You searched for linux - My TechDecisions
https://mytechdecisions.com/
The end user’s first and last stop for making technology decisions
Wed, 24 May 2023 18:16:25 +0000

Red Hat Summit 2023 Releases: AI, Automation, IT Management, Security
https://mytechdecisions.com/it-infrastructure/red-hat-summit-2023-releases-ai-automation-it-management-security/
Wed, 24 May 2023 18:16:25 +0000

Red Hat is holding its annual Red Hat Summit event this week and judging by the enterprise open source software giant’s product announcements, the company is keying in on AI, automation, security and productivity enhancements.

Like other tech giants, the company used its event to make important announcements in generative AI to help accelerate its enterprise adoption with Red Hat OpenShift AI, as well as several new capabilities in its automation platform Ansible.

The company is also focusing on simplifying management for Red Hat Enterprise Linux and securing the software supply chain.

Let’s look at the more notable announcements the Raleigh, North Carolina-based tech firm made at its Red Hat Summit event in Boston, Mass.:

Red Hat OpenShift AI and Generative AI

According to Red Hat, the company is building and expanding upon the capabilities of OpenShift and OpenShift Data Science with OpenShift AI to give IT operations leaders, data scientists and developers a unified solution to train, serve, monitor and manage the lifecycle of artificial intelligence (AI) and machine learning (ML) models and applications.

The company says Red Hat OpenShift AI underpins the generative AI services of IBM watsonx.ai, IBM’s new AI platform designed to scale intelligent applications and services across all aspects of the enterprise.

Red Hat says OpenShift AI addresses a few key issues: the infrastructure-intensive training of AI models and the need for specialized platforms and tools before a model can be served, tuned and managed. OpenShift AI provides infrastructure consistency across training, deployment and inference, the company says.

OpenShift AI provides a standardized foundation for creating production AI/ML models, as well as running the resulting applications, along with the ease-of-use and cloud-to-edge deployment options of OpenShift, the company says.

OpenShift AI provides several technology partner offerings, including Anaconda, IBM Watson Studio, Intel OpenVINO and AI Analytics Toolkit, NVIDIA AI Enterprise and Starburst, as well as 30 additional certified partners as part of the OpenShift ecosystem.

Customers with regulatory and compliance requirements, including air-gapped and disconnected environments, can use OpenShift AI on-premises, while customers can also develop models in the public cloud and deploy them on-premises or at the edge, the company says. This provides a unique hybrid MLOps environment that enables collaboration between IT, data science and application developers, the company says.

According to Red Hat, new enhancements to OpenShift AI include deployment pipelines for AI/ML experiment tracking and automated ML workflows, model serving with GPU support for inference and custom model serving runtimes, and model monitoring to help organizations manage performance.

Ansible Lightspeed with IBM Watson Code Assistant

OpenShift AI, Red Hat says, is the base of IBM’s new AI enhancements including IBM Watson Code Assistant, to deliver domain-specific AI to IT organizations and developer teams.

This is done by bringing IBM Watson Code Assistant to Ansible, giving users the ability to write Ansible Playbooks with AI-generated recommendations. This new service is designed to help drive consistent and accurate automation adoption across an organization, the company says.

According to Red Hat, Ansible Lightspeed is the next phase of its Project Wisdom initiative, making it available to users, contributors, customers and Red Hat’s partner ecosystem. The service integrates with Watson Code Assistant, which will be available later this year. This allows access to IBM foundational models to quickly build automation code.

Event-Driven Ansible

Sticking with the IT automation theme, Red Hat also announced Event-Driven Ansible, a scalable solution designed to expand how organizations activate automation as a reliable strategy across the hybrid cloud.

The solution, slated for availability in June, is for Red Hat Ansible Automation Platform 2.4 customers and is designed to connect infrastructure and application observability tools with enterprise-grade Ansible automation, helping IT teams pre-determine and define rules that initiate automated responses to situations like unresponsive system processes or unauthorized access requests.

When an event is triggered, the solution automatically executes the desired action via Ansible Playbooks or direct execution modules, with the ability to chain multiple events together into more complex automation actions, Red Hat says.

Event-Driven Ansible integrates with event sources from third-party monitoring, observability and IT tools, including Cisco ThousandEyes, CyberArk, Dynatrace, F5, IBM Instana, IBM Turbonomic and Palo Alto Networks, with additional partner integrations to follow.

Supplementary Red Hat-developed content is available for Red Hat OpenShift, Red Hat Insights, AWS, Microsoft Azure, Google Cloud Platform and ServiceNow, the company says.

Red Hat Enterprise Linux management

To help organizations better manage Red Hat Enterprise Linux, Red Hat is launching new capabilities in Red Hat Insights to give IT teams more insight and management tools to find and resolve IT issues much faster across the hybrid cloud. The tools are available through any browser via console.redhat.com and are designed to unify the management of Red Hat Enterprise Linux deployments in a single user interface, the company says.

According to Red Hat, these expanded capabilities build on the information provided by existing Red Hat Insights’ predictive analytics, which can detect potential bugs, misconfigurations or security vulnerabilities using Red Hat’s expertise in running Linux platforms in critical production environments.

