PRESS RELEASE

New York City, NY. November 21, 2024 – Apono, the leader in privileged access for the cloud, today announced an update to the Apono Cloud Access Platform that enables users to automatically discover and revoke standing access to resources across their cloud environments. Users can then create guardrails for sensitive resources, allowing Apono to process and assess access requests, and quickly provide Just-in-Time, Just-Enough access to users when needed. Today’s update will be available across all three major cloud service providers, with AWS being the first to launch, followed by Azure and Google Cloud Platform. 

“Today’s update enriches the Apono Cloud Access Platform’s unique combination of automated discovery, assessment, management, and enforcement capabilities,” said Rom Carmel, CEO and Co-founder of Apono. “With deep visibility across the cloud, seamless permission revocation, and automated Just-in-time, Just-Enough Access, we eliminate one of the largest risks organizations face while ensuring development teams can innovate rapidly with seamless access within secure guardrails. This powerful combination is essential for modern businesses, unlocking a new level of security and productivity for our customers.” 

Standing access within the cloud has long been a prime target for cybercriminals, enabling them to swiftly escalate both horizontally and vertically during a breach. However, security teams have lacked complete visibility over existing standing access, leaving critical vulnerabilities across the user base. Additionally, security teams have been reluctant to revoke existing standing access due to the risk of impacting users' day-to-day needs, which can ultimately lead to significantly hampering business operations across the organization.  

Today’s update allows users to overcome this challenge by enabling security teams to: 

Gain complete visibility over user permissions, identifying 100% of standing user entitlements in the cloud and where high-risk, standing privileges exist. 

Confidently and seamlessly remove 95% of standing entitlements without impacting business operations.  

Use critical insights on high-risk permissions to inform remediation plans, guide administrators in establishing access flows, and automatically grant Just-in-Time, Just-Enough access to cloud resources for only the required duration before access is revoked again. 

“Over-privileged access is one of the most significant risks to identity security that organizations face today, and it's made even more challenging to manage by expanding cloud environments. At the same time, to keep pace, organizations need to grant permissions dynamically to support day-to-day work. This creates a complex obstacle: how can an organization grant the necessary access for productivity while also enhancing its identity security?” said Simon Moffatt, Founder and Analyst, The Cyber Hut, “With this in mind, delivering Just-in-Time and Just-Enough Access across cloud services should be the goal of modern identity management. An approach to solve this will help companies significantly reduce their attack surface while ensuring a seamless access experience for their workforce.” 

Apono will provide in-person demonstrations of today's update and the complete Apono Cloud Access Platform at AWS re:Invent from December 2-6. Click here to learn more.  

For more information, visit the Apono website here: www.apono.io. 

You May Also Like

Apono Enhances Platform Enabling Permission Revocation and Automated Access

Starting in 2025, the RSAC Innovation Sandbox Top 10 Finalists will each receive a $5 million investment to drive cybersecurity innovation.

SAN FRANCISCO, Nov. 21, 2024 /PRNewswire/ -- RSA Conference™, the world's leading cybersecurity conferences and expositions, today announced that starting in April 2025, the Top 10 Finalists in the RSAC Innovation Sandbox (ISB) contest will receive financing to help them further accelerate innovation to fight the next generation of cybersecurity threats. The investment program will provide these startups with additional capital to deliver solutions that help organizations defend against the increasing volume and complexity of cybersecurity attacks.

The RSAC™ ISB contest, celebrating its 20th anniversary in 2025, has become the world's premier showcase for the cybersecurity startup community. Some of the most successful cybersecurity innovators have competed in the RSAC ISB contest in order to highlight their game-changing ideas that have disrupted the cybersecurity industry. The contest has grown to receive roughly 150 applicants annually, forming an important source of innovation and ideation that has been essential in addressing ever-changing cybersecurity challenges. More than 750 investors, cybersecurity leaders, entrepreneurs and members of the media join the packed audience to watch the ISB event live.

The RSAC ISB contest has become a preeminent platform within the cybersecurity community, providing increased visibility and awareness to the Top 10 Finalists each year. Since the RSAC ISB contest's inception, companies named as Top 10 Finalists have collectively raised over $16.4 billion\* in investments and been involved in over 90 merger and acquisition transactions. Each year, a panel of independent judges selects the Top 10 Finalists after reviewing the applicants' submissions. At RSA Conference in San Francisco, each Top 10 Finalist presents an overview of their business, and a winner is selected by an independent panel of judges drawn from the cybersecurity community. Starting in 2025, the Top 10 Finalists will each receive a $5 million uncapped Simple Agreement for Future Equity (SAFE) investment, provided by affiliates of Crosspoint Capital Partners.

"Attackers are constantly adapting and changing their tradecraft. Continuous innovation from cybersecurity startups is essential to global cyber defense," said Dr. Hugh Thompson, Executive Chairman and long-serving program chair of RSA Conference, and Managing Partner of Crosspoint Capital Partners. "Historically, the RSAC Innovation Sandbox competition has anointed winners in cybersecurity long before they became winners in the marketplace. We are excited to introduce simplified, founder-friendly financing for the companies selected by the independent and neutral process of the RSAC Innovation Sandbox to further fuel cybersecurity innovation."

