<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Network Security Archives - My TechDecisions</title>
	<atom:link href="https://mytechdecisions.com/category/network-security/feed/" rel="self" type="application/rss+xml" />
	<link>https://mytechdecisions.com/category/network-security/</link>
	<description>The end user’s first and last stop for making technology decisions</description>
	<lastBuildDate>Mon, 02 Feb 2026 01:50:07 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://mytechdecisions.com/wp-content/uploads/2017/03/cropped-TD-icon1-1-32x32.png</url>
	<title>Network Security Archives - My TechDecisions</title>
	<link>https://mytechdecisions.com/category/network-security/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>ASCII Edge 2026 Unveils Speaker Lineup for MSP-Focused Conference Series</title>
		<link>https://mytechdecisions.com/news-1/ascii-edge-2026-conference-dates-speaker-lineup-msp-focused-conference-series/</link>
					<comments>https://mytechdecisions.com/news-1/ascii-edge-2026-conference-dates-speaker-lineup-msp-focused-conference-series/#respond</comments>
		
		<dc:creator><![CDATA[TD Staff]]></dc:creator>
		<pubDate>Fri, 23 Jan 2026 01:44:04 +0000</pubDate>
				<category><![CDATA[IT Infrastructure]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[ASCII Edge 2026]]></category>
		<category><![CDATA[Carolyn April]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[James Gadomski]]></category>
		<category><![CDATA[MSP]]></category>
		<category><![CDATA[The ASCII Group]]></category>
		<guid isPermaLink="false">https://mytechdecisions.com/?p=51486</guid>

					<description><![CDATA[<p>Editor’s Note: Another version of this article originally appeared on our sister-site Commercial Integrator on January 6, 2026. It has since been updated for My TechDecisions’ audience. The ASCII Group, the vendor-neutral community for managed service providers (MSPs) in North America, has unveiled the speaker lineup for its highly anticipated ASCII Edge 2026 conference series. This multi-city event [&#8230;]</p>
<p>The post <a href="https://mytechdecisions.com/news-1/ascii-edge-2026-conference-dates-speaker-lineup-msp-focused-conference-series/">ASCII Edge 2026 Unveils Speaker Lineup for MSP-Focused Conference Series</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>Editor’s Note: <span class="cf0">Another version of this article originally appeared on our sister-site </span></em><a href="https://www.commercialintegrator.com/news/epiphan-video-ec20-ptz-camera/145801/" target="_blank" rel="noopener"><span class="cf0">Commercial Integrator </span></a><em><span class="cf0">on January 6, 2026. It has since been updated for My TechDecisions’ audience.</span></em></p>
<p><a href="https://www.ascii.com/" target="_blank" rel="noopener">The ASCII Group,</a> the vendor-neutral community for managed service providers (MSPs) in North America, has unveiled the speaker lineup for its highly anticipated ASCII Edge 2026 conference series. This multi-city event is designed to empower MSP business owners through peer-driven education, hands-on workshops and community engagement.</p>
<p>Scheduled to take place in eight cities across the United States and Canada, ASCII Edge 2026 aims to foster in-person learning and candid discussions among MSPs. The series reflects The ASCII Group’s decades-long commitment to supporting the MSP community with practical insights and real-world expertise.</p>
<p>The 2026 conference will feature keynote addresses from <a href="https://www.history.com/shows/the-bermuda-triangle-into-cursed-waters/cast/jimmy-gadomski" target="_blank" rel="noopener">James Gadomski, a shipwreck treasure hunter and History Channel personality</a>, and <a href="https://www.linkedin.com/in/carolyn-april-90894233/" target="_blank" rel="noopener">Carolyn April, vice president of research and market intelligence at GTIA</a>. In addition to these high-profile speakers, the event will include sessions led by industry experts and experienced ASCII member MSPs. Notable speakers include Emily Tell of IdeaTilt, Wayne Hunter of Avtek Solutions, and Joe Rojas of Start Grow Manage, who will cover topics such as AI adoption, revenue strategies, and market differentiation.</p>
<p>The program also includes interactive workshops and peer discussions. One highlight is a Day 1 workshop presented by <a href="https://www.kaseya.com/" target="_blank" rel="noopener">Kaseya</a>, which will focus on helping MSPs leverage underutilized marketing development funds to drive measurable pipeline results. Additional workshops are expected to be announced in the coming months.</p>
<p>“ASCII Edge has always been about bringing the right people into the room,” said Jerry Koutavas, CEO of The ASCII Group. “When MSPs come together to share openly and learn from one another, they gain clarity and confidence in the decisions they’re making. That’s what ASCII Edge is designed to deliver.”</p>
<p>For more information about ASCII Edge 2026, including event details and registration, visit <a href="https://events.ascii.com/" target="_blank" rel="noopener">events.ascii.com.</a></p>
<p>The post <a href="https://mytechdecisions.com/news-1/ascii-edge-2026-conference-dates-speaker-lineup-msp-focused-conference-series/">ASCII Edge 2026 Unveils Speaker Lineup for MSP-Focused Conference Series</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://mytechdecisions.com/news-1/ascii-edge-2026-conference-dates-speaker-lineup-msp-focused-conference-series/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Universities Face Rising IoT Security Risks Amid Device Growth</title>
		<link>https://mytechdecisions.com/news-1/universities-face-rising-iot-security-risks-amid-device-growth/</link>
					<comments>https://mytechdecisions.com/news-1/universities-face-rising-iot-security-risks-amid-device-growth/#respond</comments>
		
		<dc:creator><![CDATA[Shankar Somasundaram]]></dc:creator>
		<pubDate>Mon, 04 Aug 2025 14:29:17 +0000</pubDate>
				<category><![CDATA[Facility]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Campus Safety]]></category>
		<category><![CDATA[data breaches]]></category>
		<category><![CDATA[IoT]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://mytechdecisions.com/?p=51436</guid>

