With new vulnerabilities emerging daily and cyber threats becoming more sophisticated, organizations must evolve their cybersecurity strategies to protect their digital assets. One such strategy endorsed by a leading industry analyst firm is gaining traction with forward-thinking CISOs: Continuous Threat Exposure Management (CTEM). In this blog, we’ll explore the basics of CTEM, its benefits, and how it fits into modern cybersecurity strategies. 

What is Continuous Threat Exposure Management (CTEM)? 

Continuous Threat Exposure Management (CTEM) is a comprehensive framework or process designed to provide ongoing visibility and management of cybersecurity threats and vulnerabilities, putting greater priority on those that have greater business impact. No network will ever be perfect, and you can’t prevent or fix every single issue. CTEM emphasizes practical scoping, proactive threat discovery, continuous risk assessment and validation, and cross-team collaboration—to reduce both existing and future exposures. 

It’s important to note that with CTEM, “threat exposure” is not limited to vulnerabilities or external threats. An exposure is anything that puts an organization’s assets at risk. It could be an outdated password or firewall rule, a misconfigured router or gateway, an unknown device, a known vulnerability, or an unintended connection. It could be in on-premises, private cloud, public cloud, OT, or IoT environments. The sheer type and volume of exposures in today’s complex, hybrid networks are too many for overwhelmed teams to manage.   

A Fundamental Shift in Cybersecurity

Traditional cybersecurity strategies focus on event-based vulnerability management and periodic assessments. However, this type of episodic, reactive approach can leave significant gaps in protection, as threats evolve faster than many organizations can respond. 

CTEM represents a fundamental shift away from managing vulnerabilities based solely on severity or Common Vulnerability Scoring System (CVSS) scores. Instead of simply identifying and patching vulnerabilities, it takes into consideration the entire context of the exposure, including its exploitability, blast radius, and verified business impact to prioritize remediation efforts within the context of the business. As the term implies, Continuous Threat Exposure Management is a more continuous, holistic approach that encompasses dynamic threat assessment and response. 

The Five Stages of CTEM

Continuous Threat Exposure Management is a structured approach with five key stages, each critical to managing and mitigating cybersecurity threats effectively.

Stage 1 – Scoping (of business risks and relevant attack surfaces): This stage involves identifying the mission-critical priorities for the business, understanding the systems and processes involved, and determining risk owners and appetites. Scopes don’t limit the CTEM program’s reach but rather provide a means of organizing, reporting, and communicating exposure management work and results to senior leadership and business teams. Understanding the organization’s full attack surface, as well as that of individual scopes, helps put the broader concept of threat exposure management into meaningful business context. 

Stage 2 – Discovery (of all assets and threat exposures): This stage involves identifying all assets and connectivity (hidden and visible) and continuously assessing them for vulnerabilities and other exposures (known, unknown, and emerging). Running discovery against scopes outlined in the previous stage helps increase awareness of risks among relevant business teams and makes exposure management successes more impactful in later stages.  

Stage 3 – Prioritization (of exposure management work): In this stage, threat exposures of all types are prioritized, considering internal, external, business, and technical factors. Prioritization must go beyond CVSS scores and severity to include concepts of visibility, exploitability, asset criticality, and potential impact. Again, prioritization within and across defined scopes helps teams focus on high-business-value issues. 

Stage 4 – Validation (of exposure—and exposure management—viability/impact): In this stage, thinking like an attacker and verifying suggested remediation are key. Validating the exploitability of an exposure through virtual pentesting, red teaming, and attack path analysis—including the blast radius and further lateral movement—helps refine prioritization. Validating that proposed changes are feasible and won’t conflict with existing policies helps build the business case for remediation and collaboration. 

Stage 5 – Mobilization (of teams and stakeholders): While automated remediation makes sense for certain types of black-and-white issues, there is a lot of gray area in which stakeholders across teams must make decisions about how to address an exposure, whether that exposure is fixable or not. In this stage, communication and collaboration are key to documenting and operationalizing exposure management work for the (present and future) benefit of the entire organization. 

