoft warned that its Patch Tuesday has fixed 76 security vulnerabilities, three of which are already being used in attacks. Seven of the flaws are marked as critical, according to Microsoft’s update guide.

Tracked as CVE-2023-21823, one of the most serious of the already exploited bugs in the Windows graphics component could allow an attacker to gain System privileges.

Another already exploited flaw, CVE-2023-21715, is a feature bypass issue in Microsoft Publisher, while CVE-2023-23376 is a privilege escalation vulnerability in Windows common log file system driver.

That’s a lot of zero-day flaws fixed in one release, so take it as a prompt to update your Microsoft-based systems as soon as possible.

Google Android 

Android’s February security update is here, fixing multiple vulnerabilities in devices running the tech giant’s smartphone software. The most severe of these issues is a security vulnerability in the Framework component that could lead to local escalation of privilege with no additional privileges needed, Google noted in an advisory. 

Among the issues fixed in the Framework, eight are rated as having a high impact. Meanwhile, Google has squashed six bugs in the Kernel, as well as flaws in the System, MediaTek, and Unisoc components.

During the month, Google patched multiple privilege escalation flaws, as well as information disclosure and denial of service vulnerabilities. The company also released a patch for three Pixel-specific security issues. The Android February patch is already available for Google’s Pixel devices, while Samsung has moved quickly to issue the update to users of its Galaxy Note 20 series.

Google Chrome 

Google has released Chrome 110 for its browser, fixing 15 security vulnerabilities, three of which are rated as having a high impact. Tracked as CVE-2023-0696, the first of these is a type confusion bug in the V8 JavaScript engine, Google wrote in a security advisory. 

Meanwhile, CVE-2023-0697 is a flaw that allows inappropriate implementation in full-screen mode, and CVE-2023-0698 is an out-of-bounds read flaw in WebRTC. Four medium-severity vulnerabilities include a use after free in GPU, a heap buffer overflow flaw in WebUI, and a type confusion vulnerability in Data Transfer. Two further flaws are rated as having a low impact.

Apple Users Need to Update iOS Now to Patch Serious Flaws

At Microsoft, we invest a lot of time researching and investigating possibilities in our journey to memory safety. Because the massive majority of existing codebases are written in unsafe programming languages, the task of protecting legacy code is very important.
Hardware solutions are an attractive approach because they introduce very powerful security properties with low overheads compared to purely software solutions.

First steps in CHERIoT Security Research

By Deeba Ahmed
What's worse, in the new campaign, ChromeLoader malware evades detection by security software.
This is a post from HackRead.com Read the original post: Fake ROBLOX and Nintendo game cracks drop ChromeLoader malware

Beware of fake ROBLOX, Steam and Nintendo game cracks that may contain the ChromeLoader malware. Learn more about the threat and how to protect your device from this malicious software.

The cybersecurity researchers at AhnLab Security Emergency response Center (ASEC) have discovered a new ChromeLoader malware campaign in which hackers managed to bypass antivirus programs and other cybersecurity mechanisms. This campaign is dubbed uncommon due to the file type attackers have used to evade detection.

**Hackers Using VHD Files As Popular Games Cracks**

According to AhnLab researchers, the ChromeLoader malware campaign is distributed via VHD (virtual hard disk) files, which is a different choice because, usually, ISO optical disc image format files are used in such campaigns.

However, in this case, attackers have used VHD files, which are distributed with filenames that seem like cracks or hacks for Steam and Nintendo games. The objective is to modify browser settings by infecting web browsers, such as Google Chrome, and diverting traffic to bogus advertising websites. A VHD file can be easily mounted on a Windows device and works with most virtualization software as well.

One of the malicious websites (Screenshot credit: ACSE)

“When a VHD file is downloaded through this process, the user can easily mistake the malicious VHD file for a game-related program,” ASEC researchers said. “Disguising malware as game hacks and crack programs is a method employed by many threat actors,” researchers said in a blog post.

**What is ChromeLoader?**

ChromeLoader, also known as ChromeBack and Choziosi, surfaced first as a browser-hijacking credential stealer in January 2022. In May 2022, ChromeLoader malware was pushed into pirated games and QR codes.

Eventually, it evolved into a multi-faceted, potent threat capable of stealing sensitive user data, deploying ransomware, and dropping decompression bombs.

ChromeLoader can also conduct click fraud by leveraging browser extensions to monetize clicks. Many of its new versions can invade both macOS and Windows devices. The shift from ISO to VHD files indicates that ChromeLoader has undergone another round of upgrades.