					<description><![CDATA[<p>Note: The views expressed by guest bloggers and contributors are those of the authors and do not necessarily represent the views of, and should not be attributed to, My TechDecisions. Universities are filling up with network-connected devices. Smart locks manage building access. HVAC systems run on automated controls. Cameras stream to command centers. Vending machines, printers, thermostats, [&#8230;]</p>
<p>The post <a href="https://mytechdecisions.com/news-1/universities-face-rising-iot-security-risks-amid-device-growth/">Universities Face Rising IoT Security Risks Amid Device Growth</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><strong><em>Note: </em><em>The views expressed by guest bloggers and contributors are those of the authors and do not necessarily represent the views of, and should not be attributed to, My TechDecisions.</em></strong></p>
<p>Universities are filling up with network-connected devices. Smart locks manage building access. HVAC systems run on automated controls. Cameras stream to command centers. Vending machines, printers, thermostats, research tools and classroom displays all connect to the network. The Internet of Things (<a href="/tag/IOT">IoT</a>) is everywhere.</p>
<p>These devices are often invisible to most of campus life, quietly making things run more smoothly. But for IT and security teams, they represent a rapidly growing liability. Each device is a potential entry point for an attacker looking for a path of least resistance. And too often, universities don’t even know what their IoT landscape actually looks like.</p>
<h2>The Expanding IoT Footprint in Higher Ed</h2>
<p>A modern institution of higher education operates more like a small city than a school. Hundreds of buildings may be tied into the same digital infrastructure, and each department brings its own tools and purchase preferences. Devices arrive from dozens of manufacturers and run software that is rarely standardized. The result is an unmanaged sprawl of smart systems, all connected and all potentially vulnerable.</p>
<p>The first security problem is that many, if not most, institutions still lack a complete inventory of their connected devices. Traditional discovery strategies often miss IoT assets because they communicate over obscure or proprietary protocols. Even when devices <em>are</em> visible, IT teams often don’t know what software they’re running or whether they’ve received recent updates.</p>
<p>The risks become clearer when you consider what these devices actually do. Connected door locks and building systems affect physical security, lab equipment and research infrastructure support time-sensitive or grant-funded work, and classroom technology and signage shape the student experience. Each of these categories carries risk not just to data, but to operations.</p>
<h2>Digital Breaches Can Have Physical Security Consequences</h2>
<p>Security breaches on campus no longer stop at stolen data, but have the potential to disrupt real-world systems. In a worst-case scenario, that puts people at risk. A compromised building automation system might allow an attacker to disable alarms or unlock secured areas. Access to HVAC systems could shut down ventilation in research facilities or residence halls. Camera systems might be hijacked to track movement or manipulate surveillance records.</p>
<p>These kinds of intrusions were once theoretical. Today, they are plausible and increasingly documented across sectors.</p>
<p>Universities are particularly exposed because they tend to maintain more open and flexible networks than traditional corporate environments. Academic freedom often requires fewer restrictions on network access, and many devices end up getting deployed without central IT involvement. Security policies may vary between departments or not exist at all for operational technologies.</p>
<h2>Traditional Campus Security Strategies Miss the Mark</h2>
<p>Most campus security stacks are built around endpoints like laptops and servers, but IoT devices are fundamentally different. They typically run stripped-down operating systems that don’t support endpoint agents. Many come with hardcoded credentials that users cannot change. Firmware updates are inconsistent or unavailable, and some devices lack even the most basic protections (like encrypted traffic or secure boot processes).</p>
<p>Conventional scanners often fail to detect them. Network monitoring tools might miss unusual traffic patterns because the devices operate outside expected behavior profiles. The gaps are large enough that attackers can use IoT devices as hidden footholds inside the network without immediate detection.</p>
<h2>Device Visibility, Prioritization and Monitoring: A Smarter Approach to IoT Risk</h2>
<p>To improve, universities must <em>start with visibility.</em> You can’t secure what you can’t see. Discovery mechanisms designed for IoT can uncover a full inventory of connected devices, including model numbers, firmware versions, and communication patterns. The strategy must rely on behavioral analysis, not just IP scans, to surface the devices that traditional systems miss.</p>
<p>Once visibility is established, prioritization becomes key. Not all devices present the same level of threat. A vulnerable light sensor behind a firewall might be low risk, while a connected access control panel exposed to the open internet is far more urgent. Universities should consider factors like how devices are segmented on the network, what privileges they have, and what kinds of traffic they generate.</p>
<p>Real-time behavioral monitoring adds an essential layer. IoT devices tend to behave predictably. A thermostat shouldn’t start making DNS requests or communicating with external command and control servers. When anomalies occur, they need to be flagged and acted on immediately.</p>
<h2>From Detection to Containment</h2>
<p>Once a threat is identified, containment must happen quickly. The longer a compromised device remains online, the more time an attacker has to move laterally. Automated isolation, packet capture, and investigation workflows allow campus teams to respond before an incident spreads.</p>
<p>Speed matters because the stakes are growing, and campus operations depend on uptime. Building access, lab integrity, and student services all rely on digital infrastructure working as expected, so a single compromised camera or lock can cascade into a serious operational failure.</p>
<h2>Start Now to Get Ahead</h2>
<p>Universities can act now without overhauling everything at once. The most important step is to begin discovering what’s on the network and where the gaps are. Prioritize the systems that support critical operations. Look at who owns which devices and what policies govern them. Start separating operational technology from academic and administrative networks wherever possible.</p>
<p>From there, teams can build a roadmap. IoT procurement processes should include baseline security requirements for all new devices. Update schedules should be set and tracked, and security policies should reflect the fact that many devices on campus cannot be patched or monitored like traditional endpoints.</p>
<p>Cultural change also plays a role and, in some ways, can be the most challenging factor. But ideally, facilities, IT, and academic departments will treat IoT security as a shared responsibility. Open communication and shared tooling help build consistent coverage across campus.</p>
<h2>A Critical Moment for Higher Education</h2>
<p>IoT devices will continue to scale, but universities have an opportunity to get ahead of the threat. With visibility, context, and faster responses, they can turn a chaotic sprawl of devices into a manageable and secure foundation. The longer they wait, the more difficult it will be to close the gaps.</p>
<p><em><span class="cf0">Another version of this article originally appeared on our sister-site <a href="https://www.campussafetymagazine.com/insights/iot-security-your-next-breach-could-start-with-your-thermostat/172525/" target="_blank" rel="noopener">CampusSafety</a> on August 4, 2025. It has since been updated for My TechDecisions&#8217; audience.</span></em></p>
<hr />
<p><em>Shankar Somasundaram is the CEO of <a href="https://asimily.com/" target="_blank" rel="noopener">Asimily</a>.</em></p>
<p>The post <a href="https://mytechdecisions.com/news-1/universities-face-rising-iot-security-risks-amid-device-growth/">Universities Face Rising IoT Security Risks Amid Device Growth</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://mytechdecisions.com/news-1/universities-face-rising-iot-security-risks-amid-device-growth/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>IT Leaders at Midsize Companies Are Rethinking Their Cloud Mix</title>
		<link>https://mytechdecisions.com/it-infrastructure/it-leaders-at-midsize-companies-are-rethinking-their-cloud-mix/</link>
					<comments>https://mytechdecisions.com/it-infrastructure/it-leaders-at-midsize-companies-are-rethinking-their-cloud-mix/#respond</comments>
		
		<dc:creator><![CDATA[Kamal Srinivasan]]></dc:creator>
		<pubDate>Sun, 20 Jul 2025 18:53:00 +0000</pubDate>
				<category><![CDATA[IT Infrastructure]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Unified Communications]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[DaaS]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[Hybrid Work]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[remote]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[VDI]]></category>
		<category><![CDATA[Vulnerabilities]]></category>
		<category><![CDATA[web browser isolation]]></category>
		<guid isPermaLink="false">https://mytechdecisions.com/?p=51432</guid>