How RedSeal Supports the CTEM Process 

While the CTEM term might be relatively new or unfamiliar, the framework’s core principles have been at the heart of RedSeal’s approach for two decades. Since 2004, RedSeal has been pioneering network exposure management to close gaps in cybersecurity defenses on premises and in the cloud. Our hybrid network modeling technology is key to helping our customers know their networks better than their adversaries do.   

RedSeal integrates with hundreds of networking and security tools to simplify and accelerate the CTEM process, delivering a unique combination of capabilities from a single platform: 

1. Scoping: RedSeal models the entire connected network across public cloud, private cloud, and on-prem environments; then, it maps resources into physical/logical/custom topology groups to help organizations understand and organize their attack surface. This visualization helps stakeholders easily identify business-critical systems and assets and define scopes within their business context.
2. Discovery: RedSeal continuously identifies all assets and exposures, including those due to hidden assets, misconfigurations, unintended connections (direct and indirect), firewall rules, and policy violations, as well as known and unknown vulnerabilities. It also runs automated attack path analysis and compliance checks against external regulations/standards, internal policies, and best practices to keep exposure assessments current.
3. Prioritization: RedSeal considers a range of internal, external, business, and technical factors to assess risk and prioritize all exposures. Risk scores are calculated based on security controls, asset criticality, and vulnerability data—combined with unmatched network context, which includes the visibility, exploitability, exploitation potential, and potential impact of the exposure. Exposures with greater business impact take higher priority.
4. Validation: RedSeal runs virtual penetration tests to confirm the viability of exposure exploitation, analyze lateral movement (blast radius), and measure the impact of exposures. It validates vulnerability scans and security controls such as network segmentation and device configurations. Simulating what-if scenarios, the platform minimizes unforeseen complications when making changes to live environments.
5. Mobilization: Unlike any other platform on the market, RedSeal serves as the single source of truth for teams collaborating on CTEM. It delivers detailed remediation guidance, including an asset’s precise logical and physical location as well as access paths for containing unpatchable exposures. It also sends alerts directly to stakeholders when policy violations are detected and provides an executive-level dashboard and score to measure the CTEM program over time.  

Overall, the RedSeal network exposure management platform embodies the proactive, continuous cybersecurity model that CTEM advocates—and includes a comprehensive set of technical capabilities to accelerate the process. 

Accelerate CTEM with RedSeal 

Ultimately, Continuous Threat Exposure Management is about proactively mitigating threats and reducing risk. CTEM is not a standalone solution or any single tool but rather a comprehensive, coordinated process to enhance an organization’s overall protection and security posture. With the right level of visibility and collaboration among teams, a CTEM strategy can also inform and support more reactive and longer-term initiatives, such as incident response and digital resilience programs. 

By leveraging the capabilities of the RedSeal platform, organizations can significantly enhance their CTEM process, ensuring they stay ahead of cyber threats, mitigate risks efficiently, and safeguard their digital assets in an increasingly complex cyber environment. Contact us for a demo today. 

 

Updated Monday, August 26, 2024

This week, CISA issues warnings about Cisco device vulnerabilities, while APT42 targets U.S. presidential campaigns. A Tennessee man is arrested for aiding North Korean IT schemes, and a severe CPU flaw from AMD raises alarms. Plus, GPS spoofing hacks are grounding commercial airliners, researchers uncover flaws in Georgia’s voter portal, and ransomware operators exploit ESXi hypervisors for mass encryption. We’ve rounded up the highlights from this week’s headlines on critical issues shaping the digital security landscape.