**Numerous Websites Promoting Fake Game Cracks/Hacks**

Researchers noticed that several malicious websites were marketing cracked versions of famous games, including the following:

*   ROBLOX
*   Elden Ring
*   Dark Souls 3
*   Need for Speed
*   Mario Kart 8 Deluxe
*   Super Mario Odyssey
*   Call of Duty and more
*   Red Dead Redemption 2
*   The Legend of Zelda: Breath of the Wild

Additionally, software versions such as Adobe Photoshop and Microsoft Office are also marketed in this campaign.

Although the malicious websites hosting fraudulent game hacks and software versions have been taken offline, gamers and unsuspecting users should beware of this campaign.

Instead of downloading the game, they may receive ChromeLoader malware that can launch unwanted ads on their devices and steal credentials from web browsers and other saved data.

Users looking for pirated video game hacks and software are the key targets of attackers, who are lured into downloading VHD files from compromised websites appearing in search results.

1.  Malicious pirated games disable Windows Defender
2.  This malware hides in VPN, pirated security software
3.  Pirated software drop cryptomining malware on Macbook
4.  Pirated Version of Fire and Fury Book Loaded with Malware
5.  Inmates pirated movies from computers built with spare parts

Fake ROBLOX and Nintendo game cracks drop ChromeLoader malware

First steps in CHERIoT Security Research First steps in CHERIoT Security Research At Microsoft, we invest a lot of time researching and investigating possibilities in our journey to memory safety. Because the massive majority of existing codebases are written in unsafe programming languages, the task of protecting legacy code is very important.

Vulnerabilities impact each industry differently, so each sector needs to think about its defenses and vulnerability management differently.

Common vulnerabilities and exposures (CVEs) have been rising for the past few years, and they show no sign of stopping. New vulnerabilities are added to the National Vulnerability Database at an alarming rate — and the incredible volume makes tracking them increasingly difficult.

In 2000, there were only about 1,000 disclosed vulnerabilities. With this lower volume, security teams could review and remediate them efficiently: The systems were less complex and more easily siloed, and the sheer number was lower than today. Now, the number of disclosed vulnerabilities has exploded to over 23,000 in 2022 — a 2,200% increase in 22 years. And based on our Seasonal ARIMA model that builds on 10 years of data, Coalition anticipates more than 1,900 new CVEs per month in 2023, including 270 high-severity and 155 critical-severity CVEs.

For CISOs everywhere, this massive amount of information can be daunting since good cybersecurity hygiene is necessary for an organization to survive. However, not all CVEs are even exploitable, and there are varying degrees of difficulty in creating exploits for CVEs.

The situation can be even more overwhelming for industries with different technical and digital requirements, in which cyber may not be a focus area. Further, these security flaws also do not impact every industry in the same way. For example, a vulnerability may need to be prioritized differently for the consumer sector versus the healthcare or real estate sectors.

Below we'll dive into findings from Coalition's Cyber Threat Index 2023, which examines how today's security vulnerabilities impact various industries. The analysis stems from aggregations created entirely from underwriting scans run on these companies during the insurance quoting process.

**Healthcare and Real Estate CVEs Tend to Be Less Serious**

The healthcare sector is particularly vulnerable to cyberattacks, given the volume of personally identifiable information (PII) that ransomware attackers can exploit if they get into the network. The real estate industry is also a premium target because of the sensitive renter and owner application data managed.

Both have become appealing targets with digitization. Hospitals were forced to move to virtual doctor's appointments during the pandemic. Real estate has experienced the rise of smart buildings that use Internet of Things (IoT) devices to analyze building data and improve operations. Both these digital evolutions have expanded the attack surface into the cloud.

But while healthcare and real estate tend to have more security vulnerabilities or issues detected per asset or technology services, we found that they are often targeted with _less harmful_ CVEs. (A silver lining!)

Healthcare also has one of the lowest numbers of distinct breaches on average, demonstrating the smaller impact of these less harmful CVEs.

This lower level of exploitation may be because real estate and healthcare tend to use less technology on average. And when they do use it, they usually opt for more reliable and stable tech stacks compared to other industries, reducing their overall attack surface.

Just because healthcare and real estate have less-serious CVEs doesn't mean organizations shouldn't be patching. But it does point toward the need to take a more holistic view of gaps in their security posture to better understand which vulnerabilities are most important to prioritize and how vulnerabilities may affect them differently.

**Consumer Services and Technology at Higher Risk**

Unlike healthcare and real estate, technology and consumer services have complex, digitally oriented tech stacks. The technology industry uses the largest number of disparate technologies, such as developer favorites jQuery, Microsoft IIS, NGINX, and Cloudflare. The increase in cloud-hosted technologies expands the technology industry's attack surface.