					<description><![CDATA[<p>With the initial launch of the public cloud around 20 years ago, the industry ushered in a new era of scalable, on-demand &#8216;as-a-service&#8217; models. Fast forward to 2025, and the public cloud is far from retreating – it is now playing a central role in more complex, resilient IT strategies. But how companies are using [&#8230;]</p>
<p>The post <a href="https://mytechdecisions.com/it-infrastructure/it-leaders-at-midsize-companies-are-rethinking-their-cloud-mix/">IT Leaders at Midsize Companies Are Rethinking Their Cloud Mix</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>With the initial launch of the public cloud around 20 years ago, the industry ushered in a new era of scalable, on-demand &#8216;as-a-service&#8217; models. Fast forward to 2025, and the public cloud is far from retreating – it is now playing a central role in more complex, resilient IT strategies. But how companies are using the cloud is evolving. New <a href="https://www.parallels.com/products/ras/all-resources/reports/cloud-survey-2025/report/">survey data from Parallels</a> reveals that IT professionals at midsize companies are not abandoning their cloud strategies; they’re further optimizing them – embracing hybrid and multi-cloud models that examine flexibility, performance and security. They are reexamining the cost and benefits of SaaS, VDI, DaaS and other cloud solutions.</p>
<p>For midsize companies, this shift reflects a more strategic, value-conscious approach to the cloud. They often lack the expansive budgets or large IT teams of enterprise organizations, so their cloud decisions are being made with tighter cost controls, simplified management and stronger ROI in mind. Cloud choices are more intentional – and often more innovative – as these businesses try to balance agility and security with operational efficiency.</p>
<p>This mindset is fueling a growing interest in hybrid and multi-cloud environments. In fact, 47% of the respondents are now operating in multi-cloud environments, while 35% are currently using hybrid cloud setups – with another 25% planning to adopt a hybrid cloud model soon – clear signs that midsize companies are diversifying their cloud strategies and getting smarter about how and where they deploy workloads, public cloud included.</p>
<h2><strong>Drivers of Change: Cost, Security and Complexity</strong></h2>
<p>Several powerful forces are shaping this shift, including cost efficiency, close examination of current SaaS, DaaS and VDI engagements, and heightened awareness of cyberattacks and vulnerabilities. For mid-market companies, in particular, budget management and risk mitigation are priorities. That’s why many are combining public cloud with on-premises infrastructure to extend its benefits while controlling costs and exposure.</p>
<p>Larger enterprises have similar drivers but have the advantage of more resources to devote to cyber defense and the increasing complexity of application workloads. These organizations are investing further in public cloud scalability while augmenting it with hybrid options for data control, compliance, or latency-sensitive workloads.</p>
<h2><strong>DaaS and VDI: Under Review, Not Rejected</strong></h2>
<p>Remote work has exponentially driven up the use of the cloud, and use of VDI and workload delivery systems like DaaS. However, IT leaders are now taking a hard look at how they deliver virtual desktops, not whether they belong in the cloud. According to survey data, IT flags “too many resources,&#8221; “lack of centralized control,&#8221; and “too expensive” as the top DaaS/VDI issues. Not far behind are concerns with performance and reliability.</p>
<p>These findings signal the need for better DaaS/VDI implementations and more flexible vendor agreements. Companies, particularly those in the budget-conscious mid-market, are looking for shorter-term agreements, scalable pricing, and improved service levels to make DaaS and VDI work within their broader cloud strategy.</p>
<h2><strong>Securing the Hybrid Remote Environment</strong></h2>
<p>Security remains top of mind, with 35% of respondents from midsize companies reporting their company had experienced a security breach in the last year. Fear of <a href="/tag/malware">malware</a> and <a href="/tag/ransomware">ransomware attacks</a> and cloud vulnerabilities are the top two concerns. Midsize companies are willing to invest more in security: 90% are planning to significantly or moderately increase the budget this year. But this investment isn’t a signal that hybrid environments are inherently insecure; it’s a recognition that endpoint and browser-based threats are the new battlegrounds, especially as remote workers desire fast, no-fuss access to whatever data they need, on any device.</p>
<p>SaaS has been the go-to choice for application delivery to remote workers. Since so many workers use SaaS applications, it is fertile ground for a security breach. IT professionals, as a result, are starting to look at browser isolation solutions to separate and lock down a worker’s browser session in the cloud. Isolation prevents a cybercriminal from accessing the data, thereby containing any threat. If the web content a worker is viewing might be destructive, an isolation tool will also stop any possible threat to the larger network. Currently 40% of respondents at midsize companies have web browser isolation; they still rely predominantly on traditional tools, with firewalls, VPNs and anti-virus software the top deployed threat defense solutions. Cloud-based isolation solutions themselves reinforce the continued relevance of the public cloud as a defense layer, not just a workload host.</p>
<p>Besides web browser isolation, which is definitely gaining traction, companies recognize the need for improved monitoring of device and application use that can signal a threat before it becomes a breach event. Mindful of budget and staff limitations, companies can look for remote application delivery solutions that support multiple cloud providers and can also integrate with monitoring and remediation tools.</p>
<h2><strong>Looking Ahead: Public Cloud at the Core of Hybrid Success</strong></h2>
<p>What the survey data ultimately show is that the public cloud is actually maturing. Companies, notably the mid-market, are embracing hybrid and multi-cloud setups. Public cloud remains at the heart of scalable IT strategy.</p>
<p>What’s changing is how it is combined with on-premises infrastructure, edge computing, and private cloud services to meet the unique needs of different workloads, users and security profiles.</p>
<p>With ease of platform integration, flexibility in workload placement, and improved security tooling, hybrid cloud strategies are enabling companies to get the best of both worlds, while keeping the public cloud as a vital, growing piece of their puzzle.</p>
<hr />
<p><em>Kamal Srinivasan is SVP of product and program management at <a href="https://www.parallels.com/?utm_source=vktr.com" target="_blank" rel="noopener">Parallels</a>, a part of the Alludo portfolio. With more than two decades of experience in the field, Srinivasan is known for building robust enterprise technology platforms. He previously served as the head of product at Blink Health, contributed to Microsoft&#8217;s Azure team and led incubator efforts to build drones and develop machine learning on satellite imagery for its infrastructure security business and was a cloud product lead at Oracle. He holds a Ph.D. in computer engineering from the University of Wisconsin-Madison.</em></p>
<p>The post <a href="https://mytechdecisions.com/it-infrastructure/it-leaders-at-midsize-companies-are-rethinking-their-cloud-mix/">IT Leaders at Midsize Companies Are Rethinking Their Cloud Mix</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://mytechdecisions.com/it-infrastructure/it-leaders-at-midsize-companies-are-rethinking-their-cloud-mix/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>CrowdStrike Cyber Armageddon: How Do Firms Now Build Resilience?</title>
		<link>https://mytechdecisions.com/it-infrastructure/crowdstrike-cyber-armageddon-how-do-firms-now-build-resilience/</link>
					<comments>https://mytechdecisions.com/it-infrastructure/crowdstrike-cyber-armageddon-how-do-firms-now-build-resilience/#respond</comments>
		
		<dc:creator><![CDATA[Andersen Cheng]]></dc:creator>
		<pubDate>Fri, 13 Sep 2024 19:18:47 +0000</pubDate>
				<category><![CDATA[IT Infrastructure]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[CrowdStrike]]></category>
		<category><![CDATA[Crowdstrike outage]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[Software]]></category>
		<guid isPermaLink="false">https://mytechdecisions.com/?p=51015</guid>