 

CISA warns of actively exploited Cisco devices

CISA has warned organizations about threat actors exploiting improperly configured Cisco devices, specifically targeting the legacy Cisco Smart Install (SMI) feature. Malicious hackers are acquiring system configuration files, which can lead to network compromises. CISA noted the continued use of weak password types on Cisco devices, making them vulnerable to password cracking attacks. Additionally, Cisco disclosed critical vulnerabilities in their end-of-life Small Business SPA IP phones, which can be remotely exploited but will not receive patches. (SecurityWeek)

 

Iran’s APT42 targets US presidential campaigns

Google’s Threat Analysis Group (TAG) has published a report on the Iran-aligned threat actor APT42’s targeting of US presidential campaigns. Google confirms that APT42 has targeted both the Trump and Biden-Harris campaigns with spearphishing attacks: “In May and June, APT42 targets included the personal email accounts of roughly a dozen individuals affiliated with President Biden and with former President Trump, including current and former officials in the U.S. government and individuals associated with the respective campaigns. We blocked numerous APT42 attempts to log in to the personal email accounts of targeted individuals.” TAG adds that the group “successfully gained access to the personal Gmail account of a high-profile political consultant.” The researchers note that APT42 has also ramped up its phishing attacks against users in Israel, targeting “people with connections to the Israeli military and defense sector, as well as diplomats, academics, and NGOs.” (Google)

 

Tennessee man arrested for alleged participation in North Korean employment scheme

The US Justice Department has arrested a man in Nashville, Tennessee, for allegedly helping North Korean IT workers get remote jobs at companies in the US and the UK. Matthew Isaac Knoot is accused of running a “laptop farm” to make the North Korean workers appear as if they were located in the US. The Justice Department stated, “The victim companies shipped laptops addressed to ‘Andrew M.’ to Knoot’s residences. Following receipt of the laptops, and without authorization, Knoot logged on to the laptops, downloaded and installed unauthorized remote desktop applications, and accessed the victim companies’ networks, causing damage tqqq o the computers. The remote desktop applications enabled the North Korean IT workers to work from locations in China, while appearing to the victim companies that ‘Andrew M.’ was working from Knoot’s residences in Nashville. For his participation in the scheme, Knoot was paid a monthly fee for his services by a foreign-based facilitator who went by the name Yang Di.”

The Justice Department says North Korea’s remote IT workers “have been known individually earn up to $300,000 annually, generating hundreds of millions of dollars collectively each year, on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK’s UN-prohibited WMD programs.” (DOJ)

 

Researchers find flaws in Georgia voter portal

Security researcher Jason Parker alerted ProPublica and Atlanta News First of a flaw in a portal run by the Georgia Secretary of State’s Office. This would allow someone to submit a voter cancellation request for anyone in the state. Parker said they attempted to contact the Secretary of State’s Office but did not receive a response. The portal launched on July 29th and already garnered attention for exposing driver’s license numbers.  Parker found that by inspecting the portal’s source HTML, anyone could delete code requiring them to submit a driver’s license number and proceed to request a voter cancellation. The state eventually patched the issues, but security researcher Zach Edwards told ProPublica “It’s shocking to have one of these bugs occur on a serious website.” (ProPublica)

 

AMD SinkClose flaw helps install nearly undetectable malware

A warning from chip maker AMD about a high-severity CPU vulnerability which has been named SinkClose. The vulnerability affects multiple generations of its EPYC, Ryzen, and Threadripper processors, and allows attackers with Kernel-level (Ring 0) privileges to gain Ring -2 privileges and install malware that becomes nearly undetectable. For context, “Ring -2 is one of the highest privilege levels on a computer, running above Ring -1 (used for hypervisors and CPU virtualization) and Ring 0, which is the privilege level used by an operating system’s Kernel.” SinkClose has apparently passed undetected for almost 20 years.(BleepingComputer)

 

Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption

Microsoft has also uncovered a vulnerability in ESXi hypervisors which it says is being exploited by “several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors.” The vulnerability “involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation.” Microsoft has disclosed the findings to VMware, and recommends that administrators apply the updates released by VMware. (Microsoft)

 

