NordStellar launches attack surface management

Posted in Commentary with tags on February 5, 2025 by itnerd

A vulnerable attack surface exposes a company to cyberattacks. However, constantly monitoring and assessing its condition requires a great deal of time and human resources. To help security teams be more efficient, NordStellar, a next-generation threat exposure management platform, has introduced attack surface management (ASM) — a feature designed to automatically discover security gaps by constantly monitoring and evaluating all of the organization’s internet-exposed assets.

The ASM consists of two modules: automatic asset discovery and external vulnerability management. Automatic asset discovery maps infrastructure by running various domain enumeration processes that allow it to automatically identify and catalog all internet-exposed assets associated with the organization, such as web servers, applications, and other network-connected devices. External vulnerability management monitors and scans the discovered assets for known vulnerabilities, providing vulnerability intelligence for more efficient recovery efforts.

“ASM helps to reduce companies’ attack surface by identifying and mitigating vulnerabilities, minimizing the potential for successful attacks. It also offers enhanced visibility into shadow IT so the security team can discover and manage unauthorized IT resources that pose security risks,” says Noreika. “The feature increases operational efficiency because attack surface management tasks are automated, and the risks are prioritized in order to focus remediation efforts on the most critical cases.”

How it works: 

  • Implements automatic asset discovery using various techniques, including DNS enumeration, web crawling, and other OSINT techniques to identify all internet-exposed assets associated with the organization.
  • Conducts vulnerability assessments by scanning the discovered assets for known vulnerabilities using passive service fingerprinting.
  • Prioritizes identified vulnerabilities by evaluating them according to their severity, exploitability, and potential impact.
  • Provides real-time alerts about new vulnerabilities and changes to the attack surface to the organization’s security team and comprehensive reports for a detailed overview of the company’s attack surface and associated risks.

ASM is now available to all NordStellar users. More information here.

Leave a comment »

Phishers Exploit Microsoft’s ADFS to Enable Account Takeover

Posted in Commentary with tags , on February 4, 2025 by itnerd

Researchers have uncovered a sophisticated phishing campaign that exploits Microsoft’s Active Directory Federation Services (ADFS) using spoofed login pages to harvest user credentials and bypass MFA to take over accounts. You can read the research here:

https://abnormalsecurity.com/resources/targeting-microsoft-adfs-phishing-bypass-mfa-for-account-takeover  

A sophisticated phishing campaign is targeting organizations that rely on Microsoft’s Active Directory Federation Services (ADFS), exploiting the trusted environment of ADFS with spoofed login pages to harvest user credentials and bypass multi-factor authentication (MFA). This allows attackers to take over accounts and gain unauthorized access to critical systems and data, putting sensitive information and organizational security at significant risk.

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“I’m a 36-year cybersecurity expert and author of 15 books (one on hacking MFA (https://www.amazon.com/Hacking-Multifactor-Authentication-Roger-Grimes/dp/1119650798) and over 1,500 articles. This is the first time I’ve read about fake ADFS login pages, but ADFS has been involved in bypassing MFA authentication before, so it’s not completely new to use in the hacker scene. All users should use phishing-resistant MFA whenever they can. Unfortunately, most of today’s most popular MFA solutions, including Microsoft Authenticator, Google Authenticator, Duo, push-based MFA, OTP, and SMS-based MFA are very phishable and subject to the exact type of attack reported here.”

Related to this, here’s some relevant articles in relation to MFA:

Don’t Use Easily Phishable MFA and That’s Most MFA!

https://www.linkedin.com/pulse/dont-use-easily-phishable-mfa-thats-most-roger-grimes

My List of Good, Strong MFA

https://www.linkedin.com/pulse/my-list-good-strong-mfa-roger-grimes

Why Is the Majority of Our MFA So Phishable? and US Government Says to Use Phish-Resistant MFA

https://www.linkedin.com/pulse/why-majority-our-mfa-so-phishable-roger-grimes and https://blog.knowbe4.com/u.s.-government-says-to-use-phishing-resistant-mfa

Leave a comment »

AMD Silicon Flaw Found By Security Researchers At Google

Posted in Commentary with tags , on February 4, 2025 by itnerd

Google security researchers have recently discovered CVE-2024-56161, a microprocessor vulnerability that could lead to the loss of Secure Encrypted Virtualization (SEV) protection, and allow an attacker to load malicious code. You can read the research here:

https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w

Google Security Team has identified a security vulnerability in some AMD Zen-based CPUs. This vulnerability allows an adversary with local administrator privileges (ring 0 from outside a VM) to load malicious microcode patches. We have demonstrated the ability to craft arbitrary malicious microcode patches on Zen 1 through Zen 4 CPUs. The vulnerability is that the CPU uses an insecure hash function in the signature validation for microcode updates. This vulnerability could be used by an adversary to compromise confidential computing workloads protected by the newest version of AMD Secure Encrypted Virtualization, SEV-SNP or to compromise Dynamic Root of Trust Measurement.

