Most Attackers Need Less Than 10 Hours to Find Weaknesses | Microsoft Looks to Enable Practical Zero-Trust Security

Vulnerable configurations, software flaws, and exposed Web services allow hackers to find exploitable weaknesses in companies' perimeters in just hours, not days. [TechWeb]( Follow Dark Reading: [RSS]( September 29, 2022 LATEST SECURITY NEWS & COMMENTARY [Most Attackers Need Less Than 10 Hours to Find Weaknesses]( Vulnerable configurations, software flaws, and exposed Web services allow hackers to find exploitable weaknesses in companies' perimeters in just hours, not days. [Microsoft Looks to Enable Practical Zero-Trust Security With Windows 11]( With the update, Microsoft adds features to allow easier deployment of zero-trust capabilities. Considering the 1.3 billion global Windows users, the support could make a difference. [Fast Company CMS Hack Raises Security Questions]( The company's website remains offline after hackers used its compromised CMS to send out racist messages. [Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules]( The previously identified ransomware builder has veered in an entirely new direction, targeting consumers and business of all sizes by exploiting known CVEs through brute-forced and/or stolen SSH keys. [FBI Helping Australian Authorities Investigate Massive Optus Data Breach: Reports]( Initial reports suggest a basic security error allowed the attacker to access the company's live customer database via an unauthenticated API. [BlackCat/ALPHV Gang Adds Wiper Functionality as Ransomware Tactic]( Using its "Exmatter" tool to corrupt rather than encrypt files signals a new direction for financially motivated cybercrime activity, researchers say. [Fake Sites Siphon Millions of Dollars in 3-Year Scam]( A crime syndicate based in Russia steals millions of dollars from credit card companies using fake dating and porn sites on hundreds of domains to rack up fraudulent charges. [Malicious Apps With Millions of Downloads Found in Apple App Store, Google Play]( The ongoing ad fraud campaign can be traced back to 2019, but recently expanded into the iOS ecosystem, researchers say. [Despite Recession Jitters, M&A Dominates a Robust Cybersecurity Market]( Funding has been somewhat lower than last year, but investment remains healthy, analysts say, amid thirst for cloud security in particular. [App Developers Increasingly Targeted via Slack, DevOps Tools]( Slack, Docker, Kubernetes, and other applications that allow developers to collaborate have become the latest vector for software supply chain attacks. [Cyberattackers Compromise Microsoft Exchange Servers via Malicious OAuth Apps]( Cybercriminals took control of enterprise Exchange Servers to spread large amounts of spam aimed at signing people up for bogus subscriptions. [Developer Leaks LockBit 3.0 Ransomware-Builder Code]( Code could allow other attackers to develop copycat versions of the malware, but it could help researchers understand the threat better as well. [Time to Change Our Flawed Approach to Security Awareness]( Defend against phishing attacks with more than user training. Measure users' suspicion levels along with cognitive and behavioral factors, then build a risk index and use the information to better protect those who are most vulnerable. [4 Data Security Best Practices You Should Know]( There are numerous strategies to lessen the possibility and effects of a cyberattack, but doing so takes careful planning and targeted action. [Should Hacking Have a Code of Conduct?]( For white hats who play by the rules, here are several ethical tenets to consider. [Microsoft Rolls Out Passwordless Sign-on for Azure Virtual Desktop]( Azure says cloud-native single sign-on with a passwordless option is most-requested new AVD feature in the product's history. [CISA: Zoho ManageEngine RCE Bug Is Under Active Exploit]( The bug allows unauthenticated code execution on the company's firewall products, and CISA says it poses "significant risk" to federal government. [MORE NEWS /]( [MORE COMMENTARY]( HOT TOPICS [7 Metrics to Measure the Effectiveness of Your Security Operations]( SOC metrics will allow stakeholders to track the current state of a program and how it's supporting business objectives. [Neglecting Open Source Developers Puts the Internet at Risk]( From creating a software bill of