GPS spoofers hack clocks on commercial airliners

The relatively recent phenomenon of GPS spoofing involves hackers modifying GPS signals used by commercial airlines to navigate. The technique is also used to disorient drones and missiles in conflict zones. But now, according to Ken Munro, founder of British cybersecurity firm Pen Test Partners, and speaking recently at DEF CON, the technology is being used to change the times and dates on the clocks in aircraft cockpits, sometimes by years, Causing the plane to lose access to its digitally-encrypted communication systems, and requiring them to be grounded for weeks while engineers manually reset their onboard systems. (Reuters)

 

At Defcon, researchers reveal significant vulnerabilities in Google’s Quick Share

At Defcon 32, researchers Or Yair and Shmuel Cohen from SafeBreach revealed significant vulnerabilities in Google’s Quick Share, a peer-to-peer file transfer utility for Android, Windows, and Chrome OS. Quick Share uses various protocols like Bluetooth and Wi-Fi Direct, but these were not originally designed for file transfers. The researchers identified ten vulnerabilities, including a critical Remote Code Execution (RCE) flaw on Windows systems, dubbed QuickShell. This RCE exploit combines five of the vulnerabilities, allowing attackers to bypass security controls and take full control of target devices. The flaws also enable attackers to force file downloads and hijack Wi-Fi connections. Google has acknowledged the seriousness of these issues, assigning CVEs to two of the vulnerabilities. (Hack Read)

 

U.S. operation of “laptop farm” for North Korea shutdown

Tennessee resident Matthew Isaac Knoot has been arrested for allegedly running a ‘laptop farm’ to help North Korean IT workers secure remote jobs with American companies. Here’s how the scheme worked: Knoot would steal the identities of U.S. citizens and pose as U.S.-based IT professionals. Once hired, the company would send the work laptop to Knoot’s home, which he then gave the North Koreans access to, allowing them to log in remotely. If convicted, Knoot could face up to 20 years in prison, including a mandatory minimum of two years for aggravated identity theft. (Security Week)

 

Millions on the line as AI Teams advance in security challenge

Ninety teams competed at DEF CON over the weekend in the Artificial Intelligence Cyber Challenge hosted by the U.S. government’s Defense Advanced Research Projects Agency (DARPA) to develop autonomous tools that can find and fix vulnerabilities in open-source software. Twenty-two unique vulnerabilities were discovered in major open-source programs like the Linux kernel, with 15 automatically patched.  The seven finalists are now tasked with building out their AI systems before the final competition at the 2025 DEF CON, with nearly $30 million up for grabs in prize money. (CyberScoop)

 

South Korean government says North Korean hackers stole tank and spy plane information

The South Korean government says North Korean hackers stole sensitive information on South Korea’s tanks and spy planes, BleepingComputer reports. The spy plane data was reportedly stolen from a South Korean defense contractor that produces operating manuals for military equipment. BleepingComputer cites local media reports as saying that “the leakage of the K2 tank data occurred when engineers working on one of the tank’s part makers moved to a competing company, taking along with them in external storage drives design blueprints, development reports, and details about the tank’s overpressure system.” (People Power Party, Bleepingcomputer)

 

NIST finalizes post-quantum encryption standards 

On Tuesday, the National Institute of Standards and Technology (NIST) published three new encryption algorithms to bolster global cybersecurity efforts against future attacks using quantum technologies. The new standards are designed for general encryption and digital signatures. The algorithms, called FIPS 203, FIPS 204, and FIPS 205, are published to NIST’s post-quantum cryptography (PQC) project website. Head of the PQC project, Dustin Moody, urges security practitioners to immediately begin using the new algorithms to keep their data secure. (Dark Reading)

 

Orion loses $60 million in BEC scam

Luxembourg-based company, Orion, who is a leading supplier of carbon black, a material used to make tires, ink, batteries, and plastics was tricked into making several wire transfers through a Business Email Compromise (BEC) attack. According to documents filed with the Securities and Exchange Commission (SEC), a non-executive employee “was the target of a criminal scheme that resulted in multiple fraudulently induced outbound wire transfers to accounts controlled by unknown third parties.” Orion expects to record “a one-time pre-tax charge of approximately $60 million.” if the funds are not recovered. (The Record)