The enhancements allow IT administrators to fix bugs without needing Red Hat Satellite Server and act on server groups simultaneously using patch templates, as well as build standardized operating system images that comply with organization-specific requirements.

Red Hat Advanced Cluster Security Cloud Service

According to the company, Red Hat Advanced Cluster Security Cloud Service is a new service that brings together Kubernetes-native security capabilities with a fully Red Hat-managed offering to help organizations take a security-forward approach to building, deploying and maintaining cloud-native applications regardless of the underlying Kubernetes platform.

The managed service supports both Red Hat OpenShift on private and public clouds and non-Red Hat Kubernetes services across major cloud providers, including Amazon EKS, Google GKE and Microsoft AKS, bringing security coverage to containerized applications regardless of where they are deployed.

Organizations can scale security capabilities across multiple clusters, whether on-prem or in the cloud while lowering operational costs by reducing the learning curve for implementing Kubernetes-native security without sacrificing necessary capabilities or enforcement, the company says.

Red Hat Trusted Software Supply Chain

Red Hat announced its Trusted Software Supply Chain solution, designed to protect against software supply chain vulnerabilities. The company says two new cloud services, Red Hat Trusted Application Pipeline and Red Hat Trusted Content, are joining, in preview, the existing Red Hat software and cloud services, including Quay and Advanced Cluster Security (ACS), to advance the adoption of DevSecOps practices and embed security into the software development lifecycle.

Essentially, Red Hat Trusted Software Supply Chain allows customers to more efficiently code, build and monitor software using proven platforms, trusted content and real-time security scanning and remediation.

The solution allows customers to import Git repositories and configure container-native continuous build, test and deployment pipelines via a cloud service; inspect source code and transitive dependencies; auto-generate software bills of materials (SBOMs); and verify and promote container images via a release-criteria policy.

Visit the Red Hat Summit newsroom to learn more about these announcements and others.

Zerto Launches Zerto 10 for Enhanced Disaster Recovery, Ransomware Mitigation
https://mytechdecisions.com/it-infrastructure/zerto-10-disaster-recovery-ransomware-mitigation/
Thu, 18 May 2023 16:55:58 +0000

Disaster recovery and ransomware resilience firm Zerto is launching Zerto 10 for Microsoft Azure, a new disaster recovery solution designed to enhance disaster recovery and mobility for complete infrastructure flexibility. The company also unveiled new real-time encryption and detection features and a new air-gapped recovery vault to help mitigate a ransomware attack.

According to the company, Zerto 10 offers a new replication architecture for scale-out efficiency and native protection of Azure Virtual Machines. In addition, it provides new support for multi-disk consistency for VMs in Microsoft Azure to help protect data both to and from Azure as well as across Azure regions within the cloud, the company says.

The company says Zerto 10 coordinates replication across all the virtual disks associated with a virtual machine in Azure to maintain data consistency for failover and recovery. The new cloud-based architecture is designed to enable easier scale out to “thousands of VMs,” reduce management complexity and enable data movers to scale out or back based on I/O levels between production and disaster recovery to, from or within Azure.

Specifically, Zerto 10 includes a new tool for ransomware resilience and real-time detection of encryption, which monitors and reports on encryption as data streams in and can detect anomalous activity “within minutes” to alert users to suspicious activity.

According to the company, a new Zerto Cyber Resilience Vault is an air-gapped recovery vault designed to bring another layer of security with a real-time early warning system built on three pillars: replicate and detect, isolate and lock, and test and recover.

According to Zerto, combined with the vault’s zero-trust architecture, the pillars enable rapid air-gapped recovery in a highly secure environment, allowing enterprises to architect and customize a recovery vault to help mitigate ransomware attacks.

Zerto 10 also offers the new Linux-based Zerto Virtual Manager Appliance, a tool that replaces the legacy Windows-based Virtual Manager and is designed to be easier to deploy, secure and maintain as part of regular Zerto product updates. Customers upgrading from legacy ZVMs will have their existing settings migrated to the new appliance, the company says.

Zerto for Microsoft Azure will be available in the Azure Marketplace in July.

CrowdStrike: VMware ESXi in the RaaS Crosshairs
https://mytechdecisions.com/network-security/crowdstrike-vmware-esxi-raas-crosshairs/
Mon, 15 May 2023 17:47:53 +0000

Cyberattacks are continuing to target VMware ESXi vSphere hypervisors, with cybersecurity firm CrowdStrike reporting today that ransomware-as-a-service (RaaS) platforms are increasingly being leveraged to deploy Linux versions of ransomware tools.

According to the cybersecurity giant, these tools are specifically designed to affect VMware’s ESXi vSphere hypervisor. The company’s research into these kinds of attacks dates back to February 2021, when CrowdStrike began what is now a three-part blog series looking into this trend, which it says is continuing so far in 2023.

The company says RaaS platforms such as Alphv, Lockbit and Defray are being leveraged in attacks against ESXi, which CrowdStrike says does not support third-party agents or antivirus software.

“This, combined with the popularity of ESXi as a widespread and popular virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries,” write CrowdStrike researchers in a new blog.

These attacks on ESXi servers have even led to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issuing several warnings and releasing in February a recovery guide and script designed to help organizations recover from the ESXiArgs ransomware attacks.

