Categories: Business
Categories: News
Many have been calling attention to supply chain attacks for years. Is your business ready to listen?



(Read more...)




The post How to protect your business from supply chain attacks appeared first on Malwarebytes Labs.

Threat actors know that attacking the supply chain is not just a smart strategy but also a winning one.

When American store Target found a Trojan designed to steal card details on its POS (point-of-sale) systems in 2013, no one expected that the route into its secure environment was its heating, ventilation, and air conditioning (HVAC) supplier, Fazio Mechanical Services. Because a smaller, less secure company like Fazio has access to a bigger, more secure company's system, attackers took the path of least resistance to install malware and steal credentials. As a result, 40 million credit and debit card details were stolen, and Target spent a total of $202 million to recover from the hack.

This attack was a watershed moment in securing against supply chain attacks.

**What is a supply chain attack?**

A supply chain attack is, essentially, another way for attackers to compromise their target company. Instead of them attacking their target—which systems might be secured to the bone—directly, they go for the weakest link in that company’s supply chain: a vendor that may not have as secure a system as their main target. Several threat actor groups, including those that use ransomware, have been pivoting to this attack scheme before 2013, and occurrences of such attacks have only gone up exponentially through the years.

Many high-profile attacks that happened during the last two years have been supply chain attacks. A sophisticated hacking group was in SolarWinds' production environment as early as 2019 before affecting 18,000 of its clients, which include private companies like FireEye and Microsoft and several US federal agencies, via an embedded backdoor to updates of its network monitoring software, Orion.

A malformed software update also affected Kaseya's clients in 2021. VSA, the company's remote monitoring and management software, distributed a patch that pushed REVil ransomware onto the systems of several managed service providers (MSPs), which then further infected their clients' systems.

Breaches on SolarWinds and Kaseya are examples of what can be generally termed as a **_software supply chain attack_**, wherein a weakness in software was found and exploited by threat actors to affect and reach as many organizations as they can using only a single point of entry. This type of attack is very difficult to detect as it exploits the trust that organizations have in the software they use coming from their legitimate suppliers. Attackers who typically go this route usually have a strong technical aptitude and the means to pull such an attack off, such as advanced persistent threat (APT) actors.

Software supply chain attacks have three common techniques, according to CISA (Cybersecurity and Infrastructure Security Agency):

*   Hijacking updates
*   Undermining code signing
*   Compromising open-source code

The Target breach, on the other hand, can be classed as, in MITRE terms, a "trusted relationship" attack, wherein attackers infiltrate a less secure third party in the supply chain to abuse an established connection between the third party (in this case, Fazio) and the target company (Target).

If there are software-based supply chain attacks, there are also such attacks based on hardware. A **_hardware supply chain attack_** is very rare as it's difficult to pull off and can require millions of dollars in investment. As the name suggests, this type of attack can be carried out by tampering with physical and hardware components like network devices, servers, and any portable computing device, such as laptops, mobile phones, tablets, or smartwatches.

A hardware supply chain attack was reportedly unveiled by Bloomberg in 2018. Dubbed by the news outlet as "the most significant supply chain attack known to have been carried out against American companies," China's military had reportedly implanted a microchip "no bigger than a grain of rice" on the motherboards of Supermicro, a world supplier in the industry. According to investigators that Bloomberg journalists spoke with, the microchip is used to provide long-term access—a backdoor, if you will—to organizations that bought the servers. Immediately following the bombshell report, multiple companies that had previously relied on Supermicro's technology, and Supermicro itself, denied the veracity of the claims. A few years later, Bloomberg stood by its reporting with an additional piece that dug deeper into the history of China's alleged cyber-espionage. 

For the purpose of this blog, we're excluding hardware supply chain attack mitigations. We're also focusing on risks to businesses from their vendors, not risks passed on to their customers.

**Securing your supply chain**

Here's how you can protect your organization from risks your suppliers might pose:

**1\. Know who your vendors are.**

It all starts here because if organizations aren't aware of who their suppliers are and how their own supply chains work, they won't be able to look for possible risks and/or vulnerabilities in the chain that threat actors might exploit. 

**2\. Incorporate a holistic approach to securing your systems.**

Any threats coming from the internet must be stopped at the endpoint. Securing these endpoints isn't optional if you want to fight off supply chain attacks. So think about investing in an effective endpoint detection and response (EDR) system and a way to monitor suspicious activities in the network like a managed detection response (MDR) solution.

Segmenting your network limits attackers from moving laterally in your network and preventing unauthorized access to more sensitive data.

**3\. Develop an incident response (IR) plan/disaster recovery plan.**

Putting an IR together may seem intimidating and overwhelming, but it doesn't have to be overly complicated. Thankfully, there are ready frameworks an organization can adapt that would suit its needs. If you don't know what framework to build upon, have a look at this incident handling guide from NIST (National Institute of Standards and Technology).

Include transparent and timely communication between your stakeholders and customers when something happens, so your business can provide steps to mitigate the problem if needed.

**4\. Have a plan for patching.**

Come up with a patching strategy in your organization. For example, before a downloaded patch is scheduled for deployment in production, have an expert or a group of experts assess the risks and test the patch first before signing off. And while approval is pending, a separate group creates offline backups of essential files that are needed in the event of an error and affected systems need restoring.

**5\. Create and test offline backups**

Speaking of backups, never assume they work. To be sure they do, you have to test them, which means doing a full restore into another environment.

**6\. Apply the principle of least privilege.**

Not every supplier requires administration access to your business environment and systems. That said, businesses should look into all their supplier/vendor privileges and decide whether they should grant them less (or more) access. When in doubt, granting them the least amount of privilege should be a good start.

**7\. Make multi-factor authentication (MFA) a norm.**

Supply chain attackers have been known to use stolen credentials to usher themselves into systems they usually have no right to. They know business systems trust credentials, regardless of who uses them. To further protect systems from credential abuse and misuse, require MFA access, especially to resources and services that are deemed too sensitive for anyone in the office to have access to.

**8\. Train your employees.**

Gaps in security hygiene practices can open up opportunities that threat actors can take advantage of. This potentially stems from a lack of awareness of supply chain attacks. It is important to keep employees and partners aware of possible risks and the red flags associated with them so organizations can be alerted easily and something can be done quickly.

**9\. Use a code signing service.**

77 percent of businesses in the US use open-source software. But as we've seen in several use cases of software supply chain attacks, open source is both a blessing and a bane. Many businesses struggle to come up with ways to vet code, ensuring it is safe to deploy and not introduce problems in the supply chain.

Enter Sigstore, a free tool for signing and verifying code—a first step to securing the integrity of open-source code. Think of it as Let's Encrypt for code signing. Sigstore is a product of collaboration among big names in the industry, including OpenSSF, Chainguard, Linux, and GitHub.

To learn more about software supply chain attacks in general, we interviewed Kim Lewandowski, founder and head of product at Chainguard, on our Lock and Code podcast.

**Supply chain attacks are here to stay**

We can see that software is everywhere to the point that, as one of the most notable venture capitalists put it in 2011, it's eating the world. But the hyper-digitized businesses of today have already been eaten up by software—and at such a fast pace, too. They cannot function normally without technology, systems, and open-source code anymore. Securing these components has become a must.

The risk to the supply chain is already on the uptick and will only grow, and as long as organizations continue to rely on them, the risk is here to stay. It is essential for businesses and their suppliers to work together to harden their defenses to minimize the risk of having their supply chain compromised. It is also high time for policymakers to start improving the baseline of software security for all organizations and coming up with more ways to secure code.

