The Curricula platform uses behavioral science with a simplified approach to train and educate users — and marks another step forward in Huntress’ mission to secure the 99%.

ELLICOTT CITY, Md., July 19, 2022 (GLOBE NEWSWIRE) -- Huntress, the managed security platform for small and mid-market businesses (SMBs), today announced it has acquired Curricula, a fun, story-based security awareness training platform that empowers employees to better defend themselves against hackers.

As cybercriminals continue to prey on individuals with little or no security training, the acquisition adds another critical layer to Huntress’ growing Managed Security Platform — delivered through an interactive eLearning experience that empowers employees to become their own line of defense in the fight against attackers.

“Delivering education and rallying the community have always been a core part of our mission,” said Kyle Hanslovan, Huntress CEO and Co-Founder. “Employees today need relatable and effective learning — not just more uninspired content that punishes learners and sets SMBs up for failure.Our team had already seen Curricula’s results internally, so it seemed criminal to not bring it to our partner ecosystem. Together, we're combining Curricula's creativity with Huntress' offensive expertise to address the demand for memorable and actionable threat training.”

In addition to its core platform, Curricula offers a number of additional features to help businesses build a positively focused security culture — including a gamified phishing simulator, story-based training episodes, custom content creation tools, compliance reporting and more.

“Curricula is already embraced by thousands of organizations across the globe simply because our training content is second to none,” said Curricula CEO Nick Santora. “Our animation studio creates security awareness content that is fun, memorable, and, most importantly, effective. Now under Huntress, we’re able to scale our global reach to resellers and service providers, setting the tone for what a remarkable security awareness program should be for every organization.”

More information can be found about Curricula’s training at www.curricula.com/cyber-security-awareness-training.

Today, Huntress partners with more than 3,000 service providers that in turn protect more than 1.2 million endpoints across more than 68,000 businesses.

**About Huntress**  
Hackers are constantly evolving, exploiting new vulnerabilities and dwelling in IT environments,—,until they meet Huntress.

Huntress protects small and mid-market businesses from modern cyberattackers. Founded by former NSA Cyber Operators—and backed by a team of 24/7 threat hunters — our managed security platform defends businesses from persistent footholds, ransomware and other attacks.

We're on a mission to secure the 99%. Learn more at www.huntress.com and follow us on social @HuntressLabs.

**About Curricula**  
Founded in 2015, Curricula is a fun security awareness training platform that uses story-based learning to communicate cyber risk to employees. Curricula’s mission is to fix boring security awareness programs by empowering employees to defend themselves against hackers. For more information visit: www.Curricula.com.

Huntress Acquires Curricula for $22M to Disrupt Security Training Market, Elevate Cyber Readiness for SMB Employees

An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.