 

Azure AI health bot infected with critical vulnerabilities

Multiple privilege escalation issues in Microsoft Azure’s cloud-based Health Bot service exposed the platform to server-side request forgery (SSRF) and access to cross-tenant resources. The Azure AI Health Bot Service enables healthcare organizations to build their own virtual health assistants to interact with patients and manage administrative workloads. Depending on the nature of the integration, the chatbots could potentially have privileged access to extremely sensitive health information. Researchers at Tenable, who identified the issues said, though Microsoft quickly patched the vulns, they showcase inherent concerns about chatbot risks. (Dark Reading)

 

Palo Alto Networks patches several vulnerabilities

Palo Alto Networks has issued patches for several vulnerabilities, including the high-severity CVE-2024-5914, which affects the Cortex XSOAR product. This flaw allows unauthenticated attackers to execute commands within certain configurations. Patches are available starting with version 1.12.33. Additionally, updates were released for Prisma Access Browser, addressing over 30 vulnerabilities in the Chromium-based browser. Two medium-severity flaws were also patched, impacting PAN-OS and the GlobalProtect app. Palo Alto Networks is not aware of any active exploitation of these vulnerabilities. (SecurityWeek)

 

Microsoft patches zero-click RCE vulnerability

Microsoft has issued a patch for a zero-click remote code execution vulnerability (CVE-2024-38063) that affects all Windows machines using IPv6, which is enabled by default, BleepingComputer reports. Microsoft says “[a]n unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution.” The vulnerability was discovered by a researcher at Kunlun Lab, who noted that the bug is triggered before the packet reaches the Windows firewall. There’s no evidence of exploitation so far, but Microsoft has given the flaw its “Exploitation more likely” label. Users are urged to update Windows as soon as possible or disable IPv6 until patches can be applied. (Bleepingcomputer)

 

Massive cyberattack hits Central Bank of Iran and other Iranian banks

News agency Iran International has reported a massive cyberattack that has disrupted the operations of the Central Bank of Iran (CBI) along with several other banks in the country, disabling the computer systems of many banks in the country. As reported in Security Affairs, “this incident coincides with intensified international scrutiny of Iran’s operations in the Middle East,” amid announcement from Tehran regarding attacks on Israel as well as its widely reported attempts to influence the upcoming U.S. Presidential election. According to the news agency, this is one of the largest cyberattacks on Iran’s state infrastructure to date. (Security Affairs)

 

Kim Dotcom to be extradited from New Zealand

After a 12-year fight, the infamous Kit Dotcom is being extradited to the U.S. to face criminal charges relating to the operations of his now closed file-sharing website Megaupload. Dotcom, whose real name is Kim Schmitz, holds Finnish and German nationalities and has been living in New Zealand, and has faced numerous charges since the mid-1990s for computer fraud, data espionage, and many other nefarious activities. U.S. authorities say, “Dotcom and three other Megaupload executives cost film studios and record companies more than $500 million by encouraging paying users to store and share copyrighted material, which generated more than $175 million in revenue for the website.” (Reuters)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

Start your week in the know.

Last week’s cyber headlines bring news from Delta Air Lines CEO Ed Bastian stating the recent CrowdStrike outage cost the company $500 million in damages plus CrowdStrike is also being sued by shareholders over the outage. In healthcare news—OneBlood, a major blood donation nonprofit, sustained a ransomware attack disrupting its operations, and has asked hospitals to activate critical blood shortage protocols. Additionally, researchers in the Netherlands report a significant increase in cyberattacks on the shipping industry, with 64 incidents in 2023 compared to just three in 2013. HealthEquity is notifying 4.3 million people of a data breach that compromised personal and health information due to a third-party vendor. A phishing campaign dubbed “EchoSpoofing” exploited weak permissions in Proofpoint’s email protection service, sending millions of fake emails impersonating Fortune 100 companies.