Lastly, while companies are attempting to keep up with the pace of addressing modern-day supply chain attacks, it won't hurt to look into other areas where supply chain attacks could take place, such as the cloud and firmware. On our podcast, Lewandowski also spoke about the need for more automated tools to look into code and stressed the importance of training.

"I really think the solution sort of lies in the tooling and the best practices and making that so easy that no one has an excuse not to adopt it in their own systems," she said.

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

How to protect your business from supply chain attacks

Potential vulnerabilities have been identified in the system BIOS of certain HP PC products, which might allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure. HP is releasing BIOS updates to mitigate these potential vulnerabilities.

CVE-2022-27537: HP PC BIOS August 2022 Additional Updates for Potential SMM and TOCTOU Vulnerabilities

A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in the BIOS for certain HP PC products which may allow arbitrary code execution, denial of service, and information disclosure. HP is releasing BIOS updates to mitigate the potential vulnerability.

HP Elite Mini 600 G9 Desktop PC

BIOS

02.06.00

Rev 1

SP143258

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143258.exe

HP Elite Mini 800 G9 Desktop PC

BIOS

02.06.00

Rev 1

SP143258

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143258.exe

HP Elite SFF 600 G9 Desktop PC

BIOS

02.06.00

Rev 1

sp143123

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143123.exe

HP Elite SFF 800 G9 Desktop PC

BIOS

02.06.00

Rev 1

sp143123

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143123.exe

HP Elite Slice

BIOS

02.59

Rev 1

SP143216

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143216.exe

HP Elite Slice for Meeting Rooms

BIOS

02.59

Rev 1

SP143216

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143216.exe

HP Elite Slice G2 - Audio Ready with Zoom Rooms

BIOS

02.59

Rev 1

SP143216

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143216.exe

HP Elite Slice G2 - Partner Ready with Microsoft Teams Rooms

BIOS

02.59

Rev 1

SP143216

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143216.exe

HP Elite Slice G2 with Microsoft Teams Rooms

BIOS

02.59

Rev 1

SP143216

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143216.exe

HP Elite Slice G2 with Intel Unite

BIOS

02.59

Rev 1

SP143216

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143216.exe

HP Elite Slice G2 with Zoom Rooms

BIOS

02.59

Rev 1

SP143216

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143216.exe

HP Elite Tower 600 G9 Desktop PC

BIOS

02.06.00

Rev 1

sp143123

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143123.exe

HP Elite Tower 680 G9 Desktop PC

BIOS

02.06.00

Rev 1

sp143123

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143123.exe

HP Elite Tower 800 G9 Desktop PC

BIOS

02.06.00

Rev 1

sp143123

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143123.exe

HP Elite Tower 880 G9 Desktop PC

BIOS

02.06.00

Rev 1

sp143123

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143123.exe

HP EliteDesk 705 G4 Desktop Mini PC

BIOS

02.20.00

Rev 1

SP143221

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143221.exe

HP EliteDesk 705 G4 Microtower PC

BIOS

02.20.00

Rev 1

SP143360

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143360.exe

HP EliteDesk 705 G4 Small Form Factor PC

BIOS

02.20.00

Rev 1

SP143193

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143193.exe

HP EliteDesk 705 G5 Desktop Mini PC

BIOS

02.15.00

Rev 1

SP143211

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143211.exe

HP EliteDesk 705 G5 Small Form Factor PC

BIOS

02.15.00

Rev 1

SP142686

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142686.exe

HP EliteDesk 800 35W G3 Desktop Mini PC

BIOS

02.44

Rev 1

sp142728

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142728.exe

HP EliteDesk 800 35W G4 Desktop Mini PC

BIOS

02.21.00

Rev 1

SP143306

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143306.exe

HP EliteDesk 800 65W G3 Desktop Mini PC

BIOS

02.44

Rev 1

sp142728

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142728.exe

HP EliteDesk 800 65W G4 Desktop Mini PC

BIOS

02.21.00

Rev 1

SP143306

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143306.exe

HP EliteDesk 800 95W G4 Desktop Mini PC

BIOS

02.21.00

Rev 1

SP143306

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143306.exe

HP EliteDesk 800 G3 Small Form Factor PC

BIOS

02.44

Rev 1

SP143373

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143373.exe

HP EliteDesk 800 G3 Tower PC

BIOS

02.44

Rev 1

SP143373

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143373.exe

HP EliteDesk 800 G4 Small Form Factor PC

BIOS

02.21.00

Rev 1

SP143335

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143335.exe

HP EliteDesk 800 G4 Tower PC

BIOS

02.21.00

Rev 1

SP143335

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143335.exe

HP EliteDesk 800 G5 Desktop Mini PC

BIOS

02.15.00

Rev 1

SP142789

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142789.exe

HP EliteDesk 800 G5 Small Form Factor PC

BIOS

02.15.00

Rev 1

SP143308

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143308.exe

HP EliteDesk 800 G5 Tower PC

BIOS

02.15.00

Rev 1

SP143308

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143308.exe

HP EliteDesk 800 G6 Desktop Mini PC

BIOS

02.13.00

Rev 1

SP143177

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143177.exe

HP EliteDesk 800 G6 Small Form Factor PC

BIOS

02.13.00

Rev 1

Sp143278

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143278.exe

HP EliteDesk 800 G6 Tower PC

BIOS

02.13.00

Rev 1

Sp143278

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143278.exe

HP EliteDesk 800 G8 Desktop Mini PC

BIOS

02.10.00

Rev 1

SP143361

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143361.exe

HP EliteDesk 800 G8 Small Form Factor PC

BIOS

02.10.00

Rev 1

SP143417

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143417.exe

HP EliteDesk 800 G8 Tower PC

BIOS

02.10.00

Rev 1

SP143417

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143417.exe

HP EliteDesk 805 G6 Desktop Mini PC

BIOS

02.10.00

Rev 1

SP143181

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143181.exe

HP EliteDesk 805 G6 Small Form Factor PC

BIOS

02.10.00

Rev 1

SP143179

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143179.exe

HP EliteDesk 805 G8 Desktop Mini PC

BIOS

02.06.00

Rev 1

SP143183

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143183.exe

HP EliteDesk 805 G8 Small Form Factor PC

BIOS

02.06.00

Rev 1

SP143312

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143312.exe

HP EliteDesk 880 G3 Tower PC

BIOS

02.44

Rev 1

SP143373

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143373.exe

HP EliteDesk 880 G4 Tower PC

BIOS

02.21.00

Rev 1

SP143335

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143335.exe

HP EliteDesk 880 G5 Tower PC

BIOS

02.15.00

Rev 1

SP143308

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143308.exe

HP EliteDesk 880 G6 Tower PC

BIOS

02.13.00

Rev 1

Sp143278

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143278.exe

HP EliteDesk 880 G8 Tower PC

BIOS

02.10.00

Rev 1

SP143417

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143417.exe

HP EliteOne 1000 G1 23.8-in All-in-One Business PC

BIOS

02.44

Rev 1

SP142689

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142689.exe

HP EliteOne 1000 G1 23.8-in Touch All-in-One Business PC

BIOS

02.44

Rev 1

SP142689

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142689.exe