The saving grace for the technology sector may be that it is more acutely aware of security and, thus, more likely to patch issues quickly. This is likely why the technology sector has the lowest rate of distinct data leaks per company at 5.59 average breaches in 2022.

According to our analysis, the consumer services industry stores the highest percentage of assets in the cloud. This is surprising because the industry processes and stores customers' PII. Storing PII in the cloud is a significant security risk because, if not done correctly, it can be exposed for anyone to view and download. Consumer services need to be on guard against vulnerabilities in the cloud and increase awareness around how a threat actor might exploit data stored in the cloud.

When you look at the CVEs impacting each industry, the consumer services and technology sectors have the highest average severity of the industries we analyzed during 2022. Over the last year, the consumer services sector had an average CVE criticality of 9.36 out of 10, and technology had an average of 9.29 out of 10. (Real estate had a much lower score of 7.78 out of 10, for context). This higher severity means that the CVEs impacting these two sectors have much more significant impacts and have the potential to cause the most damage.

**Respond to Threats Accordingly**

Understanding how security vulnerabilities impact these different industries can help cybersecurity vendors, including cyber insurers, make smarter decisions when assessing risk. It also helps companies improve their security posture by patching issues and flaws according to their particular risk. Organizations should look beyond the criticality of a vulnerability. Security teams also need to consider the context in which the vulnerability exists, the type of asset it exists on, and the types of losses that could result.

This difference in the breakdown of average attacks, severity, and attack surface size all dictate how organizations in different industries need to prioritize vulnerabilities differently. Consequently, it shows how they need to allocate technology defenses and human resources, too.

All CVEs Are Not Created Equal

The second part of our password manager series looks at business-grade tech to handle API tokens, login credentials, and more

The second part of our password manager series looks at business-grade tech to handle API tokens, login credentials, and more

Modern enterprises run dozens (and sometimes hundreds) of servers, services, applications, APIs, containers, and other technologies.

To secure these resources, enterprises need tools to manage secrets, including passwords, encryption keys, SSH (secure shell) keys, API tokens, certificates, and more.

The problem is that these resources are often spread across many platforms, including on-premise (on-prem) servers, cloud\-based services, serverless applications, and container orchestration tools, making it very difficult to manage secrets in an efficient way.

Liked this article? Sign up to our new newsletter – Daily Swig Deserialized

Not infrequently, this leads to employees using ad hoc and insecure methods to manage authorization, such as storing secrets in plaintext files, hardcoding tokens in source code files uploaded to GitHub repositories, and storing encryption keys in unprotected S3 buckets.

This results in ‘secrets sprawl’ – logins and other credentials stored in many places – a practice that is often a contributory factor in data breaches.

One way to avoid secrets sprawl is to use a ‘secrets manager’, a tool that securely stores and manages secrets throughout their lifecycle. Secret managers can store all sorts of secrets (passwords, API tokens, certificates, etc.) and control how humans, devices, and services access them.

There are a few key features to look for in secrets managers:

*   Support for various IT configurations: A good secrets manager should equally support cloud, multi-cloud, on-prem, and hybrid IT systems.
*   Support for range of authentication protocols: Aside from passwords, the solution must support certificates, encryption keys, API tokens, and other kinds of authentication systems that constitute the security backbone of your IT system.
*   Support for various authentication organizations: The technology should enable you to adjust your secrets access policy based on your organizational structure using roles, groups, etc.
*   Support for different types of users: Many IT systems must regulate not only human access but also how machines and services access digital resources.
*   Integration: Any product or service must provide various tools such as plugins, APIs, and CLIs to automate the storage and retrieval of secrets.
*   Centralized management: A secrets management installation should provide real-time visibility and control on how users, services, and devices access secrets across the enterprise.

Here is a quick evaluation of a few popular secrets management products.

**HashiCorp Vault**

HashiCorp Vault is a popular enterprise solution for managing and securing passwords, tokens, encryption keys, certificates, API keys, and various other secrets.

Vault integrates with your main identity provider, such as Active Directory, LDAP, or your chosen cloud platform. The technology can manage secrets for more than 100 different systems, including public and private clouds, databases, messaging queues, and SSH endpoints.

Among the strengths of Hashicorp Vault is support for dynamically generated secrets. The product also provides granular control over access to different resources and a facility for administrators to revoke permissions as soon as something goes wrong.

Vault has a strong API that is easily integrated into applications to retrieve secrets, which discourages developers from relying on hardcoded passwords and tokens.

However, the benefits of Hashicorp Vault do not come without tradeoffs. The user interface is far from intuitive and has a steep learning curve. Most functionality is controlled through a CLI interface, which is good for automation but awkward for manual use.

