Government security processes are often viewed as tedious and burdensome — but applying the lessons learned from them is imperative for private industry to counter a nation-state threat.

The private sector's utility, telecom, banking, transportation, and medical networks have become a part of physical, mental, and economic well-being in the modern world. They are also under unprecedented threat from state actors — recently underscored by the unclassified summary of the Department of Defense's cybersecurity strategy, which stated that China "steals technology secrets and undermines the DIB \[defense industrial base\]," and that, in the event of conflict, China "likely intends to launch destructive cyber attacks against the U.S. Homeland." The Director of National Intelligence's assessment further elaborated that "China is almost certainly capable of launching cyberattacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems."

The DIB and critical infrastructure are under clear threat from our near-peer competitors and would do well to apply select best practices from US government classified systems to protect their own crown jewels.

**Understand Where and How Protected Enclaves and the Internet Intersect**

Whether in the operational technology (OT) networks of utilities, the research and development enclaves of pharmaceutical networks, or the medical equipment networks of hospitals, some parts of networks need to be more secure than others. But even in utilities' OT networks, which contain a critical mass of potentially vulnerable legacy technology, total segmentation is a myth, and for good reason: Companies increasingly require the power of big data analytics, integrations with Internet-connected financial systems, and similar services to operate an effective business.

A sound approach to risk management in connecting protected enclaves to broader IT networks can be found in a relatively obscure section of National Security Memorandum 8 (NSM-8): Cultivate visibility and rigor around the areas in which the networks overlap. By declaring that cross-domain systems — the systems responsible for connecting classified networks to unclassified networks — are "vital \[national security systems\] that require centralized visibility" and establishing the NSA's Raise the Bar program to oversee them, the US government ensured a level of consistent risk evaluation and security rigor around these inherently risky junctures in the network.

By doing the same, organizations can better manage risk and ensure a consistent approach, rather than crafty and unique but often unvetted solutions to bridge protected enclaves and the broader network. As these centralized points of visibility mature within organizations, they can also unite at an industry level via information sharing and analysis centers (ISACs) or ad hoc collaborative networks to understand best practices and technologies to minimize the risks at these critical network junctures.

**Protect the Critical Enterprise Along With Critical Infrastructure**

As alluded to above, the crown jewels of critical infrastructure organizations may be well-protected, but they are surrounded by a critical enterprise of enabling functions — HR, customer service, finance, logistics — hosted on a less-secure IT network and sometimes one step removed from the culture of security that permeates operational parts of the organization. But the threat of lateral movement within the network, whereby an adversary could compromise an employee in the critical enterprise and eventually navigate their way to more sensitive systems, renders this an unwise approach. The risk is compounded by the fact that a joint advisory by the NSA, CISA, the FBI, and others highlights China-sponsored threat actors "living off the land" within critical infrastructure networks, using native services rather than malware to evade detection once they have established a foothold.

The intelligence community has long embraced the concept of the critical enterprise by requiring that all employees — whether working operationally or in a support role — complete a thorough suitability process and protect support networks with the same rigor as their mission networks. By doing so, they not only protect their endpoints and systems at a given classification level from technical compromise but also cultivate a culture of security that renders the organization less vulnerable to human-enabled attacks, such as phishing.

While it is untenable for private sector companies to subject their employees to the same degree of scrutiny needed for a US security clearance, they can take a page from the government by securing the entire critical enterprise through training, preventive cybersecurity architecture, and a culture of security that makes the entire critical enterprise aware of the shared risks to their organization.

**Demand Security by Design**

The complexity of creating a solid cybersecurity architecture is compounded by the fact that, as CISA director Jen Easterly put it, "We've unwittingly come to accept as normal that such technology is dangerous-by-design." This has resulted in the need to deploy myriad security and network management solutions, some of which have proven dangerous by design in and of themselves.

The US government, in general, and its Department of Defense, in particular, have long exercised rigorous processes around technology readiness assessment and operational testing and evaluation. These processes, while costly and lengthy, are designed to ensure the security, maturity, and operational readiness of the technologies that will be deployed to conduct the most critical functions of the US government and support its war fighters. By exercising diligence in their procurement processes, including a strong eye toward security, US government agencies minimize the risk that their technology will be compromised.