HP EliteOne 1000 G1 27-in 4K UHD All-in-One Business PC

BIOS

02.44

Rev 1

SP142689

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142689.exe

HP EliteOne 1000 G1 34-in Curved All-in-One Business PC

BIOS

02.44

Rev 1

SP142689

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142689.exe

HP EliteOne 1000 G2 23.8-in All-in-One Business PC

BIOS

02.21.00

Rev 1

SP143212

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143212.exe

HP EliteOne 1000 G2 23.8-in Touch All-in-One Business PC

BIOS

02.21.00

Rev 1

SP143212

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143212.exe

HP EliteOne 1000 G2 27-in 4K UHD All-in-One Business PC

BIOS

02.21.00

Rev 1

SP143212

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143212.exe

HP EliteOne 1000 G2 34-in Curved All-in-One Business PC

BIOS

02.21.00

Rev 1

SP143212

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143212.exe

HP EliteOne 800 G3 23.8 Non-Touch Healthcare Edition All-in-One Business PC

BIOS

02.44

Rev 1

SP142724

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142724.exe

HP EliteOne 800 G3 23.8-inch Non-Touch All-in-One PC

BIOS

02.44

Rev 1

SP142724

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142724.exe

HP EliteOne 800 G3 23.8-inch Non-Touch GPU All-in-One PC

BIOS

02.44

Rev 1

SP142724

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142724.exe

HP EliteOne 800 G3 23.8-inch Touch All-in-One PC

BIOS

02.44

Rev 1

SP142724

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142724.exe

HP EliteOne 800 G3 23.8-inch Touch GPU All-in-One PC

BIOS

02.44

Rev 1

SP142724

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142724.exe

HP EliteOne 800 G4 23.8-in Healthcare Edition All-in-One Business PC

BIOS

02.21.00

Rev 1

SP143222

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143222.exe

HP EliteOne 800 G4 23.8-inch Non-Touch All-in-One PC

BIOS

02.21.00

Rev 1

SP143222

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143222.exe

HP EliteOne 800 G4 23.8-inch Non-Touch GPU All-in-One PC

BIOS

02.21.00

Rev 1

SP143222

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143222.exe

HP EliteOne 800 G4 23.8-inch Touch All-in-One PC

BIOS

02.21.00

Rev 1

SP143222

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143222.exe

HP EliteOne 800 G4 23.8-inch Touch GPU All-in-One PC

BIOS

02.21.00

Rev 1

SP143222

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143222.exe

HP EliteOne 800 G5 23.8-in Healthcare Edition All-in-One

BIOS

02.15.00

Rev 1

SP143218

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143218.exe

HP EliteOne 800 G5 23.8-inch All-in-One

BIOS

02.15.00

Rev 1

SP143218

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143218.exe

HP EliteOne 800 G6 24 All-in-One PC

BIOS

02.13.00

Rev 1

SP143213

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143213.exe

HP EliteOne 800 G6 27 All-in-One PC

BIOS

02.13.00

Rev 1

SP143213

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143213.exe

HP EliteOne 800 G8 24 All-in-One PC

BIOS

02.10.00

Rev 1

SP143346

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143346.exe

HP EliteOne 800 G8 27 All-in-One PC

BIOS

02.10.00

Rev 1

SP143346

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143346.exe

HP EliteOne 840 23.8 inch G9 All-in-One Desktop PC

BIOS

02.06.00

Rev 1

SP143270

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143270.exe

HP EliteOne 870 27 inch G9 All-in-One Desktop PC

BIOS

02.06.00

Rev 1

SP143270

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143270.exe

HP Pro Mini 400 G9 Desktop PC

BIOS

02.06.00

Rev 1

SP143259

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143259.exe

HP Pro SFF 400 G9 Desktop PC

BIOS

02.06.00

Rev 1

sp143124

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143124.exe

HP Pro Tower 400 G9 Desktop PC

BIOS

02.06.00

Rev 1

sp143124

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143124.exe

HP Pro Tower 480 G9 Desktop PC

BIOS

02.06.00

Rev 1

sp143124

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143124.exe

HP ProDesk 400 G3 Desktop Mini PC

BIOS

02.44

Rev 1

sp142730

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142730.exe

HP ProDesk 400 G4 Desktop Mini PC

BIOS

02.21.00

Rev 1

SP143318

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143318.exe

HP ProDesk 400 G4 Small Form Factor PC

BIOS

02.44

Rev 1

SP142713

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142713.exe

HP ProDesk 400 G5 Desktop Mini PC

BIOS

02.15.00

Rev 1

SP142788

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142788.exe

HP ProDesk 400 G5 Microtower PC

BIOS

02.21.00

Rev 1

SP143354

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143354.exe

HP ProDesk 400 G5 Small Form Factor PC

BIOS

02.21.00

Rev 1

SP142731

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142731.exe

HP ProDesk 400 G6 Desktop Mini PC

BIOS

02.13.00

Rev 1

SP143232

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143232.exe

HP ProDesk 400 G6 Microtower PC

BIOS

02.15.00

Rev 1

SP143328

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143328.exe

HP ProDesk 400 G6 Small Form Factor PC

BIOS

02.15.00

Rev 1

SP143347

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143347.exe

HP ProDesk 400 G7 Microtower PC

BIOS

02.13.00

Rev 1

SP143290

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143290.exe

HP ProDesk 400 G7 Small Form Factor PC

BIOS

02.13.00

Rev 1

SP143344

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143344.exe

HP ProDesk 405 G4 Desktop Mini PC

BIOS

02.20.00

Rev 1

SP143220

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143220.exe

HP ProDesk 405 G6 Desktop Mini PC

BIOS

02.10.00

Rev 1

SP143182

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143182.exe

HP ProDesk 405 G6 Small Form Factor PC

BIOS

02.10.00

Rev 1

SP143189

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143189.exe

HP ProDesk 405 G8 Desktop Mini PC

BIOS

02.06.00

Rev 1

SP143184

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143184.exe

HP ProDesk 405 G8 Small Form Factor PC

BIOS

02.06.00

Rev 1

SP143307

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143307.exe

HP ProDesk 480 G4 Microtower PC

BIOS

02.44

Rev 1

SP143381

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143381.exe

HP ProDesk 480 G5 Microtower PC

BIOS

02.21.00

Rev 1

SP143354

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143354.exe

HP ProDesk 480 G6 Microtower PC

BIOS

02.15.00

Rev 1

SP143328

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143328.exe

HP ProDesk 480 G7 PCI Microtower PC

BIOS

02.13.00

Rev 1

SP143290

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143290.exe

HP ProDesk 600 G3 Desktop Mini PC

BIOS

02.44

Rev 1

sp142729

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142729.exe

HP ProDesk 600 G3 Microtower PC

BIOS

02.44

Rev 1

SP143379

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143379.exe

HP ProDesk 600 G3 Small Form Factor PC

BIOS

02.44

Rev 1

SP142708

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142708.exe

HP ProDesk 600 G4 Desktop Mini PC

BIOS

02.21.00

Rev 1

SP143315

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143315.exe

HP ProDesk 600 G4 Microtower PC

BIOS

02.21.00

Rev 1

SP143339

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143339.exe

HP ProDesk 600 G4 Small Form Factor PC

BIOS

02.21.00

Rev 1

SP142727

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142727.exe

HP ProDesk 600 G5 Desktop Mini PC

BIOS

02.15.00

Rev 1

SP142790

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142790.exe

HP ProDesk 600 G5 Microtower PC

BIOS

02.15.00

Rev 1

SP143326

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143326.exe

HP ProDesk 600 G5 Microtower PC (with PCI slot)