					<description><![CDATA[<p>Towards the end of July, a botched software update at cyber security firm CrowdStrike caused chaos around the world, crippling IT systems that we all relied on. The disruption spanned across sectors; flights were grounded, patients were unable to contact healthcare services and customers were unable to make card payments. The event illustrated two things: [&#8230;]</p>
<p>The post <a href="https://mytechdecisions.com/it-infrastructure/crowdstrike-cyber-armageddon-how-do-firms-now-build-resilience/">CrowdStrike Cyber Armageddon: How Do Firms Now Build Resilience?</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Towards the end of July, a botched software update at cyber security firm CrowdStrike caused chaos around the world, crippling IT systems that we all relied on. The disruption spanned across sectors; flights were grounded, patients were unable to contact healthcare services and customers were unable to make card payments.</p>
<p>The event illustrated two things:</p>
<ol>
<li>how deep the roots of digitization have become globally;</li>
<li>the fragility of the global technology ecosystem, exacerbated by an overreliance on a select number of cloud providers.</li>
</ol>
<p>This is a wake-up call for us all. Although not a cyber attack, imagine if a nation state was able to find and exploit such vulnerabilities through a coordinated and sustained attack?</p>
<p>It’s given us a glimpse into what cyber armageddon could look like; how should we respond?</p>
<h2><strong>The Interconnectivity Trade-Off </strong></h2>
<p>Dubbed “the largest IT outage in history,&#8221; the global technology outage was <a href="https://www.theguardian.com/technology/article/2024/jul/19/what-is-crowdstrike-microsoft-windows-outage">caused</a> when an update to one of CrowdStrike’s pieces of software, Falcon Sensor, malfunctioned, paralyzing computers running Windows and resulting in widespread tech failures around the world.</p>
<p>While interconnectivity was not the cause, the severity of the impact was only made possible by the increasingly interconnected systems and software that have become so entrenched in our digital infrastructure. The effects were also inflamed by the global reliance on a select number of cloud providers – with Windows devices the worst impacted, many initially thought it was solely a Microsoft issue.</p>
<p>This dependency has brought with it many benefits – global connectivity, efficiency and innovation. But it’s a simple fact that it leaves us all more vulnerable. If a major cloud provider goes down or is impacted, the world grinds to a halt.</p>
<p>For many of us in the business of IT and security, questions are starting to be asked about the trade-off: can we find a way to remain connected, but become more resilient and lessen the impact of events like these?</p>
<p>The initial discussion has been around reassessing cloud strategies, such as avoiding the automatic updating of patches. Some may also be thinking about a multi-cloud approach, where more than one cloud provider is used to ensure continuity if one goes down – “Microsoft is down? That’s ok, we can just switch to Google.” However, despite being a relatively simple undertaking, it would be an expensive luxury that’s out of reach for most.</p>
<h2><strong>Build Something from the Ground Up </strong></h2>
<p>Rather than trying to patch up ever more complex and interdependent legacy architecture, company boards should use this opportunity to explore shifting their legacy digital architecture to something built from the ground up and future-proof.</p>
<p>That is, firms should be viewing this as an opportunity to run an entirely new, low-cost, digital infrastructure in parallel, which is independent of their primary cloud provider and legacy applications. The idea is that in the case of a major systems outage, organizations would have the ability to seamlessly switch over to this secondary infrastructure without manual intervention, allowing them to perform critical functions throughout the crisis. This infrastructure would be backed up with essential data, with advanced security protocols to protect against cyber threats. As a minimum, this provides an out-of-band communications channel for the board and senior management to tell staff and clients what to do and ensures they are not swamped by fraudulent scams after the CrowdStrike outage.</p>
<p>Imagine an airline affected by a major software outage. Having an independent backup system would allow them to continue day-to-day operations such as booking passengers, handling ticket changes and scheduling flights. Instead of relying on extensive manual interventions to recover the primary system, backup protocols would prevent disruption while the main systems are brought back online.</p>
<p>Any solution developed in this way needs to be quick to implement and must be able to initiate a contingency command and control process, handle basic tasks and keep the company running in the event of a major attack or outage. Our mission-critical clients are beginning to build these fail-over systems. In some instances, these shadow systems operate entirely through a mobile messaging platform.</p>
<h2><strong>Continuity and Resilience are Possible </strong></h2>
<p>As businesses now begin to revisit how they can ensure a return to business as usual as quickly as possible when disaster strikes, they should not be clouded by all the technical terms and confusing offerings, and just focus on three simple and fundamental principles when assessing their current and future risks: completeness, accuracy and validity.</p>
<p>Shifting legacy digital architecture towards something that is built from the ground up ticks all these boxes. Moreover, it addresses the inter-connectivity, inter-dependency, relatedness and reputational risks that we all face in the digital world today. This may just be the difference between surviving the next global meltdown or being left in its wake.</p>
<hr />
<p><em>Andersen Cheng is the founder and chairman of <a href="https://post-quantum.com/index.html" target="_blank" rel="noopener">Post-Quantum</a>.</em></p>
<p>The post <a href="https://mytechdecisions.com/it-infrastructure/crowdstrike-cyber-armageddon-how-do-firms-now-build-resilience/">CrowdStrike Cyber Armageddon: How Do Firms Now Build Resilience?</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://mytechdecisions.com/it-infrastructure/crowdstrike-cyber-armageddon-how-do-firms-now-build-resilience/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>7 Layers of DDoS Attacks and How To Prevent Them</title>
		<link>https://mytechdecisions.com/network-security/7-layers-of-ddos-attacks-and-how-to-prevent-them/</link>
					<comments>https://mytechdecisions.com/network-security/7-layers-of-ddos-attacks-and-how-to-prevent-them/#respond</comments>
		
		<dc:creator><![CDATA[Mia Turlington]]></dc:creator>
		<pubDate>Thu, 28 Dec 2023 14:50:21 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[IT Infrastructure]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[DDoS Attacks]]></category>
		<guid isPermaLink="false">https://mytechdecisions.com/?p=47998</guid>