CrowdStrike cites several vulnerabilities that have been exploited in the wild in the last few years, including:

  • CVE-2020-3992 – an ESXi OpenSLP remote code execution vulnerability resulting from a use-after-free issue.
  • CVE-2021-21974 – an ESXi OpenSLP heap-overflow vulnerability that could result in remote code execution.
  • CVE-2019-5544 – an ESXi OpenSLP heap overwrite vulnerability.
  • CVE-2021-44228 (Log4Shell) – a remote code execution vulnerability in Log4j that has been used to compromise VMware Horizon instances.
  • CVE-2016-7463, CVE-2017-4940 and CVE-2020-3955 – cross-site scripting vulnerabilities used for privilege escalation.
  • CVE-2021-22043 – a privilege escalation vulnerability.

New threats against VMware ESXi security

Due to VMware’s prominence in IT infrastructure, ESXi servers remain an attractive target, with an increasing number of threat actors leveraging these vulnerabilities in their attacks. Just recently, CrowdStrike identified a new RaaS program that provides affiliates with ransomware binaries targeting Windows and ESXi/Linux systems, researchers write.

In addition, CrowdStrike and other researchers have identified many other new hacking groups and attack methods targeting ESXi over the past few years, as targeting virtual infrastructure gives attackers many advantages, including multiplying the impact of a single compromise or subverting detection and prevention mechanisms, since the targeted components are often not sufficiently protected by security solutions.

“Because VMware products have been subject to critical vulnerabilities in the past, adversaries will likely continue to target any potential weaknesses, as successful compromises typically provide access to high-value resources,” CrowdStrike researchers write.

CrowdStrike says organizations should be aware of two main attack vectors when it comes to VMware ESXi servers: credential theft and virtual machine access.

Researchers call credential theft the “most straightforward attack vector against an ESXi hypervisor.” Following credential theft, an adversary can simply authenticate against the server to advance the attack based on their goal. With sufficient privileges to enable and access the SSH console, attackers can execute arbitrary code directly, even on the most recent ESXi versions.

If a VM can be accessed directly, CrowdStrike says, poor segregation from the rest of the internal network can lead to the VM facilitating lateral movement, which gives attackers more flexibility to choose a vulnerable system. A properly segregated VM, however, will require an attacker to directly target the ESXi hypervisor to run code at the hypervisor level and perform a VM escape exploit. However, this is a complicated process and most adversaries don’t have the capabilities to do so, researchers say.

How to secure VMware ESXi

To protect VMware hypervisors, CrowdStrike urges organizations to:

  • Avoid direct access to ESXi hosts. It is recommended to use the vSphere Client to administer ESXi hosts managed by a vCenter Server. Direct access to managed hosts using the VMware Host Client or changing hosts from the Direct Console User Interface (DCUI) should be avoided.
  • Use a hardened jump server with multifactor authentication (MFA). If direct access to an ESXi host is necessary, it should be limited to a jump server with MFA enabled. The jump server should be dedicated to administrative or privileged purposes, have full auditing capabilities, and restrict SSH, Web UI, and API access to ESXi or vCenter only from the jump server. SSH access should be disabled, and any attempt to enable it should trigger alerts and be investigated urgently.
  • Not expose vCenter to the internet over SSH or HTTP. Adversaries have been observed gaining access to vCenter by exploiting vulnerabilities or using valid accounts. To mitigate this risk, vCenter services should not be exposed to the internet.
  • Regularly back up ESXi datastore volumes. It is essential to back up virtual machine disk images and snapshots stored in ESXi datastores on a daily basis, or more frequently if possible. Backups should be stored offsite to enable system restoration during a ransomware event, while ensuring the backups themselves are not compromised.
  • Consider physical disconnection of storage or power to ESXi host during encryption. In situations where encryption is suspected or known to be in progress and access to kill malicious processes is not possible, physically disconnecting the storage from the ESXi host or cutting power to the host can be an option. This can prevent ransomware from continuing to encrypt virtual machine disk files (VMDKs). Shutting down guest VMs will not help as the encryption occurs on the hypervisor itself. However, it’s important to note that physical disconnection may cause potential issues or data loss if data has not been written to backend storage.

Read VMware’s ESXi security recommendations to learn more.

Google Launches New Cybersecurity Certificate Program
https://mytechdecisions.com/network-security/google-launches-new-cybersecurity-certificate-program/
Thu, 04 May 2023 20:48:02 +0000

In a bid to help expand the cybersecurity workforce and fill the skills gap, Google is launching a new Cybersecurity Certificate as an addition to the Google Career Certificate program, which is designed to help job seekers transition to the technology industry.

According to Google, the Cybersecurity Certificate is designed and taught by the company’s cybersecurity experts and aims to prepare learners for entry-level cybersecurity jobs in less than six months.

No cybersecurity experience is required, as the company’s goal is to fill the growing number of open cybersecurity jobs and help people make the transition to cybersecurity from other fields.

By some metrics, the U.S. alone is short about 700,000 cybersecurity professionals, which is alarming given that the frequency and sophistication of cyberattacks continues to increase.