BIOS

02.15.00

Rev 1

SP143326

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143326.exe

HP ProDesk 600 G5 Small Form Factor PC

BIOS

02.15.00

Rev 1

SP143345

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143345.exe

HP ProDesk 600 G6 Desktop Mini PC

BIOS

02.13.00

Rev 1

SP143227

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143227.exe

HP ProDesk 600 G6 Microtower PC

BIOS

02.13.00

Rev 1

SP143288

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143288.exe

HP ProDesk 600 G6 PCI Microtower PC

BIOS

02.13.00

Rev 1

SP143288

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143288.exe

HP ProDesk 600 G6 Small Form Factor PC

BIOS

02.13.00

Rev 1

SP143337

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143337.exe

HP ProDesk 680 G3 Microtower PC

BIOS

02.44

Rev 1

SP143379

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143379.exe

HP ProDesk 680 G4 Microtower PC (With PCI slot)

BIOS

02.21.00

Rev 1

SP143329

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143329.exe

HP ProDesk 680 G6 PCI Microtower PC

BIOS

02.13.00

Rev 1

SP143288

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143288.exe

HP ProOne 400 G3 20-inch Non-Touch All-in-One PC

BIOS

02.44

Rev 1

SP142699

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142699.exe

HP ProOne 400 G3 20-inch Touch All-in-One PC

BIOS

02.44

Rev 1

SP142699

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142699.exe

HP ProOne 400 G4 20-inch Non-Touch All-in-One Business PC

BIOS

02.21.00

Rev 1

sp143176

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143176.exe

HP ProOne 400 G4 23.8-inch Non-Touch All-in-One Business PC

BIOS

02.21.00

Rev 1

sp143176

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143176.exe

HP ProOne 400 G5 20-inch All-in-One Business PC

BIOS

02.15.00

Rev 1

sp143178

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143178.exe

HP ProOne 400 G5 23.8-inch All-in-One Business PC

BIOS

02.15.00

Rev 1

sp143178

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143178.exe

HP ProOne 400 G6 20 All-in-One PC

BIOS

02.13.00

Rev 1

SP143224

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143224.exe

HP ProOne 400 G6 24 All-in-One PC

BIOS

02.13.00

Rev 1

SP143224

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143224.exe

HP ProOne 440 23.8 inch G9 All-in-One Desktop PC

BIOS

02.06.02

Rev 1

SP143679

https://ftp.hp.com/pub/softpaq/sp143501-144000/sp143679.exe

HP ProOne 440 G4 23.8-inch Non-Touch All-in-One Business PC

BIOS

02.21.00

Rev 1

sp143176

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143176.exe

HP ProOne 440 G5 23.8-in All-in-One Business PC

BIOS

02.15.00

Rev 1

sp143178

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143178.exe

HP ProOne 440 G6 24 All-in-One PC

BIOS

02.13.00

Rev 1

SP143224

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143224.exe

HP ProOne 480 G3 20-inch Non-Touch All-in One PC

BIOS

02.44

Rev 1

SP142699

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142699.exe

HP ProOne 600 G3 21.5-inch Non-Touch All-in-One PC

BIOS

02.44

Rev 1

SP142696

https://ftp.hp.com/pub/softpaq/sp142501-143000/sp142696.exe

HP ProOne 600 G4 21.5-inch Touch All-in-One Business PC

BIOS

02.21.00

Rev 1

sp143176

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143176.exe

HP ProOne 600 G5 21.5-in All-in-One Business PC

BIOS

02.15.00

Rev 1

sp143178

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143178.exe

HP ProOne 600 G6 22 All-in-One PC

BIOS

02.13.00

Rev 1

SP143224

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143224.exe

HP Z1 G8 Tower Desktop PC

BIOS

02.10.00

Rev 1

SP143417

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143417.exe

HP ZHAN 66 Pro G3 22 All-in-One PC

BIOS

02.13.00

Rev 1

SP143224

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143224.exe

HP ZHAN 66 Pro G3 24 All-in-One PC

BIOS

02.13.00

Rev 1

SP143224

https://ftp.hp.com/pub/softpaq/sp143001-143500/sp143224.exe

HP ZHAN 99 Pro 23.8 inch G9 All-in-One Desktop PC

BIOS

02.06.02

Rev 1

SP143679

https://ftp.hp.com/pub/softpaq/sp143501-144000/sp143679.exe

CVE-2022-27538: HP PC BIOS December 2022 Security Update (TOCTOU)

HPSFViewer might allow Escalation of Privilege. This potential vulnerability was remediated on July 29th, 2022. Customers who opted for automatic updates should have already received the remediation.

HPSFViewer might allow Escalation of Privilege. This potential vulnerability was remediated on July 29th, 2022. Customers who opted for automatic updates should have already received the remediation.

Severity

High

HP Reference

HPSBHF03821 Rev. 2

Release date

December 6, 2022

Last updated

December 6, 2022

Category

PC

**Relevant Common Vulnerabilities and Exposures (CVE) List**

Reported by: Ammarit Thongthua, Nattapol Puknah, and Wirapong Petshagun (Secure D Research team).

List of CVE IDs     

CVE ID

CVSS

Severity

Vector

Vendor ID

CVE-2022-3990

8.8

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

HP

PSR-2022-0097

**Resolution**

HP strives to address all security issues with HP apps at best possible speed and make the latest version available with the fixes. HP recommends that you update to the latest version of HP Support Assistant v9.20 or higher from the Microsoft Store and recommends keeping Microsoft Store updates turned on so that the application is always kept up to date.

Alternately, you can also get the latest version at https://support.hp.com/help/hp-support-assistant.

HP recommends keeping your system up to date with the latest firmware and software.

Note:

This bulletin might be updated when new information and/or SoftPaqs are available. Sign up for HP Subscriptions to be notified and receive:

*   Product support eAlerts
    
*   Driver updates
    
*   Security Bulletin updates
    

**Affected products**

Identify the affected products.

*   HPSFViewer versions lower than 8.6.3.1
    

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

2

Added list of individuals who reported the issue under Relevant common vulnerabilities and exposures (CVE) list.

December 6, 2022

1

Initial Release

December 6, 2022

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2022 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2022-3990: Privilege escalation via HPSFViewer | HP® Customer Support

Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities.