					<description><![CDATA[<p>As businesses grow to gain traction and revenue from the Internet, the increasing reliance is an easy target for Distributed Denial of Service (DDoS) attacks. Like any new venture, risks are an undeniable part that comes with it. For eCommerce businesses, the main risk is DDoS attacks. Known as a dangerous and malicious attack to [&#8230;]</p>
<p>The post <a href="https://mytechdecisions.com/network-security/7-layers-of-ddos-attacks-and-how-to-prevent-them/">7 Layers of DDoS Attacks and How To Prevent Them</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>As businesses grow to gain traction and revenue from the Internet, their increasing reliance on it makes them an easy target for Distributed Denial of Service (<a href="https://mytechdecisions.com/tag/DDoS/">DDoS</a>) attacks. As with any new venture, risk is an undeniable part of it.</p>
<p>For eCommerce businesses, the main risk is <a href="https://upcity.com/experts/what-is-a-ddos-attack/" target="_blank" rel="noopener">DDoS attacks</a>. A DDoS attack is a dangerous and malicious attempt to destabilize and halt services or products, and its biggest impact is the disruption of operations. By making products or services utterly inaccessible to consumers, DDoS attacks effectively eliminate any incoming profits.</p>
<p>The key to protecting your business and keeping out these intrusions lies in understanding how they work. In this article, we will review the different layers and ways to prevent attacks on them.</p>
<h2>7 Layers of DDoS Attacks</h2>
<h4>1. Physical Layer Attacks</h4>
<p>These DDoS attacks target the network or infrastructure of a business. Using a range of techniques, such as overloading network switches, jamming wireless signals, or physically cutting cables, attackers can cut income streams if they can access a business’s location. The difficulty in preventing this lies in how unpredictable people can be. One of the best ways to combat it is to install surveillance that regularly monitors for suspicious activities and alerts owners to them. This can mitigate risks, especially if alerts go directly to the police.</p>
<h4>2. Data Link Layer Attacks</h4>
<p>Unlike physical layer attacks, data link attacks target how network devices communicate. With a MAC (Media Access Control) address, attackers can trick digital devices into communicating with a fake network device. In other cases, it is also common to use STP (Spanning Tree Protocol) attacks to manipulate how the network switches forward traffic. The only way to manage this is by ensuring businesses have a foolproof authentication mechanism, including MAC filtering that drives smooth configuration.</p>
<h4>3. Network Layer Attacks</h4>
<p>Network layer attacks work by affecting data that is transmitted across the Internet. Through IP (Internet Protocol) fragmentation attacks, data is sent in small batches to overwhelm network devices. Or, attackers can engage in ICMP (Internet Control Message Protocol) floods where a target is drowned with ICMP messages. To prevent such occurrences, firewalls and intrusion detection systems should be utilized to block or flag uncommon network traffic.</p>
<h4>4. Transport Layer Attacks</h4>
<p>As the name suggests, transport layer attacks target how data is transmitted between network devices. By engaging in techniques such as <a href="https://www.fortinet.com/resources/cyberglossary/tcp-ip" target="_blank" rel="noopener">TCP (Transmission Control Protocol)</a> SYN floods, attackers send a high volume of TCP SYN requests to a target. Alternatively, they can use UDP (User Datagram Protocol) floods, where a high volume of UDP packets is sent to the target. Hence, businesses need to implement load balancers and rate limiters to stop a high volume of traffic from overwhelming their network devices, reducing and preventing possible transport layer attacks.</p>
<h4>5. Session Layer Attacks</h4>
<p>Not limited to network devices, DDoS attacks can also occur in applications by targeting how they communicate. Using techniques such as SSL (Secure Sockets Layer) attacks, attackers exploit vulnerabilities in SSL/TLS (Transport Layer Security) protocols to intercept data, or they can drown a target with SIP (Session Initiation Protocol) messages. The easiest way to prevent session layer attacks is by ensuring applications are securely configured with updated SSL/TLS certificates.</p>
<h4>6. Presentation Layer Attacks</h4>
<p>As the name implies, presentation layer attacks work by attacking how information is presented to users. Through techniques such as XML (Extensible Markup Language) attacks, attackers either exploit vulnerabilities in XML parsers to execute malicious code or implement XSS (Cross-Site Scripting) attacks, where they inject malicious scripts into web pages. Firms can avoid presentation layer attacks with secure coding practices and frequent vulnerability scans.</p>
<h4>7. Application Layer Attacks</h4>
<p>Application layer attacks focus on the way applications function. Using techniques such as SQL (Structured Query Language) injection attacks, attackers inject malicious SQL queries into a target application to gain unauthorized access to data. In other cases, they can also use RFI (Remote File Inclusion) attacks to exploit vulnerabilities in web applications to execute malicious code. Unlike the other solutions, you can educate employees to prevent these attacks. You can eradicate this possibility by focusing on coding practices, phishing awareness, and password hygiene.</p>
<h4>DDoS Protection</h4>
<p><a href="https://fastnetmon.com/2023/01/09/ddos-protection-faq/" target="_blank" rel="noopener">DDoS Protection</a> takes a community of conscious efforts to keep firms up and running. For businesses to excel, driving revenue and consumers to the store is no longer an option. Cybersecurity is vital to help safeguard existing assets and keep revenue flowing. Hence, implementing these features should be paramount to stay vigilant for businesses to flourish.</p>
<p>The post <a href="https://mytechdecisions.com/network-security/7-layers-of-ddos-attacks-and-how-to-prevent-them/">7 Layers of DDoS Attacks and How To Prevent Them</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://mytechdecisions.com/network-security/7-layers-of-ddos-attacks-and-how-to-prevent-them/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>AVI-SPL Receives Cisco 2023 Reimagine Workspaces Partner of the Year &#8211; Americas Award</title>
		<link>https://mytechdecisions.com/unified-communications/avi-spl-receives-cisco-2023-reimagine-workspaces-partner-of-the-year-americas-award/</link>
					<comments>https://mytechdecisions.com/unified-communications/avi-spl-receives-cisco-2023-reimagine-workspaces-partner-of-the-year-americas-award/#respond</comments>
		
		<dc:creator><![CDATA[TD Staff]]></dc:creator>
		<pubDate>Thu, 02 Nov 2023 17:17:34 +0000</pubDate>
				<category><![CDATA[IT Infrastructure]]></category>
		<category><![CDATA[Managed Service]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Unified Communications]]></category>
		<category><![CDATA[Video]]></category>
		<category><![CDATA[AVI-SPL]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[HaaS]]></category>
		<category><![CDATA[Hardware as a Service]]></category>
		<category><![CDATA[video devices]]></category>
		<guid isPermaLink="false">https://mytechdecisions.com/?p=49079</guid>

					<description><![CDATA[<p>AVI-SPL, the global provider of digital enablement solutions has won the Cisco Webex Reimagine Workspaces Partner of the Year – Americas award for 2023. Per a statement, the award recognizes a solutions provider that has had the most success selling and implementing Cisco Video Devices to help customers create best-in-class workspaces. AVI-SPL has been a [&#8230;]</p>
<p>The post <a href="https://mytechdecisions.com/unified-communications/avi-spl-receives-cisco-2023-reimagine-workspaces-partner-of-the-year-americas-award/">AVI-SPL Receives Cisco 2023 Reimagine Workspaces Partner of the Year &#8211; Americas Award</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><a href="https://mytechdecisions.com/tag/AVI-SPL/" target="_blank" rel="noopener">AVI-SPL</a>, the global provider of digital enablement solutions, has won the Cisco Webex Reimagine Workspaces Partner of the Year – Americas award for 2023. Per a statement, the award recognizes a solutions provider that has had the most success selling and implementing Cisco Video Devices to help customers create best-in-class workspaces.</p>
<p>AVI-SPL has been a Cisco solutions provider for more than a decade, the company says. It thus continues to deepen and expand the expertise in its Cisco practice to guide companies everywhere. With this, it aims to reimagine the workplace for better employee, partner and customer engagement as new hybrid work models take hold. In <a href="https://blog.webex.com/hybrid-work/2023-webex-partner-award-winners/" target="_blank" rel="noopener">Cisco fiscal year (FY) 2023, AVI-SPL ranked as the #3 video devices partner</a> in the U.S. and globally.</p>
<p>“Cisco’s recognition of AVI-SPL as a leading workspaces partner speaks volumes to our ability to confidently guide customers to reimagine and realize the modern work experience,” says Tom Nyhus, AVI-SPL vice president of the Cisco practice. “By embracing Cisco Webex’s innovative, leading-edge roadmap and programs, together we’ve helped global companies stay securely connected and productive from anywhere.”</p>
<p>The partnership between Cisco and AVI-SPL grew significantly in 2023 with new, joint go-to-market efforts. Per a statement, AVI-SPL led the way with the new Cisco Webex Hardware as a Service (HaaS) program. It thus became one of the first partners to conduct a customer pilot of the program. AVI-SPL also beta-tested new video devices and provided feedback through Cisco’s Video Champions Advisory Council around market trends and customer needs.</p>
<p>The Cisco 2023 Webex Partner Award honors partners who have developed and delivered exceptional Cisco-based solutions and services during the past year.</p>
<p>Cisco announced the Annual Partner Awards during the WebexOne 2023 conference on October 25, 2023. Additional details on the 2023 awards are available on the Cisco Webex <a href="https://blog.webex.com/hybrid-work/2023-webex-partner-award-winners/" target="_blank" rel="noopener">blog</a>.</p>
<p><em>Another version of this article originally appeared on our sister-site <a href="https://www.commercialintegrator.com/news/avi-spl-cisco-2023-reimagine-workspaces-partner-of-the-year-americas/" target="_blank" rel="noopener">Commercial Integrator</a> on November 1, 2023. It has since been updated for My TechDecisions&#8217; audience.</em></p>
<p>The post <a href="https://mytechdecisions.com/unified-communications/avi-spl-receives-cisco-2023-reimagine-workspaces-partner-of-the-year-americas-award/">AVI-SPL Receives Cisco 2023 Reimagine Workspaces Partner of the Year &#8211; Americas Award</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://mytechdecisions.com/unified-communications/avi-spl-receives-cisco-2023-reimagine-workspaces-partner-of-the-year-americas-award/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Nearly 900 Schools Impacted by National Student Clearinghouse Data Breach</title>
		<link>https://mytechdecisions.com/network-security/nearly-900-schools-impacted-by-national-student-clearinghouse-data-breach/</link>
					<comments>https://mytechdecisions.com/network-security/nearly-900-schools-impacted-by-national-student-clearinghouse-data-breach/#respond</comments>
		