And:

Google notified AMD of this vulnerability on September 25, 2024. AMD subsequently provided an embargoed fix to its customers on December 17, 2024. To coordinate with AMD, we made a one-off exception to our standard vulnerability disclosure policy and delayed public disclosure until today, February 3, 2025. This joint disclosure occurs 46 days after AMD shared the fix with its customers and 131 days after Google’s initial report. Due to the deep supply chain, sequence and coordination required to fix this issue, we will not be sharing full details at this time in order to give users time to re-establish trust on their confidential-compute workloads. We will share additional details and tools on March 5, 2025.

Andrew Obadiaru, CISO, Cobalt had this comment:

     “The discovery of this vulnerability, along with the subsequent collaboration between AMD and Google, underscores the importance of responsible vulnerability disclosure. By proactively identifying and addressing the issue before it could be widely exploited. 

This vulnerability, tracked as CVE-2024-56161, highlights ongoing hardware security challenges. While CPU vulnerabilities are not new, they remain difficult to detect due to the complexity of modern processors. Additionally, many organizations, including major manufacturers, often prioritize performance over security when it comes to patching CPUs, as such updates can lead to performance trade-offs. Could this vulnerability be a result of that trade-off?

Organizations must ensure that users promptly apply patches through firmware updates, operating system patches, etc. More importantly, hardware manufacturers should prioritize security at the design stage rather than treating it as an afterthought once vulnerabilities are discovered.”

Gunter Ollmann, CTO, Cobalt adds this:

     “For decades flawed or absent update security validation has been a common threat. Failure to sign patches, updates, firmware, and microcode, etc. and failure to verify the signature and identify tampering have seen countless otherwise secure devices and software to fall victim to targeted attack.

Silicon-level device security is both one of the hardest to master and the most vital. The root of trust starts and ends with the secrets within the silicon layer.

If security fails at the silicon-level than all the layers above (firmware, drivers, software, data storage) are undermined and compromised.”

It’s good that this is being fixed as AMD is seeing a rise in its fortunes in the processor space. Thus it is highly likely that it will be targeted by threat actors looking for weaknesses in their silicon that they can exploit to do their evil deeds.

Leave a comment »

A Now Fixed But Critical Microsoft Accounts Authentication Vulnerability Enables Takeover 

Posted in Commentary with tags on February 4, 2025 by itnerd

Microsoft has confirmed that critical vulnerability CVE-2025-21396 could enable attackers to access Microsoft accounts and enable an authentication bypass leading to an elevation of privilege and a hacked account. More details can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21396

To be clear this vulnerability is now fixed.

Jim Routh, Chief Trust Officer at cybersecurity company Saviynt, commented:

“This new vulnerability released publicly by Microsoft is a reasonable demonstration of both responsible disclosure and effective response by the software vendor many depend on. 

“First, it is a particularly significant vulnerability that enables escalation of privilege and authentication bypass. In other words, MS accounts can be commandeered by a threat actor.

“Second, it was never exploited in the wild and is no longer possible to exploit this vulnerability according to Microsoft’s announcement. This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.

“The level of resilience demonstrated by the response to this missing authentication function by Microsoft is a positive thing for digital consumers. This is the way technology is supposed to work and the way enterprise software vendors establish trust in the marketplace.” 

This is a great example of how things work. It got fixed. And the public was informed. Two thumbs up from me. We need to see more of this on a consistent basis.

Leave a comment »

Texas responds to “dramatic” rise in attacks with cyber command center

Posted in Commentary with tags on February 4, 2025 by itnerd

Governor Greg Abbott announced in a State of the State address on Sunday that Texas, in partnership with University of San Antonio, will soon launch the Texas Cyber Command to deploy “cutting edge capabilities” to strengthen the state’s ability to anticipate, detect and prevent cyberattacks.