Google’s Cybersecurity Certificate program

According to Google, the cybersecurity program builds on the company’s existing Career Certificates in other technology fields, such as data analytics, digital marketing and e-commerce, IT support, project management and user experience design.

The program will teach learners how to identify common risks, threats and vulnerabilities, as well as the techniques and tools used to mitigate them. Learners will get hands-on experience with industry-standard tools, such as Python, Linux and an array of security tools like security information and event management (SIEM) platforms.

Google’s Cybersecurity Certificate program will also help prepare job seekers for the CompTIA Security+ exam, which the company calls “the industry-leading certification for cybersecurity roles.” Learners will earn a dual credential upon completing both, the company says.

Partnerships with leading companies, universities

Google’s nonprofit grantees that help promote diversity in tech will also offer the Cybersecurity Certificate and provide learners with additional support such as coaching, interview prep and job placement assistance.

In order to validate the effectiveness of its certification program, Google in 2018 launched the Google Career Certificates Employer Consortium that includes more than 150 employers, such as American Express, Mandiant, T-Mobile, Walmart, and Google itself. The company leaned on the consortium to beta test the content in the Cybersecurity Certificate program.

Education institutions such as Purdue University, the University of Texas System, Syracuse University and Northern Virginia Community College will offer the Cybersecurity Certificate to their students.

Employers that would like to hire the company’s Certificate graduates or use the Certificate for reskilling their employees can join Google’s employer consortium.

VMware Launches New Solutions for Multi-Cloud Security
https://mytechdecisions.com/it-infrastructure/vmware-multi-cloud-security-solutions/
Mon, 24 Apr 2023 21:25:31 +0000

VMware is launching new security capabilities to help bring strong lateral security across multi-cloud environments to give organizations more visibility into threats, including new IT phishing protections and IT management features in Workspace ONE, new features for Carbon Black, an enhanced firewall service, and more.

DPU-based Acceleration

Highlighting the company’s announcement on the first day of the RSA Conference are features to help strengthen lateral security for multi-cloud environments, including DPU-based acceleration using SmartNICs. According to the company, this allows customers to run NSX networking and security services on DPUs, providing accelerated NSX networking and security performance for applications that need high throughput, low latency and security.

According to VMware, DPU-based acceleration was previously only available as a tech preview but is now generally available with VMware NSX 4.1. Included are new enhancements to VMware NSX Advanced Load Balancer to help organizations deploy application security faster and at scale across all apps and hybrid multi-clouds. The solution also provides a single elastic load balancing solution done entirely in software, as well as a new VMware NSX Advanced Load Balancer Pulse service that now includes a live threat intelligence feed, a central dashboard and the ability to build custom dashboards with API support.

New Workspace ONE Security features for phishing protection, secure access, patch management

The Palo Alto, Calif.-based IT giant also announced new features in unified endpoint management solution Workspace ONE designed to secure hybrid workforces. These new features include phishing and content protection, secure access and patch management capabilities.

Phishing and content protection capabilities will be integrated into the platform via Mobile Threat Defense, which provides phishing protections across email, SMS, general web content and messaging and social apps. Protections are applied to all traffic, both external and internal, via an integration with Workspace ONE Tunnel, the company says.

In addition, VMware Workspace ONE Tunnel will enable secure access without device management on all major operating systems, including iOS, Linux, Android, macOS and Windows. This enables zero trust protection on unmanaged devices by leveraging Tunnel to limit access to specific applications. Organizations can also layer on additional authentication leveraging MFA with SAML 2.0 and gain insights via Workspace ONE Intelligence.

VMware is also expanding the cloud-native patch management capabilities of Workspace ONE, with new features including an updated data-driven user interface that dynamically updates patch management controls independent of console releases, and new device query and sampling capabilities via Intelligent Hub that facilitate direct data collection and evaluation to inform update plans.

VMware Carbon Black Workload and Cloud Configuration

The company is also introducing VMware Carbon Black Workload and Cloud Configuration to help address the issue of rapid cloud migrations and keeping those environments secure.

According to VMware, VMware Carbon Black Workload and Cloud Configuration delivers security designed for cloud-native architecture and enables customers to view security as a continuous process across a workload’s lifecycle.

The solution combines VMware Carbon Black Workload and VMware Aria Automation for Secure Clouds and leverages VMware Contexa to analyze threats and provide better visibility on workload posture, compliance, automated workflows and reduced complexity.

A new feature in VMware Carbon Black Workload provides an enhanced way for organizations to evaluate CIS compliance and understand hardening status of the compute infrastructure in workload environments from the VMware Carbon Black Cloud console, the company says.

In addition, VMware is introducing a Sensor Gateway for Linux in VMware Carbon Black Workload that enables VMware Carbon Black Cloud for air-gapped systems. This directs all communication to and from VMware Carbon Black Cloud through the Sensor Gateway, an additional control that helps organizations keep workloads secure while insulating them from internet traffic while helping them pass compliance audits.

VMware Secure App IX

Also new is VMware Secure App IX, a new offering designed to help organizations achieve governance and compliance by more securely connecting applications in multi-cloud environments. This is aimed at helping application teams and lines of business accelerate digital innovation initiatives by providing capabilities to standardize and enforce consistent secure application connectivity policies.