HP Elite Slice for Meeting Rooms

BIOS

2.55

Rev 1

SP136953

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136953.exe

HP Elite Slice G2 - Audio Ready with Zoom Rooms

BIOS

2.55

Rev 1

SP136953

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136953.exe

HP Elite Slice G2 - Partner Ready with Microsoft Teams Rooms

BIOS

2.55

Rev 1

SP136953

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136953.exe

HP Elite Slice G2 with Microsoft Teams Rooms

BIOS

2.55

Rev 1

SP136953

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136953.exe

HP Elite Slice G2 with Intel Unite

BIOS

2.55

Rev 1

SP136953

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136953.exe

HP Elite Slice G2 with Zoom Rooms

BIOS

2.55

Rev 1

SP136953

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136953.exe

HP EliteDesk 705 G3 Desktop Mini PC

BIOS

02.38

Rev 1

SP139824

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139824.exe

HP EliteDesk 705 G3 Microtower PC

BIOS

02.38

Rev 1

SP139855

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139855.exe

HP EliteDesk 705 G3 Small Form Factor PC

BIOS

02.38

Rev 1

SP139855

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139855.exe

HP EliteDesk 705 G4 Desktop Mini PC

BIOS

02.17.00

Rev 1

SP136818

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136818.exe

HP EliteDesk 705 G4 Microtower PC

BIOS

02.17.00

Rev 1

SP137054

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137054.exe

HP EliteDesk 705 G4 Small Form Factor PC

BIOS

02.12.00

Rev 1

SP137069

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137069.exe

HP EliteDesk 705 G4 Workstation Edition

BIOS

02.17.00

Rev 1

SP137054

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137054.exe

HP EliteDesk 705 G5 Desktop Mini PC

BIOS

02.11.00

Rev 1

SP136520

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136520.exe

HP EliteDesk 705 G5 Small Form Factor PC

BIOS

02.11.00

Rev 1

SP136508

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136508.exe

HP EliteDesk 800 35W G3 Desktop Mini PC

BIOS

02.40

Rev 3

SP139781

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139781.exe

HP EliteDesk 800 35W G4 Desktop Mini PC

BIOS

02.18.00

Rev 1

SP136969

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136969.exe

HP EliteDesk 800 65W G3 Desktop Mini PC

BIOS

02.40

Rev 3

SP139781

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139781.exe

HP EliteDesk 800 65W G4 Desktop Mini PC

BIOS

02.18.00

Rev 1

SP136969

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136969.exe

HP EliteDesk 800 95W G4 Desktop Mini PC

BIOS

02.18.00

Rev 1

SP136969

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136969.exe

HP EliteDesk 800 G3 Small Form Factor PC

BIOS

02.40

Rev 1

SP139852

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139852.exe

HP EliteDesk 800 G3 Tower PC

BIOS

02.40

Rev 1

SP139852

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139852.exe

HP EliteDesk 800 G4 Small Form Factor PC

BIOS

02.17.00

Rev 1

SP136495

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136495.exe

HP EliteDesk 800 G4 Tower PC

BIOS

02.17.00

Rev 1

SP136495

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136495.exe

HP EliteDesk 800 G4 Workstation Edition

BIOS

02.17.00

Rev 1

SP136495

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136495.exe

HP EliteDesk 800 G5 Desktop Mini PC

BIOS

02.11.00

Rev 1

SP136572

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136572.exe

HP EliteDesk 800 G5 Small Form Factor PC

BIOS

02.11.00

Rev 1

SP136499

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136499.exe

HP EliteDesk 800 G5 Tower PC

BIOS

02.11.00

Rev 1

SP136499

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136499.exe

HP EliteDesk 880 G3 Tower PC

BIOS

02.40

Rev 1

SP139852

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139852.exe

HP EliteDesk 880 G4 Tower PC

BIOS

02.17.00

Rev 1

SP136495

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136495.exe

HP EliteDesk 880 G5 Tower PC

BIOS

02.11.00

Rev 1

SP136499

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136499.exe

HP EliteOne 1000 G1 23.8-in All-in-One Business PC

BIOS

02.40

Rev 1

SP139698

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139698.exe

HP EliteOne 1000 G1 23.8-in Touch All-in-One Business PC

BIOS

02.40

Rev 1

SP139698

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139698.exe

HP EliteOne 1000 G1 27-in 4K UHD All-in-One Business PC

BIOS

02.40

Rev 1

SP139698

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139698.exe

HP EliteOne 1000 G1 34-in Curved All-in-One Business PC

BIOS

02.40

Rev 1

SP139698

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139698.exe

HP EliteOne 1000 G2 23.8-in All-in-One Business PC

BIOS

02.18.00

Rev 1

SP136988

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136988.exe

HP EliteOne 1000 G2 23.8-in Touch All-in-One Business PC

BIOS

02.18.00

Rev 1

SP136988

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136988.exe

HP EliteOne 1000 G2 27-in 4K UHD All-in-One Business PC

BIOS

02.18.00

Rev 1

SP136988

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136988.exe

HP EliteOne 1000 G2 34-in Curved All-in-One Business PC

BIOS

02.18.00

Rev 1

SP136988

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136988.exe

HP EliteOne 800 G3 23.8 Non-Touch Healthcare Edition All-in-One Business PC

BIOS

02.40

Rev 1

SP139797

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139797.exe

HP EliteOne 800 G3 23.8-inch Non-Touch All-in-One PC

BIOS

02.40

Rev 1

SP139797

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139797.exe

HP EliteOne 800 G3 23.8-inch Non-Touch GPU All-in-One PC

BIOS

02.40

Rev 1

SP139797

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139797.exe

HP EliteOne 800 G3 23.8-inch Touch All-in-One PC

BIOS

02.40

Rev 1

SP139797

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139797.exe

HP EliteOne 800 G3 23.8-inch Touch GPU All-in-One PC

BIOS

02.40

Rev 1

SP139797

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139797.exe

HP EliteOne 800 G4 23.8-in Healthcare Edition All-in-One Business PC

BIOS

02.18.00

Rev 1

SP137015

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137015.exe

HP EliteOne 800 G4 23.8-inch Non-Touch All-in-One PC

BIOS

02.18.00

Rev 1

SP137015

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137015.exe

HP EliteOne 800 G4 23.8-inch Non-Touch GPU All-in-One PC

BIOS

02.18.00

Rev 1

SP137015

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137015.exe

HP EliteOne 800 G4 23.8-inch Touch All-in-One PC

BIOS

02.18.00

Rev 1

SP137015

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137015.exe

HP EliteOne 800 G4 23.8-inch Touch GPU All-in-One PC

BIOS

02.18.00

Rev 1

SP137015

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137015.exe

HP EliteOne 800 G5 23.8-in Healthcare Edition All-in-One

BIOS

2.11.01

Rev 1

SP136705

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136705.exe

HP EliteOne 800 G5 23.8-inch All-in-One

BIOS

2.11.01

Rev 1

SP136705

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136705.exe

HP ProDesk 400 G3 Desktop Mini PC

BIOS

02.40

Rev 3

SP139783

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139783.exe

HP ProDesk 400 G4 Desktop Mini PC

BIOS

02.18.00

Rev 1

SP136964

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136964.exe

HP ProDesk 400 G4 Microtower PC

BIOS

02.40

Rev 1

SP139854

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139854.exe

HP ProDesk 400 G4 Small Form Factor PC

BIOS

02.40

Rev 1

SP139796

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139796.exe

HP ProDesk 400 G5 Desktop Mini PC

BIOS

02.11.00

Rev 1

SP136574

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136574.exe

HP ProDesk 400 G5 Microtower PC

BIOS

02.17.00

Rev 1

SP136497

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136497.exe

HP ProDesk 400 G5 Small Form Factor PC

BIOS

2.17

Rev 1

SP136532

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136532.exe

HP ProDesk 400 G6 Microtower PC

BIOS

02.11.00

Rev 1

SP136501

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136501.exe

HP ProDesk 400 G6 Small Form Factor PC

BIOS

02.11.00

Rev 1

SP136515

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136515.exe

HP ProDesk 405 G4 Desktop Mini PC

BIOS

02.17.00

Rev 1

SP136824

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136824.exe

HP ProDesk 405 G4 Small Form Factor PC

BIOS

02.12.00

Rev 1

SP137069

https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137069.exe

HP ProDesk 480 G4 Microtower PC

BIOS

02.40

Rev 1

SP139854

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139854.exe

HP ProDesk 480 G5 Microtower PC

BIOS

02.17.00

Rev 1

SP136497

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136497.exe

HP ProDesk 480 G6 Microtower PC

BIOS

02.11.00

Rev 1

SP136501

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136501.exe

HP ProDesk 600 G3 Desktop Mini PC

BIOS

02.40

Rev 3

SP139782

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139782.exe

HP ProDesk 600 G3 Microtower PC

BIOS

02.40

Rev 1

SP139853

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139853.exe

HP ProDesk 600 G3 Small Form Factor PC

BIOS

02.40

Rev 1

SP139795

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139795.exe

HP ProDesk 600 G4 Desktop Mini PC

BIOS

02.18.00

Rev 1

SP136957

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136957.exe

HP ProDesk 600 G4 Microtower PC

BIOS

02.17.00

Rev 1

SP136496

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136496.exe

HP ProDesk 600 G4 Microtower PC (with PCI slot)