DATE

ID#

TITLE

03-07-22

PLYTV21-09

Studio X50 – Improper Neutralization of Special Elements used in an OS Command

03-07-22

PLYPL21-12

EEDII – Multiple Security Vulnerabilities

02-23-22

PLYGN21-08

Poly Systems – Apache Log4j

09-29-21

Security Advisory Version 1.0

Plantronics Hub – Local Privilege Escalation

09-07-21

Security Bulletin Version 1.0

CX5100/CX5500 Authenticated Command Injection

04-30-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly VOIP Phones

02-24-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly VOIP Phones

02-24-21

Security Bulletin Version 1.1

Increased SIP Provisioning Attacks

02-22-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly ZTP Service

01-20-21

Security Bulletin Version 1.0

Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-352A

04-24-20

Security Bulletin Version 1.0

Poly Recommended Best Security Practices for Unified Communications

04-01-20

Security Advisory Version 1.0

Poly Voice Endpoints – XSS and CSRF Vulnerabilities

02-07-20

Security Bulletin Version 1.0

CCX500 - UI Vulnerability Allows Access to Android Settings

01-15-20

Security Bulletin Version 1.6

Worldwide H.323 and SIP Botnet Calling Video Systems

01-10-20

Security Advisory Version 1.2.0

Remote Code Execution Vulnerability in UCS Software

01-10-20

Security Advisory Version 1.0.0

Vulnerabilities in VxWorks Operating System and Poly Products

09-04-19

Security Advisory Version 1.0.0

Plantronics Hub - Local Privilege Escalation Vulnerability

08-06-19

Security Advisory Version 1.0

Remote Code Execution Vulnerability in Obihai OBi1022

06-19-19

Security Advisory Version 1.1

Insufficient Authentication Resulting in Information Leakage on VVX Products

06-14-19

Security Advisory Version 1.1

Hard Coded Credentials Vulnerability in VVX Products

04-26-19

Security Advisory Version 1.0

Multiple Vulnerabilities in HDX Products Older than 3.1.14

02-20-19

Security Bulletin Version 1.0

HDX (versions older than 3.1.13) can be affected by multiple Botnets

01-24-19

Security Advisory Version 1.1

Cyber Threats Targeting Default Passwords

11-30-18

Security Bulletin Version 1.1

TLS 1.2 and Microsoft O365 Impacts to Polycom Products

11-05-18

Security Bulletin Version 1.0

Bluetooth Authentication Weakness Found in Trio

11-05-18

Security Bulletin Version 1.0

Stored Cross-Site Scripting Found in Trio

11-01-18

Security Bulletin Version 1.0

Remote Code Execution Vulnerability Found in Group Series

08-10-18

Security Bulletin Version 1.1

HDX SoftwareVersions Older than 3.1.12 and Omni Botnet

07-12-18

Security Advisory Version 1.9

Processor Based "Speculative Execution" Vulnerabilities AKA "Spectre" and "Meltdown" on Polycom Products

07-11-18

Security Advisory Version 1.2

Vulnerabilities in Polycom VVX Phones and UC Software

07-03-18

Security Advisory Version 1.0

Polycom UCS Software Vulnerabilities

06-26-18

Security Advisory Version 1.1

RealPresence Web Suite Vulnerability

05-10-18

Security Advisory Version 1.0

RealPresence Debut Vulnerabilities

03-05-18

Security Advisory Version 1.0

QDX 6000 Vulnerabilities

12-20-17

Security Advisory Version 1.2

"Krack" Vulnerability with Polycom Products

11-24-17

Security Advisory Version 1.2

Remote Code Execution on HDX Endpoints

10-18-17

Security Advisory Version 1.1

BlueBorne Bluetooth Vulnerabilities

08-28-17

Security Advisory Version 1.0

Information Disclosure on Multiple Polycom Products

08-11-17

Security Bulletin Version 1.1

WannaCry Vulnerability and Polycom Products

06-14-17

Security Bulletin Version 1.0

Relating to CVE-2017-7494 "SambaCry" Vulnerability and Polycom Products

03-22-17

Security Bulletin Version 1.0

Relating to CVE-2017-5638 "Apache Struts" Vulnerability and Polycom Products

10-26-16

Security Advisory Version 1.1

Relating to CVE-2016-5195 "Dirty COW" Vulnerability

09-20-16

Security Advisory Version 2.0

Relating to a Cross-site Scripting (XSS) Vulnerability in Polycom HDX Video Endpoints

09-13-16

Security Advisory Version 1.0

Relating to an XML External Entity (XXE) Vulnerability in Polycom HDX Video Endpoints)

04-06-16

Security Advisory Version 1.2

Relating to a GNU glibc DNS Vulnerability (CVE-2015-7547)

03-08-16

Security Bulletin Version 1.0

Relating to CVE-2016-0800 “DROWN” Vulnerability and Polycom Products

02-09-16

Security Office Update 2.0

Security Update Relating to H.323 and SIP AES Media Encryption on Polycom Products

12-16-15

Security Advisory Version 1.0

Relating to RealPresence Capture Server and RealPresence Media Suite Appliance Editions

12-09-15

Security Advisory Version 1.0

Relating to Path Traversal Vulnerabilities in Polycom VVX Business Media Phones

10-23-15

Security Advisory Version 2.0

Relating to GHOST glibc Vulnerability

10-23-15

Security Advisory Version 1.6.1

Relating to Logjam Vulnerability

06-29-15

Security Bulletin Version 1.0

RealPresence Resource Manager 8.4 security fixes summary

06-23-15

Security Advisory Version 1.0

Relating to Command Shell Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Inadequate SSH Restrictions Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Software Update Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Weak Entropy Vulnerability in Polycom Group Series Video Endpoints Web Cookies