		<dc:creator><![CDATA[TD Staff]]></dc:creator>
		<pubDate>Tue, 26 Sep 2023 19:39:30 +0000</pubDate>
				<category><![CDATA[IT Infrastructure]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[ransomware]]></category>
		<guid isPermaLink="false">https://mytechdecisions.com/?p=49010</guid>

					<description><![CDATA[<p>The National Student Clearinghouse (NSC) revealed a recent data breach impacted 890 schools that use its services. A breach notification letter filed with the Office of the California Attorney General said the Cl0p ransomware gang gained access to its MOVEit managed file transfer (MFT) server on May 30 and stole files containing personally identifiable information (PII). Clearinghouse is a nonprofit that [&#8230;]</p>
<p>The post <a href="https://mytechdecisions.com/network-security/nearly-900-schools-impacted-by-national-student-clearinghouse-data-breach/">Nearly 900 Schools Impacted by National Student Clearinghouse Data Breach</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The National Student Clearinghouse (NSC) revealed a recent data breach impacted 890 schools that use its services.</p>
<p>A <a href="https://oag.ca.gov/system/files/Exhibit%20B%20-%20Sample%20Individual%20Notification%20Letter.pdf" target="_blank" rel="noopener" data-feathr-click-track="true" data-feathr-link-aids="[&quot;603fb249c323f39e54bbf9db&quot;]">breach notification letter</a> filed with the Office of the California Attorney General said the Cl0p ransomware gang gained access to its MOVEit managed file transfer (MFT) server on May 30 and stole files containing personally identifiable information (PII).</p>
<p>Clearinghouse is a nonprofit that provides educational reporting, data exchange, verification, and research services to approximately 22,000 high schools and 3,600 colleges and universities, which make up roughly 97% of students in public and private institutions, according to <a href="https://www.bleepingcomputer.com/news/security/national-student-clearinghouse-data-breach-impacts-890-schools/" target="_blank" rel="noopener" data-feathr-click-track="true" data-feathr-link-aids="[&quot;603fb249c323f39e54bbf9db&quot;]">Bleeping Computer</a>.</p>
<p>“On May 31, 2023, the Clearinghouse was informed by our third-party software provider, Progress Software, of a cybersecurity issue involving the provider’s MOVEit Transfer solution,” NSC wrote in the letter. “After learning of the issue, we promptly initiated an investigation with the support of leading cybersecurity experts. We have also coordinated with law enforcement.”</p>
<p>The stolen PII contained names, birth dates, contact information, Social Security numbers, student ID numbers and other school-related records. NSC said it has implemented patches to the MOVEit software and additional monitoring measures to further protect its systems and customers’ data. It is also offering identity monitoring services at no cost for two years.</p>
<p>In late May, the Cl0p <a href="https://mytechdecisions.com/tag/ransomware/" target="_blank" rel="noopener">ransomware</a> gang began exploiting an SQL injection vulnerability in the MOVEit Transfer platform, leveraging a zero-day security flaw and gaining access to an underlying database, reports <a href="https://www.helpnetsecurity.com/2023/09/25/clearinghouse-moveit-breach/" target="_blank" rel="noopener" data-feathr-click-track="true" data-feathr-link-aids="[&quot;603fb249c323f39e54bbf9db&quot;]">Help Net Security</a>. Starting June 15, the cybercriminals started extorting organizations that fell victim to the attacks, exposing names on its dark web data leak site.</p>
<p>In late June, NSC notified the impacted schools about the breach but did not provide many details as the investigation was ongoing. At that time, <a href="https://www.databreaches.net/national-student-clearinghouse-notifies-schools-of-moveit-breach/" target="_blank" rel="noopener" data-feathr-click-track="true" data-feathr-link-aids="[&quot;603fb249c323f39e54bbf9db&quot;]">DataBreaches.net</a> reported that NSC’s name had been removed from Cl0p’s leak site, “which is often an indication that a victim paid.”</p>
<p>The breach has affected many organizations across the globe, including governments, financial institutions, pension systems, and other public and private entities. Among the victims are multiple U.S. federal agencies and two U.S. Department of Energy entities.</p>
<p>Coveware, a cyber extortion incident response firm, estimates the gang will collect around $75-100 million in payment due to high ransom requests.</p>
<p><em>Another version of this article originally appeared on our sister-site <a href="https://www.campussafetymagazine.com/safety/national-student-clearinghouse-data-breach-nearly-900-schools-impacted/" target="_blank" rel="noopener">Campus Safety</a> on September 25, 2023. It has since been updated for My TechDecisions&#8217; audience.</em></p>
<p>The post <a href="https://mytechdecisions.com/network-security/nearly-900-schools-impacted-by-national-student-clearinghouse-data-breach/">Nearly 900 Schools Impacted by National Student Clearinghouse Data Breach</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://mytechdecisions.com/network-security/nearly-900-schools-impacted-by-national-student-clearinghouse-data-breach/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Progress Software Urges Further Action to Prevent MOVEit Exploitation</title>
		<link>https://mytechdecisions.com/network-security/progress-software-urges-further-action-to-prevent-moveit-exploitation/</link>
					<comments>https://mytechdecisions.com/network-security/progress-software-urges-further-action-to-prevent-moveit-exploitation/#respond</comments>
		
		<dc:creator><![CDATA[Zachary Comeau]]></dc:creator>
		<pubDate>Fri, 16 Jun 2023 15:11:00 +0000</pubDate>
				<category><![CDATA[IT Infrastructure]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[MOVEit]]></category>
		<category><![CDATA[Progress Software]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<guid isPermaLink="false">https://mytechdecisions.com/?p=48804</guid>