With real-time visibility and insights, this new offering helps protect application end users, apps/APIs and sensitive data in transit, according to VMware.

Enhanced Edge Firewall

VMware is also releasing its Enhanced Firewall Service offering, which the company says brings NSX Security capabilities to existing SD-WAN physical and virtual appliances. Like other VMware SASE services, this too will be integrated into the VMware SASE Orchestrator for simplified operations.

This also allows customers to eliminate legacy firewalls at the branch and benefit from simplified networking and security operations while leveraging VMware’s investments in threat intelligence, the company says.

Fleet Launches Open-Source, Cross-Platform MDM Solution
https://mytechdecisions.com/it-infrastructure/fleet-launches-open-source-cross-platform-mdm-solution/
Thu, 13 Apr 2023 19:30:01 +0000

FleetDM, a provider of open-source mobile device management solutions, is launching a new cross-platform programmable device management solution designed to give medium-to-large organizations control of remote workstation security with GitOps and workflow automation.

The San Francisco-based company bills the mobile device management (MDM) solution as more accessible and cost-effective, but also scalable and customizable for the specific needs of an organization without having to pay additional fees.

According to FleetDM, the MDM solution has out-of-the-box support for macOS, Windows, Linux and ChromeOS, and it can be configured to share data across teams and can be integrated with third-party platforms and DevOps processes via a REST API. That allows IT engineers and admins to run queries, access data and customize application development and delivery processes.

In addition, FleetDM’s new solution provides bidirectional transparency so end users have visibility into what is being monitored to help establish employee trust.

The company says the GitOps-driven consensus model enables close collaboration among security, developer and operations teams while ensuring a secure rollout of dedicated write operations.

The Fleet MDM solution also features bring-your-own capabilities for scripting and packaging tools, enabling IT to keep using its regular tools to ensure organizational requirements are met.

Closed-loop feedback on deployments means IT never needs to worry about whether the configuration made it to the machine, the company says.

According to FleetDM, an intuitive dashboard features one-click visibility and control, enabling IT to manage devices from any location or platform. It enables automatic enrollment of new employees with Okta or any identity provider, IT management of software updates and patching with any software manager (Puppet, Munki, Chef, etc.), disk encryption (for macOS) using Apple FileVault, remote locks and wipes, and includes all of the CIS critical security controls for Mac and Windows.

The company also says the solution supports multiple user accounts and in-depth activity auditing so teams can share data across different departments without security risks or privacy concerns.

In a statement, FleetDM co-founder and CTO Zach Wasserman says Fleet is built for programmatic automation, and automating audit logs with third-party platforms like Splunk becomes easier with Fleet.

“In addition, other platforms let you push updates to computers and turn on disk encryption, but if you want to see whether it actually worked you can’t – there’s no feedback mechanism for that and no way to see what’s actually happening,” Wasserman says. “With Fleet, you can say, ‘Turn on FileVault,’ and then run a query that says ‘how many computers have FileVault turned on?’ and you’ll see that it was 100% successful.”

According to the company, Fleet is based on the open source project osquery, co-developed in 2014 by Wasserman, then working at Meta. Wasserman co-founded Kolide in 2016 and created Fleet, an open source platform that made it easier for enterprises to use osquery. The Fleet community took over maintenance of the open source project in 2019, with Wasserman serving as lead maintainer. Wasserman partnered with FleetDM CEO Mike McNeil in 2020, announcing the transition to a stand-alone entity in November of that year.

In a statement, McNeil says Fleet is built for results and gives both security and IT teams the tools and features they need.

“We empathize with the leaders we speak to every day who are stuck having to choose between out-of-the-box legacy MDMs or building their own on top of a hodgepodge of unsupported open-source libraries,” McNeil says. “We built Fleet to bridge this chasm. We first built a battle-tested open-source platform that security teams trust, and then layered on top of it the configuration and APIs that IT teams want to see. We see the future of IT being unlocked by a DevOps mindset, and we aim to be at the forefront of that revolution.”

The post Fleet Launches Open-Source, Cross-Platform MDM Solution appeared first on My TechDecisions.

Is Your Organization Testing Against the Right Cyber Threats?
https://mytechdecisions.com/network-security/testing-against-cyber-threats/
Wed, 12 Apr 2023 17:06:20 +0000

Ransomware, supply chain attacks and nation-state threat actors have grabbed mainstream headlines in recent years, and organizations are largely recognizing that they must invest more in cybersecurity to defend against those emerging techniques.

However, new research shows that some organizations are prioritizing defending against those trending, newsworthy threats at the expense of the threats actually facing their organization.

According to Mike DeNapoli, director of cybersecurity architecture at security posture management platform Cymulate, organizations are focusing on those headline-grabbing threats too often.

While staying current on new and emerging attack techniques is essential for any IT and security professional, organizations are doing so at the expense of the threats they are more likely to encounter on a daily basis, DeNapoli says.

Citing the company’s “2022 Cybersecurity Effectiveness Report,” DeNapoli says 40% of the exploits vulnerability managers are discovering are over two years old. New attacker tools and techniques such as AI-assisted polymorphic ransomware attacks should of course garner attention, but not at the expense of proven attack vectors.