06-17-15

Security Bulletin Version 1.0

Relating to "Tomcat Denial of Service"

06-15-15

Security Bulletin Version 1.0

Relating to Leap Second Insertion

04-20-15

Security Bulletin Version 1.6

Relating to SSLv3 "POODLE" Vulnerability and Polycom Products

10-24-14

Security Advisory Version 1.7

Relating to Bash shell arbitrary code execution on Various Polycom Products

10-06-14

Security Bulletin Version 1.2

Relating to Multiple OpenSSL Vulnerabilities on Various Polycom Products

06-05-14

Security Advisory Version 1.12

Relating to OpenSSL Vulnerability “Heartbleed” on Various Polycom Products

12-20-13

Security Bulletin 5471

Relating to JBoss Application Server on RealPresence Resource Manager

03-14-13

Security Bulletin 102404

Security Advisory relating to telnet shell authorization bypass on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107522

Security Advisory Relating to the Firmware Update Command Injection Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107523

Security Advisory Relating to the Command Shell Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107524

Security Advisory Relating to the H.323 Format String Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107525

Security Advisory Relating to the H.323 CDR Database SQL Injection on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107526

Security Advisory Relating to the PUP File Header MAC Signature Bypass on Polycom HDX Video Endpoints

CVE-2022-26482: Security Center

Phishing retained its place as the top root cause of data compromises, according to new data from the Identity Theft Resource Center (ITRC).

Ransomware attacks leading to data breaches fell 20% in the second quarter of 2022 compared with the first quarter and dropped quarter over quarter, according to new data from the Identity Theft Resource Center.

"Security researchers believe that the decline in ransomware attacks is due to a combination of factors, including the ongoing conflict in Ukraine and the collapse of cryptocurrencies favored by cybercriminals," the ITRC report notes. "All of these trends – fewer compromises, fewer victims, few ransomware attacks – can be reversed quickly with just a handful of large breaches or a series of smaller ones."  

The ITRC report also says that phishing remained the No. 1 root cause of data compromises in the first half of 2022. Data compromises rose slightly in the second quarter of the year, although the pace of data compromises for the first half of 2022 is down 4% compared with the same period in 2021.

But the ITRC study also shows that the data indicating a downward trend in breaches and ransomware numbers could be an illusion, masked by the nearly 40% of data breach notices that don't include basic information, such as attack vector or a victim count. This is the first time that "unknown" topped the list of data breach causes since the ITRC began tracking data breaches.

So far in 2022, there have been 817 publicly reported data breaches with 53,350,425 victims, down from the record-high 851 recorded by the ITRC in 2021. This includes 802 data breaches with 46,209,107 victims, 10 data exposures affecting 7,136,948 victims, and 5 unknown events numbering 4,370 victims, according to ITRC data.  

In the first half of 2022, 367 entities were affected by 44 third-party/supply chain attacks, including 10 attacks reported in the two previous years. Among those singled out by the report were the Illuminate Education, Ciox Health, and Eye Care Leaders supply chain attacks.

System errors and human errors also contributed to data exposures and included failures to configure cloud security, misconfigured firewalls, and email correspondence containing sensitive information. Physical attacks, which include device theft and improper disposal, resulted in 13 breaches in the second quarter of 2022, for a total of 115,395 victims.

**Ransomware, Phishing Threat to Businesses Still Acute**

As malicious actors move their focus away from individuals, organizations are bearing the brunt of attacks, with global ransomware incidents targeting everything from enterprise servers to grounding an airline.

Data pulled from incident response cases by Unit 42 earlier in the year showed cyber-extortion attacks jumped by 85% as ransomware attackers demanded dramatically higher ransom fees in 2021.

A February report by the ITRC showed phishing is also one of the primary data-breach causes at many organizations in 2021. According to the ITRC, 537 out of 1,613 publicly disclosed breaches in 2021 — or one-third — involved phishing, smishing, or business email compromise.