  “The Texas Cyber Command will work in partnership and collaborate with all state universities and Regional Security Operation Centers, as well as local, state, and federal agencies to strengthen the state’s cybersecurity mission,” reads the press release.

The Cyber Command will create a “robust strategy” including:

  • Anticipating and detect potential cyber threats
  • Promoting cybersecurity awareness, professional training, and other workforce-oriented measures
  • Preparing for cyberattacks through exercises, pre-attack coordination and planning, and proactive collaboration with critical infrastructure partners
  • Defending against, responding effectively to, and mitigating the effects of cyberattacks when they occur, working across the state and with relevant partners
  • Providing subject matter expertise, forensic analysis, and other support to conduct post-attack investigations and recovery efforts

The move to launch the statewide cybersecurity command center comes after the state’s Matagorda County government suffered a cyberattack that forced officials from the Emergency Operation Center to declare a disaster.

In 2022, the University of San Antonio joined the US Cyber Command Academic Engagement Network, which works with the Department of Defense on cyberspace operations and capabilities, cyber expertise, and cyber warfare.

Evan Dornbush, former NSA cybersecurity expert, offers perspective on the matter:

  “From a political lens, it’s pretty fascinating that of all places Texas would be one of the first to promote a state-based government resource that the private sector can lean on, and I look forward to seeing how that plays out.

  “From the technical angle, and with a stated goal to anticipate and detect potential cyber threats, Texas is pretty qualified to pioneer this. A lot of talent is concentrated within, and pulling from its deep bench of military, academic, and private sector perspectives will be advantages to getting this off the ground.”

It’s interesting that Texas would be making a move like this as I don’t associate Texas with cybersecurity. I have to applaud them for doing this and I hope Texas does more of this.

Leave a comment »

VulnCheck Report Says Exploited CVEs Up 20% In 2024

Posted in Commentary with tags on February 4, 2025 by itnerd

New data published by VulnCheck finds a total of 768 CVEs were publicly reported as exploited in the wild, 20% higher than the record high of 2023 (639 CVEs). 23.6% of these vulnerabilities were zero days, down from 26.8% in 2023. Half of CVEs were reported as exploited within 192 days of publicly disclosure in 2024. “Despite the buzz around zero-day exploitation, these findings indicate that exploitation can happen at any time in a vulnerability’s lifecycle,” the researchers noted.

Evan Dornbush:

I’m a huge fan of VulnCheck’s overall approach. Visibility into potential risk is critical for the modern C-suite. While, as Patrick’s blog post states, exploitation can happen at any time, patch management is essentially a solved problem with tools and services providing awareness and assistance. Two years in a row we see that a quarter of all exploits occur when only the attackers were aware of the vulnerability. As a community, we have to find ways to get that number lower. So long as attackers are the only or majority possessors of vulnerability data and exploit tools, they will maintain their advantage over the defenders.

Lawrence Pingree, VP, Dispersive follows with this:

The primary reason for the shift to more zero days and an increase in vulnerabilities is fully expected as a nexus of trends in threat actor behavior, including:

  1. A rotation to automation of the discovery of vulnerabilities with AI.
  2. The use of behavioral systems to address and live-patch systems ahead of vulnerability patching – forcing threat actors to lesser-known techniques.
  3. Penetration of more targeted applications that are directed more at the supply chains – which tend to be weaker and harder to patch – such as firmware and centralized but exposed application services (embedded in SaaS and IoT/OT).

I would spend some time reading this report as it will guide you in terms of what to focus on so that you can keep your environment as safe as possible.

Leave a comment »

Quorum Cyber Launches New Threat Business Unit and Appoints Paul Caiazzo as Chief Threat Officer

Posted in Commentary with tags on February 4, 2025 by itnerd

Quorum Cyber, a global cybersecurity specialist with offices in the UK, the US, and Canada, has set a new strategic direction by acquiring Kivu Consulting Inc – a leader in digital forensics, cyber incident response, business restoration, and ransom negotiations in the global insurance, legal, and government sectors. Kivu provides threat intelligence, threat hunting, and incident response services across the UK, North America, the Middle East, and other international markets. Quorum Cyber has appointed Paul Caiazzo as Chief Threat Officer to lead the Kivu sector of the business and joins the company’s executive team.

This strategic acquisition underscores Quorum Cyber’s global expansion strategy, solidifying its position as a leading Microsoft Security partner and its mission to become Microsoft Security’s most valued partner worldwide.