HashiCorp Vault is open source, giving you the option to host it yourself. Alternatively, you can use a cloud-hosted instance of the secrets manager at $0.03/hour.

*   Pros: Large support for different cloud and on-prem technology stacks, dynamic secret generation, strong API support, open source
*   Cons: Steep learning curve, poor UI

Secrets managers securely store and manage secrets throughout their lifecycle

**CyberArk Conjur**

CyberArk Conjur is a secrets management solution for centralized identity and access management across an enterprise.

Conjur supports various secret types, including passwords, service account tokens, and API tokens. It also supports integration with popular cloud infrastructures including GCP (Google Cloud Platform), AWS, and Azure, as well as a range of database types, CI/CD platforms, and container orchestration tools.

Like HashiCorp, Conjur supports integration with existing authentication solutions, including OAuth, LDAP, and other identity providers.

Conjur has a centralized management system where administrators can define their resources and the users, roles, devices, scripts, services, and other entities that want to access secrets. They can also define the enterprise’s secrets along with rules such as password rotation and auditing.

Application managers and developers use plugins and APIs to integrate Conjur into their CI/CD, cloud applications, or other resources that want to grant access the secrets store.

Conjur is open source and you can self-host the application. Like HashiCorp, one of the downsides of Conjur is the difficulty of both initial set-up and ongoing management.

*   Pros: Versatile support for various applications, cloud providers, container orchestration tools, etc; plugins and APIs for different types of integrations.
*   Cons: Complex setup and administration

Password manager security: Which is the right option for me?

  
**Enterprise password managers**

While secrets managers are useful tools, they might be overkill for smaller organizations or other entities that operate without a complex digital footprint. Given the high technical barrier of entry for secrets managers, companies without a dedicated IT team might not be equipped to use them.

For these businesses, a password manager might be a better option. Password managers only serve to securely store, access, and share passwords. They lack the integration, programming, and automation features of secrets managers, but can be great tools for securing credentials across an organization.

The Daily Swig reviewed personal and family-focused password managers in a previous article. In addition to the features of a personal password manager, a business password manager should provide the following:

*   Centralized management: The administrator should be able to obtain reports on employee password health, usage, sharing, etc.
*   Integration with identity providers: Businesses should be able to use their current identity provider (AD, Azure, Okta, etc) to log into their password manager.

Here are two popular business-focused password managers that are worth considering.

**1Password**

1Password is a popular password manager supported across all major platforms, including macOS, Windows, Linux, Android, and iOS. 1Password also has a Chrome extension for auto-filling login information on websites and storing new credentials in their vault.

1Password users can create multiple vaults to store passwords, credit card information, API tokens, crypto wallet recovery seeds, and other sensitive documents or data. 1Password also allows you share to secrets with other users and can limit password-sharing through expiry dates, limited views, and specific email addresses that can access a shared link.

A Watchtower feature monitors for reused passwords, vulnerable passwords, and potentially compromised accounts.

The business edition provides administrators with a zoomed-out view of password security across an organization. It also provides granular-access features, enabling administrators to configure permissions, groups, roles, and vault access at scale.

Previously, 1Password did not support single sign-on (SSO). But it has recently added beta support for SSO login through Okta, with Azure and Duo to be added soon. The vendor is also adding integration with Azure AD, Google Workspace, Okta, OneLogin, and Slack.

1Password Business costs $7.99 per user per month. As a bonus, each 1Password Business user gets a free Families account, which they can share with five family members.

*   Pros: Flexible password sharing, admin dashboard for organization-wide health report, mass assignment, bonus Family plan
*   Cons: SSO currently only available as beta preview

**NordPass**

NordPass is an easy-to-use service that includes the basic features you would expect from a password manager, including cross-platform support, auto-fill, and the storage of different types of credentials.

NordPass also has a breach monitoring feature that scans the web for security incidents that involve the credentials of your organization.

NordPass Business provides a security dashboard that enables you to get company-wide reports on password health and activity logs. Users can share passwords and credit card data among team members.

The technology also provides centralized administration tools, including the ability to set company-wide multi-factor authentication (MFA) and password policies, and granting or revoking employees’ access to password vaults.

NordPass Business costs $3.59 per user per month. An Enterprise plan (price not listed) supports SSO with Okta, Azure AD, and Microsoft AD as well as user provisioning via AD (Active Directory).

*   Pros: Centralized administration, company-wide policies, centralized granting and revoking of employee access
*   Cons: Basic Business plan does not support SSO

YOU MAY ALSO LIKE ‘Most web API flaws are missed by standard security tests’ – Corey J Ball on securing a neglected attack vector

Tag

#microsoft