Malicious actors are moving their focus to small businesses, which are likely to have fewer security resources to combat such attacks — a QuickBooks vishing scam targeting SMBs was just the latest in a string of incidents.

Data Breaches Linked to Ransomware Declined in Q2 2022

Upgrades to the Exostar platform promote secure, compliant collaboration and handling of controlled unclassified information.

**HERNDON, VA, July 12, 2022 –** Exostar, a leader in trusted, secure business collaboration in highly regulated industries including aerospace and defense, today announced the availability of updates to The Exostar Platform that allow small and medium-sized businesses (SMBs) to overcome the technology, time, and cost obstacles of preparing for and demonstrating compliance with Department of Defense (DoD) cybersecurity requirements.

Firms throughout the Defense Industrial Base (DIB), including SMBs deep in the DoD supply chain, will have to acquire Cybersecurity Maturity Model Certification (CMMC) 2.0 certification as soon as May 2023 to participate in subsequent DoD contract solicitations. According to CMMC version 2.0, any member of the DIB that stores or handles Controlled Unclassified Information (CUI) during program execution must meet the 110 practices defined at CMMC Maturity Level 2. Many SMBs simply do not possess the expertise, bandwidth, or budget to go it alone.

Exostar’s Managed Microsoft 365 for CMMC directly addresses these challenges. This managed solution, based on Microsoft Teams and hosted in a Microsoft 365 Government Cloud Computing (GCC) High environment, is designed specifically for SMBs and delivers benefits including:

*   A secure workspace for SMB users within GCC High – without the expense and burden of acquiring, setting up, and managing their own tenant.
*   Rapid onboarding – subscribe today and be working tomorrow.
*   Implementation of the security controls necessary to properly protect CUI – and facilitate compliance with CMMC 2.0 and other DoD cybersecurity standards.
*   Enterprise-grade security at a price SMBs can afford, with room to grow for an enterprise license.

In addition to the launch of Exostar’s Managed Microsoft 365 for CMMC, the company has updated and upgraded its CMMC Ready Suite within The Exostar Platform to provide out-of-the-box support to accelerate SMBs throughout their CMMC 2.0 accreditation journeys:

*   Certification Assistant – Offers plainspoken descriptions of CMMC practices at all three Maturity Levels, helping SMBs to conduct compliance self-assessments and scoring, gather documentation, and prepare for any necessary third-party audits ahead of accreditation.
*   Exostar PolicyPro – Evaluates existing policies (including gap analysis) and/or generates new ones in accordance with all policy requirements defined in CMMC 2.0 practices.
*   CMMC 2.0 Basic Assessment – Provides expert guidance from Exostar-vetted cybersecurity compliance specialist partners who use Exostar’s CMMC Ready Suite to address an SMB’s unique circumstances and accelerate the accreditation process.

“SMBs are the lifeblood of the DIB. While they must improve their cybersecurity capabilities to better protect CUI throughout the DoD supply chain, CMMC 2.0 represents a heavy lift for many of these companies,” said Tony Farinaro, Exostar’s Chief Revenue Officer. “We continue to enhance and expand our CMMC offerings to make it easier and more cost effective for SMBs to meet their obligations so they can stay in the DIB, win business, and keep innovating on behalf of the DoD.”

In addition to SMBs, enterprises also can subscribe to Exostar’s Managed Microsoft 365 for CMMC, as well as purchase the other applications and services in The Exostar Platform’s CMMC Ready Suite, today.

**About Exostar**

The Exostar Platform supports exclusive communities within highly regulated industries where organizations securely collaborate, share information, and operate compliantly. Within these communities, we build trust. More than 150,000 companies and agencies in 175 countries trust Exostar to strengthen security, reduce expenditures, raise productivity, and help them achieve their digital transformation initiatives. Nearly half of the Defense Industrial Base, including 98 of the top 100, transact business over The Exostar Platform. Eleven of the top twenty global biopharmaceutical companies rely on The Exostar Platform to help them speed new medicines and therapies to market. Exostar is a Gartner Cool Vendor. For more information, please visit www.exostar.com, and follow Exostar on LinkedIn and Twitter.