BIOS

02.17.00

Rev 1

SP136496

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136496.exe

HP ProDesk 600 G4 Small Form Factor PC

BIOS

02.18.00

Rev 1

SP136961

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136961.exe

HP ProDesk 600 G5 Desktop Mini PC

BIOS

02.11.00

Rev 1

SP136573

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136573.exe

HP ProDesk 600 G5 Microtower PC

BIOS

02.11.00

Rev 1

SP136500

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136500.exe

HP ProDesk 600 G5 Microtower PC (with PCI slot)

BIOS

02.11.00

Rev 1

SP136500

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136500.exe

HP ProDesk 600 G5 Small Form Factor PC

BIOS

02.11.00

Rev 1

SP136514

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136514.exe

HP ProDesk 680 G3 Microtower PC

BIOS

02.40

Rev 1

SP139853

https://ftp.hp.com/pub/softpaq/sp139501-140000/sp139853.exe

HP ProDesk 680 G4 Microtower PC

BIOS

02.17.00

Rev 1

SP136496

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136496.exe

HP ProDesk 680 G4 Microtower PC (With PCI slot)

BIOS

02.17.00

Rev 1

SP136498

https://ftp.hp.com/pub/softpaq/sp136001-136500/sp136498.exe

HP ProOne 400 G3 20-inch Non-Touch All-in-One PC

BIOS

02.40

Rev 3

SP140061

https://ftp.hp.com/pub/softpaq/sp140001-140500/sp140061.exe

HP ProOne 400 G3 20-inch Touch All-in-One PC

BIOS

02.40

Rev 3

SP140061

https://ftp.hp.com/pub/softpaq/sp140001-140500/sp140061.exe

HP ProOne 400 G4 20-inch Non-Touch All-in-One Business PC

BIOS

02.17.00

Rev 1

SP136516

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136516.exe

HP ProOne 400 G4 23.8-inch Non-Touch All-in-One Business PC

BIOS

02.17.00

Rev 1

SP136516

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136516.exe

HP ProOne 400 G5 20-inch All-in-One Business PC

BIOS

02.11.01

Rev 1

SP136660

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136660.exe

HP ProOne 400 G5 23.8-inch All-in-One Business PC

BIOS

02.11.01

Rev 1

SP136660

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136660.exe

HP ProOne 440 G4 23.8-inch Non-Touch All-in-One Business PC

BIOS

02.17.00

Rev 1

SP136516

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136516.exe

HP ProOne 440 G5 23.8-in All-in-One Business PC

BIOS

02.11.01

Rev 1

SP136660

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136660.exe

HP ProOne 480 G3 20-inch Non-Touch All-in One PC

BIOS

02.40

Rev 3

SP140061

https://ftp.hp.com/pub/softpaq/sp140001-140500/sp140061.exe

HP ProOne 600 G3 21.5-inch Non-Touch All-in-One PC

BIOS

02.40

Rev 3

SP140060

https://ftp.hp.com/pub/softpaq/sp140001-140500/sp140060.exe

HP ProOne 600 G4 21.5-inch Touch All-in-One Business PC

BIOS

02.17.00

Rev 1

SP136516

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136516.exe

HP ProOne 600 G5 21.5-in All-in-One Business PC

BIOS

02.11.01

Rev 1

SP136660

https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136660.exe

CVE-2021-3809: HP PC BIOS - May 2022 Security Updates

Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network (MPN) accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations' cloud environments and steal email.
"The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting

Enterprise Security / Authentication

Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network (MPN) accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations' cloud environments and steal email.

"The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps," the tech giant said. "This phishing campaign targeted a subset of customers primarily based in the U.K. and Ireland."

Consent phishing is a social engineering attack wherein users are tricked into granting permissions to malicious cloud applications, which can then be weaponized to gain access to legitimate cloud services and sensitive user data.

The Windows maker said it became aware of the campaign on December 15, 2022. It has since alerted affected customers via email, with the company noting that the threat actors abused the consent to exfiltrate mailboxes.

On top of that, Microsoft said it implemented additional security measures to improve the vetting process associated with the Microsoft Cloud Partner Program (formerly MPN) and minimize the potential for fraud in the future.

The disclosure coincides with a report released by Proofpoint about how threat actors have successfully exploited Microsoft's "verified publisher" status to infiltrate the cloud environments of organizations.

What's notable about the campaign is that by mimicking popular brands, it was also successful at fooling Microsoft in order to gain the blue verified badge. "The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD," the company explained.

These attacks, which were first observed on December 6, 2022, employed lookalike versions of legitimate apps like Zoom to deceive targets into authorizing access and facilitate data theft. Targets included financial, marketing, managers, and senior executives.

Proofpoint noted the malicious OAuth apps had "far-reaching delegated permissions" such as reading emails, adjusting mailbox settings, and gaining access to files and other data connected to the user's account.

It also said that unlike a previous campaign that compromised existing Microsoft verified publishers to take advantage of OAuth app privileges, the latest attacks are designed to impersonate legitimate publishers to become verified and distribute the rogue apps.

Two of the apps in question were named "Single Sign-on (SSO)," while the third app was called "Meeting" in an attempt to masquerade as video conferencing software. All three apps, created by three different publishers, targeted the same companies and leveraged the same attacker-controlled infrastructure.

"The potential impact to organizations includes compromised user accounts, data exfiltration, brand abuse of impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse," the enterprise security firm said.

The campaign is said to have come to an end on December 27, 2022, after Proofpoint informed Microsoft of the attack on December 20 and the apps were disabled.

The findings demonstrate the sophistication that has gone into mounting the attack, not to mention bypass Microsoft's security protections and misuse the trust users place in enterprise vendors and service providers.

This is not the first time bogus OAuth apps have been used to target Microsoft's cloud services. In January 2022, Proofpoint detailed another threat activity dubbed OiVaVoii that targeted high-level executives to seize control of their accounts.

Then in September 2022, Microsoft revealed that it dismantled an attack that made use of rogue OAuth applications deployed on compromised cloud tenants to ultimately seize control of Exchange servers and distribute spam.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Abused Microsoft's "Verified Publisher" OAuth Apps to Hack Corporate Email Accounts

An arbitrary file write vulnerability in Serenissima Informatica Fast Checkin v1.0 allows unauthenticated attackers to upload malicious files in the web root of the application to gain access to the server via the web shell.

L’ **Offensive Security Team** di **Swascan** ha identificato **3** vulnerabilità sul prodotto.

**Serenissima Informatica SpA**

_Serenissima Informatica è un’azienda che si occupa dello sviluppo di soluzioni per la gestione di PMI, Hotel e catene alberghiere, ristoranti e GDO._

**FastCheckIn – descrizione prodotto**

_Il prodotto FastCheckin (Web Check-In)_ in particolare aiuta gli utenti di Hotel e catene alberghiere nella compilazione dei propri dati e nella gestione delle proprie prenotazione online.

**Technical summary**

L’Offensive Security Team di Swascan ha identificato importanti vulnerabilià su: _FastCheckIn_:

**Vulnerabilità**

**CWE-ID**

**CVSSv3.1 Vector String**

**CVSSv3.1 Base Score**

**Arbitrary File Write (non autenticato)**

CWE-22

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

**9.8 – Critical**

**SQL Injection (non autenticato)**

CWE-89

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**9.8 – Critical**

**Absolute/Relative Path Traversal (non autenticato)**

CWE-22

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

**8.6 – High**

 Swascan ha scelto di non divulgare i dettagli tecnici della vulnerabilità.