Acquiring Kivu expands Quorum Cyber’s capabilities by putting cyber threats and adversaries at the heart of its comprehensive global cybersecurity services – better addressing customers’ problems and the protection they need in an inhospitable and unpredictable digital environment. Leading this deeper capability in threat intelligence and incident response, Caiazzo will input research and thought leadership into strategic, tactical, and operational cybersecurity, and will be responsible for integrating the deep experience of the Kivu team with Quorum Cyber, accelerating its threat intelligence and incident response teams.

With Quorum Cyber’s wider offerings, this threat arm of the business will protect customers, before, during, and after any kind of cybersecurity incident. 

In conjunction with this move, Quorum Cyber has released its annual Global Cyber Risk Outlook Report 2025, a comprehensive analysis of the ever-evolving cybersecurity landscape. This report offers crucial insights into the current cyber threats and anticipates emerging risks for 2025. Quorum Cyber will host a webinar on February 25th, 2025, featuring Caiazzo, to delve deeper into the report’s insights, offering actionable advice for organizations to enhance their cybersecurity posture in the face of evolving threats. Registrations for the webinar are open

As a cybersecurity engineer, entrepreneur, and strategist with over 27 years’ experience, Caiazzo brings a wealth of knowledge and expertise to the role, having previously developed cybersecurity businesses from the ground up. Prior to joining Quorum Cyber, he held senior positions for numerous technology companies from start-ups and scale-ups through to established enterprises such as Avertium, TruShield Security Solutions, Savvis Communications, and Northrop Grumman Mission Systems in support of the US Department of Defense.

Quorum Cyber has a close and longstanding relationship with Microsoft, having been founded as a Microsoft-first security services provider and a member of the Microsoft Intelligent Security Association (MISA). Quorum Cyber holds three Microsoft Security specializations of Threat Protection, Cloud Security, and Information Protection and Governance.

Leave a comment »

Leaseweb Launches Public Cloud and Virtual Private Server Solutions in Japan

Posted in Commentary on February 4, 2025 by itnerd

Leaseweb Global today announced the availability of its Public Cloud and Virtual Private Server (VPS) solutions in Japan. Delivered via local, in-country infrastructure, Leaseweb Public Cloud offers a highly competitive blend of cost-effective flexibility and global availability and is designed to be around 30% more cost-effective* than traditional hyperscalers while delivering the performance, reliability, and service levels customers demand. The solution is ideally suited for any global organization looking to expand into the Japanese market with local infrastructure.

With the Japanese Public Cloud market expected to reach $48.29bn in value by 2029, Leaseweb operates a transparent pricing model that eliminates hidden costs. This allows businesses to avoid upfront investment in software licenses or data center infrastructure while benefiting from an on-demand subscription model that supports hourly and monthly billing without long-term commitments. It is compatible with existing hyperscale platforms, making it suitable for organizations deploying new workloads and migrating existing ones.

Backed by the renowned Leaseweb brand and market-leading customer service, the solution is available globally across seven regions to minimize latency. It is suitable for a wide range of industries and use cases, from fintech and SaaS to martech and gaming, and it is built to support both simple applications and complex architectures.

Key advantages of Leaseweb Public Cloud include:

  • No upfront investment required in software licenses or data centers
  • Flexible and cost-predictive on-demand subscription model, including hourly or monthly billing
  • No vendor lock-in
  • Global availability across seven regions for reduced latency
  • Robust data sovereignty features
  • 99.99% availability SLA for all instances
  • 24/7 support by phone and ticketing system in multiple languages
  • Advanced API automation and integration with other Leaseweb solutions and hyperscalers

Leaseweb VPS – Delivering Exceptional Price-Performance, Fast Local Storage, and Easy Deployment

Leaseweb’s new and highly efficient Virtual Private Server (VPS) solution is designed for businesses that need a combination of exceptional price performance, fast local storage, and easy deployment; Leaseweb VPS packages deliver affordable solutions that don’t compromise on quality. Powered by the latest generation of CPUs, local NVMe storage, and lightning-fast 10 Gbps uplink speed, Leaseweb VPS provides customers with the flexibility to scale their infrastructure as their business needs grow.

Delivered via a low-touch, self-service portal, it requires limited technical expertise for setup or management, enabling users to configure their server, monitor resources, and manage snapshots with ease. This makes it ideal for businesses seeking a straightforward and efficient hosting service, as well as those looking for an entry-level solution to Leaseweb Public Cloud.