Exostar Empowers SMBs with Enhanced, Low-Cost, Easy-to-Use Microsoft 365 and CMMC 2.0 Solutions

Implemented protections on AWS credentials that were not properly protected.

**WDC Tracking Number:** WDC-22009  
**Published:** July 11, 2022

**Last Updated:** July 11, 2022

**Description**

My Cloud Home Firmware 8.7.0-107 is a major release containing updates to help improve the security of your My Cloud Home devices. Numerous changes were made to the operating system to comprehensively improve its security and to upgrade the user experience to support our latest technologies.

The base operating system has been upgraded from an Android based operating system to the Linux operating system to align with security and stability updates from Debian 10 “Buster”.

Additionally, the Linux kernel has been updated to 4.9.266.

Your My Cloud Home device will be automatically updated to reflect the latest firmware version.    

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud Home

8.7.0-107

July 8, 2022

My Cloud Home Duo

8.7.0-107

July 8, 2022

For more information on the latest security updates, see the release notes.

**Advisory Summary**

A vulnerability in the Linux kernel’s cgroup\_release\_agent\_write was addressed that could lead to escalation of privileges and bypass namespace isolation unexpectedly.  

Addressed an issue in OpenSSL that would make it possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing takes place before the certificate signature verification process, this could lead to a denial-of-service attack.

**CVE Number:** CVE-2022-0778  

Addressed a memory copy vulnerability in the Linux Wi-Fi driver.  

Addressed a command injection attack that could allow a malicious attacker on the same LAN to carry out a DNS spoofing attack via an unsecured HTTP call. This was done by removing the affected code from the product.

**CVE Number:** CVE-2022-22991, CVE-2022-22994

Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative  

A vulnerability was discovered within the parsing of extended attributes (EA) metadata when opening a file in smbd. This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes. This vulnerability was addressed by removing the "fruit" VFS module from the list of configured VFS objects and by changing EA support configurations.

**CVE Number:** CVE-2021-44142

Reported By: Nguyen Hoang Thach (@hi\_im\_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) working with Trend Micro’s Zero Day Initiative  

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.8-0+deb10u1.

**CVE Number:** CVE-2020-20445, CVE-2020-20446, CVE-2020-20453, CVE-2020-21041, CVE-2020-22015, CVE-2020-22016, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020, CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22025, CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029, CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22033, CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037, CVE-2020-22049, CVE-2020-22054, CVE-2020-35965, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291  

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.9-0+deb10u1.  

Implemented firmware signing to prevent malicious modifications to the firmware and verify the firmware’s authenticity and integrity.  

Transitioned to Go’s crypto/tls library for secure communications.  

Enabled several kernel hardening options to make exploits of kernel and userland security bugs more difficult to develop.  

Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices. Implemented protections on AWS credentials that were not properly protected..

**CVE Number:** CVE-2022-22997, CVE-2022-22998

Western Digital would like to thank Viettel Cyber Security for reporting this issue.  

Addressed multiple libtiff null pointer dereference vulnerabilities by updating the version to 4.4.0.

**CVE Number:** CVE-2022-0562, CVE-2022-0561, CVE-2022-0865  

Addressed an improper input validation and out-of-bounds write vulnerability in TensorFlow which is an open-source platform for machine learning. An attacker could pass negative values to cause a segmentation fault-based denial-of-service attack. Certain components also did not validate input arguments which could also trigger a denial-of-service attack.

**CVE Number:** CVE-2022-29191, CVE-2022-29213, CVE-2022-29208

CVE-2022-22998: WDC-22009 My Cloud Home Firmware Version 8.7.0-107 | Western Digital

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 1 and July 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for July 1 to July 8

Cybersecurity researchers are drawing attention to an ongoing wave of attacks linked to a threat cluster tracked as Raspberry Robin that's behind a Windows malware with worm-like capabilities. 
Describing it as a "persistent" and "spreading" threat, Cybereason said it observed a number of victims in Europe.
The infections involve a worm that propagates over removable USB devices containing

Cybersecurity researchers are drawing attention to an ongoing wave of attacks linked to a threat cluster tracked as Raspberry Robin that's behind a Windows malware with worm-like capabilities.

