To put the impact of cybercrime into perspective, let’s examine some important, and startling, numbers: Data breach costs increased from $3.86 million to $4.24 million in 2021. Every 39 seconds, there is an attack. About 90% of healthcare organizations have fallen victim to at least one breach within the past three years. The bottom line? Cyberattacks are frequent and costly, and COVID-19 has only fueled the fire with more employers adopting a remote work structure.

On Thursday, March 31, 2022, GitLab released an advisory for a critical password security vulnerability in GitLab Community and Enterprise products tracked as CVE-2022-1162. GitLab is DevOps software that combines the ability to develop, secure, and operate software in a single application. The exploitation of CVE-2022-1162 can allow a threat actor to guess a hard-coded password for any GitLab account with relative ease.

On March 29, 2022, a critical vulnerability targeting the Spring Java framework was disclosed. This vulnerability was initially confused with a vulnerability in Spring Cloud, CVE-2022-22963. However, it was later identified as a separate vulnerability inside Spring Core, now tracked as CVE-2022-22965 and canonically named Spring4Shell.

Most company decision-making executives know how blockchain technology works but few have adopted it within their organization at this stage. This is the conclusion drawn by the latest Pulse survey conducted on 145 senior IT managers from companies on three continents. It shows that only 8% have experienced this technology, compared to 53% who know how it works but are yet to use it.

Our security researchers, engineers, and our Crowdsource community are actively working on understanding the vulnerabilities and developing tests. We have received a dozen POCs already and anticipate more over the coming days. While the situation is rapidly developing, here is what we know so far. The Spring Cloud Function vulnerability (CVE-2022-22963) was disclosed and patched earlier this week.

A selection of this week’s more interesting vulnerability disclosures and cyber security news. For a daily selection see our twitter feed at #ionCube24. Another day and another cyber heist. Not much to say really…

That’s right all, it’s time for the latest MITRE Engenuity ATT&CK® evaluation. As we have come to expect each year, Elastic — along with other security vendors — are evaluated by MITRE Engenuity, a tech foundation that brings MITRE research to the public. The evaluation focuses on emulating techniques from the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework to assess vendor protection capabilities.

On Wednesday 30th March 2022, news was disclosed online about an unauthenticated RCE zero-day vulnerability in Spring Core, a framework for building modern Java-based enterprise applications.

Organizations today are pressured to keep their IT applications and infrastructure up and running and minimize their downtime. While this has always been a critical goal, it’s become harder to achieve with modern architectures, such as microservices, containerization, edge computing, hybrid-cloud deployments and the newer development methods such as agile DevOps techniques.