materials for applications your company uses to supporting open source projects and maintainers, businesses need to step up their efforts to help reduce risks. [MORE]( EDITORS' CHOICE [Sophisticated Covert Cyberattack Campaign Targets Military Contractors]( Malware used in the STEEP#MAVERICK campaign features rarely seen obfuscation, anti-analysis, and evasion capabilities. LATEST FROM THE EDGE [Cyber Insurers Clamp Down on Clients' Self-Attestation of Security Controls]( After one company suffered a breach that could have been headed off by the MFA it claimed to have, insurers are looking to confirm claimed cybersecurity measures. LATEST FROM DR TECHNOLOGY [Time to Quell the Alarm Bells Around Post-Quantum Crypto-Cracking]( Quantum computing's impact on cryptography is not a cliff that we'll all be forced to jump off of, according to Deloitte. WEBINARS - [Threat Hunting Today: The Tools and Techniques That Get You Out in Front of Criminals]( Proactive "threat hunting" is becoming a more common practice for organizations who know it is no longer enough to detect threats and defend against them. Security teams are increasingly taking a more proactive approach--seeking out potential threats using analytical tools. ... - [Using Zero Trust to Protect Remote and Home Workers]( When COVID-19 hit, many organizations attempted to implement Zero Trust environments to protect their data from online threats presented by unsecured home office equipment. But these efforts were often temporary and not particularly effective. In this webinar, experts offer a ... [View More Dark Reading Webinars >>]( WHITE PAPERS - [How Machine Learning, AI & Deep Learning Improve Cybersecurity]( - [State of Ransomware Readiness: Facing the Reality Gap]( - [Top Cloud Threats to Cloud Computing: Pandemic Eleven]( - [Dark Reading: Close the Visibility Gap]( - [BotGuard for Streaming Service Case Study]( - [BotGuard for Denial of Inventory & Stockouts]( - [BotGuard Supplements CDN and WAF Case Study]( [View More White Papers >>]( FEATURED REPORTS - [Implementing Zero Trust In Your Enterprise: How to Get Started]( - [6 Elements of a Solid IoT Security Strategy]( - [Practical Network Security Approaches for a Multicloud, Hybrid IT World]( The report covers areas enterprises should focus on for their multicloud/hybrid cloud security strategy: -increase visibility over the environment -learning cloud-specific skills -relying on established security frameworks -re-architecting the network [View More Dark Reading Reports >>]( PRODUCTS & RELEASES [Malwarebytes Expands OneView Platform for MSPs]( [Illumio Introduces New Solution to Stop Endpoint Ransomware from Spreading Across the Hybrid Attack Surface]( [Jamf Announces Intent to Acquire ZecOps, to Provide a Market-Leading Security Solution for Mobile Devices as Targeted Attacks Continue to Grow]( [Adversaries Continue Cyberattacks with Greater Precision and Innovative Attack Methods According to NETSCOUT Report]( [Netography Upgrades Platform to Provide Scalable, Continuous Network Security and Visibility]( [Samsung Fails Consumers in Preventable Back-to-Back Data Breaches, According to Federal Lawsuit]( [Organizations Finding the Need for New Approaches on the Cybersecurity Front, CompTIA Research Reveals]( [Cyber Threat Alliance Extends Membership to 6+ Leading Cybersecurity Companies]( [MORE PRODUCTS & RELEASES]( CURRENT ISSUE [How Machine Learning, AI & Deep Learning Improve Cybersecurity]( [DOWNLOAD THIS ISSUE]( [VIEW BACK ISSUES]( Dark Reading Weekly -- Published By [Dark Reading]( Informa Tech Holdings LLC | Registered in the United States with number 7418737 | 605 Third Ave., 22nd Floor, New York, New York 10158, USA To opt-out of any future Dark Reading Weekly Newsletter emails, please respond [here.]( Thoughts about this newsletter? [Give us feedback.](mailto:ContactDarkReading@informa.com) Keep This Newsletter Out Of Your SPAM Folder Don't let future editions go missing. Take a moment to add the newsletter's address to your anti-spam white list: If you're not sure how to do that, ask your administrator or ISP. Or check your anti-spam utility's documentation. We take your privacy very seriously. Please review our [Privacy Statement.]( [© 2022]( | [Informa Tech]( | [Privacy Statement]( | [Terms & Conditions]( | [Contact Us](mailto:ContactDarkReading@informa.com)