Describing it as a "persistent" and "spreading" threat, Cybereason said it observed a number of victims in Europe.

The infections involve a worm that propagates over removable USB devices containing malicious a .LNK file and leverages compromised QNAP network-attached storage (NAS) devices for command-and-control. It was first documented by researchers from Red Canary in May 2022.

Also codenamed QNAP worm by Sekoia, the malware leverages a legitimate Windows installer binary called "msiexec.exe" to download and execute a malicious shared library (DLL) from a compromised QNAP NAS appliance.

"To make it harder to detect, Raspberry Robin leverages process injections in three legitimate Windows system processes," Cybereason researcher Loïc Castel said in a technical write-up, adding it "communicates with the rest of \[the\] infrastructure through TOR exit nodes."

Persistence on the compromised machine is achieved by making Windows Registry modifications to load the malicious payload through the Windows binary "rundll32.exe" at the startup phase.

The campaign, which is believed to date back to September 2021, has remained something of a mystery so far, with no clues as to the threat actor's origin or its end goals.

The disclosure comes as QNAP said it's actively investigating a new wave of Checkmate ransomware infections targeting its devices, making it the latest in a series of attacks after AgeLocker, eCh0raix, and DeadBolt.

"Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords," the company noted in an advisory.

"Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE\_DECRYPTION\_README" in each folder."

As precautions, the Taiwanese company recommends customers to not expose SMB services to the internet, improve password strength, take regular backups, and update the QNAP operating system to the latest version.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warn of Raspberry Robin's Worm Targeting Windows Users

Dark Reading's digest of the other don't-miss stories of the week, including a new ransomware targeting QNAP gear, and a destructive attack against the College of the Desert that lingers on.

Cybercrime never sleeps — but editors do. To cap off this short Fourth of July week, Dark Reading's editors are collecting all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would be remiss to not cover.  

We're talking a critical Cisco vulnerability, a Microsoft alert on upgrades to the Hive ransomware, QNAP issues, and a pair of cyberattacks.

In this week's "in case you missed it" (ICYMI) digest, read on for more about the following:

*   **Critical Cisco Security Vulnerability Allows Root Access to OS**
*   **Hive Ransomware Gets a Rust-y Upgrade**
*   **QNAP Warns on "Checkmate" Ransomware Attacks**
*   **"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**
*   **California College Remains Offline After Ransomware Hit**

**Critical Cisco Security Vulnerability Allows Root Access to OS**

Cisco has rolled out patches for 10 security bugs, including a critical flaw that could allow cyberattackers to manipulate application source code, or configuration and critical system files.

The critical issue (CVE-2022-20812, CVSS severity score of 9.0) is a path-traversal vulnerability affecting the Cisco Expressway Series software and Cisco TelePresence VCS software, if they are in the default

"A vulnerability in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS could allow an authenticated, remote attacker with Administrator read-write privileges on the application to conduct absolute path traversal attacks on an affected device and overwrite files on the underlying operating system as a root user," according to the advisory, the latest since Cisco's last bug disclosure in May.

The vulnerability arises thanks to insufficient input validation of user-supplied command arguments, the networking giant noted.

"An attacker could exploit this vulnerability by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command."

**Hive Ransomware Gets a Rust-y Upgrade**

The ransomware-as-a-service (RaaS) offering known as Hive has overhauled its infrastructure, using the programming language Rust.

That's the buzz from Microsoft, whose security researchers noted that Hive is an exemplar of adapting to the rapid change found in the underground economy.

"With its latest variant carrying several major upgrades, Hive also proves it’s one of the fastest-evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," researchers said in a post this week. "The most notable changes include a full code migration to another programming language \[from GoLang to Rust\] and the use of a more complex encryption method."

Rust, a language also used by the BlackCat ransomware, allows advances in coding control, memory usage, resistance to reverse engineering, and access to a range cryptographic libraries, the researchers said.

As for the encryption, "the new Hive variant uses string encryption that can make it more evasive," according to the advisory. “The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.”

**QNAP Warns on "Checkmate" Ransomware Attacks**

QNAP, the network-attached storage (NAS) vendor, is flagging activity against its devices that results in the execution of the Checkmate ransomware.