					<description><![CDATA[<p>The MOVEit Transfer story continues to plague IT departments and security professionals as Progress Software has issued another advisory, urging organizations to apply yet another patch to address a privilege escalation flaw in its Transfer product. The company’s update comes amid reports of widespread exploitation, including at several U.S. agencies that were breached as [&#8230;]</p>
<p>The post <a href="https://mytechdecisions.com/network-security/progress-software-urges-further-action-to-prevent-moveit-exploitation/">Progress Software Urges Further Action to Prevent MOVEit Exploitation</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The <a href="https://mytechdecisions.com/network-security/act-now-vulnerability-progress-softwares-moveit-transfer-software/">MOVEit Transfer story</a> continues to plague IT departments and security professionals as Progress Software has issued another advisory, urging organizations to apply yet another patch to address a privilege escalation flaw in its Transfer product.</p>
<p>The company’s update comes amid reports of widespread exploitation, including at several U.S. agencies that were <a href="https://www.cnn.com/2023/06/15/politics/us-government-hit-cybeattack/index.html">breached</a> as part of the attack. Cybersecurity researchers say <a href="https://mytechdecisions.com/it-infrastructure/ransomware-groups-confirmed-to-be-exploiting-moveit-bug/">ransomware groups</a> have seized upon the vulnerability and are using it to exfiltrate data to compel victim organizations to pay the ransom.</p>
<p>In the <a href="https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023">advisory</a>, dated June 16, Progress says it has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment.</p>
<p>“If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment,” the company says in the new advisory. “In Progress MOVEit Transfer versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”</p>
<p>The incident, which was first identified in late May, now stretches well into June as organizations rush to patch their systems and protect their environment.</p>
<p>According to Progress Software, “All MOVEit Transfer customers must take action and apply the patch to address the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer.”</p>
<p>However, organizations have two paths to take, depending on whether they applied the remediation and patching steps from the first <a href="https://progress.lightning.force.com/articles/Knowledge/MOVEit-Transfer-Critical-Vulnerability-31May2023">MOVEit Transfer Critical Vulnerability (May 2023)</a> advisory prior to June 15.</p>
<p>Those who have not yet applied the May 2023 patch should do so and follow the remediation steps immediately, the company says. This includes the newest patch for two separate vulnerabilities, including the original from May 31 (CVE-2023-34362) and another identified on June 9 (CVE-2023-35036).</p>
<p>Once that is taken care of, organizations should apply the June 15 patch (CVE-2023-35708).</p>
<p>If organizations have applied the May 31 and June 9 patches, they should now apply the June 15 patch, which will bring them fully up to date.</p>
<p>There is a lot of information coming out about these bugs, but cybersecurity firm Rapid7 has a detailed <a href="https://www.rapid7.com/blog/post/2023/06/14/etr-cve-2023-34362-moveit-vulnerability-timeline-of-events/">timeline</a> of events, up until this new information.</p>
<blockquote><p><strong>May 27-28:</strong> <a href="https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/">Rapid7</a> services teams have so far confirmed indicators of compromise and data exfiltration dating back to at least May 27 and May 28, 2023 (respectively).</p>
<p><strong>May 31:</strong> Progress Software <a href="https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023">publishes</a> an advisory on a critical SQL injection vulnerability in their MOVEit Transfer solution.</p>
<p><strong>May 31:</strong> Rapid7 begins investigating exploitation of MOVEit Transfer.</p>
<p><strong>June 1:</strong> Rapid7 <a href="https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/">publishes initial analysis </a>of MOVEit Transfer attacks after responding to incidents across multiple customer environments.</p>
<p><strong>June 1: </strong>The security community publishes <a href="https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/">technical details</a> and <a href="https://www.crowdstrike.com/blog/identifying-data-exfiltration-in-moveit-transfer-investigations/">indicators of compromise</a>.</p>
<p><strong>June 1: </strong>Compromises continue; Rapid7 responds to alerts.</p>
<p><strong>June 1: </strong>CISA <a href="https://www.cisa.gov/news-events/alerts/2023/06/01/progress-software-releases-security-advisory-moveit-transfer">publishes</a> Security Advisory.</p>
<p><strong>June 2:</strong> <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34362">CVE-2023-34362</a> is assigned to the zero-day vulnerability.</p>
<p><strong>June 2: </strong><a href="https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft">Mandiant</a> attributes the attack to a threat cluster with unknown motives.</p>
<p><strong>June 2: </strong><a href="https://docs.velociraptor.app/exchange/artifacts/pages/moveit/">Velociraptor</a> releases an artifact to detect exploitation of MOVEit File Transfer critical vulnerability.</p>
<p><strong>June 4: </strong><a href="https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/">Rapid7</a> publishes a method to identify which data was stolen.</p>
<p><strong>June 4: </strong><a href="https://novascotia.ca/news/release/?id=20230604003">Nova Scotian</a> government discloses it is investigating privacy breach.</p>
<p><strong>June 5: </strong>Microsoft <a href="https://twitter.com/MsftSecIntel/status/1665537730946670595">attributes</a> the attack to Lace Tempest, a <a href="https://twitter.com/MsftSecIntel/status/1651346656657305603">Cl0p ransomware affiliate</a> that has previously exploited vulnerabilities in other file transfer solutions (e.g., Accellion FTA, Fortra GoAnywhere MFT).</p>
<p><strong>June 5: </strong>UK companies BA, BBC, and Boots disclose breaches as <a href="https://news.sky.com/story/bas-uk-staff-exposed-to-global-data-theft-spree-12896900">victims</a> in MOVEit File Transfer.</p>
<p><strong>June 5: </strong>Cl0p ransomware group <a href="https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-moveit-extortion-attacks/">claims</a> responsibility for the zero-day attack.</p>
<p><strong>June 6: </strong>Security firm Huntress releases a <a href="https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response">video</a> allegedly reproducing the exploit chain.</p>
<p><strong>June 6: </strong>The Cl0p ransomware group <a href="https://twitter.com/catc0n/status/1666229125713895426?s=46&amp;t=x32-GkquTskzg0MKYymrgA">posts a communication</a> on their leak site demanding that victim organizations contact them by June 14 to negotiate extortion fees in exchange for the deletion of stolen data.</p>
<p><strong>June 7: </strong>CISA publishes <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a">#StopRansomware</a> Cybersecurity Advisory regarding MOVEit File Transfer Vulnerability CVE-2023-34362.</p>
<p><strong>June 9:</strong> Progress Software updates advisory to include a patch for a <a href="https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability">second MOVEit Transfer Vulnerability</a>, which was uncovered by Huntress during a third-party code review. The vulnerability is later assigned <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-35036">CVE-2023-35036</a>.</p>
<p><strong>June 12:</strong> Rapid7 releases a <a href="https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis">full exploit chain</a> for MOVEit Transfer Vulnerability CVE-2023-34362.</p></blockquote>
<p>Organizations impacted should consult Progress Software, their cybersecurity services provider, and CISA for more information.</p>
<p>The post <a href="https://mytechdecisions.com/network-security/progress-software-urges-further-action-to-prevent-moveit-exploitation/">Progress Software Urges Further Action to Prevent MOVEit Exploitation</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://mytechdecisions.com/network-security/progress-software-urges-further-action-to-prevent-moveit-exploitation/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>June 2023 Patch Tuesday: Exchange Server, SharePoint, PGM</title>
		<link>https://mytechdecisions.com/network-security/june-2023-patch-tuesday-exchange-server-sharepoint-pgm/</link>
					<comments>https://mytechdecisions.com/network-security/june-2023-patch-tuesday-exchange-server-sharepoint-pgm/#respond</comments>
		
		<dc:creator><![CDATA[Zachary Comeau]]></dc:creator>
		<pubDate>Tue, 13 Jun 2023 19:14:23 +0000</pubDate>
				<category><![CDATA[IT Infrastructure]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Patch management]]></category>
		<category><![CDATA[Patch Tuesday]]></category>
		<guid isPermaLink="false">https://mytechdecisions.com/?p=48788</guid>