For many industry-leading cybersecurity companies, the ISB platform has been an important part of their journey. "When Wiz participated in the RSAC Innovation Sandbox contest in 2021, we were a young company in an emerging cybersecurity category," said Anthony Belfiore, Chief Security and Strategy Officer of Wiz. "The exposure that we received from the ISB platform and RSA Conference helped us attract more customers earlier in our journey. This was extremely helpful for us. This new investment program is a game-changer."

The investment program is delivered as an uncapped SAFE, which provides an immediate capital infusion while maintaining future fundraising flexibility. "Post Series A investment, subsequent rounds have trended to be larger with multiple investors. A valued security investor like Crosspoint Capital with the deep operational experience of their founding partners would be welcomed into the cap table," said Theresia Gouw, co-founding partner, Acrew Capital.

In addition to the investment capital, RSAC is also developing a new forum, the RSAC Founders Circle, to provide past and present ISB Top 10 Finalists with additional exposure, coaching, mentorship, and connections with the CISO community. This initiative will also serve as a powerful alumni network for these distinguished entrepreneurs. Multiple ISB finalists have gone on to become standalone public companies while others become attractive acquisitions for platform assets. These previous Top 10 Finalists include leading cybersecurity innovators such as: Wiz, Imperva, SentinelOne, Talon Cyber Security, Phantom Cyber, and Hidden Layer.

Additional details on the RSAC ISB submission process for qualifying candidates will be made available in January 2025.

RSAC's Commitment to the Cybersecurity Community

RSAC has a heritage of supporting important investments for the community through former and existing programs, including the RSAC Innovation Sandbox, RSAC Security Scholar, child online safety, College Day, community philanthropic activities during the Conference and Conference scholarships to underrepresented communities through its vast network of partners. A portion of the returns received from the investments made in the Top 10 Finalists will be used by RSAC to support the cybersecurity community.

\*Indicates latest numbers according to Crunchbase

Additional Quotes: 

Nasrin Rezai, SVP and Chief Information Security Officer, Verizon – RSAC Innovation Sandbox Judge

"CISOs like me who are constantly trying to sort through the barrage of new cybersecurity entrants are always looking for a signal on who to spend time with and which solutions to try," said Nasrin Rezai, SVP and Chief Information Security Officer, Verizon and returning ISB judge. "The rigorous process of picking these Top 10 Finalists creates a signal to the market of who to pay attention to."

Dean Sysman, Co-Founder and CEO, Axonius – RSAC 2019 Innovation Sandbox Winner 

"One of the best things you want to achieve as a startup in the cybersecurity world is to be a part of the RSAC Innovation Sandbox contest," said Dean Sysman, Co-Founder and CEO, Axonius. "RSA Conference is the most important place where cybersecurity business, ideas, and products get introduced, talked about, and reviewed. The recognition and validation that winning ISB provides coming from that esteemed judging panel was instrumental in people trusting that we would follow through in what we promised we would do for them. There is nothing to lose by applying. Winning it sets you apart in a very differentiated and unique way while pushing the industry to look at you in a new light."

Rehan Jalil, CEO, Securiti AI – RSAC 2020 Innovation Sandbox Winner

"Making it into the RSAC ISB Top 10 and then winning the contest sends a very strong signal to not only the venture capitalists but the industry at large. The panel of judges for the ISB competition is very diverse, and they each evaluate startups with a different lens, which ultimately helps you as a company be judged more holistically. Winning ISB put us on the map, boosting our brand and increasing customer engagement. Whether you raise money before the contest or after, you get community interest in potentially making a jump to the next stage once you make it into the Top 10," said Rehan Jalil, CEO of Securiti AI, RSAC 2020 Innovation Sandbox Winner.

Oliver Friedrichs, Founder and CEO, Pangea and Founder and CEO, Phantom Cyber – RSAC 2023 Innovation Sandbox Finalist and RSAC 2016 Innovation Sandbox Winner

"Being a Finalist puts you on the map and separates you from the pack," said Oliver Friedrichs, Founder and CEO of Pangea, RSA Conference 2023 Innovation Sandbox Finalist and Founder and CEO of Phantom Cyber, RSAC 2016 Innovation Sandbox Winner. "If you're a new, relatively unknown entity, it's a great way to launch your company on the big stage. The attention you get being a Top 10 Finalist attracts venture capitalists, strategic investors, and enterprise customers who are all trying to understand what these new companies are doing and how they can help me. This new investment program for the Top 10 Finalists is a testament to the quality and potential of these companies. This added funding provides an even greater long-term financial impact for these startups and further extends their runway." 

Dave Chen, co-head of Global Technology Investment Banking at Morgan Stanley – RSAC Innovation Sandbox Judge

"Several of the companies that have been selected to the ISB Top 10 have gone on to become juggernauts in cybersecurity. The Innovation Sandbox competition is where some of the biggest stories in cybersecurity begin," said Dave Chen, co-head of Global Technology Investment Banking at Morgan Stanley. "I'm honored to be a judge for the 2025 contest."

Ben Colman, Co-Founder and CEO, Reality Defender – RSAC 2024 Innovation Sandbox Winner 

"For over a year, we had board members, investors, and clients encourage us to apply to the Innovation Sandbox contest," said Ben Colman, Co-Founder and CEO of Reality Defender and winner of the RSA Conference 2024 Innovation Sandbox contest. "We applied with no expectations, made it to the Top 10, and quickly realized our fellow Finalists were almost all pure play cybersecurity companies — something we thought was our disadvantage as a cybersecurity company focused on AI, but ultimately proved to be why we won. Awarding future winners with an uncapped SAFE note now makes applying to RSAC Innovation Sandbox a truly game-changing proposition."