It would be impractical to recommend that private sector organizations conduct the same degree of testing and evaluation of technology. But incorporating questions geared toward CISA's joint "Security-by-Design and -Default" principles is an appealing alternative. By moving beyond reliance on regulatory certifications (many of which test a manufacturer's processes and policies rather than the inherent security of the underlying technology), security leaders can partner with acquisition teams to increase the security of both critical infrastructure and critical enterprise. A few examples of such questions include:

*   Does your solution include multiple layers of security in case an adversary defeats one layer?
*   Do you provide and maintain a software bill of materials?
*   What hardware architectural protections are in place?
*   What is required to "harden" deployment of this solution?

Government security processes are often viewed as tedious and burdensome, but applying the lessons learned from them doesn't need to be. Taking these three key lessons and applying them to securing not only critical infrastructure but also the broader critical enterprise is imperative for private industry to counter a nation-state threat.

Protect Critical Infrastructure With Same Rigor as Classified Networks

Joe Sullivan's lawyers have claimed his conviction on two felony charges is based on tenuous theories and criminalizes the use of bug bounty programs.

Former Uber CISO Joseph Sullivan's conviction earlier this year on charges related to a 2016 data breach at the company should not be allowed to stand because it threatens the use of bug bounty programs among enterprise organizations, his lawyers argued in an appeal this week.

In a brief filed Tuesday with the US Court of Appeals for the Ninth Circuit, Sullivan's legal team described him as the victim of a "profoundly flawed" verdict that was based on tenuous theories about his responsibilities as the security chief at Uber.

**'Profoundly Flawed' Decision**

"Joe Sullivan used tools and strategies that all CISOs utilize to protect the data of hundreds of thousands of Uber drivers and was prosecuted for doing his job," said one his lawyers, Aravind Swaminathan of the Orrick law firm, in a statement. "If \[the verdict\] is allowed to stand, it's a precedent that threatens to take away a valuable tool that has helped security teams across all industries better protect their systems and puts Americans at much greater risk of being harmed."

A federal jury last October found Sullivan guilty of obstructing justice and misprision of a felony — or working to conceal it — in connection with a 2016 breach at Uber that exposed sensitive data of more than 50 million customers and 600,000 drivers.

The breach happened in the middle of an investigation by the Federal Trade Commission (FTC) of an earlier 2014 security incident at Uber involving the compromise of personal information belonging to some 50,000 individuals.

Prosecutors charged Sullivan, whom Uber hired as CISO after the 2014 breach, of withholding information about the 2016 incident from the FTC even as its investigators were scrutinizing the company's data security and privacy practices. The government argued that Sullivan should have informed the FTC of the 2016 incident, but instead went out of his way to conceal it from them.

**Flawed Understanding of Bug Bounty Programs**

Prosecutors also accused Sullivan of attempting to conceal the breach itself by paying $100,000 to buy the silence of the two hackers behind the compromise. Sullivan had characterized the payment as a bug bounty similar to ones that other companies routinely make to researchers who report vulnerabilities and other security issues to them. His lawyers pointed out that Sullivan had made the payment with the full knowledge and blessing of Travis Kalanick, Uber's CEO at the time, and other members of the ridesharing giant's legal team.

But prosecutors described the payment and an associated nondisclosure agreement that Sullivan's team wanted the hackers to sign as an attempt to cover up what was in effect a felony breach of Uber's network.

Following the jury verdict in May 2023, Judge William Orrick of the US District Court for the Northern District of California sentenced Sullivan to three years of probation and 200 hours of community service and ordered him to pay a $50,000 fine.

**Scapegoats for Security Failures?**

Sullivan's fate struck a nerve with many peers and others in the industry who perceived CISOs as becoming scapegoats for broader security failures at their companies. Many argued — and continue to argue — that Sullivan acted with the full knowledge of his supervisors but in the end became the sole culprit for the breach and the associated failures for which he was charged. They believed that if Sullivan could be held culpable for his failure to report the 2016 breach to the FTC — and for the alleged hush payment — then so should Kalanick at the very least, and probably others as well.