All this and more on this week’s Cyber News Roundup.

 

South Korea investigates reported military intelligence leak

South Korea is investigating a leak that reportedly exposed the identities of its military intelligence agents, the New York Times reports. South Korean media reported that the leak, which includes the identities of agents operating under civilian cover, may have reached North Korea. NK News cites sources as saying the leak is believed to have occurred “through a personal laptop belonging to a military-civilian public servant in the DIC’s overseas operations department.” The owner of the laptop claims the device was hacked, in which case they would still be guilty of storing classified information on a personal device. Seoul’s defense ministry said in a statement, “[T]he matter is currently under investigation by military authorities, so we cannot provide detailed explanations. Based on the investigation results, the military will handle the matter strictly according to the law and regulations.” (NYT)

 

Cyberattacks in the shipping industry

Researchers at the Netherlands’ NHL Stenden University of Applied Sciences warn that the shipping industry is facing a significant increase in cyberattacks, the Financial Times reports. The sector saw sixty-four attacks in 2023, compared to just three a decade earlier in 2013. More than 80 percent of cyberattacks since 2001 were tied to a known threat actor tied to Russia, China, North Korea, or Iran. (FT)

 

4.3 million impacted by HealthEquity data breach

One of the largest HSA providers in the U.S., HealthEquity, is in the process of notifying 4.3 million people that their personal and health information was compromised. The company disclosed that the breach was attributed to a third-party vendor and that threat actors stole PII, including names, social security numbers, and payment information. While HealthEquity did not name the compromised vendor, those impacted should expect to be notified early next month. (Security Week), (Bleeping Computer)

 

Proofpoint exploit allows for millions of fake emails 

This phishing campaign was reeling in the big boys. Dubbed “EchoSpoofing,” this massive phishing campaign exploited now-fixed weak permissions in Proofpoint’s email protection service. The emails impersonated Fortune 100 companies like Disney, Nike, IBM, and Coke, with an average of 3 million fake emails sent daily. It wasn’t easy deciphering these fake emails; they included properly configured Sender Policy Framework and DomainKeys Identified Mail signatures to make the emails look authentic. The sec urity gap was discovered in May and has since been fixed, though Bleeping Computer reports the campaign reached a peak of 14 million emails in early June. (Bleeping Computer)

 

PatchNow: CISA adds two ServiceNow critical RCE bugs to catalog

A threat actor has claimed to have harvested email addresses and associated hashes from over 105 ServiceNow databases by exploiting two critical vulnerabilities,  (CVE-2024-4879 and CVE-2024-5217). These vulnerabilities, with CVSS scores of 9.3 and 9.2, respectively, have been actively exploited and are now being sold for $5,000. The US Cybersecurity and Infrastructure Security Agency (CISA) has added these flaws to its known exploited vulnerabilities catalog, mandating federal agencies patch it by August 19. (Dark Reading)

 

WhatsApp for Windows allows Python to run wild

A security flaw in the latest version of WhatsApp for Windows allows execution of Python and PHP attachments without warning when opened, Bleeping Computer reports.  This primarily affects users with Python already installed, like developers and researchers. The issue is similar to a previous Telegram vulnerability. Despite blocking several risky file types, WhatsApp does not block Python scripts, which can be executed directly from the app. Security researcher Saumyajeet Das discovered this vulnerability and reported it to Meta, but the issue was dismissed as non-applicable. Das criticized this decision, suggesting that simply adding the relevant file extensions to WhatsApp’s blocklist could prevent exploitation. WhatsApp advises users not to open files from unknown sources and has no current plans to fix the issue, leaving users vulnerable to potential attacks. (Bleepingcomputer)

 