Paul Kocher, Independent Researcher, Investor and Marconi Prize winner – RSAC Innovation Sandbox Judge

"The Innovation Sandbox contest is a fantastic event and terrific driver for bringing new technology to market — and for entrepreneurs it's an opportunity to present to the ideal audience," said Paul Kocher, RSAC ISB Judge, Investor, Independent Researcher and Marconi Prize winner. "I've served as a judge for most of the contest's 20 years, and have seen first hand how it raises Finalists' profiles, helping start-ups build enthusiasm with customers, investors, and new hires. Although the strong field of applicants makes the selection process challenging, I appreciate the Conference and judges' commitment to ensuring the neutrality and independence of the evaluation and selection process."

About RSA Conference

RSA Conference™ is the premier series of global events and year-round learning for the cybersecurity community. RSAC is where the security industry converges to discuss current and future concerns and have access to the experts, unbiased content, and ideas that help enable individuals and companies advance their cybersecurity posture and build stronger and smarter teams. Both in-person and online, RSAC brings the cybersecurity industry together and empowers the collective "we" to stand against cyberthreats around the world. RSAC is the ultimate marketplace for the latest technologies and hands-on educational opportunities that help industry professionals discover how to make their companies more secure while showcasing the most enterprising, influential, and thought-provoking thinkers and leaders in cybersecurity today. For the most up-to-date news pertaining to the cybersecurity industry visit www.rsaconference.com. Where the world talks security.

RSA Conference 2025 Innovation Sandbox Contest Celebrates 20th Anniversary

PRESS RELEASE

SAN FRANCISCO, Nov. 21, 2024 /PRNewswire/ -- VISO TRUST, a leader in AI-powered third-party risk management (TPRM), today announced the closing of its latest funding round of $7M in additional funding, bringing the total raised to $24M, with participation from both existing investors, Bain Capital Ventures, Work-Bench, Sierra Ventures, and Lytical Ventures, and new investors, Allstate Strategic Ventures, Cisco Investments, EnvisionX Capital, and Scale Asia Ventures.

This funding will further VISO TRUST's mission to transform TPRM through an adaptive AI-driven platform, bringing enhanced security intelligence and seamless third-party risk management to enterprises worldwide.

Enhancing Third-Party Risk Management with Integrated Security Intelligence

VISO TRUST's AI-powered platform delivers real-time, evidence-based assessments by intelligently collecting, analyzing, and continuously monitoring artifacts from vendors. This approach removes friction for vendors, eliminates the manual analysis burden for TPRM professionals, and enables comprehensive, high-quality assessments. The platform analyzes control presence, testing methodologies, exceptions, Nth-party references, and more, allowing security teams to focus on strategic initiatives.

VISO TRUST's AI-driven automation platform has become the industry benchmark for third-party risk management for industry leaders like Upwork, Instacart, Notion, and Bain Capital. By leveraging intelligent automation, VISO TRUST reduces vendor assessment and onboarding time by up to 90%, cutting TPRM hours to mere minutes per vendor and enabling enterprises to achieve comprehensive risk management at scale. With rapid assessments completed in just 5-7 days and a remarkable 98% vendor adoption rate, the platform empowers organizations to make informed, proactive risk decisions.

Paul Valente, CEO of VISO TRUST, commented on the funding round:

"We're excited to assemble a set of complementary and deep tech investors to advance our mission of transforming third-party risk management. This funding will enable us to accelerate the innovation of our platform, creating a robust ecosystem that integrates security intelligence and aligns with today's complex business workflows."

An investment in Next-Generation Monitoring and Response

VISO TRUST is at the forefront of next-generation monitoring, aggregating and analyzing diverse sources of vendor intelligence, including breach advisories, Software Bill of Materials (SBOM), and SEC filings. The platform provides real-time insights, enabling teams to make data-driven decisions, respond swiftly to emerging threats, and maintain continuous compliance, offering a distinct advantage in managing evolving cyber risks across the cloud-first, AI-driven enterprise landscape. This funding round will allow VISO TRUST to scale its unique artifact-based platform, creating an adaptable AI governance framework focused on real risk reduction.

"VISO TRUST's platform reshapes governance, risk, and compliance, enabling organizations to streamline vendor risk assessments and manage evolving cyber risks with agility in an increasingly complex digital landscape leveraging AI," said Janey Hoe, vice president, Cisco Investments. "As part of Cisco's AI Fund, we are excited to help accelerate VISO TRUST's mission to enhance security intelligence and real-time monitoring capabilities for enterprises worldwide."

VISO TRUST continues to build a future in governance, risk, and compliance where AI not only strengthens security but empowers organizations to navigate the dynamic and high-stakes digital landscape with resilience and precision.

About VISO TRUST

VISO TRUST is an AI-driven third-party risk management platform transforming traditional vendor risk assessments through automation and acceleration. Our platform provides continuous monitoring, risk remediation, Nth-party intelligence, and seamless workflow integrations, serving a global customer base across sectors like financial services, healthcare, and technology. VISO TRUST helps organizations mitigate the risks of vendor relationships at scale.

For more information, visit www.visotrust.com or contact \[email protected\].

VISO TRUST Secures $24M to Accelerate Innovation in AI-Powered Third-Party Risk Management

Dazz's remediation engine will  boost risk management in Wiz's cloud security portfolio.

