More stories

  • FBI warns: SIM-swapping attacks are rocketing, don't brag about your crypto online

    The Federal Bureau of Investigation (FBI) is warning about a big uptick in scams using smartphone SIM swapping to defraud victims. Subscriber Identity Module (SIM) swapping is an old trick, but the FBI has issued a new alert about it because of a massive leap in reported cases in 2021 compared to previous years.    

    Smartphones are critical tools for authenticating to online services, such as banks that use SMS for sign-in codes. It is a serious problem – if crooks can gain control of the phone number those codes are sent to, they can access the victim’s bank, email, and social media accounts. Complaints to the FBI’s Internet Crime Complaint Center (IC3) have skyrocketed in the past year.

    From January 2018 to December 2020, the FBI received 320 complaints related to SIM-swapping incidents with losses of approximately $12 million. In 2021, it received 1,611 SIM-swapping complaints with losses of more than $68 million, the FBI warned in a new public service announcement.

    Scammers abuse the support services of mobile network operator call centers by calling them and posing as customers to get a new SIM card. The victim doesn’t know a new SIM card is connected to their phone number, which gives attackers the access they need.

    “Once the SIM is swapped, the victim’s calls, texts, and other data are diverted to the criminal’s device. This access allows criminals to send ‘Forgot Password’ or ‘Account Recovery’ requests to the victim’s email and other online accounts associated with the victim’s mobile telephone number,” the FBI’s IC3 warns.

    “Using SMS-based two-factor authentication, mobile application providers send a link or one-time passcode via text to the victim’s number, now owned by the criminal, to access accounts. The criminal uses the codes to log in and reset passwords, gaining control of online accounts associated with the victim’s phone profile.”

    To improve security, many organizations use SMS messages as a form of multi-factor authentication because the account owner is assumed to have control over the device. Codes delivered via SMS are convenient because of high adoption and the belief that SMS is better than relying on a password alone, which can be compromised. SIM swapping is one way for crooks to circumvent this security.

    As Microsoft and others have argued, SMS is an insecure and unreliable way to deliver codes for authenticating to online accounts. Microsoft wants organizations to use apps, such as its Authenticator, because they’re a harder target to compromise.

    The FBI details the many ways in which attackers can not only dupe but also entice employees of mobile network operators for nefarious goals. From the attacker’s perspective, the rise of cryptocurrencies like Bitcoin and exchanges’ reliance on phones for authentication adds to the appeal of SIM-swapping scams.

    “Criminal actors primarily conduct SIM swap schemes using social engineering, insider threat, or phishing techniques,” the FBI’s IC3 says. The attacker often impersonates a victim and tricks the mobile carrier’s employees into switching the victim’s mobile number to a SIM card in the criminal’s possession.

    “Criminal actors using insider threat to conduct SIM swap schemes pay off a mobile carrier employee to switch a victim’s mobile number to a SIM card in the criminal’s possession. Criminal actors often use phishing techniques to deceive employees into downloading malware used to hack mobile carrier systems that carry out SIM swaps,” says the FBI’s IC3.

    SIM swapping is a real problem. T-Mobile in December confirmed SIM swapping was behind a major data breach. A former employee of a US mobile carrier was sentenced in October for taking bribes of up to $500 a day to swap phone numbers. Operators also lack procedures to help customers when they become victims of SIM-swapping scams, as detailed in a personal account in 2019 by ZDNet’s mobile specialist Matthew Miller. It’s a global problem for telcos, too. Australia’s Telstra now flags to banks when a mobile number is ported to counter SIM-swapping attacks.

    The FBI’s tips for protecting yourself include:

    • Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social media websites and forums.
    • Do not provide your mobile number or account information over the phone to representatives that request your account password or PIN. Verify who they really are by dialing the customer service line of your mobile carrier.
    • Avoid posting personal information online, such as mobile phone number, address, or other personal identifying information.
    • Use a variation of unique passwords to access online accounts.

  • Brute-forcing passwords, ProxyLogon exploits were some of 2021's most popular attack methods

    Brute-forcing passwords, as well as the exploit of ProxyLogon vulnerabilities against Microsoft Exchange Server, were among the most popular attack vectors last year. 

    According to ESET’s Q3 Threat Report, covering September to December 2021, while the rates of supply chain attacks rose over 2020, 2021 was defined by the continual discoveries of zero-day vulnerabilities powerful enough to wreak havoc on enterprise systems. The discovery of zero-day flaws in Exchange Server and Microsoft’s emergency patches to resolve the on-premise issues continued to haunt IT administrators well into the year.

    Brute-force and automated password guessing, such as through dictionary-based attacks, were the most frequent attack vectors detected according to ESET telemetry. Attacks against remote desktop protocol (RDP) increased by 274% during the four-month period.

    “The average number of unique clients that reported at least one such attack per day shrank by 5% from 161,000 in T2 2021 to 153,000 in T3 2021,” the report says. “In other words, the intensity of RDP password-guessing attacks is growing rapidly, yet the pool of potential victims is becoming smaller.”

    Public-facing SQL servers and SMB services also saw an uptick in credential-based attacks.

    However, Exchange Server’s ProxyLogon bugs secured the second spot when it came to popular attack vectors. “Microsoft Exchange servers ended up under siege again in August 2021, with ProxyLogon’s ‘younger sibling’, named ProxyShell, exploited worldwide by several threat groups,” the report says.

    The last four months of 2021 also revealed the consequences of a critical vulnerability in Log4j. Tracked as CVE-2021-44228, the remote code execution (RCE) flaw in Log4j, which was assigned a CVSS severity score of 10.0, sent teams scrambling to patch the problem. Threat actors instantaneously began attempting to exploit the vulnerability. Even though the issue was only made public in the last three weeks of 2021, ESET has recorded CVE-2021-44228 among the top five attack vectors of the year.

    Ransomware, as expected, remains a thorn in the side of businesses today. ESET says its “worst expectations” of this malware variant were surpassed during 2021, with critical infrastructure attacked — including the assault against Colonial Pipeline — and over $5 billion in cryptocurrency transactions tied to ransomware campaigns recorded during the first half of 2021 alone.

    The research also notes a recent surge in Android banking malware, rising by 428% in 2021 in comparison to 2020. According to ESET, infection rates associated with Android banking Trojans — such as SharkBot, Anatsa, Vultur, and BRATA — have now reached the same levels as adware.

  • APAC firms need to build trust, brace for more third-party attacks

    Organisations worldwide including in Asia-Pacific are expected to increase their focus on building trust, with several appointing chief trust officers to lead efforts. The move will be necessary especially as ransomware and supply chain attacks are projected to escalate this year. At least five global companies currently have dedicated executive roles that oversee trust matters. None are from Asia-Pacific, according to Jinan Budge, principal analyst with Forrester, where she looks at Asia-Pacific security and risk research. She pointed to a 2022 prediction, in which Forrester expected at least 15 Global 500 organisations to appoint chief trust officers. Reporting directly to their CEO, these roles initially would look at security, privacy, and risk management, before expanding their efforts to encompass brand strategy, corporate values, and other human-centric aspects of trust.

    Other organisations also were expected to add such responsibilities to an existing C-level executive, such as chief information security officers, according to the Forrester report, which Budge co-authored. The analyst told ZDNet that Asia-Pacific enterprises must start looking more closely at the issue of trust, especially as such discussions surfaced amongst consumers. She noted that privacy and confidentiality were among the top five priorities for consumers in Asia-Pacific when they made online purchases. She added that Forrester expected two chief trust officers appointed this year to be from this region.

    Apart from the need to build trust, enterprises also should be concerned about brain drain in the security sector, she said. One in 10 experienced security professionals were expected to exit the industry this year, according to Forrester’s predictions. With more than 3 million roles already unfilled globally, the lack of talent in security would be further compounded as executives suffered from burnout. Forrester’s 2021 figures revealed that 51% of cybersecurity professionals experienced extreme stress, while 65% said they considered leaving their job due to work stress as well as poor financial incentives and limited promotion and career development.

    Budge noted that the brain drain also would impact organisations in Asia-Pacific and affect all aspects of cybersecurity, including national security. She urged businesses and chief information security officers to address the issue by looking at ways to attract and retain staff. These should include efforts to reduce team burnout, create opportunities for career development, and nurture a good culture.

    Supply chain attacks likely to escalate

    Asked about security challenges that would escalate this year, Yihao Lim, Mandiant Threat Intelligence’s principal intelligence advisor, said third-party attacks would continue to persist because they were difficult to detect and combat. Third parties were trusted sources, and organisations often pushed out software patches and updates from these partners without first testing them in a sandbox, Lim said in an interview. These sometimes would be applied directly on production servers, resulting in malware being deployed without much scrutiny. Third-party suppliers served as pivot points for hackers targeting businesses in the wider ecosystem, he added. Pointing to high-profile supply chain attacks such as SolarWinds and Kaseya, he noted that these involved applications that were used by multiple customers and were highly reputable.

    Forrester predicted that third-party attacks would account for 60% of global security incidents in 2022, with 55% of security professionals acknowledging their organisation last year experienced a security incident or breach involving supply chain providers. Some 27% of organisations experienced at least 10 such disruptions in 2021, compared to just 4.8% the year before. The research firm underscored the need for companies to deploy tools for risk assessment, supply chain mapping, real-time risk intelligence, and business continuity management.

    Budge added that while these attacks were not new, they were expected to increase as the pandemic further accelerated the growth and expansion of third-party ecosystems. Companies were not only tapping the innovation of external partners rather than developing their own products, but also collaborating with third parties to drive their digital engagement with customers.

    Furthermore, Asia’s role as a major manufacturing hub made the region a bigger target of supply chain attacks, said Righard Zwienenberg, ESET’s senior research fellow. He, too, expected such attacks to worsen this year. Zwienenberg noted that the change in work environment due to the pandemic provided cybercriminals with a lot more options in seeking out vulnerable systems, including those that resided within the wider supply chain ecosystem. These could comprise non-IT suppliers that might not know how to ensure their networks and data were adequately secured in a remote or hybrid work infrastructure, he said.

    Security risks from the accelerated shift to remote work were likely more prevalent in Asia-Pacific, he added, where organisations were less accustomed to such work practices. This meant they were less prepared in facilitating the move while maintaining their overall security posture. Vulnerabilities on employees’ personal devices or home routers brought new threats to corporate networks, he said. If enterprise networks were not segmented as a security measure, ransomware then could easily spread and move to the wider supply chain ecosystem. Zwienenberg suggested that organisations mitigate such risks by restricting user access to what was essential to their job, so they did not have access to the entire corporate network.

    Access segmentation would enable companies to quickly isolate systems in the event of a security incident or breach, and prevent the rest of their network from being compromised, he said. They also should implement other security tools such as multifactor authentication, network monitoring, and threat detection, he added. For instance, companies should be able to detect if an employee’s home router was unsecured and deny access. He noted that there still were many organisations in Asia-Pacific that did not have such tools in place to ensure their networks were secured.

    Interestingly, Forrester had forecasted insider threats to climb significantly in 2021, but this did not materialise. In fact, incidents of insider threats fell last year, Budge said. She theorised that this mismatch might be due to the shift towards remote work, which impacted organisations’ ability to effectively detect insider threats. Because it became difficult to determine what was “normal” behaviour within the network, due to the change in how users accessed corporate data, companies likely were unable to detect insider threats even if these surfaced.

    The ability to do so may prove critical as ransomware attacks are expected to further gain ground. Lim noted that ransomware and extortion incidents saw significant growth last year and would continue to climb this year. Threat actors had been proactive in attempts to shame their victims, for example, by contacting media agencies with proof they had access to the victim’s systems. They would do so to get the attention of the victim, which could be a high-profile financial company, knowing that data leaks would have repercussions such as lawsuits and damaged reputation for the victim. Such extortion attempts had been highly effective, he said, adding that they would continue to escalate this year amidst the public attention and profits they generated for cybercriminals.

    “Shaming victims is effective because, especially in Asia-Pacific, organisations would try to keep security breaches confidential and would not even admit them when asked. Now, they can’t even play dumb because hackers are shaming them publicly,” Lim said.

    By identifying their victims and demonstrating they had access to customer information, cyber attackers were establishing some form of non-repudiation, in which businesses could no longer deny they suffered a security breach. This added pressure on them to pay the ransom to prevent their customers’ data from being leaked, he noted. “The hackers know it’s lucrative, so this trend will continue to persist this year,” he said. He advised organisations to consider all legal and regulatory implications if they had operations in countries such as the US, where they might be sanctioned if they paid a ransom in state-sponsored attacks.

    Growing geopolitical tensions can drive cybersecurity threats

    In fact, an increasingly unstable global geopolitical landscape could fuel cyberattacks, including those targeting critical information infrastructures (CII), said Acronis’ co-founder Serguei Beloussov, in a video interview with ZDNet. Pointing to increased tensions between countries such as the US, Russia, and China, he said these could lead to more attacks that disrupt national infrastructures. Security risks were further exacerbated with hacking tools readily available online, Beloussov said. The number and sophistication of such tools not only had increased, but also were more varied, making cyber attacks more efficient and inexpensive to launch.

    This could lead to more ransomware attacks against smaller targets such as small and midsize businesses and individuals, he said. While these were less profitable, the wide variety and availability of tools made it easier for hackers to expand the spread of their targets for more returns.

    Voicing his concerns about rising geopolitical tensions, he said this might push governments to focus on developing cyberweapons. This, in turn, likely would lead to such tools eventually finding their way out of cyber laboratories and into the hands of conventional bad guys. Beloussov said: “Imagine a scenario when a government launches a cyber attack on another government, and a cybersecurity company detects the activity and investigates it. It figures out how the attack is carried out and publishes the details, from which the bad guys then are able to learn.”

    Be it ransomware or supply chain attacks, Budge said the fundamentals remained important in managing security threats. Regardless of the type of attack or vulnerabilities, the analyst advised companies to be strategic and avoid a knee-jerk reaction to security. Beloussov underscored basic things businesses should do to better safeguard against security threats, including running security tools on their systems and devices and maintaining backups of their data. Beyond securing physical access, they also should ensure all systems were regularly checked and updated and properly configured, he said. “The important thing is to take the common sense approach and adopt basic precaution, such as running penetration and vulnerability,” he added. “You need to know how well prepared you are in dealing with all types of attacks.”

    Zero trust slow to gain momentum in Asia-Pacific

    And while zero trust had been widely pitched as an essential cybersecurity framework, Budge noted that its adoption remained low in Asia-Pacific for various reasons. First, its label had led to confusion in a region where many cultures were built on and reliant on trust. Second, Asian markets largely were risk averse, she said, with companies only moving to adopt something when another had actually done so. This was starting to change, with more organisations over the past 12 months taking their first steps towards zero trust. However, it required significant transformation on the company’s part, encompassing added investment in technology, resources, and culture. Not all organisations in Asia-Pacific had sufficient people or resources to adopt a zero trust architecture, she said, adding that this also had resulted in its low adoption. Furthermore, vendors in the region were touting such tools as the panacea and silver bullet to everything related to security. This would not sit well with businesses here, Budge said. Citing figures from Forrester, she noted that just 13% of security leaders in Asia-Pacific described zero trust as a top strategic cybersecurity priority in 2021.

    According to Lim, Singapore’s take on an “assume breach” position underscored the importance of a zero trust mindset. He noted that businesses should consider two key points this year with regards to security. First, apply principles of least privilege in establishing the types of network access. Users should only be given access to what they needed for their role and this should be regularly reviewed, especially as employees move from one department to another, he said. Echoing Zwienenberg’s advice, Lim also recommended companies put in place some form of network segmentation, which would help prevent widespread outage when a security incident occurred. Networks could be segregated by functions, enabling attacks to be contained within a zone so an affected section would not affect another.

    He further emphasised that moving to the cloud did not necessarily mean an organisation’s environment would be fully secured. Pointing to the shared responsibility model adopted amongst most cloud providers, he said customers also had to ensure due diligence in securing their own environment, such as implementing the right configuration and administrative tasks. Shared responsibility models typically outlined security boundaries that were under the cloud vendor’s purview and those that should be undertaken by the customers.

  • Lazarus hackers target defense industry with fake Lockheed Martin job offers

    Lazarus has been tied to a new campaign attacking hopeful job applicants in the defense industry. 

    The advanced persistent threat (APT) group has been impersonating Lockheed Martin in the latest operation. The Bethesda, Maryland-based company is involved in aeronautics, military technology, mission systems, and space exploration. Lockheed Martin generated $65.4 billion in sales in 2020 and has approximately 114,000 employees worldwide.

    Lazarus is a state-sponsored hacking group with ties to North Korea. The prolific and sophisticated group is generally financially motivated and is believed to be responsible for serious attacks in the past, beginning with the WannaCry ransomware outbreak, as well as the $80 million heist against Bangladesh Bank, assaults against freight companies, and South Korean supply chains.

    On February 8, Qualys Senior Engineer of Threat Research Akshat Pradhan revealed a new campaign using Lockheed Martin’s name to attack job applicants. In a similar way to past activities that abused the reputation of Northrop Grumman and BAE Systems, Lazarus is sending targets phishing documents pretending to offer employment opportunities.

    The documents, named Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc, contain malicious macros which trigger shellcode to hijack control flow, retrieve decoy documents, and create scheduled tasks for persistence.

    Living Off the Land Binaries (LOLBins) are also abused to further the compromise of the target machine. However, when the malicious scripts attempted to pull in a further payload, an error was returned — and so Qualys can’t be sure what the final malware package was meant to achieve.

    “We attribute this campaign to Lazarus as there is significant overlap in the macro content, campaign flow, and phishing themes of our identified variants as well as older variants that have been attributed to Lazarus by other vendors,” Pradhan says.

    This isn’t the first time Lazarus has exploited job candidates or vacancies. F-Secure has previously found samples of phishing emails, masquerading as job offers, that were sent to a system administrator belonging to a targeted cryptocurrency organization. In related research, Outpost24’s Blueliv cybersecurity team has named Lazarus, Cobalt, and FIN7 as the most prevalent threat groups targeting the financial industry today. ZDNet has reached out to Lockheed Martin and we will update when we hear back.

  • NetWalker ransomware gang affiliate pleads guilty, slapped with 7-year sentence

    Netwalker ransomware gang affiliate Sebastien Vachon-Desjardins was sentenced to seven years in prison for his involvement with the group after pleading guilty in an Ontario court on January 31.

    Court documents published on February 1 revealed that Vachon-Desjardins pleaded guilty to five charges related to “theft of computer data, extortion, the payment of cryptocurrency ransoms, and participating in the activities of a criminal organization.” In addition to the seven-year sentence, Vachon-Desjardins agreed to partial restitution, forfeiture of assets seized, and a DNA order. The court documents say Vachon-Desjardins was implicated in 17 ransomware attacks that caused at least $2.8 million in damages in Canada.

    “In August 2020, the Royal Canadian Mounted Police (“RCMP”) received information from the American Federal Bureau of Investigation (“FBI”) in relation to a NetWalker ransomware affiliate operating in Gatineau Quebec. The FBI advised the RCMP that their suspect was responsible for ransomware attacks in several countries, and he was suspected to have received over $15,000,000.00 USD in ransom payments,” Ontario court judge G. Paul Renwick wrote, adding that he was told that the data seized from Vachon-Desjardins would fill an entire hockey arena if printed.

    “Eventually, based on internet protocol addresses, data gleaned from US investigations into various Apple, Google, Microsoft, and Mega.nz accounts, aliases, email addresses, and personal information revealed on social media platforms, the Defendant was identified by the Canadian authorities.”

    In January, police in Florida arrested the Canadian citizen in connection with several attacks by the Netwalker ransomware group. The DOJ claimed Vachon-Desjardins managed to make about $27.6 million through several ransomware attacks on Canadian organizations like the Northwest Territories Power Corporation, the College of Nurses of Ontario, and a Canadian tire store in B.C.

    One of the biggest issues facing Vachon-Desjardins is when he will be sent to the US to face his charges there. He was supposed to be sent to the US but his surrender was delayed because he had other drug trafficking charges outstanding in Quebec. The ruling says Vachon-Desjardins’ sentence can begin to run now and it will continue to run during and subsequent to the resolution of his charges in the US. The sentence will also run concurrently to the 54-month sentence he got for drug trafficking offenses in Quebec.

    The judge’s decision explained that Vachon-Desjardins was a prolific member of the Netwalker ransomware group and even sent the group’s leaders 224 Bitcoins to invest in “the next generation of malicious code that could be used.”

    “The Defendant even improved upon the ransom messages used by NetWalker affiliates and eventually convinced the creator of NetWalker to use ‘mixing services’ to disguise funds paid for ransoms in Bitcoin,” Renwick said. “The Defendant admitted to investigators that over 1,200 Bitcoins related to his NetWalker malware activities passed through his e-wallet and were shared with his unindicted co-conspirators and the developer of the NetWalker ransomware. As well, the Defendant admits that his entire ransomware activities involved over 2000 Bitcoins.”

    Canadian officials were only able to seize less than 720 Bitcoins from Vachon-Desjardins’ e-wallets and accounts because he managed to turn the stolen funds into Canadian dollars. In some instances he received bags of money ranging from $100,000 to $150,000. When he was arrested in January 2021, Vachon-Desjardins had about $640,000 in cash and $421,000 in his bank account.

    “The Defendant was not an insignificant actor in these and other offenses; he played a dominant, almost exclusive, role in these offenses and he assisted NetWalker and other affiliates by improving their ability to extort their victims and disguise their proceeds,” Renwick explained. “The Defendant has an unrelated criminal record for drug trafficking and he was sentenced to 3.5 years imprisonment in 2015 and 4.5 years imprisonment, last week; during the commission of these offenses, the Defendant was awaiting the disposition of some of his outstanding charges in Quebec.”

    One strange aspect of the report was Renwick’s preoccupation with Vachon-Desjardins’ physical appearance. He called Vachon-Desjardins “good-looking, presentable, and instantly likeable.”

    Vachon-Desjardins will have to pay restitution to some of the victims affected by his attacks. He will need to pay nearly $1 million to Cegep St. Felicien, $725,000 to Elite Group, more than $700,000 to Enterprise Robert Thibert and Travelers Ins. Co. of Canada as well as $206,737 to Ville de Montmagny. Windward Software Systems Inc. will get $91,966.02 and Endoceutics Inc. will get $72,503.43. The funds will be taken from the cryptocurrency that was seized during the raids on his home.

    Canadian ransomware expert Brett Callow said people often assume that ransomware actors are based in Russia or CIS countries, but this case demonstrates that they can be much closer to home. “Which isn’t surprising. Ransomware is a multi-billion dollar industry. North America has talent, criminals and talented criminals. It only makes sense that they’d be wanting in on the action, especially as cybercriminals operate with almost complete impunity,” said Callow, who works as a threat analyst at cybersecurity firm Emsisoft. “Or, at least, they did. That’s starting to change and arrests such as this will inevitably make some individuals consider whether they should get out while the going is good.”

  • SAP releases patches for ICMAD vulnerabilities, log4j issues, more

    Three vulnerabilities with CVSS scores of 10, 8.1 and 7.5 have been patched by SAP after being discovered by cybersecurity firm Onapsis. The patches were part of a group of 19 security notes released by the company about a range of security issues. Three of the vulnerabilities related to log4j and had a CVSS score of 10.

    The vulnerabilities found by Onapsis — dubbed “ICMAD” — allow attackers to execute serious malicious activities on SAP users, business information, and processes, which ultimately compromises unpatched SAP applications. The issues revolve around SAP’s Internet Communication Manager (ICM), a core component of many of their applications. ICM is the SAP component that enables HTTP(S) communications in SAP systems. Because ICM is exposed to the internet and untrusted networks by design, vulnerabilities in this component have an increased level of risk, the companies explained. JP Perez-Etchegoyen, CTO at Onapsis, told ZDNet that with a single request, an attacker could be able to steal every victim session and credentials in plain text and modify the behavior of the applications. “Abusing these vulnerabilities could be simple for an attacker as it requires no previous authentication, no necessary preconditions, and the payload can be sent through HTTP(S),” Perez-Etchegoyen said. SAP has released two security notes about the issues, and the Cybersecurity and Infrastructure Security Agency (CISA) issued its own notice urging customers to implement the patch. 

    “These vulnerabilities can be exploited over the internet and without the need for attackers to be authenticated in the target systems, which makes them very critical,” said Mariano Nunez, CEO and Co-founder of Onapsis. 

    He went on to explain that Onapsis Research Labs had been investigating HTTP request smuggling issues for the past year before discovering the SAP flaws. Threat actors, according to Onapsis, can use these HTTP smuggling techniques to deliver malicious payloads and exploit SAP Java or ABAP systems with an HTTP request that is indistinguishable from a valid message. The vulnerabilities can be exploited over the internet and before any authentication takes place, so multi-factor authentication controls do not mitigate them, Onapsis added.

    “SAP has partnered with Onapsis to maintain secure solutions for our global customer base,” said Richard Puckett, Chief Information Security Officer for SAP. “It is through collaboration with key partners like Onapsis that SAP can provide the most secure environment possible for our customers. We strongly encourage all SAP customers to protect their businesses by applying the relevant SAP security patches as soon as possible.”

    SAP said it is not aware of any data breaches resulting from exploitation of the vulnerabilities, but urged customers to apply the security notes. Onapsis released a free tool that SAP customers can use to scan their systems for affected applications.

    Aaron Turner, vice president at Vectra, said that the lesson of the March 2021 Hafnium attacks on on-premises Exchange servers is being replayed in the SAP ecosystem.

    “SAP servers are extremely rich targets, with significant access to material business processes and generally have multiple privileged credentials stored and used on those servers. With the Onapsis research, they have uncovered an exploit path that allows attackers to gain access to those privileged credentials to move laterally within the on-premises network and also pivot into the cloud, as most SAP customers have federated their legacy SAP workloads with cloud-based ones,” Turner said.

    “Just as Hafnium allowed attackers to pivot from on-prem Exchange to M365, this SAP attack path could allow the same. The SAP security updates will be critical ones to install, not just to protect those on-premises SAP servers but also any systems, on-prem or cloud, that may share credentials or trust relationships with those servers.”
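    The desync that HTTP request smuggling depends on, as an added example that is not Onapsis research code, not SAP code, and not an exploit for the SAP issues described above: two toy parsers in Python read the same bytes, one framing requests by Content-Length (the front-end) and one by Transfer-Encoding: chunked (the back-end), which is the classic CL.TE variant. The host name, paths, and cookie value are constructed for the example, and `is_ambiguously_framed` is a hypothetical front-end check, not a feature of any named product.

```python
"""Toy model of the desync behind HTTP request smuggling (CL.TE variant).

Added example: not Onapsis research code, not SAP code, not an exploit for the
SAP issues in the article. A front-end that frames requests by Content-Length
and a back-end that frames them by Transfer-Encoding: chunked read the same
bytes and disagree about where one request ends; whatever the back-end has
left over is prepended to the next client's request on that connection.
"""
from typing import Dict, List, Optional, Tuple

Request = Tuple[str, Dict[str, str], bytes]  # (request line, headers, bytes)

def parse_head(buf: bytes) -> Optional[Request]:
    """Split off request line and headers; None if the head is still incomplete.
    Header names are lower-cased; duplicate names collapse (a simplification)."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, rest

def frame_by_content_length(stream: bytes) -> Tuple[List[Request], bytes]:
    """Front-end behaviour: body length comes from Content-Length only."""
    requests: List[Request] = []
    while True:
        parsed = parse_head(stream)
        if parsed is None:
            return requests, stream  # incomplete head: keep the bytes, wait for more
        line, headers, rest = parsed
        n = int(headers.get("content-length", "0"))
        requests.append((line, headers, rest[:n]))
        stream = rest[n:]

def frame_by_chunked(stream: bytes) -> Tuple[List[Request], bytes]:
    """Back-end behaviour: Transfer-Encoding: chunked overrides Content-Length."""
    requests: List[Request] = []
    while True:
        parsed = parse_head(stream)
        if parsed is None:
            return requests, stream
        line, headers, rest = parsed
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body = b""
            while True:
                size_line, _, rest = rest.partition(b"\r\n")
                size = int(size_line.split(b";")[0].strip(), 16)  # chunk extensions ignored
                if size == 0:
                    rest = rest[2:]  # CRLF that closes the (empty) trailer section
                    break
                body, rest = body + rest[:size], rest[size + 2:]  # chunk data plus CRLF
        else:
            n = int(headers.get("content-length", "0"))
            body, rest = rest[:n], rest[n:]
        requests.append((line, headers, body))
        stream = rest

# Constructed traffic. Content-Length 36 covers every byte after the blank line,
# but the chunked body ends at "0\r\n\r\n", so the back-end treats the trailing
# "GET /admin ..." as the unfinished start of a second request.
ATTACKER_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Length: 36\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"X-Ignore: "
)
VICTIM_REQUEST = (
    b"GET /victim HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Cookie: session=victim-cookie\r\n"
    b"\r\n"
)

def simulate() -> dict:
    """Replay the attacker's request, then a victim's, through both framings."""
    front, front_pending = frame_by_content_length(ATTACKER_REQUEST)
    back, back_pending = frame_by_chunked(ATTACKER_REQUEST)
    front2, _ = frame_by_content_length(front_pending + VICTIM_REQUEST)
    back2, _ = frame_by_chunked(back_pending + VICTIM_REQUEST)
    return {
        "front_end_sees": [r[0] for r in front + front2],
        "back_end_sees": [r[0] for r in back + back2],
        "smuggled_prefix": back_pending,
        # the victim's request line was swallowed into X-Ignore; their cookie now rides on /admin
        "cookie_attached_to_admin": back2[0][1].get("cookie", ""),
    }

def is_ambiguously_framed(headers: Dict[str, str]) -> bool:
    """Hypothetical front-end check: a message carrying both Content-Length and
    Transfer-Encoding, or a Transfer-Encoding other than plain 'chunked', is the
    case RFC 7230 says ought to be handled as an error; refusing it denies the desync."""
    te = headers.get("transfer-encoding")
    if te is None:
        return False
    return "content-length" in headers or te.strip().lower() != "chunked"

if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value!r}")
```

    Run stand-alone, the front-end's view is `POST /` followed by `GET /victim`, while the back-end's view is `POST /` followed by `GET /admin` carrying the victim's session cookie: the front-end applied whatever access checks it has to a request it never actually delivered. Real deployments desync through many more variations (TE.CL, obfuscated Transfer-Encoding values, HTTP/2 downgrades), but the fix is the same in spirit as `is_ambiguously_framed`: the component in front must reject or normalise ambiguous framing rather than forward it.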


    Amid rumors of Microsoft acquisition, Mandiant reports Q4 revenue of $132 million

    Mandiant, one of the world’s largest security firms, beat Wall Street expectations for Q4 as the company adjusts following the sale of a major part of its business. The earnings report came as Bloomberg reported that Microsoft was considering acquiring the company.

    The company reported a loss per share of $0.10 for the quarter on revenue of $132.9 million. For the full fiscal year, Mandiant reported revenue of $483 million, a 21% increase year over year, and a non-GAAP net loss per share of 51 cents. Wall Street had expected a Q4 loss of $0.13 per share on revenue of $131.57 million. The report sent Mandiant’s shares down 2% in late trading.

    “We achieved a significant milestone in Q4, divesting the FireEye Products business and positioning Mandiant to deliver accelerating growth and extend our leadership position in expertise and intelligence,” said Kevin Mandia, CEO of Mandiant. “We are uniquely positioned to address an enormous market need and can concentrate all of our attention on helping organizations close their cyber security gap. We had record billings and revenue for Threat Intelligence and Consulting in the fourth quarter, and our overall performance highlights the early financial and operational success in the relaunch of our company.”

    Mandiant completed the sale of the FireEye Products business to McAfee Enterprise on October 8, 2021. Mandiant was split from the FireEye Products business last year in a June 2021 deal with a consortium led by Symphony Technology Group for $1.2 billion, dramatically changing the company’s outlook. The all-cash deal closed during the fourth quarter. FireEye had originally acquired Mandiant in 2013 for $1 billion. Mandiant said the deal separated FireEye’s network, email, endpoint and cloud security products from Mandiant’s software and services; FireEye Products and Mandiant Solutions continued to operate as one entity until the transaction closed. Symphony Technology Group and FireEye will maintain reselling and collaboration agreements.

    Mandia said in June that the deal was made because FireEye wanted to scale its software platforms, but the company projected that its products and related subscription and support revenue would fall 10% to 11% in 2021 compared to 2020.

    “The Mandiant Solutions business continued to deliver strong growth in revenue and annualized recurring revenue for the second quarter ended June 30, 2021,” Mandia said.

    For the first quarter of fiscal 2022, Mandiant expects a non-GAAP net loss of between 15 cents and 13 cents a share on revenue of between $128 million and $131 million. For the full 2022 fiscal year, the company expects a loss per share of between 38 cents and 36 cents on revenue of between $555 million and $565 million.

    In August, Mandia told investors that a quarter of its new Managed Defense customers were using Mandiant’s MDR services in conjunction with Microsoft’s Windows Defender endpoint security product. The two companies forged closer ties in April 2021 as Mandiant sought to disentangle itself from FireEye’s tools. In December 2020, the company disclosed that it had been the target of a massive international cyber-espionage campaign.



    Microsoft February 2022 Patch Tuesday: 48 bugs squashed, one zero-day resolved

    Microsoft has released 48 security fixes for its software, including a patch for one zero-day bug, but there are no critical-severity flaws on the list this month. In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) vulnerabilities, privilege escalation bugs, spoofing issues, information leaks, and security feature bypasses.


    Products impacted by February’s security update include the Windows Kernel, Hyper-V, Microsoft Outlook and Office, Azure Data Explorer, and Microsoft SharePoint.

    The single zero-day vulnerability, now patched by Microsoft, is CVE-2022-21989. Issued a CVSS severity score of 7.8, this publicly known bug can be exploited to escalate privileges via the Windows kernel. It has not been rated critical, however, because Microsoft says triggering the exploit “requires an attacker to take additional actions prior to exploitation to prepare the target environment.”

    Some of the other vulnerabilities of interest in this update are:

  • CVE-2022-21984 (CVSS 8.8): Windows DNS Server Remote Code Execution Vulnerability
  • CVE-2022-22005 (CVSS 8.8): Microsoft SharePoint Server Remote Code Execution Vulnerability
  • CVE-2022-23256 (CVSS 8.1): Azure Data Explorer Spoofing Vulnerability
  • CVE-2022-23274 (CVSS 8.3): Microsoft Dynamics GP Remote Code Execution Vulnerability

    According to the Zero Day Initiative (ZDI), the volume of fixes is roughly in line with past February releases, which, 2020 aside, have run to approximately 50 CVEs.

    Last month, Microsoft resolved six zero-day vulnerabilities in its first batch of security fixes for 2022. Those bugs could be exploited for purposes including man-in-the-middle (MitM) attacks, denial of service, spoofing, and remote code execution.

    A month prior, the tech giant tackled 67 security issues during December’s Patch Tuesday, including a zero-day bug that was being actively exploited by cybercriminals to spread Emotet malware. Other vendors have also published security updates alongside Microsoft’s Patch Tuesday round.