The cyberattackers are specifically targeting SMB file-sharing services exposed to the Internet, using a dictionary attack to break accounts with weak passwords.

"Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name '!CHECKMATE\_DECRYPTION\_README' in each folder," according to QNAP's advisory this week. It added, "We are thoroughly investigating the case and will provide further information as soon as possible."

Customers of the Taiwan-based appliance maker have been suffering ongoing, relentless ransomware activity — which Dark Reading broke down earlier this week (along with potential defenses) in an extensive roundtable of experts.

To protect their businesses and avoid a ransomware checkmate, users should avoid exposing the SMB service to the internet and should employ strong passwords in any event.

**"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**

IT-supplier bigwig SHI International said this week that it was the target of "a coordinated and professional malware attack."

The New Jersey-based vendor, which has 5,000 employees and 15,000 customers around the world, said that it moved quickly to stop the infection and minimize the impact on SHI’s systems and operations. That meant that some systems, such as SHI’s public websites and email, were knocked offline "while the attack was investigated and the integrity of those systems was assessed."

The SHI staff regained access to email, but as of Thursday the main website was still not operational. The company said in a website notice that IT teams continue to work to bring other systems back online.

It's unclear what the cyberattackers' goal was, but some researchers noted that a supply chain compromise attempt is a real possibility.

“Apart from being a large enterprise, SHI is a major software and hardware provider to several Fortune 500 companies, and while there is no evidence regarding third-party suppliers getting breached or customer data getting exfiltrated, this is certainly too close for comfort for many of their customers," Rajiv Pimplaskar, CEO at Dispersive Holdings, said via email.

**California College Remains Offline After Ransomware Hit**

As the latest example of what happens when IT isn't prepared for a hit, the 12,500-student College of the Desert, a community college in Palm Desert, Calif., remains offline after suffering which researchers suspect was a ransomware attack.

The cyberattack brought down the school's online services and campus phone lines on July 4. As of late Thursday, the school's website still returned a notice that it "is currently experiencing a system-wide outage of most services," including the ability for students to request transcripts, add or drop classes, or register for classes.

"Educational institutions have continued to be a prime target for ransomware groups over the last couple of years," says Josh Rickard, senior security solutions architect at Swimlane, noting that this is the second time College of the Desert has been hit with a malware attack; the first incident took place in August 2020. "To prevent similar attacks in the future and ensure that operations continue to run smoothly, education institutions such as College of the Desert need to devote more resources to information security teams, tools, processes, and products."

Rickard suspects the incident was ransomware due to the severe operational disruption, but it should be noted that College of the Desert has not confirmed that, admitting only to a "computer network disruption."

ICYMI: Critical Cisco RCE Bug, Microsoft Breaks Down Hive, SHI Cyberattack

Authentication shortcomings leave sensitive data at risk

Authentication shortcomings leave sensitive data at risk

Fewer than half of small and medium-sized businesses are using multi-factor authentication (MFA) to secure critical data, according to new research.

The Cyber Readiness Institute's Global Small Business Multi-Factor Authentication (MFA) study found that most are still relying only on usernames and passwords to secure employee, customer, and partner data. Only 46% have implemented MFA, with just 13% requiring its use for most account or application access by employees.

Catch up on the latest authentication news

Meanwhile, of those that do use MFA, only 39% have a process for prioritizing critical hardware, software, and data, with 49% merely “encouraging the use of MFA when it is available”.

"Using a strong password is important, but complexity alone isn’t enough; adding a second layer of protection with multi-factor authentication is the best way to secure access to personal accounts," said Meg Anderson, vice president-chief information security officer at Principal Financial Group.

"MFA makes it more difficult for potential cybercriminals to gain access and steal company data – even if they have, or guess, your password."

**What’s the benefit?**

Lack of awareness appears to be the main reason for the low take-up of more advanced authentication options. Indeed, 55% of small and medium-sized businesses surveyed said they were “not very aware” of MFA and its security benefits, and only 40% have discussed it with their employees. Meanwhile, of those that haven't implemented MFA, 47% said they either didn’t understand it or didn’t see its value.