Source: John Williams RF via Alamy Stock Photo

Cloud security provider Wiz announced on Thursday that it has entered into a deal to acquire Dazz, a Israeli startup specializing in security remediation and risk management. 

The cash-and-share deal is worth $450 million, TechCrunch reported, and the acquisition beefs up Wiz’s product portfolio. Earlier this year Wiz launched Wiz Code, a cloud application security product to help security and development teams identify and fix cloud risks directly in code before they become critical issues.

“Everything we do is rooted in customer need. Wiz has always been driven by a desire to help organizations actually improve their security posture—not just by reporting risks, but by prioritizing and resolving issues where it matters most,” Wiz CEO and founder Assaf Rappaport wrote on the company’s blog post announcing the deal. 

With the addition of Dazz’s remediation engine, Wiz will now enable security teams to work with data from multiple sources and manage risk in a single platform. 

“In today’s world, organizations must connect risks across the entire application lifecycle—from code to cloud and on-prem infrastructure. They need tools that prioritize issues with precision and make collaboration effortless. Dazz delivers on this need, simplifying remediation and empowering teams to act quickly and decisively,” Rappaport wrote.

Earlier this year Wiz raised $1 billion for strategic acquisitions, and rejected a $23 billion acquisition offer from Google. 

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Cloud Security Startup Wiz to Acquire Dazz in Risk Management Play

Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta, T-Mobile and Twilio.

Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including **LastPass**, **MailChimp**, **Okta**, **T-Mobile** and **Twilio**.

A visual depiction of the attacks by the SMS phishing group known as Scattered Spider, and Oktapus. Image: Amitai Cohen twitter.com/amitaico.

The five men, aged 20 to 25, are allegedly members of a hacking conspiracy dubbed “**Scattered Spider**” and “**Oktapus**,” which specialized in SMS-based phishing attacks that tricked employees at tech firms into entering their credentials and one-time passcodes at phishing websites.

The targeted SMS scams asked employees to click a link and log in at a website that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other phishing messages advised employees about changes to their upcoming work schedule.

These attacks leveraged newly-registered domains that often included the name of the targeted company, such as twilio-help\[.\]com and ouryahoo-okta\[.\]com. The phishing websites were normally kept online for just one or two hours at a time, meaning they were often yanked offline before they could be flagged by anti-phishing and security services.

The phishing kits used for these campaigns featured a hidden Telegram instant message bot that forwarded any submitted credentials in real-time. The bot allowed the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.

In August 2022, multiple security firms gained access to the server that was receiving data from that Telegram bot, which on several occasions leaked the Telegram ID and handle of its developer, who used the nickname “**Joeleoli**.”

The Telegram username “Joeleoli” can be seen sandwiched between data submitted by people who knew it was a phish, and data phished from actual victims. Click to enlarge.

That Joeleoli moniker registered on the cybercrime forum **OGusers** in 2018 with the email address **joelebruh@gmail.com**, which also was used to register accounts at several websites for a Joel Evans from North Carolina. Indeed, prosecutors say Joeleoli’s real name is **Joel Martin Evans**, and he is a 25-year-old from Jacksonville, North Carolina.

One of Scattered Spider’s first big victims in its 2022 SMS phishing spree was **Twilio**, a company that provides services for making and receiving text messages and phone calls. The group then used their access to Twilio to attack at least 163 of its customers. According to prosecutors, the group mainly sought to steal cryptocurrency from victim companies and their employees.

“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts,” said **Akil Davis**, the assistant director in charge of the FBI’s Los Angeles field office.

Many of the hacking group’s phishing domains were registered through the registrar **NameCheap**, and FBI investigators said records obtained from NameCheap showed the person who managed those phishing websites did so from an Internet address in Scotland. The feds then obtained records from Virgin Media, which showed the address was leased for several months to **Tyler Buchanan**, a 22-year-old from Dundee, Scotland.

A Scattered Spider phishing lure sent to Twilio employees.

As first reported here in June, Buchanan was arrested in Spain as he tried to board a flight bound for Italy. The Spanish police told local media that Buchanan, who allegedly went by the alias “**Tylerb**,” at one time possessed Bitcoins worth $27 million.

The government says much of Tylerb’s cryptocurrency wealth was the result of successful **SIM-swapping** attacks, wherein crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.

According to several SIM-swapping channels on Telegram where Tylerb was known to frequent, rival SIM-swappers hired thugs to invade his home in February 2023. Those accounts state that the intruders assaulted Tylerb’s mother in the home invasion, and that they threatened to burn him with a blowtorch if he didn’t give up the keys to his cryptocurrency wallets. Tylerb was reputed to have fled the United Kingdom after that assault.

A still frame from a video released by the Spanish national police, showing Tyler Buchanan being taken into custody at the airport.

Prosecutors allege Tylerb worked closely on SIM-swapping attacks with **Noah Michael Urban**, another alleged Scattered Spider member from Palm Coast, Fla. who went by the handles “**Sosa**,” “**Elijah**,” and “**Kingbob**.”

Sosa was known to be a top member of the broader cybercriminal community online known as “**The Com**,” wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate networks.

In January 2024, KrebsOnSecurity broke the news that Urban had been arrested in Florida in connection with multiple SIM-swapping attacks. That story noted that Sosa’s alter ego Kingbob routinely targeted people in the recording industry to steal and share “grails,” a slang term used to describe unreleased music recordings from popular artists.