Dark Angels receives record-breaking ransom payment

A new report from Zscaler ThreatLabz has revealed that an unnamed company paid a record-breaking $75 million ransom payment to the Dark Angels ransomware gang. Zscaler did share that the company was in the Fortune 50 and that the attack occurred in early 2024. The record-breaking ransom payment was further confirmed on X by crypto intel company, Chainalysis. One Fortune 50 company that suffered a cyberattack back in February is pharmaceutical giant Cencora, ranked #10 on the list. Cencora has not confirmed it made this particular payment. DarkAngels launched in May 2022 and is known for “big game hunting” and using Windows and VMware ESXi ransomware encryptors. Previously, the largest known ransom payment was $40 million shelled out back in 2021 by insurance giant, CNA. (Bleeping Computer)

 

Microsoft services go down… again

On Tuesday, Microsoft once again found itself grappling with service outages, this time seemingly unrelated to Crowdstrike. These issues appear to have affected Microsoft 365 admin center, Intune, Entra, Power Platform, and Power BI in addition to reports of lagging authentication requests taking up to 10 minutes to complete. The company acknowledged the issues and said the outage was caused by an “unexpected usage spike” that “resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds.” Security expert Kevin Beaumont speculated that the issues may have been caused by a botnet-generated, distributed denial of service (DDoS) attack. (ZDNet and Bleeping Computer)

 

CISA warns of actively exploited ServiceNow vulnerabilities

CISA has also added two critical ServiceNow vulnerabilities (CVE-2024-4879 and CVE-2024-5217) to its KEV Catalog, requiring FCEB agencies to patch the flaws by August 19th, the Record reports. ServiceNow issued patches for the vulnerabilities in May and June, and threat actors have been attempting to exploit them since a proof-of-concept exploit was released earlier this month. According to Resecurity, the vulnerabilities “enable unauthenticated remote attackers to execute arbitrary code within the Now Platform, potentially leading to compromise, data theft, and disruption of business operations.” (The Record)

 

Ransomware gangs are exploiting VMware ESXi flaws

Microsoft has warned that several ransomware actors are exploiting a vulnerability (CVE-2024-37085) in ESXi hypervisors that can be used to obtain full administrative permissions. VMware has issued patches for the flaw. Microsoft stated, “Microsoft security researchers identified a new post-compromise technique utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks. In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments. The technique includes running the following commands, which results in the creation of a group named ‘ESX Admins’ in the domain and adding a user to it.” The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to apply patches by August 20th. (Broadcom)

 

Delta dishes on CrowdStrike damages

Just yesterday we mentioned that Delta Air Lines began lawyering up for legal action against CrowdStrike. In an update, Delta CEO Ed Bastian laid out the stakes on CNBC for any potential legal action, saying it cost the company $500 million in damages. This accounts for the lost revenue from the outage as well as compensation and hotels for stranded passengers. Delta canceled over 5,000 flights over a five-day period due to the outage, more than all cancelations in 2019. The outage also sparked an investigation by the US Department of Transportation. Bastian said the company has “no choice” but to seek damages from CrowdStrike. (CNBC)

 

CrowdStrike sued by shareholders over outage

CrowdStrike’s shareholders have filed a lawsuit against the company over last week’s outage, accusing CrowdStrike of making “false and misleading” statements about its software testing, the BBC reports. CrowdStrike has denied the allegations and says it will defend itself. Delta Air Lines is also planning to sue CrowdStrike for compensation, CNBC reports. Delta estimates that the outage cost the airline up to $500 million after 7,000 flights were canceled. The company has hired high-profile attorney David Boies to handle the suit. (BBC, CNBC)

 

Ransomware attack disrupts US blood donation nonprofit

OneBlood, a major nonprofit blood donation organization operating in the southeastern US, has sustained a ransomware attack that’s disrupting its ability to provide blood to hospitals, the Record reports. Susan Forbes, OneBlood’s senior vice president of corporate communications, said in a statement, “We have implemented manual processes and procedures to remain operational. Manual processes take significantly longer to perform and impacts inventory availability. In an effort to further manage the blood supply we have asked the more than 250 hospitals we serve to activate their critical blood shortage protocols and to remain in that status for the time being.”