“(Polymorphic ransomware) is not something we should be ignoring in any way, but at the same time, ProxyShell and ProxyNotShell vulnerabilities are still visible on Exchange Server,” DeNapoli says. “Attackers…are going to go for the low-hanging fruit when it’s available.”

What organizations are testing for vs. what is actually being exploited

According to Cymulate’s research, 40% of the top CVEs most often identified by vulnerability management platforms were over two years old, and a significant number of organizations are not testing against more widely recognized threats such as those Exchange Server vulnerabilities and malware such as Emotet.

Other known vulnerabilities in organizations’ environments include poorly configured identity and access management and privileged access management, as well as reliance on legacy infrastructure.

However, the top 10 immediate threats simulated last year share many characteristics, including being carried out by known threat actors; using phishing, watering hole and supply chain attacks; using known attack tools; having a clear motive; and being highly sophisticated and evasive.

Another top characteristic is that they were all abundantly reported on in specialized and mainstream press.

According to Cymulate, the top 10 most tested threats include:

  • Manjusaka: a cyber-attack framework of Chinese origin, likely created for criminal use; it includes Windows and Linux implants and a ready-made command and control server.
  • Powerless Backdoor: a cyber threat popular among Iranian hackers, designed to avoid detection by PowerShell; it can download a browser info stealer and keylogger, encrypt and decrypt data, execute arbitrary commands, and kill processes.
  • APT 41 targeting U.S. State Governments: a Chinese state-sponsored hacking group that has been targeting US state governments using various tools and techniques such as Acunetix, Nmap, and SQLmap, and attack methods like phishing, watering hole attacks, and supply-chain attacks.
  • Lazarus Phishing Attack on DoD Industry: a phishing campaign carried out by the North Korean hacking group Lazarus, targeting job applicants in the US defense sector with malicious documents containing macros.
  • Industroyer 2: An APT-style malware that specifically targets industrial control systems (ICS) and critical infrastructure, and a spinoff of the 2016 attack on Ukraine’s power grid.
  • Spring4Shell: Exploiting the Spring Framework vulnerability (CVE-2022-22965), it allows for remote code execution without authentication.
  • Follina Office Attack: Weaponizing Microsoft vulnerability (CVE-2022-30190), it allows for remote code execution without authentication.
  • Ransomexx: A ransomware-as-a-service (RaaS) model, financially motivated and believed to be related to the Sprite Spider ransomware group based in Russia.
  • Quantum Ransomware: One of the fastest cases of time-to-ransom ever observed with initial access to domain-wide ransomware in just 3 hours and 44 minutes. The initial access vector for this attack was an IcedID payload delivered via email.
  • Mikubot: A new variant of bot malware that is being offered for sale in threat actor forums, written in C++ and works on Windows operating systems from Vista to Windows 11. The malware is standalone and is being sold for $1300 for 1.5 months of access or $2200 for a three-month subscription.

However, the company’s list of vulnerabilities most often detected by vulnerability management tools includes bugs that keep making appearances in threat research, such as Exchange Server vulnerabilities, PrintNightmare, and others.

  • CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability. Used in Follina attacks.
  • CVE-2021-34527 – A remote code execution (RCE) vulnerability that allows threat actors to remotely inject DLLs. Used in conjunction with CVE-2021-1675 in PrintNightmare attacks.
  • CVE-2013-3900 – A WinVerifyTrust signature validation vulnerability that allows remote attackers to execute arbitrary code via specially crafted portable executables by appending the malicious code snippet while still maintaining the validity of the file signature.
  • CVE-2022-2190 – Microsoft HTTP protocol stack remote code execution vulnerability
  • CVE-2021-1675 – Allows an attacker with low access privileges to use a malicious DLL file to escalate privilege. Used in conjunction with CVE-2021-34527 in PrintNightmare Attacks.
  • CVE-2021-31956 – Windows NTFS Elevation of Privilege Vulnerability
  • CVE-2018-0798 – A Microsoft Office memory corruption vulnerability that allows remote code execution due to the way objects are handled in memory.
  • CVE-2018-0802 – A Microsoft Office memory corruption vulnerability that allows remote code execution due to the way objects are handled in memory.
  • CVE-2017-11882 – A Microsoft Office memory corruption vulnerability that allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory.
  • CVE-2022-3786 – A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the “.” character (decimal 46) on the stack and cause a denial of service.

Assess your environment first

When IT and security professionals see these new attacks making headlines, they should first assess whether they have the vulnerable assets in their environment, and if they would be a target of the threat actor, if one was identified.

According to DeNapoli, that means getting a handle on shadow IT and cloud sprawl, which is admittedly difficult to do.

“But, it’s necessary, because if there is something like a Log4J, you don’t know what is running within the environment and it becomes incredibly difficult to determine if you could be attacked by that type of technique,” DeNapoli says. “Having those sort of catalogs or inventories of what’s there and what could be a target is going to help a lot.”

However, organizations should not be ignoring the things that came before, as threat actors have proven that leveraging old vulnerabilities–some of which are more than a decade old–is still successful.

The U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog is a prime example of this issue, as 481 of the 914 vulnerabilities on the list are from before 2020.