FBI investigators identified a fourth alleged member of the conspiracy – **Ahmed Hossam Eldin Elbadawy**, 23, of College Station, Texas — after he used a portion of cryptocurrency funds stolen from a victim company to pay for an account used to register phishing domains.

The indictment unsealed Wednesday alleges Elbadawy controlled a number of cryptocurrency accounts used to receive stolen funds, along with another Texas man — **Evans Onyeaka Osiebo**, 20, of Dallas.

Members of Scattered Spider are reputed to have been involved in a September 2023 ransomware attack against the **MGM Resorts** hotel chain that quickly brought multiple MGM casinos to a standstill. In September 2024, KrebsOnSecurity reported that a 17-year-old from the United Kingdom was arrested last year by U.K. police as part of an FBI investigation into the MGM hack.

Evans, Elbadawy, Osiebo and Urban were all charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft. Buchanan, who is named as an indicted co-conspirator, was charged with conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.

A Justice Department press release states that if convicted, each defendant would face a statutory maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, up to five years in federal prison for the conspiracy count, and a mandatory two-year consecutive prison sentence for aggravated identity theft. Buchanan would face up to 20 years in prison for the wire fraud count as well.

Further reading:

The redacted complaint against Buchanan (PDF)

Charges against Urban and the other defendants (PDF).

Feds Charge Five Men in ‘Scattered Spider’ Roundup

In a sign of the times, a backdoor malware whose ancestors date back to 2005 has morphed to target Linux systems.

Source: Imagebroker via Alamy Stock Photo

Two well-documented Chinese backdoors have recently been modified to operate on Linux systems.

The advanced persistent threat (APT) "Gelsemium" is a decade old now, and the new malware tied to the group, Wolfsbane and Firewood, can trace their lineage back to 2005. Throughout its history, Gelsemium has focused on information gathering from Windows systems. Now, it has adjusted its tooling to operate just as effectively in Linux environments.

This, experts say, is merely the latest manifestation of a long-brewing trend.

"The Linux malware landscape is certainly accelerating," says Jason Soroko, senior fellow at Sectigo. "The increase does make sense, as organizations have heavily adopted Linux for their back office server needs, both on premises and in the cloud. Adversaries are developing cross-platform malware to maximize their reach."

**The Wolfsbane & Firewood Backdoors**

The first public sample of the first new backdoor, dubbed Wolsbane, was uploaded to VirusTotal on March 6, 2023, from Taiwan, with later uploads coming from the Philippines and Singapore (historically, Gelsemium has targeted entities in the Middle East and East Asia).

Contextual evidence suggests that the malware's authors have been exploiting vulnerabilities in Java Web applications to access public-facing Apache Tomcat servers. And a deeper look inside reveals unmistakable overlaps with Gelsevirine, a Windows backdoor known to be used by Gelsemium. In essence, the Wolfsbane malware was a Linux port of Gelsevirine, featuring a modified Beurk Experimental Unix RootKit to hide its various malicious activities.

Alongside Wolfsbane, though not definitively attributable to Gelsemium, was a second Linux-ported backdoor, Firewood. An addition to its varied and typical backdoor capabilities, it possesses a kernel-level rootkit. 

Most interestingly, Firewood appears to be the latest evolution of "Project Wood," a phylum of a backdoor that traces back generations to a program first compiled in January 2005. The latest manifestation of Project Wood before Firewood, NSPX30, was reported earlier this year.

**What Explains the Surge in Linux Cyber Threats?**

Cyber threats rise across the board every year, but the particular rise in Linux-based threats stands out. 

Since at least 2020, vendors have tracked double- and triple-digit year-over-year increases in Linux attacks. In its annual "Global Threat Report," Elastic Security has regularly found that the Linux threat landscape vastly outpaces that of macOS, more closely resembling Windows in terms of sheer volume of attacks. In 2023, for example, it found that 54% of endpoint attacks affected Linux-based devices, compared with just 39% for Windows.

Over the past 12 months, around 32% of malware infections have targeted Linux, according to Jake King, Elastic's head of threat and security intelligence. "While steadily increasing, we are seeing greater volumes of attacks and, in some cases, with greater levels of sophistication. The XZ/Liblzma backdoor discovered by researchers earlier this year shows the desire of adversaries to compromise Linux hosts, likely for a variety of reasons, growing in sophistication to supply chain compromise," he says.

The rising threats to Linux may be attributable to an increasing adoption of Linux in enterprise environments, as Soroko alluded to, or the generally improving state of Windows security — the explanation ESET went with in its blog post — or an explanation even simpler.

"One of the reasons for growing observations can always be targeted to adversarial focus changing, but it is also likely that security tooling and telemetry for Linux hosts are improving at a pace whereby attacks are identified earlier, with a greater level of context," King suggests. For example, "A growing trend for threat observations this year was Impaired Defenses for Linux, showing that adversaries are specifically looking to bypass security tools native to Linux or disable third-party security tools. This is important, as it shows we're exposing many attacks that would have previously gone undetected years ago."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Chinese APT Gelsemium Deploys 'Wolfsbane' Linux Variant

The DOJ proposes tough proposals in its antitrust lawsuit against Google, including selling the Chrome browser, limiting search…

The DOJ proposes tough proposals in its antitrust lawsuit against Google, including selling the Chrome browser, limiting search deals, and restructuring its operations to limit monopoly.