It's an argument that Sullivan's lawyers once again raised in their appeal of the obstruction conviction this week. "Despite the fact that Mr. Sullivan was not responsible at Uber for the FTC's investigation, including the drafting or signing any of the submissions to the FTC, the government singled him out among over 30 of his co-employees who all had information that Mr. Sullivan is alleged to have hidden from the FTC," Swaminathan said.

The appeal similarly challenged the misprision conviction, arguing that it criminalized bug bounty programs, a practice that other organizations have made a fundamental part of their security strategies. Sullivan's lawyers argued that the former Uber CISO had leveraged the program effectively to get the two hackers to disclose how they had accessed the data and to get them to agree not to publicly release it.

**Criminalizing a Commonly Used Tactic**

The bug bounty program worked as it should have, the brief claimed. "Mr. Sullivan and his team fully resolved the 2016 incident through a Bug Bounty agreement," the appeal noted. "Two young men agreed to disclose the vulnerability, destroy a database of 600,000 drivers' license numbers they had downloaded, and not disclose the data or incident publicly," the brief said. "Uber paid a $100,000 reward and pursued no legal action. No data was ever exposed. No Uber user was ever injured. Mr. Sullivan and his team had done their jobs."

By characterizing what Sullivan did as a crime, the government in effect asked the jury to view the bug bounty agreement as a hush money payment and not as an effective way to mitigate security risks, the brief claimed.

"We aren't raising new legal arguments or evidence, since we are confined to the record," says David Chamberlin, managing director at Orrick, in comments to Dark Reading. "But the appeal does emphasize key legal limitations on when an individual can be held criminally liable for organizational decisions, actions, and inactions." It also adds "nuance on the importance of bug bounty programs and the uncertain factual settings and legal frameworks in which they operate."

The government's response is due by Nov. 9, and Sullivan will have an opportunity to respond to that by Nov. 30. Oral arguments in the appeals case are projected to start in the spring of 2024, and a decision won't happen until mid- to late 2024, Chamberlin says.

Uber's Ex-CISO Appeals Conviction Over 2016 Data Breach

Cryptocurrency apps were the most high risk for exposing sensitive information, a reverse-engineering study shows.

Encryption, authentication, and signing keys are often exposed in mobile fintech apps used across Africa, according to researchers at Approov, who found passwords, application programming interface (API) keys, and private keys for cryptography when the most commonly used apps were reverse-engineered.

**Risky Mobile Business**

Approov examined the top 10 apps based on revenue and downloads. The fintech apps included those offering loans, mobile banking, P2P money transfer, investment, and cryptocurrency services.

Trevor Henry Chiboora, research associate at CyLab-Africa, which conducted the study along with Approov, says some of the apps surveyed are used exclusively within Africa, and some are geolocked to regions within Africa. He also confirmed all the apps were downloaded from the Google Play Store.

The crypto apps were determined to be the worst when it comes to security, with 33.3% of them rated as high risk and 53.3% as medium risk.

The high-risk category is considered extremely dangerous if exposed, as they disclose private keys, keys for payment or transfer services, and "authentication" or "attestation" keys. Researchers said the exposure of these secrets could potentially lead to unauthorized access, data breaches, and compromised user privacy.

The medium-risk category secrets include sensitive data that, if exposed, could potentially compromise the confidentiality of user data and application functionality. Although not as critical as the high-severity secrets, the compromise of these secrets could still have significant repercussions.

Chiboora says there is neglect across the board when it comes to the levels of security in the apps, but crypto apps have a larger user base and geographical coverage than most other categories.

Research found 22.2% of personal finance apps were rated as high risk and 66.7% as medium risk. Payment and transfer apps were next worst, with 19.1% rated as high risk and 76.6% as medium risk. Of the total of 224 applications examined, only 5.4% revealed no details.

**The Secret Key Is Exposed**

To do the analysis, the researchers collected each app's ID and, using an automated script to download the Android Application Packages, the apps were reverse-engineered and scanned for risky items.

Cryptographic API keys, private keys, and passwords are used to authenticate the application and authorize access to protected resources or services, as well as to ensure the integrity and security of data exchanges between the application and a server.

