More stories

  • in

    Palo Alto Networks Q2 results beat estimates

    Palo Alto Networks delivered better-than-expected second quarter financial results on Monday. The cybersecurity firm reported non-GAAP Q2 earnings of $154.2 million, or $1.55 a share, on revenue of $1 billion, up from $816.7 million a year ago.

    Analysts were expecting the security-software vendor to report earnings of $1.43 a share on revenue of $985.68 million.
    The company’s Q2 billings grew to $1.2 billion, up 22% from the same period last year, while its deferred revenue rose 30% year over year to $4.2 billion.
    “The momentum in the business continues to be strong, with second quarter revenue growth of 25% year over year to over 1 billion USD, driven by strong execution across the board,” said Palo Alto Networks CEO Nikesh Arora. “Events like the SolarStorm attack highlight the importance of cybersecurity, and Palo Alto Networks is well positioned to protect our customers with best-of-breed solutions. We are excited about the bets that we have made in SASE, Cloud and AI. Our three-platform strategy is paying off.”
    In terms of guidance, Palo Alto expects third quarter EPS in the range of $1.27 to $1.29 and revenue in the range of $1.05 billion to $1.06 billion. The guidance is roughly in line with Wall Street’s consensus for EPS of $1.28 a share and revenue of $1.05 billion.
    For the year the company expects revenue to range from $4.15 billion to $4.20 billion, with non-GAAP net income per share in the range of $5.80 to $5.90. The EPS guidance incorporates net expenses related to the company’s proposed acquisition of Bridgecrew, using 99 million to 101 million shares.
    The company’s stock fell more than 3% in after-hours trading.


  • in

    FireEye links 0-day attacks on FTA servers & extortion campaign to FIN11 group

    The attacks using zero-days in Accellion FTA servers that have hit around 100 companies across the world in December 2020 and January 2021 have been carried out by a cybercrime group known as FIN11, cyber-security firm FireEye said today.
    During the attacks, the hackers exploited four security flaws to compromise FTA servers and install a web shell named DEWMODE, which they then used to download files stored on victims’ FTA appliances.
    “Out of approximately 300 total FTA clients, fewer than 100 were victims of the attack,” Accellion said in a press release today. “Within this group, fewer than 25 appear to have suffered significant data theft.”
    But FireEye says that some of these 25 customers have now received ransom demands following the attacks on their FTA file-sharing servers.
    The attackers reached out via email and asked for Bitcoin payments, or they’d publish the victims’ data on a “leak site” operated by the Clop ransomware gang.

    FireEye, which has been helping Accellion investigate these attacks, said the attacks had been linked to two activity clusters the company tracks as UNC2546 (the zero-day exploitation on FTA devices) and UNC2582 (the emails sent to victims threatening to publish data on the Clop ransomware leak site).
    Both groups have infrastructure overlaps with FIN11, a major cybercrime gang that FireEye discovered and documented last year, which has its fingers in various forms of cybercrime operations.

    FireEye says that despite the fact that FIN11 operators are now publishing data from Accellion FTA customers on the Clop ransomware leak site, these companies haven’t had any part of their internal network encrypted but are rather victims of a classic name-and-shame extortion scheme.
    Security podcast Risky Business spotted the Accellion FTA companies on the Clop ransomware leak site last week, even before the FireEye report published today. Companies that had their data listed on the Clop site so far include the likes of:
    Other companies that have reported network breaches due to attacks on their FTA servers (but have not had data leaked on the Clop site) also include the likes of:
    Accellion to retire the old FTA servers
    But while Accellion’s response to these attacks was slow at first, the company is now firing on all cylinders.
    Since the attacks began, the company has released several waves of patches for the bugs exploited in the attacks and has also announced its intention to retire the old FTA server software later this year, on April 30, 2021.
    The company is now actively urging its customers to update to its newer Kiteworks product, which superseded the old FTA server, a file-sharing tool developed in the early 2000s that allowed companies a simple way to share files with employees and customers, at a time before products like Dropbox or Google Drive were largely available.
    Because of the amount of data uploaded to these servers, which were often built with few security features in mind, FTA systems have become a prime target for attackers.
    Accellion hopes companies understand the risks they now face and choose to update to its newer line of products instead, rather than have sensitive files such as trade secrets, intellectual property, or personal data leak online.

  • in

    Data protection fines could be pushed to 2022 in Brazil

    A bill has been put forward to propose the postponement of the enforcement of fines for non-compliance with data protection regulations in Brazil.
    The country’s General Data Protection Law (LGPD, in the Portuguese acronym) came into force in September 2020, with sanctions for non-compliance ranging from warnings to daily fines of up to 50 million reais (US$ 9 million), in addition to a partial or total suspension of activities related to data processing.
    The sanctions will be applicable from August 2021 by the newly-formed National Data Protection Authority, and the bill put forward on Friday (18) proposes to postpone the penalties to January 2022. The challenges imposed by the Covid-19 pandemic are the main argument of congressman Eduardo Bismarck, who authored the bill, noting that the novel coronavirus is a major barrier for compliance.

    Bismarck noted that delaying the financial sanctions is needed in order to avoid “burdening companies in the face of the enormous difficulties arising from the pandemic”.
    “We cannot expect that all the companies working with data processing will have managed to adapt to the norms foreseen in the LGPD by August 2021, since they do not even have the economic conditions to stay afloat amid this chaotic scenario of world crisis”, the congressman pointed out.
    The bill follows the emergence of two major data protection scandals in 2021: the exposure of personal data of over 220 million citizens in January, and a leak discovered earlier this month, which exposed over 102 million mobile phone accounts.
    Most Brazilian companies have not increased their investments in information and cyber security since the Covid-19 pandemic emerged despite an increase in threats, according to a study by Marsh and Microsoft on perceptions of cybersecurity risk in Latin America since the start of the crisis.

    Despite the increase in security threats, 56% of the Brazilian companies polled currently invest 10% or less of their IT budget in cybersecurity. According to the study, 52% of Brazilian organizations said investment in security has not changed since the start of the pandemic.

  • in

    Powerhouse VPN products can be abused for large-scale DDoS attacks

    Botnet operators are abusing VPN servers from VPN provider Powerhouse Management to bounce and amplify junk traffic as part of DDoS attacks.
    This new DDoS vector has been discovered and documented by a security researcher who goes online as Phenomite, who shared his findings with ZDNet last week.
    The researcher said the root cause of this new DDoS vector is a yet-to-be-identified service that runs on UDP port 20811 on Powerhouse VPN servers.
    Phenomite says that attackers can ping this port with a one-byte request, and the service will often respond with packets that are up to 40 times the size of the original packet.
    Since these packets are UDP-based, they can also be crafted with a spoofed source IP address. This means an attacker can send a single-byte UDP packet to a Powerhouse VPN server, which amplifies it and sends the reply to the IP address of the DDoS victim, in what security researchers call a reflected/amplified DDoS attack.
    Attacks already detected in the wild
    Both Phenomite and ZDNet have reached out to Powerhouse Management to notify the company about its products’ behavior, seeking to ensure that a patch is deployed to its servers that would prevent its VPN infrastructure from being abused in future DDoS attacks.
    However, the company has not responded to any of our emails.

    Furthermore, we also learned today that threat actors have also discovered this DDoS attack vector, which they have already weaponized in real-world attacks, some of which have reached as much as 22 Gbps, sources have told ZDNet.
    Around 1,520 Powerhouse VPN servers ready to be abused
    According to a scan performed by Phenomite last week, currently, there are around 1,520 Powerhouse servers that expose their 20811 UDP port, meaning they can be abused by DDoS threat groups.
    While servers are located all over the world, most vulnerable systems appear to be “in the UK, Vienna, and Hong Kong,” the researcher told ZDNet.
    Until Powerhouse fixes this leak, the researcher has recommended that companies block any traffic that comes from the VPN provider’s networks (AS21926 and AS22363) or block any traffic where “srcport” is 20811.
    The second solution is recommended, as it doesn’t block legitimate VPN traffic from all Powerhouse VPN users but only “reflected” packets that are most likely part of a DDoS attack.
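The two mitigations above differ in what they catch. The following added example (not the researcher’s or ZDNet’s code) runs both filters over constructed flow records so the difference is visible: the ASN block drops a legitimate VPN session along with the reflector, while the source-port block drops only the reflected replies. Port 20811 and AS21926/AS22363 come from the article; the CSV flow layout, the addresses and the ASN 64496/64512 values are constructed sample data.

```python
"""Filtering reflected traffic from an exposed UDP service (added example).

Port 20811 and the provider ASNs AS21926/AS22363 are from the article; the
flow-record layout and the records themselves are constructed sample data.
"""
import csv
import io

REFLECTOR_PORT = 20811          # UDP port of the amplifying service
PROVIDER_ASNS = {21926, 22363}  # Powerhouse networks named in the article

# Constructed flow records (hypothetical CSV layout, one flow per line).
SAMPLE_FLOWS = """\
proto,src_ip,src_port,dst_ip,dst_port,bytes,packets,src_asn
udp,203.0.113.10,20811,198.51.100.5,443,40000,1000,21926
udp,203.0.113.11,20811,198.51.100.5,53,40800,1000,64496
tcp,203.0.113.12,443,198.51.100.5,51000,1500,10,21926
udp,192.0.2.7,53,198.51.100.5,41000,512,4,64512
"""


def parse_flows(text):
    """Parse the CSV above into dicts with numeric fields converted."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        for field in ("src_port", "dst_port", "bytes", "packets", "src_asn"):
            row[field] = int(row[field])
    return rows


def blocked_by_asn(flow):
    # Option 1: drop all traffic from the provider's ASNs. Catches the reflector
    # but also the legitimate VPN session from 203.0.113.12.
    return flow["src_asn"] in PROVIDER_ASNS


def blocked_by_srcport(flow):
    # Option 2 (the recommended one): drop only UDP whose source port is the
    # reflector port. Reflected replies carry it; normal VPN traffic does not.
    return flow["proto"] == "udp" and flow["src_port"] == REFLECTOR_PORT


def flagged_sources(flows, policy):
    """Return the source IPs a given policy ("asn" or "srcport") would block."""
    check = {"asn": blocked_by_asn, "srcport": blocked_by_srcport}[policy]
    return [f["src_ip"] for f in flows if check(f)]


def amplification_factor(flow, probe_bytes=1):
    """Average reply size per packet relative to the probe that elicited it."""
    return flow["bytes"] / flow["packets"] / probe_bytes


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for policy in ("asn", "srcport"):
        print(policy, flagged_sources(flows, policy))
    print("amplification of first flow:", amplification_factor(flows[0]))
```

Run against real flow exports, the `srcport` policy is the one to deploy on an edge ACL; the `asn` policy is shown only to make the collateral damage the article mentions concrete.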
    Phenomite’s discovery adds to a long list of new DDoS amplification vectors disclosed over the past three months. Previous disclosures included the likes of:

  • in

    Python programming language hurries out update to tackle remote code vulnerability

    The Python Software Foundation (PSF) has rushed out Python 3.9.2 and 3.8.8 to address two notable security flaws, including one that is remotely exploitable but in practical terms can only be used to knock a machine offline. 

    PSF is urging its legion of Python users to upgrade systems to Python 3.8.8 or 3.9.2, in particular to address the remote code execution (RCE) vulnerability that’s tracked as CVE-2021-3177. 
    The project expedited the release after receiving unexpected pressure from some users who were concerned over the security flaw. 
    “Since the announcement of the release candidates for 3.9.2 on 3.8.8, we received a number of inquiries from end users urging us to expedite the final releases due to the security content, especially CVE-2021-3177,” said the Python release team.
    “This took us somewhat by surprise since we believed security content is cherry-picked by downstream distributors from source either way, and the RC releases provide installers for everybody else interested in upgrading in the meantime,” PSF said.
    “It turns out that release candidates are mostly invisible to the community and in many cases cannot be used due to upgrade processes which users have in place.”

    Python 3.x through to 3.9.1 has a buffer overflow in PyCArg_repr in ctypes/callproc.c, which may lead to remote code execution. 
    It affects Python applications that “accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param.”
    The bug occurs because “sprintf” is used unsafely. The impact is broad because Python is pre-installed with multiple Linux distributions and Windows 10.  
    Various Linux distributions, such as Debian, have been backporting the security patches to ensure the built-in versions of Python are shielded. 
    The vulnerability is a common type of memory flaw. Per Red Hat, a stack-based buffer overflow in Python’s ctypes module improperly validated the input passed to it, “which would allow an attacker to overflow a buffer on the stack and crash the application.”
    While a remote code execution vulnerability is bad news, Red Hat notes that the “highest threat from this vulnerability is to system availability.” In other words, an attacker would likely only be able to pull off a denial of service attack.
    “Our understanding is that while the CVE is listed as “remote code execution”, practical exploits of this vulnerability as such are very unlikely due the following conditions needing to be met for successful RCE,” said the PSF. 
    “To be sure, denial of service through malicious input is also a serious issue. Thus, to help the community members for whom the release candidate was insufficient, we are releasing the final versions of 3.9.2 and 3.8.8 today,” the organization added. 
    The other flaw is tracked as CVE-2021-23336 and concerns a web cache poisoning vulnerability by “defaulting the query args separator to &, and allowing the user to choose a custom separator.” 


  • in

    Forgot password? Five reasons why you need a password manager

    For years, I’ve been reading predictions about new technologies that will render passwords obsolete. Then I click through and inspect the details and I wind up shaking my head. There are plenty of clever identity technologies working their way into the mainstream, but passwords will remain a necessary evil for many years to come.
    And unless you want to be a sitting duck on the Internet, you need a strategy for managing those passwords. Large organizations can create sensible password policies and use single-sign-on software, but small businesses and individuals are on their own.
    As best practices go, the rules for creating passwords are simple: Use a random combination of numbers, symbols, and mixed-case letters; never reuse passwords; turn on two-factor authentication if it’s available.

    There’s some disagreement on whether you should change passwords regularly. I think there’s a valid case to be made for changing passwords every year or so for sites that contain important data, if only to avoid being innocently caught up in a database breach.
    And, as far as I am concerned, the most important rule of all is use a password manager.
    I have used several software-based password managers over the years and can’t imagine trying to get through the day without one.
    I know people who keep password lists in an encrypted file of some sort. That’s exactly what a software-based password manager does. But that’s where the resemblance stops.

    In this article, I explain why I consider a password manager essential. I also tackle some of the arguments I routinely hear from skeptics.
    The case for password managers
    You can choose from dozens of third-party password manager apps and services, both commercial and open source. Despite some differences in user experience, they are all similar in their core features. On a PC running Windows or Linux, on a Mac running MacOS, or on a mobile device, you install an app that manages a database containing sets of credentials (usernames, passwords, and other required details). The contents of the database are protected with AES-256 encryption. To unlock the password database, you enter a decryption key (your master password) that only you know, and then allow the program to fill in the saved credentials so you can sign in on a webpage or app.
    As an alternative, you can use the built-in password management tools built into your browser. (For a full discussion, see Password managers: Is it OK to use your browser’s built-in password management tools?) Architecturally, these designs are similar to third-party tools, except that they’re designed to work in a single browser ecosystem. They’re an adequate choice (and certainly better than nothing!), but third-party solutions are more robust.
    Password managers that sync your password database to the cloud use end-to-end encryption. The data is encrypted before it leaves your device, and it stays encrypted as it’s transferred to the remote server. When you sign in to the app on your local device, the program sends a one-way hash of the password that identifies you but can’t be used to unlock the file itself.
    The companies that manage and sync those saved files don’t have access to the decryption keys. In fact, if the developers have done their job properly, your master password isn’t stored anywhere. It’s your job to safeguard that secret, and if you forget the decryption key, you’re out of luck. Even with the most powerful computing resources, there’s no practical way to crack an AES-256 encrypted file that’s protected with a strong personal key.
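The split described in the two paragraphs above, one key that unlocks the vault and never leaves the device versus a separate one-way hash the sync server sees, is the following added example (not any product’s code). The construction, PBKDF2-HMAC-SHA256 for the vault key and a second single-iteration PBKDF2 over that key for the login hash, is an assumption modelled on common designs; the `SyncServer` class, the iteration count and the user name are constructed for the demonstration, and the AES-256 encryption of the vault itself is left out because it needs a third-party library.

```python
"""Master-password handling in a synced password manager (added example).

The server stores only a salt and a login hash per user; the vault key is
derived locally and is never transmitted. Scheme is an assumption modelled
on common designs, not a named product's implementation.
"""
import hashlib
import hmac
import os

KDF_ITERATIONS = 200_000  # illustrative work factor, not a product's setting


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """32-byte key suitable for AES-256; computed on the device only."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, KDF_ITERATIONS, dklen=32
    )


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One-way hash sent to the sync server to identify the user.

    It is derived from the key, so possessing it yields neither the key nor
    the master password.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


class SyncServer:
    """Constructed stand-in for the provider: holds no decryption key."""

    def __init__(self):
        self.users = {}

    def register(self, user: str, salt: bytes, login_hash: bytes) -> None:
        self.users[user] = (salt, login_hash)

    def salt_for(self, user: str) -> bytes:
        return self.users[user][0]

    def authenticate(self, user: str, login_hash: bytes) -> bool:
        # constant-time comparison so timing does not leak the stored hash
        return hmac.compare_digest(self.users[user][1], login_hash)


def enroll(server: SyncServer, user: str, master_password: str) -> bytes:
    """Client-side account creation; returns the local vault key."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    server.register(user, salt, derive_login_hash(key, master_password))
    return key


def unlock(server: SyncServer, user: str, master_password: str):
    """Client login: the vault key on success, None on a wrong password."""
    salt = server.salt_for(user)
    key = derive_vault_key(master_password, salt)
    if not server.authenticate(user, derive_login_hash(key, master_password)):
        return None
    return key


if __name__ == "__main__":
    srv = SyncServer()
    key = enroll(srv, "alice", "correct horse battery staple")
    print("unlock ok:", unlock(srv, "alice", "correct horse battery staple") == key)
    print("wrong password:", unlock(srv, "alice", "Tr0ub4dor&3"))
```

The point to check in any real product is the same one the test below checks: nothing the server stores equals, or can be turned into, the vault key.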
    That architecture offers five distinct advantages over a DIY solution.


    1) Browser Integration
    Most password managers include browser extensions that automatically prompt you to save credentials when you create a new account or sign in using those credentials for the first time on a device. That browser integration also allows you to automatically enter credentials when you visit a matching website and to update the saved credentials when you change your password.
    Contrast that approach with the inevitable friction of a manual list. You don’t need to find a file and add a password to it to save a new or changed set of credentials, and you don’t need to find and open that same file to copy and paste your password.
    2) Password Generation
    Every password manager worth its salted hash includes a password generator capable of instantly producing a truly random, never-before-used-by-you password. If you don’t like that password, you can click to generate another. You can then use that random password when creating a new account or changing credentials for an existing one.
    Most password managers also allow you to customize the length and complexity of a generated password so you can deal with sites that have peculiar password rules.
    With the possible exceptions of John Forbes Nash, Jr., and Raymond Babbitt, mere mortals are not capable of such feats of randomization.
    3) Phishing Protection
    Integrating a password manager with a browser is superb protection against phishing sites. If you visit a site that has managed to perfectly duplicate your bank’s login page and even mess with the URL display to make it look legit, you might be fooled. Your password manager, on the other hand, won’t enter your saved credentials, because the URL of the fake site doesn’t match the legitimate domain associated with them.
    That phishing protection is probably the most underrated feature of all. If you manage passwords manually, by copying and pasting from an encrypted personal file, you will paste your username and password into the respective fields on that well-designed fake page, because you don’t realize it’s fake.
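Sections 2) and 3) above describe two behaviours that are easy to get subtly wrong: a generator that honours per-site character rules, and autofill that refuses to release credentials unless the page’s origin matches the saved one. The following added example (not code from any password manager) implements both with the standard library. The vault entries, host names and the `site_key` matching rule (scheme, host and explicit port must all match) are assumptions made for the demonstration.

```python
"""Password generation and origin-matched autofill (added example).

The vault below is constructed sample data; in a real manager it lives in
the AES-256 encrypted database the article describes.
"""
import secrets
import string
from urllib.parse import urlsplit

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{}"


def generate_password(length=20, use_upper=True, use_digits=True, use_symbols=True):
    """Random password from the OS CSPRNG, at least one char per enabled class."""
    classes = [LOWER]
    if use_upper:
        classes.append(UPPER)
    if use_digits:
        classes.append(DIGITS)
    if use_symbols:
        classes.append(SYMBOLS)
    if length < len(classes):
        raise ValueError("length too short for the requested character classes")
    chars = [secrets.choice(cls) for cls in classes]          # guarantee coverage
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                      # hide class positions
    return "".join(chars)


def site_key(url):
    """Normalise a URL to (scheme, host, explicit port); None if unusable.

    urlsplit() separates userinfo from the host, so a lookalike such as
    https://www.bank.example@evil.test resolves to host evil.test.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname.lower().rstrip("."), parts.port)


# Constructed vault entries (hypothetical hosts).
VAULT = [
    {"url": "https://www.bank.example", "username": "alice", "password": "s3cret-one"},
    {"url": "https://mail.example.org", "username": "alice@example.org", "password": "s3cret-two"},
]


def credentials_for(page_url, vault=VAULT):
    """Entries whose saved origin exactly matches the page; [] for lookalikes."""
    key = site_key(page_url)
    if key is None:
        return []
    return [entry for entry in vault if site_key(entry["url"]) == key]


if __name__ == "__main__":
    print(generate_password(16))
    print(generate_password(12, use_symbols=False))
    for url in ("https://www.bank.example/login",
                "https://www.bank.example.evil.test/login",
                "https://www.bank.example@evil.test/login",
                "http://www.bank.example/login"):
        print(url, "->", [e["username"] for e in credentials_for(url)])
```

Note that the scheme is part of the match, so a plain-http copy of a site saved under https gets nothing either; a real manager would also handle subdomain policy and mobile app identifiers, which this example omits.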
    4) Cross Platform Access
    Password managers work across devices, including PCs, Macs, and mobile devices, with the option to sync your encrypted password database to the cloud. Access to that file and its contents can be secured with biometric authentication and 2FA.
    By contrast, if you manage passwords in an encrypted file that’s saved locally, you have to manually copy that file to other devices (or keep it in the cloud in a location under your personal control), and then make sure the contents of each copy stay in sync. More friction.
    5) Surveillance Safeguard
    Password managers generally offer good protection against “shoulder surfing.” An attacker who’s able to watch you type, either live or with the help of a surveillance camera, can steal your login credentials with ease. Password managers never expose those details.
    Is there a case against password managers?
    Even armed with those arguments, when I make that recommendation to other people, I typically hear the same excuses. Honestly, though, none of them hold up to scrutiny.
    “I already have a perfectly good system for managing passwords.”
    Usually, this system involves reusing an easy-to-remember base password of some sort, tacking on a special suffix or prefix attached to that base on a per-site basis. The trouble with that scheme is that those passwords aren’t random, and if someone figures out your pattern, they pretty much have a skeleton key to unlock everything. And a 2013 research paper from computer scientists at the University of Illinois, Princeton, and Indiana University, The Tangled Web of Password Reuse, demonstrated that attackers can figure out those patterns very, very quickly.
    More importantly, this sort of scheme doesn’t scale. Eventually it collides with the password rules at a site that, say, doesn’t allow special characters or restricts password length. (I know, that’s nuts, but those sites exist.) Or a service forces you to change your password and won’t accept your new password because it’s too close to the previous one and now you have another exception to your system that you have to keep track of.
    And so you wind up keeping an encrypted list of passwords that are not exactly unique and not exactly random, and not at all secure. Why not just use software built for this purpose?
    “If someone steals my password file, they have all my passwords.”
    No, they don’t. They have an AES-256 encrypted blob that is, for all intents and purposes, useless gibberish. The only way to extract its secrets is with the decryption key, which you and you alone know.

    Of course, this assumes you’ve followed some reasonable precautions with that decryption key. Specifically, that you’ve made it long enough, that it can’t be guessed even by someone who knows you well, and that you’ve never used it for anything else. And if you’ve enabled multi-factor authentication, you’ve given a password thief one more very large hurdle to get over.
    If you need a strong and unique password, you can generate one at correcthorsebatterystaple.net, which uses the surprisingly secure methodology from this classic XKCD cartoon. Other high-quality random password generators are available from 1Password, LastPass, and Random.org.
    You definitely shouldn’t write that key down on a sticky note or a piece of paper in your desk drawer, either. But you might want to write down that password and store it in a very safe place or with a very trusted person, along with instructions for how to use it to unlock your password file in the event something happens to you.
    “I don’t trust someone else to store my passwords on their server.”
    I understand the instinctive reaction that allowing a cloud service to keep your full database of passwords must be a horrifying security risk. Like anything cloud-related, there’s a trade-off between convenience and security, but that risk is relatively low if the service follows best practices for encryption and you’ve set a strong master password.
    But if you just don’t trust the cloud, you have alternatives.
    Several of the password managers I’ve looked at offer the option to store a local-only copy of your AES-256 encrypted file, with no sync features whatsoever. If you choose that option, you’ll have to either forgo the option to use your password manager on multiple sites or devise a way to manually sync those files between different devices.
    As a middle ground, you can use a personal cloud service to sync your password files. 1Password, for example, supports automatic syncing to both Dropbox and iCloud, ensuring that you’re protected even if one of those services is compromised.
    “I’m not a target.”
    Yes, you are.
    If you’re a journalist working on security issues, or an activist in a country whose leaders don’t approve of activism, or a staffer on a high-profile political campaign, or a contractor that communicates with people in sensitive industries, you’re a high-value target. Anyone who fits in one of those categories should take opsec seriously, and a password manager is an essential part of a well-layered security program.
    But even if you’re not an obvious candidate for targeted attacks, you can be swept up in a website breach. That’s why Have I Been Pwned? exists. It’s easy enough for a compromised website to force you to reset your password, minimizing the risk of that breach, but if you’ve used that same combination of credentials elsewhere, you’re at serious risk. And no matter how careful you are, you’re always at risk of being fooled into handing over your credentials in a well-designed phishing attack.
    Which password manager is right for you?
    Any password manager solution is better than none.
    The simplest solution is to use the password management tools built into your default browser or operating system. That option works especially well for anyone who is technically unsophisticated, has a limited number of credentials to store, and uses hardware and services from a single ecosystem. If you’re setting things up for a friend or relative who has a Mac and an iPhone, for example, Apple’s Keychain will suffice. Those who live in Google’s ecosystem can probably get by with Chrome’s password manager.

    For those whose computing life is more complicated, a third-party solution is most appropriate.
    Although most commercial programs offer a free tier, that option typically involves unacceptable limitations, such as a restriction on the number and type of devices you can use or the number of credentials you can save. A noteworthy exception is Bitwarden, a free, open source app whose free tier has no such limitations.
    For personal use, most full-featured commercial options cost a few dollars per month; family subscriptions typically cost a bit more but allow five or six family members to share a subscription. These paid plans usually offer some more advanced features as well, including support for hardware-based authentication and the ability to share passwords securely.
    Finally, most commercial password managers include business plans that allow central administration and robust organizational sharing and security. As a bonus, some business plans include free personal licenses so employees can manage personal passwords using the same tools they use for business.
    We’ve put together a list of the best free and paid options here: Best Password Manager in 2021. Each entry in this list includes pricing details as well as a link to security information. Every paid program offers a free trial, and we strongly recommend taking advantage of those trials to see if a program is right for you.


  • in

    Stored XSS bug in Apple iCloud domain disclosed by bug bounty hunter

    A stored cross-site scripting (XSS) vulnerability in the iCloud domain has reportedly been patched by Apple. 

    Bug bounty hunter and penetration tester Vishal Bharad claims to have discovered the security flaw, which is a stored XSS issue in icloud.com. 
    Stored XSS vulnerabilities, also known as persistent XSS, can be used to store payloads on a target server, inject malicious scripts into websites, and potentially be used to steal cookies, session tokens, and browser data. 
    According to Bharad, the XSS flaw in icloud.com was found in the Page/Keynotes features of Apple’s iCloud domain. In order to trigger the bug, an attacker needed to create new Pages or Keynote content with an XSS payload submitted into the name field.  
    This content would then need to be saved and either sent or shared with another user. An attacker would then be required to make a change or two to the malicious content, save it again, and then visit “Settings” and “Browser All Versions.”  
    After clicking on this option, the XSS payload would trigger, the researcher said.  
    Bharad also provided a Proof-of-Concept (PoC) video to demonstrate the vulnerability. 

    The researcher disclosed the bug to Apple on August 7, 2020. The report was accepted and Bharad received a $5000 financial reward for his efforts on October 9. 
    Bug bounty programs, such as those offered by HackerOne and Bugcrowd, remain a popular method for external researchers to report security issues to technology vendors. In 2020 alone, Google paid bug bounty hunters $6.7 million for their reports. 
    ZDNet has reached out to Apple for comment and will update when we hear back.
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

  • in

    Chinese hackers cloned attack tool belonging to NSA’s Equation Group

    Chinese threat actors “cloned” and used a Windows zero-day exploit stolen from the NSA’s Equation Group for years before the privilege escalation flaw was patched, researchers say. 

    On Monday, Check Point Research (CPR) said the tool was a “clone” of software developed by the US National Security Agency (NSA)’s Equation Group, identified by Kaspersky in 2015 and described as “one of the most sophisticated cyberattack groups in the world.”
    Thought to be active since at least 2001, Equation Group has since been linked to the US intelligence agency’s Tailored Access Operations (TAO) unit. 
    The Shadow Brokers hacking group released tools and files belonging to Equation Group in 2017, some of which were used to exploit previously-unknown bugs in popular systems including Microsoft Windows — forcing vendors to issue a flurry of emergency patches and fixes to render the exploit tools useless. 
    In the same year, Microsoft released a patch for CVE-2017-0005, a zero-day vulnerability in Windows XP to Windows 8 operating systems that could be used for privilege escalation and full system compromise.
    Originally, it was thought that a tool created to exploit CVE-2017-0005 was the work of a Chinese advanced persistent threat group (APT) dubbed APT31, also known as Zirconium.
    However, Check Point now says that the tool, called Jian, was actually a clone of software used by Equation Group and was being actively utilized between 2014 and 2017 — years before the vulnerability was patched — and was not a custom build by the Chinese threat actors. 

    According to the researchers, Jian is a clone of “EpMe,” which was also included in the 2017 Shadow Brokers “Lost in Translation” leak and was “repurposed” to attack US citizens. 
    “Both exploit versions for APT31’s “Jian” or Equation Group’s “EpMe” are intended for […] elevating the privileges of the attacker in the local Windows environment,” CPR says. “The tool is used after an attacker gains initial access to a target computer — say, via zero-click vulnerability, phishing email, or any other option — to give the attacker the highest available privileges, so they could “roam free” and do whatever they like on the already infected computer.”
    The team notes that Lockheed Martin reported CVE-2017-0005 to Microsoft, which they say is a “rather unusual” footnote in the investigation. 
    “To our knowledge, this is the only vulnerability they [Lockheed Martin] reported in recent years,” Check Point says. “It is possible that one of their clients, or even Lockheed Martin itself, was targeted by this actor.”
    It is believed that APT31 obtained access to both the 32- and 64-bit versions of Equation Group’s exploit module. While the researchers cannot be sure how the Chinese APT acquired the exploit, it may have been captured during an Equation Group attack on a Chinese target. Alternatively, the tool may have been stolen while Equation Group was present on a network also being monitored by APT31, or during a direct attack by APT31 on Equation Group systems.
    The investigation into Jian also exposed a module containing four privilege escalation exploits that were part of Equation Group’s DanderSpritz post-exploitation framework. 
    Two of the exploits in the framework, dating back to 2013, were zero-day flaws. One of the exploits was EpMe, whereas another, dubbed “EpMo,” appears to have been quietly patched in May 2017 by Microsoft as a follow-up fix in response to the Shadow Brokers leak but was not assigned a CVE. The remaining code names are EIEi and ErNi.
    This is not the only example of a Chinese APT stealing and repurposing Equation Group tools. In another case documented by Symantec in 2019, APT3 “Buckeye” was linked to attacks using Equation Group tools in 2016, prior to the Shadow Brokers leak. 
    While Buckeye appeared to dissolve in mid-2017, the tools were used until 2018 — but it is not known whether or not they were passed on, or to whom.
    Update 17.55 GMT: A Lockheed Martin spokesperson told ZDNet:

    “Our cybersecurity team routinely evaluates third-party software and technologies to identify vulnerabilities and responsibly report them to developers and other interested parties. Leveraging our Intelligence Driven Defense approach, we have responsibly reported more than 100 zero-day vulnerabilities to multiple vendors over the past six years.”