As part of its antitrust lawsuit against Google, the U.S. Department of Justice (DOJ) has proposed major changes that could entirely change the tech giant’s business structure and its role on the Internet.

The DOJ’s latest filing seeks the divestiture of key Google assets, including its Chrome browser, and calls for structural changes that could impact Android and its search operations. Google has strongly criticized the proposals, framing them as a threat to innovation, security, and consumer choice.

****Background of the Lawsuit****

The DOJ first filed its antitrust lawsuit against Google **in October 2020**, accusing the company of abusing its dominance in the search engine market to squash competition. The case focuses on Google’s search distribution agreements with major partners, such as Apple, Mozilla, and smartphone manufacturers, which allegedly back its **monopoly** by making Google Search the default on browsers and devices.

The DOJ argues that these practices harm competition by blocking rival search engines from gaining a foothold in the market. Central to the case is the allegation that Google’s actions prevent fair competition and innovation, ultimately harming consumers.

****What the DOJ Proposes****

Hackread.com analysed the DoJ’s **latest filing (PDF)**. Here’s what the Department has outlined and proposed to end Google’s dominance:

*   **Divestiture of Chrome and Possibly Android**: The DOJ suggests that Google sell its Chrome browser and its Android operating system to limit its control over internet access points.
*   **Search Choice Screens**: The proposal requires Google to implement choice screens, where users select their preferred search engine on devices like Google Pixel phones. This design must be approved by a newly proposed “Technical Committee.”
*   **Data Sharing Requirements**: Google would be required to share search data and innovations with competitors, including foreign companies.
*   **Ban on Default Search Agreements**: The DOJ aims to prohibit Google from entering into agreements with partners like Apple or Mozilla to make Google Search the default engine.

The DOJ has framed these measures as necessary to ensure fair competition and restore balance to the digital marketplace.

****Google’s Response****

In response, Google has strongly pushed back against the DOJ’s proposals, describing them as extreme, radical interventionist agenda, and harmful to consumers. In a **blog post** published November 11, 2024, Google argued that the proposals would:

*   **Compromise Privacy and Security**: Divesting Chrome and Android could lead to increased risks for user data and diminish the security features Google has built into these platforms.
*   **Stifle Innovation**: Google warned that the measures could chill investment in cutting-edge technologies, particularly in artificial intelligence, where the company is a global leader.
*   **Hurt Partners and Developers**: Google claims the proposals would harm partners like Mozilla, whose Firefox browser relies on revenue from Google’s search placement agreements.
*   **Introduce Overregulation**: Google criticized the creation of a Technical Committee with broad powers to oversee its operations as an unprecedented overreach.

Google maintains that its dominance in the search market is due to offering “the industry’s highest quality search engine,” not through unfair practices. The company plans to submit its own proposals and continue its legal battle into the next year.

> DOJ had a chance to propose remedies related to the issue in this case: search distribution agreements. Instead, DOJ chose to push a radical interventionist agenda that would harm Americans and America’s global technology leadership. https://t.co/QslGbUyklR
> 
> — News from Google (@NewsFromGoogle) November 21, 2024

****Industry-Wide Implications****

If the DOJ’s proposals are implemented, the tech industry could see a major change in power dynamics and business practices:

*   **Impact on Browser and Operating System Markets**: Forcing Google to sell Chrome and potentially Android would create opportunities for competitors, but it might also disrupt the user experience for millions who rely on Google’s integrated ecosystem.
*   **Search Market Competition**: Measures like search choice screens could pave the way for smaller search engines to gain traction, but critics argue that such interventions may confuse users and lead to inferior experiences.
*   **AI Development**: Google’s claims about reduced AI investment could have far-reaching consequences for advancements in automation, machine learning, and related industries.
*   **Global Technology Leadership**: The case raises concerns about U.S. competitiveness in technology, as the remedies could weaken one of the nation’s largest and most influential tech companies.

Nevertheless, the DOJ’s proposals mean a straightforward measure to limit one of the most powerful companies in the world, but the battle is far from over. Google has vowed to contest the measures, and the case will likely drag on for months if not years.

This legal battle will also challenge how we balance competition and innovation in the tech world. Its outcome could change how we use technology and online search for years to come.

1.  **ChatGPT’s Training Methods Challenged in Lawsuit**
2.  **Google Incognito: New Disclaimer Reveals Data Tracking**
3.  **$4B lawsuit claims Google tracked iPhone users’ activities**
4.  **DuckDuckGo says Google Incognito searches are not private**
5.  **HP Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk**

DOJ Proposes Breaking Up Google: Calls for Sale of Chrome Browser

The Threat Source Newsletter is back! William Largent discusses bidirectional communication in the SOC, and highlights new Talos research including the discovery of PXA Stealers.

Thursday, November 21, 2024 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

Bidirectional communication is foundational to a well-built team regardless of environment. It’s critical in information security to be able to drive a conversation up the ladder and down and not lose the critical elements. One of the most difficult challenges that cyber security teams face is making sure that everyone that is in a decision-making space is aware of the highly technical challenges that the evolving threat landscape dictates. Navigating the challenges that come in continually evolving the team and it’s tools to defend is often a much greater challenge. I’m going to help you with those conversations. In both directions. By talking about drumming. I know, I don’t have the pro wrestling takes that Jon came to the table with, so you’re going to have to run with me Constant Reader.  

I’m going to choose drumming to outline an easy way to identify some complex issues and talk about them in both directions and drumming is a little easier to identify for non-musicians and FAR less contentious than a spicy guitar opinion. Ok, so let’s start with a simple concept.  

