The security operations centre (SOC) has served public sector cyber teams well over the years but is fundamentally a reactive tool and now needs to be superseded by something else in order to address not just alerts about in-progress security events but the underlying risks that lead to them, all in the service of ‘doing’ cyber more efficiently and, crucially, cheaper. This is the view of Qualys CEO Sumedh Thakar, who, speaking at an event for federal government IT leaders hosted in the Washington DC suburbs at the end of May, defined the new-generation SOC as a ROC, where the letter R stands for risk. Thakar said that things needed to change in the cyber security world. “Continuing in the way that we have where we would scan every week or two and those scans were dumped somewhere on a hard drive somewhere and then someone goes and triages those manually and then you try to fix everything that comes your way – that approach is not really a success,” he said. “Continuing that approach is just not in the future.” He urged CISOs to stop putting so much effort into attack surface management and refocus on risk surface management, where risk management is defined as the mitigation of risk – or transfer of it to someone else – for the most plausible losses that could affect the organisation. It is not possible to get risk down to zero, so it is important to figure out how to address the most plausible factors and address those instead. For a company the most plausible loss will likely be a dollar revenue or profit figure. However, public sector organisations have it tough because they have a very different perspective on what ‘loss’ looks like beyond the financial cost. For example, they could and should be more worried about the safety of the general public or frontline personnel, national security, critical infrastructure security, economic stability, or public health, said Thakar, referencing attacks such as the infamous Colonial Pipeline incident, which paralysed petrol stations across a swathe of the US in 2022. “For most agencies it is really about aligning factors to what is the potential disruption to the mission, to the programme, that currently is important,” he said. Translating this into action for public sector buyers – wherever they may be located – Jonathan Trull, CISO and senior vice president of security solution architecture, and Mayuresh Ektare, vice president of product management at Qualys, said they wanted to help public sector CISOs make the most of the limited resources they have available to them in the face of a mountain of security data  “Our larger customers are having to deal with not a million findings, but hundreds of millions of findings on a daily basis. It is not humanly possible to go and patch or mitigate them all. This is where the concept of a risk operation centre is absolutely needed,” said Ektare. “You’ve got a limited number of resources at your disposal – how do you point them in the right direction so that you can actually reduce the risk that matters to your agencies the most.” Ektare described running an ROC as being a “peacetime” activity for defenders, comparing it to an SOC which is more akin to a wartime situation room. Trull, who spent 12 years working in cyber roles for the state of Colorado, rising to the post of CISO, said: “If this was a capability I’d have had back in the day … an ability to continuously aggregate [and] normalise, whatever standard they were using, because we didn’t dictate – it was very much you decide what tooling you want  and you use that tooling effectively. But what I needed was an accurate picture to advise the governor and the legislature what risks we’re facing on a monthly basis – that wasn’t available. “If you’re a customer a lot of this is built and in the solution, so in these federated environments in which you’re trying to gain control I can’t think of a better option than looking at this concept of an ROC,” he said. Read more about risk management Data risk management identifies, assesses and mitigates threats to organisational data, safeguarding sensitive information from unauthorised access. Knowing the types of risks businesses commonly face and their applicability to your company is a first step toward effective risk management. Every facet of business operations is exposed to risks, requiring a risk management team that's composed of a diverse mix of corporate executives and managers.

May 31, 2025Ravie LakshmananVulnerability / Linux Two information disclosure flaws have been identified in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU). Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to access sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems. "These race conditions allow a local attacker to exploit a SUID program and gain read access to the resulting core dump," Saeed Abbasi, manager of product at Qualys TRU, said. A brief description of the two flaws is below - CVE-2025-5054 (CVSS score: 4.7) - A race condition in Canonical apport package up to and including 2.32.0 that allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces CVE-2025-4598 (CVSS score: 4.7) - A race condition in systemd-coredump that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process SUID, short for Set User ID, is a special file permission that allows a user to execute a program with the privileges of its owner, rather than their own permissions. "When analyzing application crashes, apport attempts to detect if the crashing process was running inside a container before performing consistency checks on it," Canonical's Octavio Galland said. "This means that if a local attacker manages to induce a crash in a privileged process and quickly replaces it with another one with the same process ID that resides inside a mount and pid namespace, apport will attempt to forward the core dump (which might contain sensitive information belonging to the original, privileged process) into the namespace." Red Hat said CVE-2025-4598 has been rated Moderate in severity owing to the high complexity in pulling an exploit for the vulnerability, noting that the attacker has to first the race condition and be in possession of an unprivileged local account. As mitigations, Red Hat said users can run the command "echo 0 > /proc/sys/fs/suid_dumpable" as a root user to disable the ability of a system to generate a core dump for SUID binaries. The "/proc/sys/fs/suid_dumpable" parameter essentially controls whether SUID programs can produce core dumps on the crash. By setting it to zero, it disables core dumps for all SUID programs and prevents them from being analyzed in the event of a crash. "While this mitigates this vulnerability while it's not possible to update the systemd package, it disables the capability of analyzing crashes for such binaries," Red Hat said. Similar advisories have been issued by Amazon Linux, Debian, and Gentoo. It's worth noting that Debian systems aren't susceptible to CVE-2025-4598 by default, since they don't include any core dump handler unless the systemd-coredump package is manually installed. CVE-2025-4598 does not affect Ubuntu releases. Qualys has also developed proof-of-concept (PoC) code for both vulnerabilities, demonstrating how a local attacker can exploit the coredump of a crashed unix_chkpwd process, which is used to verify the validity of a user's password, to obtain password hashes from the /etc/shadow file. Canonical, in an alert of its own, said the impact of CVE-2025-5054 is restricted to the confidentiality of the memory space of invoked SUID executables and that the PoC exploit can leak hashed user passwords has limited real-world impact. "The exploitation of vulnerabilities in Apport and systemd-coredump can severely compromise the confidentiality at high risk, as attackers could extract sensitive data, like passwords, encryption keys, or customer information from core dumps," Abbasi said. "The fallout includes operational downtime, reputational damage, and potential non-compliance with regulations. To mitigate these multifaceted risks effectively, enterprises should adopt proactive security measures by prioritizing patches and mitigations, enforcing robust monitoring, and tightening access controls." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

May 16, 2025Ravie LakshmananMalware / Cyber Attack Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT. "Threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents," Qualys security researcher Akshay Thorve said in a technical report. "The attack chain leverages mshta.exe for proxy execution during the initial stage." The latest wave of attacks, as detailed by Qualys, employs tax-related lures to entice users into opening a malicious ZIP archive containing a Windows shortcut (LNK) file, which, in turn, makes use of mshta.exe, a legitimate Microsoft tool used to run HTML Applications (HTA). The binary is used to execute an obfuscated HTA file named "xlab22.hta" hosted on a remote server, which incorporates Visual Basic Script code to download a PowerShell script, a decoy PDF, and another HTA file similar to xlab22.hta called "311.hta." The HTA file is also configured to make Windows Registry modifications to ensure that "311.hta" is automatically launched upon system startup. Once the PowerShell script is executed, it decodes and reconstructs a shellcode loader that ultimately proceeds to launch the Remcos RAT payload entirely in memory. Remcos RAT is a well-known malware that offers threat actors full control over compromised systems, making it an ideal tool for cyber espionage and data theft. A 32-bit binary compiled using Visual Studio C++ 8, it features a modular structure and can gather system metadata, log keystrokes, capture screenshots, monitor clipboard data, and retrieve a list of all installed programs and running processes. In addition, it establishes a TLS connection to a command-and-control (C2) server at "readysteaurants[.]com," maintaining a persistent channel for data exfiltration and control. This is not the first time fileless versions of Remcos RAT have been spotted in the wild. In November 2024, Fortinet FortiGuard Labs detailed a phishing campaign that filelessly deployed the malware by making use of order-themed lures. What makes the attack method attractive to threat actors is that it allows them to operate undetected by many traditional security solutions as the malicious code runs directly in the computer's memory, leaving very few traces on the disk. "The rise of PowerShell-based attacks like the new Remcos RAT variant demonstrates how threat actors are evolving to evade traditional security measures," J Stephen Kowski, Field CTO at SlashNext, said. "This fileless malware operates directly in memory, using LNK files and MSHTA.exe to execute obfuscated PowerShell scripts that can bypass conventional defenses. Advanced email security that can detect and block malicious LNK attachments before they reach users is crucial, as is real-time scanning of PowerShell commands for suspicious behaviors." The disclosure comes as Palo Alto Networks Unit 42 and Threatray detailed a new .NET loader that's used to detonate a wide range of commodity information stealers and RATS like Agent Tesla, NovaStealer, Remcos RAT, VIPKeylogger, XLoader, and XWorm. The loader features three stages that work in tandem to deploy the final-stage payload: A .NET executable that embeds the second and third stages in encrypted form, a .NET DLL that decrypts and loads the next stage, and a .NET DLL that manages the deployment of the main malware. "While earlier versions embedded the second stage as a hardcoded string, more recent versions use a bitmap resource," Threatray said. "The first stage extracts and decrypts this data, then executes it in memory to launch the second stage." Unit 42 described the use of bitmap resources to conceal malicious payloads a a steganography technique that can bypass traditional security mechanisms and evade detection. The findings also coincide with the emergence of several phishing and social engineering campaigns that are engineered for credential theft and malware delivery - Use of trojanized versions of the KeePass password management software – codenamed KeeLoader – to drop a Cobalt Strike beacon and steal sensitive KeePass database data, including administrative credentials. The malicious installers are hosted on KeePass typosquat domains that are served via Bing ads. Use of ClickFix lures and URLs embedded within PDF documents and a series of intermediary dropper URLs to deploy Lumma Stealer. Use of booby-trapped Microsoft Office documents that are used to deploy the Formbook information stealer protected using a malware distribution service referred to as Horus Protector. Use of blob URIs to locally loads a credential phishing page via phishing emails, with the blob URIs served using allow-listed pages (e.g., onedrive.live[.]com) that are abused to redirect victims to a malicious site that contains a link to a threat actor-controlled HTML page. Use of RAR archives masquerading as setup files to distribute NetSupport RAT in attacks targeting Ukraine and Poland. Use of phishing emails to distribute HTML attachments that contain malicious code to capture victims' Outlook, Hotmail, and Gmail credentials and exfiltrate them to a Telegram bot named "Blessed logs" that has been active since February 2025 The developments have also been complemented by the rise in artificial intelligence (AI)-powered campaigns that leverage polymorphic tricks that mutate in real-time to sidestep detection efforts. These include modifying email subject lines, sender names, and body content to slip past signature-based detection. "AI gave threat actors the power to automate malware development, scale attacks across industries, and personalize phishing messages with surgical precision," Cofense said. "These evolving threats are increasingly able to bypass traditional email filters, highlighting the failure of perimeter-only defenses and the need for post-delivery detection. It also enabled them to outmaneuver traditional defenses through polymorphic phishing campaigns that shift content on the fly. The result: deceptive messages that are increasingly difficult to detect and even harder to stop." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    