Typically an API serves a dual purpose: It identifies the app to the backend API, and it validates the legitimacy of the requesting app, thereby establishing a clear link between the requesting entity and the API backend. This mechanism effectively prevents unauthorized or anonymous access attempts and provides a means to regulate the flow of data requests.

The researchers claimed that exposing API keys — especially those related to services like Google, AWS, and other cloud services — can result in unauthorized usage, which may incur unexpected costs or disrupt the functionality of integrated features.

"Keys are vital in the security and privacy of data as they authenticate and authorize access to services," Chiboora says, adding that most of the time these details are hidden from application users. "There are mobile cybersecurity methods that allow app developers to move these keys out of the app and into the cloud, which is a better approach and a recommendation for better security."

The researchers said this secret information is essential for verifying the identity of the application and protecting against unauthorized access, tampering, or data breaches. These secret keys are often present in the compiled source code of these applications and may also be inadvertently published to public repositories like GitHub.

Ted Miracco, CEO of Approov, said that as financial services become more digitized and accessible through mobile platforms across the world, the potential risks associated with the exposure of confidential information have escalated. "Developers can no longer depend on 'official' app stores or on native client OS security and must ensure that end-to-end security is built into the app itself," he said.

Pan-African Financial Apps Leak Encryption, Authentication Keys

Companies with customers in California need to prepare for a new process for demanding deletion of personal data.

Now that California Gov. Gavin Newsom has signed a bill defining the legal obligations of data brokers into law, businesses that serve people in the Golden State will have to meet a new set of processes to safeguard consumers' personal privacy. The new law consolidates California-specific processes under a state agency established by prior privacy legislation.

The California Delete Act, formally called "Data Broker Registration: Accessible Deletion Mechanism" (SB362), updates the state civil code to add and modify sections that pertain to data brokers to clarify such entities' responsibilities and processes. The new law also moves enforcement of data broker obligations from the California District Attorney's office to the California Privacy Protection Agency.

The California Privacy Protection Agency is tasked with maintaining a website that informs consumers of their rights and how to exercise them, as well as establishing a mechanism by Jan. 1, 2026, that allows consumers to request any and all data brokers to delete their personal data. The data brokers will have to start accessing the agency's mechanism and process all consumer deletion requests at least every 45 days as of Aug. 1, 2026. Once the broker has deleted a consumer's data, it further has to delete any personal information it has regarding that consumer during that same 45-day period. The Delete Act also requires data brokers to "register with, pay a registration fee to, and provide information to" the California Privacy Protection Agency starting July 1, 2027.

**Business Concerns**

The new law defines a data broker as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." The California Privacy Rights Act of 2020's definition of "business" — a company that meets at least one of these conditions: gross annual revenues of more than $25 million; collects personal information of at least 50,000 people, households, or devices; and/or makes at least half its annual revenue from selling consumer data — still stands.

Data brokers will have to register with the California Privacy Protection Agency, providing information such as business contact information, data deletion links, audit reports, and whether the company collects information about minors, geolocation data, or reproductive health care — a hot-button issue for consumer rights advocates since the striking down of federal abortion rights protections.

Neither the CCPA, the CPRA, nor the Delete Act defines "direct relationship" with consumers, however, as industry group International Association of Privacy Professionals (IAPP) pointed out in its coverage of the new law. Another concern data brokers have, according to the IAPP, includes a provision that doubles fines for brokers that fail to register with the California Privacy Protection Agency to $200 a day. Meanwhile, the Consumer Data Industry Association asserted that deleting consumer data will open the door to fraud.

Joey Stanford, vice president of data privacy and compliance at Platform.sh, said in a statement that the Act will close some loopholes, which will benefit consumers.

"Regulation comes with implementation costs for businesses and usually a negative hit to the bottom line of companies that are affected, which can cause pushback from corporations," he added.