OneBlood added, “To help augment their supply the national blood community is rallying to assist OneBlood and the hospitals and patients it serves. Blood centers across the country are sending blood and platelets to OneBlood, and the AABB Disaster Task Force is coordinating national resources to assist with additional blood products being sent to OneBlood. All blood types are needed, but there is an urgent need for O Positive, O Negative and Platelet donations.” According to CBS News, OneBlood serves 355 hospitals across Florida, Georgia, and the Carolinas. (The Record, CBS)

 

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts.

In today’s rapidly evolving digital landscape, organizations face an ever-increasing number of cyber threats. As highlighted by recent industry reports, traditional network operations solutions often fall short in providing the necessary visibility and control to manage and mitigate these threats effectively. This gap underscores the critical importance of comprehensive attack surface management (ASM) solutions.

Why Network Operation Solutions Fall Short

Limited Visibility and Context

Traditional network management tools are primarily designed to monitor and maintain network performance. While they excel at identifying performance bottlenecks and ensuring operational uptime, they often lack the ability to provide a complete and continuous view of an organization’s attack surface. This limitation becomes especially pronounced in complex, multi-cloud environments where assets are dispersed across various platforms and locations.

Incomplete Asset Inventories

Effective attack surface management begins with a comprehensive and up-to-date inventory of all digital assets. This includes not only the assets themselves but also their locations, the software they run, access permissions, and associated security controls. Traditional tools frequently struggle to maintain such detailed inventories, particularly in dynamic environments where assets and configurations are continually changing.

Inadequate Risk Prioritization

Identifying vulnerabilities is only the first step in securing an organization’s digital environment. The real challenge lies in prioritizing these vulnerabilities based on their potential impact. Traditional network management solutions often lack the advanced analytics required to assess and prioritize risks effectively. This can lead to inefficient use of resources and leave critical vulnerabilities unaddressed.

Performance Over Security

Many network operations solutions are primarily focused on ensuring network performance and availability. While these are important aspects of IT management, they do not address the dynamic and evolving nature of cyber threats. Effective cybersecurity requires a proactive approach that includes continuous monitoring, risk assessment, and the implementation of robust security measures.

The RedSeal Advantage

At RedSeal, we understand the complexities and challenges associated with managing an organization’s attack surface. Our platform provides the comprehensive visibility and contextual intelligence needed to secure your digital environment effectively.

Comprehensive Network Visualization

RedSeal offers detailed network visualization, allowing organizations to see their entire network, including cloud and on-premises environments. This holistic view is crucial for identifying and managing all assets, understanding access paths, and ensuring that security controls are properly implemented.

Continuous Monitoring and Risk Assessment

Our platform continuously monitors the network for changes and potential vulnerabilities. By maintaining an up-to-date inventory of all assets and their configurations, RedSeal keeps organizations ahead of evolving threats. Advanced analytics enable the prioritization of vulnerabilities based on their potential impact, ensuring that resources are used efficiently to address the most critical risks first.

Proactive Security Measures

At RedSeal, we proactively implement and maintain robust security measures for customers, including network segmentation, access control, and the continuous monitoring of security policies. This proactive stance reduces the attack surface and mitigates the risk of cyberattacks.

Continuous Compliance

RedSeal safeguards a full range of critical compliance and governance requirements with over 125 built-in integrations, ensuring adherence to external requirements, internal policies, and best practices.

In the face of increasingly sophisticated cyber threats, traditional network operations solutions are often inadequate for comprehensive attack surface management. RedSeal is the advanced and critical platform needed to visualize, monitor, and secure your entire digital environment effectively. By leveraging RedSeal’s platform, an organization’s cybersecurity posture is significantly enhanced, attack path surfaces are reduced, and critical assets are protected against cyber threat.