Leaseweb’s solution was designed with our customers in mind to deliver the value of the hyperscale concept but with better price, performance, and flexibility. Our track record, leadership, and customer-first approach position us to make a significant, positive impact on the Japanese public cloud market,” Duley concluded.

For further information about Leaseweb Public Cloud, please click here.

* Cost reduction percentage is based on benchmarks of standardized workloads. Exact cost reduction will differ based on individual use case and workload. 

Leave a comment »

Fortra Publishes Its 2025 State Of Cybersecurity Survey Results

Posted in Commentary on February 4, 2025 by itnerd

Fortra has published the results from its 2025 State of Cybersecurity survey. The report looks at some surprising shifts in what security leaders see as their biggest threats, and what’s slipping off the radar.

Phishing remains the top concern, but interestingly, zero-day attacks have dropped off the list, with only 38% seeing them as a primary risk (down from 50% last year). At the same time, emerging technology threats—like genAI—jumped 15% year over year, hitting the top five for the first time.

Other trends worth noting:

  • Cloud security is no longer a top initiative. Are companies feeling more confident, or are they overlooking evolving risks?
  • A major spike in pentesting outsourcing, as companies push compliance-heavy security tasks to third parties.
  • Budgets are still the biggest blocker with more than half (59%) saying that funding constraints are their top challenge in executing security strategies.

You can view Fortra’s findings here.

Leave a comment »

Action1 Expands Its Free Offering to 200 Endpoints, Delivering Industry’s First Free Autonomous Endpoint Management Solution

Posted in Commentary with tags on February 4, 2025 by itnerd

Action1, a leading provider of autonomous endpoint management solutions, today announced a major expansion of its free tier, increasing the number of free endpoints from 100 to200. The first, foundational use case for Autonomous Endpoint Management (AEM) is autonomous patching that accelerates patch deployment and compliance and reduces IT overhead and degradation of Digital Employee Experience (DEX). Driven by a mission to make autonomous endpoint management easily and universally accessible, Action1 will now enable organizations and home users to deploy its cloud-native patching solution to secure the first 200 endpoints at no cost, forever, with no feature limits. 

Democratizing Autonomous Endpoint Management

Today’s cyber threat landscape presents unprecedented challenges, from sophisticated, Gen-AI-enabled ransomware attacks to complex compliance demands. Small and medium-sized businesses (SMBs) and nonprofits often lack the resources to address these issues effectively. 

According to Veeam, 85% of ransomware attacks target small businesses. Action1’s expanded free tier provides a lifeline to these targeted groups, providing: 

  • Enterprise-grade autonomous endpoint management FREE: Protecting up to 200 endpoints free forever, with simple scaling above 200, without hidden costs or complexity. 
  • 5-minute deployment, effortless management: Start managing endpoints immediately, minimize training and free up IT resources.  
  • Low bandwidth and hybrid workforce patching: Seamlessly deploy patches, remediation, and updates with bandwidth-efficient P2P distribution—no VPN required. Easily patch offline devices as soon as they reconnect online. 

Redefining “Free” in Autonomous Endpoint Management

Unlike misleading “free” software offers that often serve as bait for trials or data monetization schemes, Action1 provides a genuinely free solution with comprehensive autonomous endpoint management capabilities for the first 200 endpoints and transparent pricing for any additional usage. With no hidden fees or commercial handling of user information, Action1 empowers small businesses and non-profits to operate and grow securely. It also enables larger organizations to start using the platform’s capabilities on smaller environments at no cost, with no functional limits, before scaling up. 

Reinventing Patching with the Powerful, Cross-Platform Solution

Action1’s platform disrupts legacy patch management approaches, offering an all-in-one solution tailored for today’s hybrid work environments. Key benefits include: 

  • Unified, cross-OS and third-party patching: Automate the entire patching process, from identifying and deploying missing updates to real-time reporting. 
  • Ease of use: Start getting value in minutes. Patch software consistently without legacy technology, clunky integrations, or multiple consoles. 
  • Vulnerability discovery and remediation: Prevent security breaches and ransomware attacks. Detect vulnerabilities in OS and applications in real-time and enforce remediation. 

Learn more about the difference Action1 can make for your IT operations with the first 200 endpoints free: https://www.action1.com/free-edition/

Leave a comment »

« Older Entries
Newer Entries »