Karen Evans, managing director of CRI, told The Daily Swig: "Unfortunately, I’m not surprised. Some small businesses hear a term like ‘multi-factor authentication’ and think it doesn’t apply to them or they don’t need to worry about it."

Evans continued: "With good security practices and office cultures supporting proactive measures, we can assist the SMBs to reduce their risks, rather than simply convincing people it won’t be hard to implement and costly to utilize."

**Blockers**

Other barriers to the use of MFA cited in the study include a lack of funding for tools, implementation resources, and maintenance costs, as well as a lack of technical expertise.

These issues, though, shouldn't be barriers, according to Evans.

"Many of the products and services have two-factor and multi-factor capabilities already built in. It is assisting SMBs to understand how to take advantage of the capabilities they have already purchased," she said.

"There are also changes coming in the future as it relates to going passwordless in operating systems allowing security to be built in up front, making the services more affordable for their customers."

RELATED Cloudflare CTO John Graham-Cumming envisages a frictionless future for website Turing tests

SMEs slow to adopt MFA – study

Avaya, a communications company for SMBs, was left in the dark for years as insiders stole and sold its license keys.
The post Insider Threat: Employees indicted for stealing $88 million of license keys appeared first on Malwarebytes Labs.

Two insiders and an accomplice were indicted on Tuesday for multiple counts of fraud. According to documents unsealed by the Wester District of Oaklahoma, a grand jury charged Raymond Bradley Pearce (aka Brad Pearce), a former employee of Avaya; Dusti O. Pearce, his wife; and Jason M. Hines (aka Joe Brown, aka Chad Johnson, aka Justin Albaum), a former Avaya authorized reseller, with conspiracy to commit wire fraud and 13 counts of wire fraud. The court also charged the Pearces with one count of conspiracy to commit money laundering, and money laundering.

Avaya is a business-to-business (B2B) communications company catering to small- and medium-sized businesses. It sold a product called IP Office, a kind of telephone system, that depended on software licenses to fully use its features, such as voicemail or more telephones.

These licenses were generated within Avaya and sold via authorized distributors and resellers. Avaya required each software license to be linked to a physical flash memory card with a unique serial number. This card had to be plugged into a computer to activate the license.

Avaya introduced Avaya Cloud Office in 2020 and replaced IP Office. However, many businesses worldwide continue to use the latter through license renewals.

Per the indictment, Brad Pearce, a former Avaya customer service employee, abused his administrator privileges to create software license keys and sell them to Jason Hines, a de-authorized reseller, and other customers. They then sold the keys to other resellers and end-users globally.

Pearce also hijacked accounts of former Avaya employees to generate more license keys and draw suspicion away from him. He also used his privileges to conceal evidence that such accounts were generating keys, leaving Avaya in the dark for years.

Dani Pearce allegedly took the accountant and financial manager role in their illegal business operation.

Hines, who operated Direct Business Services International (DBSI), presumably sold the licenses at a much lower price than Avaya’s standard wholesale price. This caused an estimated $88 million in financial damage to Avaya.

All money the Pearces received went to multiple PayPal accounts, bounced to different bank accounts, and then routed to investment accounts. The document further revealed the couple invested in valuable items and large quantities of gold bullion.

According to the fourth installment of the annual insider threats report released by Proofpoint and the Ponemon Institute, insider threat incidents have increased in frequency and cost. Of the more than 6,000 incidents they looked into, 26 percent of them are criminal insiders, the category Pearce and Hines might belong to.

The report, if anything, paints a harrowing picture of the increased risk of insider threats. And non-enterprise organizations aren’t immune to it. More than ever, it is essential for companies of all sizes to take action to reduce this risk.

**Combatting insider threats**

Every organization should acquaint itself with the differet types of insider threats they might have to deal with. Controlling insider threats includes (but is not limited to):

*   Identifying risks that may be unique to your industry.
*   Assigning access rights according to the principle of least privilege.
*   Propper logging and auditing of user activity.

Lastly, organizations should also refer to the common sense guide to mitigating insider threats. A thorough but non-exhaustive list of insider threat references on the same site.

Stay safe!

Tag

#samba