 Sounds difficult. Is difficult.    
Sounds difficult. Is easy.   
Sounds easy. Is difficult.     
Sounds easy. Is easy.  

 Sounds difficult. Is difficult. This one is easy – Tomas Haake from Meshuggah playing Bleed is a perfect example. Polyrhythms, stamina, speed, interdependence, and complexity. This sounds difficult. It is difficult. Only the criminally insane attempt to learn how to play this song.  

Sounds easy. Is easy. Take Phil Rudd and pick any AC/DC song from Back in Black. The perfect example of sounds easy, is easy. Perfectly in the pocket.  

Sounds easy. Is difficult. This one is harder and will cause someone to wellackshully and I assure you I do not care. I’m going to give two examples, Jeff Porcaro of Toto playing Rosanna and Vinnie Colaiuta playing Seven Days with Sting. Both of these songs are immensely easy to listen to and don’t seem like there’s anything challenging going on. Until you try to play along, then you cry and examine all the choices you’ve made in life.  

Sounds difficult. Is easy. This is going to be a sticky situation, but I’d say that you could throw on anything by Travis Barker and Dave Lombardo. Bring it haters. I’m not saying that they are bad drummers – simply that what they do sounds more difficult than it is.  

Ok William, but how does this help me at all?  

When you have information security meetings with people in your organization take a second as you look at the agenda, and your conversation in specific, and think about the groupings above and determine what kind of drumming you are hearing. Depending on your environment and team the topics will fall naturally into these categories – it can be patch and vulnerability management,  EOL devices that need to be replaced, endpoint detection and response, deciding what traffic is actionable and defining that in your SIEM, forensic analysis, threat hunting, event response, the conversations are as malleable as the threat landscape.  

It’s easy to isolate the things in your environment that are very difficult to defend AND take a skilled defender and complex tooling to defend. Those conversations flow with either junior analysts or C-Level executives. This is the “Sounds difficult. Is difficult.” type of conversation. Ditto the “Sounds easy. Is easy.” conversations are easy to have in either direction. The most difficult topics to convey fall into the “Sounds difficult. Is easy.” or “Sounds easy. Is difficult.” In my experience these conversations are usually much easier to deliver in one direction and much more difficult in the other. Jazz guys enjoy the nuance of Colaiuta and can’t wrap their minds around Lombardo while metalheads love him and don’t want to be bothered by ghost notes. By taking a moment to dissect your topic and determine where you are going to run into the “Sounds difficult. Is easy.” or the “Sounds easy. Is difficult.” situation it will allow you to prepare for those more challenging conversations so that you can craft a narrative to best capture the nuance that might be lost in a highly technical conversation with a C-Level exec, or the motivation for waiting for the next financial quarter for new tooling that the analysts really need.  

I’m not going to lie - you can prepare this way and things can still fall on deaf ears, they can still underestimate the lift required because people are fallible but if you prepare just a bit and know your audience you can drag your C-Level into a discussion on polyrhythm and pull your junior analyst up with a little Vinnie Colaiuta and make them all feel like Phil Rudd.   

**The one big thing **

Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia. PXA Stealer targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software. PXA Stealer also has the capability to decrypt the victim’s browser master password and uses it to steal the stored credentials of various online accounts. 

**Why do I care? **

Harvested credentials can allow attackers direct access to your environment without the need to exploit vulnerabilities or face any of your defensive architecture – they can just log in. Cisco Talos Incident Response has observed an increasing number of engagements where this is the case.  

**So now what? **

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against PXA Stealer.   

**Top security headlines of the week **

Attackers are continuing to upload hundreds of malicious packages to the open-source node package manager (NPM) repository in an attempt to infect the devices of developers that rely on these libraries. (Ars Tecnica) 

Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that it's director Jen Easterly will step down from her position on President-elect Donald Trump's Inauguration Day. (Dark Reading) 

Palo Alto Networks has released a patch to fix a critical vulnerability in some instances of its firewall management interfaces. PAN observed threat activity exploiting an unauthenticated remote command execution vulnerability against firewall management interfaces. (Bleeping Computer,  Dark Reading)   

**Can’t get enough Talos? **

*   Unwrapping the emerging Interlock ransomware attack 
*   Talos Takes on Interlock 
*   November Patch Tuesday release contains three critical remote code execution vulnerabilities 
*   It's Taplunk! Talos and Splunk threat researchers meet to put the security world to rights 

**Upcoming events where you can find Talos **

 CyberCon Romania

(Nov 21-22)    
Bucharest, Romania 

 Martin Lee from Cisco Talos will speak on a panel discussion Maintaining Resilience for a Secure Cyber Infrastructure.  

misecCON (Nov. 22)    
Lansing, Michigan 

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting. 

AVAR

(Dec 4-6)    
Chennai, India 

 Vanja Svancer and Chetan Raghuprasad from Cisco Talos will both present, Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.  