Nella sezione seguente la Proof-of-Concept con evidenze offuscate sulle vulnerabilità riscontrate.

**Arbitrary File Write (non autenticato) – CVE-2022-47769****Descrizione**

L’applicazione risulta vulnerabile ad Arbitrary File Write. 

Un attaccante, remotamente e in modalità non autenticata, potrà scrivere nella web root dell’applicazione, qualsiasi file dal contenuto arbitrario per alterare e/o bloccare il funzionamento dell’applicativo oppure per ottenere l’accesso al server tramite web shell.

**Proof of Concept**

Si mostra di seguito come sia stato possibile scrivere una web shell nella web root dell’applicazione web ed ottenere accesso al server.

Per ottenere tale risultato sono stati effettuati i seguenti passaggi:

1.  Esecuzione di una HTTP Post Request per scrivere una WebShell (nell’esempio con il nome _70347276-ee93-4366-b396-e1496f67ed6d.aspx_ ) all’interno della web root;
2.  Esecuzione di comandi sul server tramite WebShell.

Evidenza 1 Richiesta HTTP contenente la WebShell

Il file C:\\\\FastCheckIn\\\\FastCI\\\\70347276-ee93-4366-b396-e1496f67ed6d.aspx è stato quindi creato con successo e raggiungibile dal web come mostrato nell’evidenza successiva:

Evidenza 2  Esecuzione tramite webshell del comando “whoami”

**Riferimenti**

https://cwe.mitre.org/data/definitions/20.html

http://cwe.mitre.org/data/definitions/22.html

https://owasp.org/www-community/attacks/Path\_Traversal

https://cheatsheetseries.owasp.org/cheatsheets/Input\_Validation\_Cheat\_Sheet.html

**SQL Injection (non autenticato) – CVE-2022-47770****Descrizione**

L’applicazione web è vulnerabile ad attacchi di tipo SQL Injection non autenticati.

Un potenziale attaccante sarà in grado accedere remotamente, completamente ed in maniera non autenticata alle informazioni contenute nella banca dati ed effettuare operazioni come esfiltrazione e modifica di account utente ed amministrativi, dati personali di utenti ed altre informazioni in essa contenute.

**Proof of Concept**

Si mostrano di seguito le evidenze della vulnerabilità e di come sia possibile estrarre informazioni sensibili dall’interno della banca dati.

Di seguito l’evidenza dell’enumerazione del DMBS, Microsoft SQL Server e la lista offuscata) di tutti i database presenti sul server:

Evidenza 4 SQLMap Lista database

Ciò conferma la presenza della vulnerabilità.

A fronte della corretta exploitation di questo tipo di vulnerabilità, un attaccante potrebbe acquisire i diritti di amministratore dell’applicativo web, con conseguente accesso a tutte le funzionalità del portale.

**Riferimenti**

https://www.owasp.org/index.php/SQL\_Injection

https://cwe.mitre.org/data/definitions/89.html

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SQL\_Injection\_Prevention\_Cheat\_Sheet.md

https://owasp.org/Top10/A03\_2021-Injection/

https://www.cve.org/CVERecord?id=CVE-2022-47770

**Path Traversal (non autenticato) – CVE-2022-47768****Descrizione**

La vulnerabilità Path Traversal (Relative e Absolute) consente l’accesso a file presenti nel sistema operativo che risiedono al di fuori della web root dell’applicazione. Manipolando le variabili che richiedono i file, attraverso l’uso dei caratteri “../” o di un path assoluto (eg. C:\\…) è possibile accedere arbitrariamente ai file e/o cartelle contenuti nel sistema operativo come il codice sorgente dell’applicazione o file sensibili che risiedono nella macchina.

**Proof of Concept**

Di seguito vengono mostrate le evidenze di come è possibile leggere il contenuto di file sul filesystem. Nell’esempio viene mostrata la possibilità di leggere il file c:\\windows\\win.ini:

Evidenza 5 Richiesta e Risposta HTTP della vulnerabilità Absolute Path Traversal

**Riferimenti**

https://cwe.mitre.org/data/definitions/22.html

https://cwe.mitre.org/data/definitions/23.html

https://owasp.org/Top10/A01\_2021-Broken\_Access\_Control/

https://owasp.org/www-community/attacks/Path\_Traversal

https://www.cve.org/CVERecord?id=CVE-2022-47768

**Remediation**

Swascan consiglia di non esporre l’applicativo su Internet o, qualora fosse necessario, di accedervi esclusivamente tramite connessione VPN in attesa che il vendor rilasci una patch o un aggiornamento.

**Disclosure Timeline**

*   07-08-2022: Scoperte le vulnerabilità
*   07-08-2022: Vendor contattato tramite mail (1° tentativo, nessuna risposta)
*   22-09-2022: Vendor contattato tramite mail (2° tentativo, con risposta)
*   22-09-2022: Invio del report contenente le vulnerabilità
*   11-01-2023: Swascan ricontatta il vendor per eventuale review del documento (nessuna risposta)
*   18-01-2023: Swasacan ricontatta il vendor per eventuale review (nessuna risposta)
*   31-01-2023: Swascan pubblica la vulnerabilità

CVE-2022-47769: Security Advisory: Serenissima Informatica – FastCheckIn (CVE-2022-47768/CVE-2022-47769/ CVE-2022-47770)

本ブログは、Microsoft Investigation – Threat actor consent phishing campaign abusing the verified publisher process の抄訳版です。最新の情報は原文を参照してくださ

Microsoft の調査 – 検証済みの発行者確認を悪用する脅威アクターの同意フィッシング キャンペーンについて

Everyone on Twitter wants a blue check mark. But Microsoft Azure's blue badges are even more valuable to a threat actor stealing your data via malicious OAuth apps.

Late last year, a group of threat actors managed to obtain "verified publisher" status through the Microsoft Cloud Partner Program (MCPP). This allowed them to surpass levels of brand impersonation ordinarily seen in phishing campaigns, as they distributed malicious applications bolstered by a verified blue badge only ever given to trusted vendors and service providers in the Microsoft ecosystem.

The MCPP is Microsoft’s channel partner program, inhabited by 400,000-plus companies that sell and support its enterprise products and services and also build their own solutions and software around them. Members include managed services providers, independent software vendors, and business app developers, among others.

Researchers from Proofpoint first discovered this activity on Dec. 6 of last year. A report published on Jan. 31 outlines how threat actors used their bogus status as verified app publishers within the MCPP program to infiltrate UK- and Ireland-based organizations' cloud environments. The fake solutions partners targeted employees in finance and marketing, as well as managers and executives, via malicious applications. Users who fell for the badge potentially exposed themselves to account takeover, data exfiltration, and business email compromise (BEC), and their organizations were laid open to brand impersonation.

Overall, the campaign "used unprecedented sophistication to bypass Microsoft’s security mechanisms," the researchers tell Dark Reading. "This was an extremely well-thought-out operation."

**How the Hackers Duped Microsoft**

To become a verified publisher, Microsoft Cloud Partners must meet a set of eight criteria. These criteria are largely technical and, as Microsoft outlined in its documentation, passing the bar "doesn't imply or indicate quality criteria you might look for in an app." But threat actors abusing the system to distribute malicious apps? That's not supposed to happen.

The trick in this case was that, before phishing end users, the attackers tricked Microsoft itself.

To wit: They registered as publishers under "displayed" names that mimicked legitimate companies. Meanwhile, their associated "verified publisher" names were hidden and slightly different. The example given by the researchers is that a publisher masquerading as "Acme LLC" might have a verified publisher name "Acme Holdings LLC."