“Nation-state actors are using this backlog to successfully attack organizations,” DeNapoli says. “Always compare what’s coming out in the news to what you’ve got running to determine if this is something you should deal with immediately, or if it can be put on the back burner in favor of something much more likely to happen.”

The post Is Your Organization Testing Against the Right Cyber Threats? appeared first on My TechDecisions.

Microsoft Now Supports Arm Versions of Windows 11 on Apple M1 and M2 Macs
https://mytechdecisions.com/it-infrastructure/windows-11-arm-mac/
Fri, 17 Feb 2023 15:07:14 +0000

Microsoft is now supporting the use of Arm versions of Windows 11 Pro and Enterprise on Apple’s M1 and M2 Mac computers, allowing the Redmond, Wash.-based IT giant’s newest operating system to run in a virtual environment on Macs.

This is made possible by a partnership with global technology company Alludo and its virtualization solution Parallels Desktop for Mac. Parallels Desktop for Mac customers can now run Arm versions of Windows 11 Pro and Enterprise in a virtual machine on Macs with Apple silicon.

According to Alludo, this allows IT administrators to enable their users to run Windows 11 on Arm on the Parallels platform, with support from Alludo and the assurance that Microsoft has authorized the solution.

In a Microsoft support document, the company calls Parallels Desktop version 18 an authorized solution for running Arm versions of Windows 11 Pro and Enterprise in a virtual environment on its platform on Apple M1 and M2 computers.

In addition, users can securely stream their full Windows 11 experience to many devices via Microsoft’s Windows 365 Cloud PC service.

According to Alludo, the latest version of Parallels Desktop for Mac is optimized for the latest Mac lineup with Apple silicon, including MacBook Air, MacBook Pro, iMac, Mac mini, and Mac Studio.

Parallels Desktop users can download, install and configure Windows 11 in just one click, while the virtual TPM chip paired with the strong security capabilities designed into Apple silicon and Secure Boot provide a high level of security for customers, the company says.

In its own blog, VMware says the company is finally able to move “full-speed ahead in offering world-class support for Windows on Mac computers with Apple silicon with VMware Fusion via a new partner program.”

“Going forward we’ll be able to get insight and development guidance directly from Microsoft to help us leapfrog the competition and deliver the type of Windows-on-Mac experience that our users would expect from the worlds leader in virtualization,” VMware says in the blog.

However, Microsoft says there are some limitations that can impact the use of hardware, games and apps, such as those relying on DirectX 12 or OpenGL3.3 or greater, per Microsoft’s document.

The Arm version of Windows 11 has limitations that can impact your ability to use various types of hardware, games, and apps, including those that rely on DirectX 12 or OpenGL3.3 or greater.

Experiences that depend on an additional layer of virtualization (nested virtualization) are not supported, including:

DirectX 12, a suite of multimedia technologies frequently used in Windows games and other apps, is not supported.

32-bit Arm apps available from the Store in Windows are not supported by Mac computers with M1 and M2 chips. 32-bit Arm apps are in the process of being deprecated for all Arm versions of Windows. The preferred customer experience is to run 64-bit Arm apps, but customers can also use apps in x64 or x86 emulation on Mac M1 and M2 computers.

The post Microsoft Now Supports Arm Versions of Windows 11 on Apple M1 and M2 Macs appeared first on My TechDecisions.

Critical VMware Vulnerability From 2021 Leveraged in Mass Ransomware Campaign
https://mytechdecisions.com/network-security/vmware-ransomware-esxi/
Tue, 07 Feb 2023 18:02:42 +0000

A two-year-old vulnerability in VMware ESXi servers is reportedly under mass exploitation by a ransomware threat actor, and more than 1,000 VMware ESXi servers have been compromised.

According to cybersecurity firm Blackberry, the new ransomware, ESXiArgs, is targeting unpatched VMware ESXi servers connected to the internet, leveraging a remote code execution bug from 2021 to cause a heap overflow in the OpenSLP service.

The threat actor is targeting victims globally, with much of the activity centered on North America and Europe, the firm’s researchers say in a blog.

French cybersecurity authorities issued an advisory late last week, saying they became aware of attack campaigns targeting unpatched VMware ESXi hypervisors with the goal of deploying ransomware. The SLP service in particular seems to be the target. The service was the subject of several patches in recent years, and its vulnerabilities could allow an attacker to remotely execute arbitrary code, according to CERT-FR.

The systems currently targeted include ESXi hypervisors in version 6.x and prior to 6.7, but CERT-FR says vulnerabilities affecting SLP concern these systems:

  • ESXi 7.x versions earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG

Once servers are compromised, a shell script is used to execute the encryptor and deliver the ransom note, which demands about $480,000 worth of Bitcoin.

The vulnerability being exploited in this ransomware campaign is tracked as CVE-2021-21974, a critical-rated remote code execution bug that VMware patched in 2021.

A spokesperson from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) says the agency is working with public and private sector partners to assess the impacts of the reported incidents and provide assistance where needed.

“Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI,” the spokesperson says. “Organizations should continue taking urgent steps to reduce the risk of ransomware incidents, including by adopting the guidance on stopransomware.gov and implementing basic cyber hygiene such as multi-factor authentication, which can drastically reduce your risk of being hacked.”