**Most prevalent malware files from Talos telemetry over the past week  **

SHA 256: c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a  

MD5: 3bc6d86fc4b3262137d8d33713ed6082  

Typical Filename: 8c556f0a.dll  

Claimed Product: N/A  

Detection Name: Gen:Variant.Lazy.605353  

 SHA 256: bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a 

MD5: 200206279107f4a2bb1832e3fcd7d64c 

Typical Filename: lsgkozfm.bat 

Claimed Product: N/A 

Detection Name: Win.Dropper.Scar::tpd   

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  

MD5: 71fea034b422e4a17ebb06022532fdde  

Typical Filename: VID001.exe  

Claimed Product: N/A  

Detection Name: RF.Talos.80  

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66  

MD5: 8b84d61bf3ffec822e2daf4a3665308c  

Typical Filename: RemComSvc.exe  

Claimed Product: N/A  

Detection Name: W32.3A2EA65FAE-95.SBX.TG

Bidirectional communication via polyrhythms and shuffles: Without Jon the beat must go on

Four of the arrested individuals of the cybercriminal gang, known for hacking MGM and Caesars, are American, all of whom could face up to 27 years in prison for the charges against them.

Source: Gregg Vignal via Alamy Stock Photo

Today the Department of Justice (DoJ) unsealed criminal charges against five individuals who belong to the hacking group "Scattered Spider," which is the cybercriminal group known for recruiting young people and carrying out high-profile cyberattacks, including last year's offensives against MGM Resorts and Caesar's Palace in Las Vegas.

The defendants allegedly targeted employees of companies across the United States via phishing messages, using the harvested employee credentials to log in to systems and steal private company data, including intellectual property, and personal identifying information, such as account credentials, names, email addresses, and telephone numbers. The indictment also says the group gained unauthorized access to individuals' cryptocurrency accounts and wallets, and stole millions of dollars of virtual currency.

Four of the defendants are American, ranging from 20 to 25 years old; the eldest, Joel Martin Evans, aka "joeleoli," of Jacksonville, N.C., made his first appearance in court yesterday after being arrested the day before by the FBI. All four of them are charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft.

The fifth individual, Tyler Robert Buchanan, 22, is located in the United Kingdom and is facing charges of conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.

"These individuals, and other actors that they have collaborated with, have caused so much pain and financial harm to organizations across North America through their disruptive intrusions," Charles Carmakal, Mandiant Consulting CTO at Google Cloud, wrote in an emailed statement to Dark Reading. "We hope this sends a message to the other actors they collaborate with that they aren't immune to consequences."

If convicted, each of the defendants would face a statutory maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, up to five years for conspiracy, and two years for aggravated identity theft. Buchanan would face an additional 20 years for the wire fraud count.

Scattered Spider Cybercrime Members Face Prison Time

Consolidating endpoint management boosts cybersecurity while keeping an Oklahoma-based nonprofit focused on community mental health.

Source: Everything Possible via Alamy Stock Photo

At the center of community care, a lifeline for mental health is making a lasting impact — strengthened by technology that ensures security without compromising compassion.

Mental-health center Family and Children's Services (FCS), based in Tulsa, Oklahoma, has helped transform the lives of members of its local community with programs to support their well-being, including child abuse and trauma support, as well as counseling for families and those suffering from substance abuse and addiction. The organization is more than 100 years old, serves more than 150,000 people each year, and offers services in more than 50 schools. It also more than doubled its staff in recent years and now has 1,500 employees who provide a variety of services, many that have moved online since the start of the pandemic.

These changes created a challenge for FCS CIO Brent Harris, who was responsible for protecting a rapidly growing organization with a sprawling IT environment and a boom in the number of endpoints in use. At the beginning of the pandemic lockdown in 2020, FCS distributed approximately 2,000 iPads and other devices to clients so that clinicians could offer teletherapy and telemedicine services. That brought the total number of devices that needed to be managed to around 3,500.

FCS was willing to spend on its core mission — serving the community's mental health needs — so most of its headcount growth was in its clinical staff. But Harris still had to manage with the same number of IT staff to keep costs down. Automation was key to solving this challenge.

"We needed a way to automate, to buy back time instead of trying to solve problems with manpower," Harris says. "We try to solve problems with technology."

**Piloting an Endpoint Management Platform**

The IT staff needed visibility into which software packages were on each device and whether the devices were being patched properly. The legacy system in use didn't give Harris the confidence that his team had that insight.

"Devices were on the network that we didn't see, and software was on someone's device that shouldn't be there that we didn't pick up on," Harris says. "Most of the things we found we found manually."

When FCS deployed Tanium as part of a pilot, the endpoint management platform immediately found devices that the legacy system had missed, Harris says. A tragic incident in the community shortly after illustrated the importance of having endpoint management technology with an accurate view of the environment.

"There was an event in our community where there was an active shooter, not at Family and Children's Services, but at a healthcare facility that a lot of us were familiar with," Harris says. "A lot of people in our agency had worked there in the past or had friends there, and so it really hit near home."

FCS needed a reliable employee notification system to ensure that the healthcare provider was prepared if a similar situation were to unfold. FCS was looking for a guarantee that everyone would receive information — such as employee notifications and software updates — pushed out by the system onto their individual devices.

"We would push it out to 1,000 endpoints and then get a report that said 796 of them received it, and we would have to manually go try to figure out where there were gaps," Harris says. "Tanium is far better at doing that. And in this case, you know, it's really life or death. If that scenario were to ever occur, we need to make sure that 100% of the devices on the network have the agent installed and it's running."

A trial run is an essential part of evaluating which technologies to purchase and deploy because it can help illuminate how well the solution meets the organization's needs, Harris says.

"We were able to do a pilot, and we were pretty convinced within a matter of days and weeks, not months, that this tool was going to be a very important part of our technology stack going forward," he adds.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Latest News