Evidently, this was enough to skate by the systems' verification process. In fact, researchers noted, "in two cases, the verification was granted one day after the creation of the malicious application."

When reached for comment on the failure of the verification process, Proofpoint did not offer further details, and a Microsoft spokesperson merely noted, _“_Consent phishing is an ongoing, industrywide issue, and we’re continuously monitoring for new attack patterns. We've disabled these malicious apps and are taking additional steps to harden our services to help keep customers secure.” 

The spokesperson added, "The limited number of customers who were impacted by the campaign described in the Proofpoint blog have been notified."

**How the Hackers Duped Enterprise Users**

Having obtained their verified status, the threat actors began spreading malicious OAuth apps, an increasingly popular vehicle for cyberattackers in recent years. They rigged these apps to request broad access to victims' accounts.

"The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD," according to an advisory published Jan. 31. "The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps."

OAuth — short for "open authorization" — is a token-based framework that enables users to authorize certain data sharing between third-party applications, without needing to divulge their login credentials in the process. A common example is the "log in with Google" or "log in with Facebook" options that many websites offer to avoid having to create a new set of credentials to use with the sites. OAuth dialogues are common enough that users typically just hit "Accept," without digging into the fine details of what they're agreeing to.

Snuffing out this consent phishing campaign would have required a great deal more vigilance than that.

Beyond the "verified publisher" stamp of approval, the attackers gave vague and innocuous names to the apps requesting permissions: Two were called, simply, "Single Sign-on (SSO)," and one "Meeting." And though publishing under the guise of other impersonated organizations, the attackers chose a household name to display to users at the requested permissions stage.

"The attacker(s) used different data fields to fool targeted users," the Proofpoint researchers said. "They used one name, identical to the impersonated org's name, as the visible publisher name. The other name was used as a hidden parameter, not visible in the malicious app's consent page."

In one case, "they used an outdated version of the well-recognized Zoom icon," the Proofpoint authors explained in the report, "and redirected to Zoom-resembling URLs, as well as a genuine Zoom domain, to increase their credibility."

To conclude, they put it bluntly: "End users are likely to fall prey to the advanced social engineering methods outlined in this blog."

Victims who fell for the gambit granted their attackers permission to access special areas of their accounts, like their mailboxes and calendars. The permissions also included offline access, enabling the hackers to do what they wished entirely out of view.

**Bogus OAuth Apps: Takeaways for Business**

After learning about the campaign on Dec. 15, Microsoft disabled the malicious applications and associated publisher accounts. It then enlisted its Digital Crimes Unit to investigate further.

According to Microsoft, "We have implemented several additional security measures to improve the MCPP vetting process and decrease the risk of similar fraudulent behavior in the future."

To defend against future campaigns of this kind, Proofpoint researchers recommended deploying effective cloud security solutions to help detect malicious applications, and pointed readers to Microsoft's advisory regarding consent phishing. Their most important bit of advice was "to exercise caution when granting access to third-party OAuth apps, even if they are verified by Microsoft."

"Do not," they wrote, "trust and rely on OAuth apps based on their verified publisher status alone."

Phishers Trick Microsoft Into Granting Them 'Verified' Cloud Partner Status

Demand for skilled professionals will remain high, but cyber budgets will be eaten away.

We've recently seen substantial layoffs across the tech sector, to the tune of around 140,000 redundancies made by big names such as Amazon, Salesforce, Microsoft, and Tesla. As the recession bites, falling stock prices and further contraction in the market, together with merger and acquisition activity, are expected to force businesses to reduce head count further still. Yet the cybersecurity sector, thus far, has remained relatively unscathed with respect to cyber professionals (it’s a different story with vendors, which are subject to the mores of the market). The question is why, and will it continue to buck the trend?

Much of the reason why the security industry remains so buoyant is down to the fact that there simply isn't the fat to cut from security teams. Most businesses are struggling to recruit sufficient staff due to a widening skills gap — the ISC2 "2022 Cybersecurity Workforce Study" reports that while there is a global workforce of 4.7 million, the gap is almost as big at 3.4 million — and that means teams are often short-handed, leading to job creep, whereby staff have to take on extra responsibilities. "The State of Security 2022" report found that 76% of cybersecurity staff had to take on responsibilities they were not ready for in an attempt to fill the void. 

**Is My Job Safe?**

Yet despite professionals being in demand, the wider cybersecurity sector is beginning to feel the pain. Budgets themselves remain robust, with analyst houses such as Gartner predicting strong investment in cloud security, application security, and other information security software. But even if cybersecurity spending increases in 2023, it's being eroded by rising inflation and increasing solution/licensing costs, and the majority (70%) believe budgets will be cut or frozen this year, according to ESG Research.

So, what are the implications for the year ahead? First, cybersecurity talent will remain in short supply, while the annual shortfall, together with an exodus of talent, will see the gap widen, increasing demand still further. Jobs will, therefore, largely be safe, although this doesn't apply across the board.

The shortages are focused, with those with three to four years or more of experience most in demand, according to the Department for Digital, Culture, Media, and Sport, as well as those with experience in emerging or nascent technologies, such as cloud security, security operations center (SOC) analysts, and security admin and security architects, according to Fortinet's "2022 Cybersecurity Skills Gap" report. Those findings broadly tally with ISACA's "State of Cybersecurity 2022" report, which lists the top five skill sets as cloud computing, data protection, identity access management, incident response and DevSecOps. However, positions further down the hierarchy are likely to prove less recession-proof. 

**Investment in Tech**

Second, shrinking budgets could slow investment in automation, which many had hoped would alleviate the skills shortage and improve retention rate by providing security teams with some much-needed assistance. That's bad news for the industry, as it will stifle progress, but it could also see organizations become more exposed. The ISACA report found 69% of those businesses that suffered an attack last year were somewhat or significantly understaffed, and it's a problem that is turning out to be something of a self-fulfilling prophecy. Half of staff say they are much more likely to quit following a cyberattack, and job candidates are far less likely to want to work for a business that has suffered from cyberattacks, according to "The True Cost of Cyber."

However, the jury is still out on just how affected cyber spending will be. According to "The 2023 State of IT" report, cybersecurity is expected to increase its take out of IT budgets with respect to software (11%), hardware (7%), cloud (6%), and managed services (11%). Furthermore, the "2023 Global Tech Outlook" report found cybersecurity is now viewed as a higher-priority spend than innovation in digital transformation projects. IT security (44%) came out top as a spending priority for the next 12 months, followed by cloud infrastructure (36%) and IT/cloud management (35%).

**Wage Walkouts**

Third, we're unlikely to see salaries continue to escalate as they did pre- and post-pandemic, when some salaries experienced double-digit percentage growth. The Harvey Nash Hot Skills & Salary Report found that certain cybersecurity roles have plateaued, with 67% not receiving a pay rise. Realistically, this will make retention more difficult, and businesses are going to have to work to hang on to their hard-won talent (60% of businesses have already had staff poached, according to ISACA). That said, with the market contracting, some cybersecurity professionals may opt for job security over salary.

It looks unlikely that the cybersecurity sector will escape entirely the ravages of the recession. Demand for skilled professionals will remain high, but with cyber budgets being eaten away, there will be less cash to go round, forcing businesses to prioritize. In a bid to do more with less, workloads are likely to go up, in turn increasing staff turnover, jeopardizing business continuity. That means the one certainty we do seem to have is that businesses will be understaffed — and overexposed.

Tag

#microsoft