VMware’s guidance

In its own update on the matter, VMware says it is aware of the exploits and ransomware attacks and that it has not found evidence of another undisclosed vulnerability being exploited.

To protect against exploitation, VMware suggests customers upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities. The company also recommends disabling the OpenSLP service in ESXi. The company says that, beginning in 2021, it has shipped ESXi 7.0 U2c and ESXi 8.0 GA with the service disabled by default.

Prioritize security and safety over convenience and patch your systems

At the time of VMware’s advisory on the vulnerability in late February 2021, the bug wasn’t under active exploitation. That has changed nearly two years later, which is an alarming testament to the patching practices of many organizations, says Bernard Montel, EMEA technical director and security strategist at vulnerability management software provider Tenable.

“The sad truth is that we often see known vulnerabilities, with an exploit available, left unpatched,” Montel says. “This puts organizations at incredible jeopardy of being successfully penetrated. In this case, with the two-year-old VMware vulnerability, the threat is immense given the active exploitation.”

According to Montel, virtualization is critical to most organizations’ cloud strategy, with the hypervisor representing a big target for attackers.

“If threat actors are able to gain access, they can push malware to infiltrate the hypervisor level and cause mass infection,” Montel says.

One reason these systems may have remained unpatched for nearly two years is the trade-off organizations make between uptime and security. Threat actors prioritize vulnerabilities impacting popular software that can help them spread ransomware, including VMware and other widely used tools such as ManageEngine, Exchange, Print Spooler and more.

“Threat actors target these flaws knowing they can abuse admin rights to traverse the network and inflict damage, even holding sensitive information systems and data to ransom,” Montel says. “For business continuity, it’s imperative security teams determine how to address exploited vulnerabilities while minimizing the impact to the organization instead of leaving known flaws unaddressed.”

Barmak Meftah, co-founder and general partner of Ballistic Ventures, a venture capital firm dedicated to early-stage funding for cybersecurity firms, and the former president of AT&T Cybersecurity, says organizations should shift from preventing ransomware to making ransomware obsolete by implementing disaster recovery plans and context-switched data.

However, he also stresses how patching systems–especially for critical vulnerabilities like the one being exploited here–is the first step.

“The importance of simple patch management cannot be overstated. Unpatched vulnerabilities can have dire consequences — threat actors prove this over and over, and we’re seeing the fallout plainly with this attack,” Meftah says. “Companies that have been impacted are now wrestling with the question of whether to pay the ransom. Those organizations without appropriate mitigating measures should consult a breach response company immediately.”

The post Critical VMware Vulnerability From 2021 Leveraged in Mass Ransomware Campaign appeared first on My TechDecisions.

BlackBerry: Cyberattacks Are Being Launched Once Every Minute
https://mytechdecisions.com/network-security/blackberry-cyberattacks-are-being-launched-once-every-minute/
Wed, 25 Jan 2023 16:19:40 +0000

A new report from BlackBerry reveals that threat actors are launching an attack about once every minute, with the resurgence of the Emotet botnet, phishing attacks and infostealers dominating the attack landscape.

The Ontario-based intelligent security software and services provider’s first Global Intelligence Report, covering the fourth quarter of 2022, finds that the company’s AI-driven prevention-first technology stopped more than 1.75 million malware-based attacks.

According to BlackBerry, the most common tools used in attacks include the Emotet botnet, the Qakbot phishing threat and an increase in infostealers such as GuLoader.

Other highlights from the report include threats targeting macOS systems. Despite the prevailing opinion that macOS is a safer platform because it is used less among enterprise systems, BlackBerry says that is not the case. That opinion could be giving IT managers a false sense of security, the company says.

According to Blackberry, the most malicious application on macOS was Dock2Master, which collects users’ data from its own surreptitious ads. More than a third of BlackBerry’s client organizations using macOS had Dock2Master on their network, the report finds.

In addition, BlackBerry’s report explores the increasing number of attacks against Linux platforms and how less mainstream programming languages such as GoLang are being used to develop cross-platform malware.

The report also found that RedLine, an infostealer capable of stealing credentials from browsers, crypto wallets, FTP and VPN software, and other targets was the most active and widespread infostealer last quarter. RedLine preys upon technology used to support remote and hybrid employees, and threat actors are using RedLine to steal credentials to sell to other threat actors for initial access.

For 2023, the company expects these trends to continue, but also says ransomware and other attacks will continue to target medical organizations and critical infrastructure. In addition, attacks against Linux systems and cloud infrastructure will increase as threat actors look to install backdoors on target systems and gain visibility into organizations for further activities.

Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry, says threat reports can help provide insight into overall trends and help organizations make informed decisions about their security.

“Our public and private reports are written by our top threat researchers and intelligence analysts, world-class experts that not only understand the technical threats but also the global and local geopolitical situation, and how it affects organizational threat models in each region,” Valenzuela says. “This expertise allows us to provide actionable and contextualized threat intelligence to increase cyber resilience and to enable mission and business objectives.”

The post BlackBerry: Cyberattacks Are Being Launched Once Every Minute appeared first on My TechDecisions.