					<description><![CDATA[<p>Microsoft has released fixes for about 70 vulnerabilities for its June 2023 Patch Tuesday release, and while none are listed as being actively exploited or publicly known, there are still a handful of critical-rated vulnerabilities that IT admins should prioritize this month. That list of bugs that should be prioritized includes two remote code execution [&#8230;]</p>
<p>The post <a href="https://mytechdecisions.com/network-security/june-2023-patch-tuesday-exchange-server-sharepoint-pgm/">June 2023 Patch Tuesday: Exchange Server, SharePoint, PGM</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Microsoft has released fixes for about 70 vulnerabilities for its June 2023 Patch Tuesday release, and while none are listed as being actively exploited or publicly known, there are still a handful of critical-rated vulnerabilities that IT admins should prioritize this month.</p>
<p>That list of bugs that should be prioritized includes two remote code execution vulnerabilities in Microsoft Exchange Server, an elevation of privilege bug in Microsoft SharePoint, a trio of remote code execution flaws in Windows Pragmatic General Multicast, and a handful of others.</p>
<p>Based on input from security researchers from Zero Day Initiative (ZDI), Tenable, Immersive Labs and others, here is a look at the vulnerabilities that warrant more attention for the June 2023 Patch Tuesday release.</p>
<h3><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32031">CVE-2023-32031</a> – Microsoft Exchange Server Remote Code Execution Vulnerability</h3>
<p>If this looks familiar, you aren’t alone. Microsoft has issued fixes for a number of Exchange Server remote code execution bugs in recent years, and this one is a bypass of fixes for <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082">CVE-2022-41082</a> and <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529">CVE-2023-21529</a>, with the latter listed as being under active exploitation.</p>
<p>This vulnerability exists within the Command class, and the issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. This bug requires the attacker to have an account on the Exchange server, but successful exploitation could lead to executing code with SYSTEM privileges.</p>
<h3><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28310">CVE-2023-28310</a> &#8211; Microsoft Exchange Server Remote Code Execution Vulnerability</h3>
<p>This is the other Exchange RCE bug listed this month and, like its twin, it is rated as important but considered more likely to be exploited. It also requires an attacker to be authenticated, so an attacker will need valid credentials.</p>
<p>According to researchers, both Exchange Server bugs closely mirror the vulnerabilities identified as part of the ProxyNotShell exploits. Successful exploitation could result in an attacker gaining access to an organization’s email account, or even the ability to impersonate any user.</p>
<p>Since attackers are adept at stealing valid credentials via phishing attacks, these should not be ignored.</p>
<h3><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357">CVE-2023-29357</a> – Microsoft SharePoint Server Elevation of Privilege Vulnerability</h3>
<p>According to researchers, this critical-rated vulnerability is used to bypass authentication due to a flaw within the ValidateTokenIssuer method. Microsoft lists enabling the AMSI feature as a mitigation for this flaw, but organizations are still urged to deploy the update as soon as possible.</p>
<p>Exploitation is achieved by sending a spoofed JWT authentication token to a vulnerable server, giving the attacker the privileges of an authenticated user on the target, researchers say.</p>
<h3><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29363">CVE-2023-29363</a>/<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32014">32014</a>/<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32015">32015</a> – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability</h3>
<p>This trio of vulnerabilities, all critical-rated, allows a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) Server environment. This is the third month in a row that Microsoft has patched a critical-rated bug in this component.</p>
<p>For successful exploitation, a system must have message queuing services enabled.</p>
<p><em>For further June 2023 Patch Tuesday analysis, consult research blogs from <a href="https://www.zerodayinitiative.com/blog/2023/6/13/the-june-2023-security-update-review">Zero Day Initiative</a>, <a href="https://www.tenable.com/blog/microsofts-june-2023-patch-tuesday-addresses-70-cves-cve-2023-29357">Tenable</a>, <a href="https://www.immersivelabs.com/topics/patch-tuesday/">Immersive Labs</a> and others. </em></p>
<p>The post <a href="https://mytechdecisions.com/network-security/june-2023-patch-tuesday-exchange-server-sharepoint-pgm/">June 2023 Patch Tuesday: Exchange Server, SharePoint, PGM</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://mytechdecisions.com/network-security/june-2023-patch-tuesday-exchange-server-sharepoint-pgm/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Patch FortiGate SSL-VPN Devices Immediately</title>
		<link>https://mytechdecisions.com/network-security/patch-fortigate-ssl-vpn-devices-immediately/</link>
					<comments>https://mytechdecisions.com/network-security/patch-fortigate-ssl-vpn-devices-immediately/#respond</comments>
		
		<dc:creator><![CDATA[Zachary Comeau]]></dc:creator>
		<pubDate>Tue, 13 Jun 2023 15:59:33 +0000</pubDate>
				<category><![CDATA[IT Infrastructure]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Fortinet]]></category>
		<category><![CDATA[Patch management]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[Vulnerability Management]]></category>
		<guid isPermaLink="false">https://mytechdecisions.com/?p=48777</guid>

					<description><![CDATA[<p>Cybersecurity firm Fortinet is warning organizations of a critical vulnerability in its FortiGate SSL-VPN devices, continuing a string of recent exploitations of vulnerabilities in similar devices due to their internet-facing nature and access to a victim’s network. The vulnerability–tracked as CVE-2023-27997–is a heap-based overflow flaw that could allow a remote attacker to execute arbitrary code [&#8230;]</p>
<p>The post <a href="https://mytechdecisions.com/network-security/patch-fortigate-ssl-vpn-devices-immediately/">Patch FortiGate SSL-VPN Devices Immediately</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Cybersecurity firm Fortinet is warning organizations of a critical vulnerability in its FortiGate SSL-VPN devices, continuing a string of recent exploitations of vulnerabilities in similar devices due to their internet-facing nature and access to a victim’s network.</p>
<p>The vulnerability–tracked as CVE-2023-27997–is a heap-based overflow flaw that could allow a remote attacker to execute arbitrary code or commands via specially crafted requests, says the Sunnyvale, Calif.-based firewall and endpoint security firm.</p>
<p>According to Fortinet, following a previous incident in January that also involved exploitation of FortiOS SSL VPN, its Product Security Incident Response Team initiated a code audit of the SSL-VPN module, leading to the identification of issues that have been remediated in the company’s patch.</p>
<p>The <a href="https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign" target="_blank" rel="noopener">investigation</a> found that CVE-2023-27997 “may have been exploited in a limited number of cases.”</p>
<p>In the company’s blog, Fortinet says the attacks mimic the activity of Volt Typhoon, a suspected China-sponsored hacking group that has been targeting critical infrastructure organizations. However, Fortinet doesn’t go so far as to link exploitation of the vulnerability to that group, though it does expect Volt Typhoon and other threat actors to leverage the bug in unpatched software and devices.</p>
<p>FortiGate devices were identified by the U.S. National Security Agency as being <a href="https://mytechdecisions.com/network-security/microsoft-nsa-warn-of-stealthy-china-sponsored-hacking-group-volt-typhoon/" target="_blank" rel="noopener">targeted by Volt Typhoon</a> as an initial intrusion vector.</p>
<p>Organizations should apply the patch immediately. If they aren’t able to do so, disabling SSL-VPN is a legitimate workaround, the company says.</p>
<p>These devices and other SSL VPN products from Citrix, Pulse Secure and others have been popular targets in recent years, says Satnam Narang, senior staff research engineer at vulnerability management firm Tenable.</p>
<p>According to Narang, these flaws have not only been exploited by ransomware groups but also by nation-state aligned threat actors with a particular focus on flaws in Fortinet devices.</p>
<p>“SSL-VPNs are attractive targets due to their internet-facing nature, providing access to a company’s intranet,” Narang says. “They became even more popular at the beginning of the pandemic, as organizations shifted towards allowing for remote work.”</p>
<p>Narang adds that pre-authentication bugs like CVE-2023-27997 are especially valuable to remote attackers because they don’t need to have valid credentials.</p>
<p>“Despite patches being available, the inherent value of the flaw remains significant, considering the ongoing success threat actors achieve by exploiting known, unpatched vulnerabilities,” Narang says. “It’s not a question of &#8216;if&#8217;, but rather &#8216;when&#8217; a public proof-of-concept exploit for this flaw is made public, that we can expect more widespread scanning and exploitation of vulnerable assets.”</p>
<p>The post <a href="https://mytechdecisions.com/network-security/patch-fortigate-ssl-vpn-devices-immediately/">Patch FortiGate SSL-VPN Devices Immediately</a> appeared first on <a href="https://mytechdecisions.com">My TechDecisions</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://mytechdecisions.com/network-security/patch-fortigate-ssl-vpn-devices-immediately/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