**Fodder for Wider Regulation**

Interestingly, the Delete Act was signed into law just two days before the UK-US Data Bridge takes effect on Oct. 12. That agreement sets out conditions for transferring personal data between the US and the UK. A similar agreement already exists between the US and the European Union, but because the UK left the EU as of 2020, after the 2016 Brexit referendum, a separate agreement was required. Now that Britain is out of the EU, it has privacy laws separate from Europe's stringent GDPR — as do many other countries, presenting compliance complexity. But the US has yet to create a truly unified piece of federal privacy regulation. Federal data privacy legislation seems like a natural progression, once lawmakers can agree on the right balance.

"As we see more attempts at regulating data privacy at the state level, perhaps with the right combination of CCPA+CPRA+Delete Act rolled up together, it could be a blueprint for a federal law. Although there would be no effect on data brokers in other geographies (e.g. India), creating nationwide policy for the US would help tremendously," Stanford said.

New California Delete Act Tightens Rules for Data Brokers

A sophisticated APT known as "ToddyCat," sponsored by Beijing, is cleverly using unsophisticated malware to keep defenders off their trail.

Chinese advanced persistent threats (APTs) are known for being sophisticated, but the "ToddyCat" group is bucking the trend, compromising telecommunications organizations in Central and Southeast Asia using a constantly evolving arsenal of custom-developed, but very simple, backdoors and loaders.

ToddyCat was first discovered last year, though it has been in operation since at least 2020. According to Check Point, it has previously been linked with Chinese espionage operations.

In a blog post published this week, Check Point's researchers described how the group is staying nimble these days: by deploying, and just as quickly throwing away, cheap malware it can use to drop its payloads.

Victims of its latest "Stayin' Alive" campaign — active since at least 2021 — include telcos from Kazakhstan, Pakistan, Uzbekistan, and Vietnam. The precise extent of their reach, and whether they caused any damage, are yet unknown.

**ToddyCat's Latest Tactics**

Stayin' Alive attacks begin with spear phishing emails containing archive files. Once executed, the archive files are designed to take advantage of CVE-2022-23748, a 7.8 out of 10 "High" criticality DLL sideloading vulnerability in Dante AV systems software. ToddyCat uses such DLL sideloading — a popular technique, especially among Chinese threat actors — to drop loaders and downloaders onto targeted devices.

These loaders and downloaders are not nearly to the specs one would expect of a high-level, state-affiliated threat actor, explains Sergey Shykevich, threat intelligence group manager at Check Point.

"They have relatively basic functionality, but they're good enough to achieve initial goals, like allowing the attacker to get basic reports about infected machines: computer name, user name, system info, some directories, and so on. They also include the functionality of shelling, allowing the execution of any command the attacker wants," he explains.

"Our assumption is that via the shell, they were able to implement additional backdoors and modules," he adds, though the research didn't extend to finding out what payloads they ultimately did deploy.

**A Smart Use of Dumb Malware**

Though at first it might seem lazy or ineffectual, there is a reasoning behind using such basic tools instead of more sophisticated, multifunctional weapons of cyberwar.

"The smaller the tool, the more difficult it is to detect," Shykevich explains. "And also, when it's a small tool, it's relatively easy to adjust it to a target."

Easier to adjust, and less expensive to throw away. Typically, researchers identify and track APTs by cross-referencing details between different attacks. With ToddyCat, however, it's impossible to do that — each of its malware samples has zero discernible overlap with known malware families, or even with one another. The researchers expect that they're likely discarded for new samples even after little use. "The small changes mean that you can catch one of them, but it won't be so straightforward to catch all the others. It will require some additional work," Shykevich says.

That said, ToddyCat is undone by the fact that each sample traces back to its easily identifiable command-and-control (C2) infrastructure.

To defend against such a nimble attacker, Shykevich recommends a layered approach. "The first layer here, for example, was the email — you should have proper email protection to identify a malicious attachment," he advocates. "But another level is endpoint detection and response (EDR) endpoints, to identify for example the DLL sideloading and malicious shell activity."

Chinese 'Stayin' Alive' Attacks Dance Onto Targets With Dumb Malware

Touted for days as potentially catastrophic, the curl flaws only impact a narrow set of deployments.

For days now, the cybersecurity community has waited anxiously for the big reveal about two security flaws that, according to curl founder Daniel Stenberg, included one that was likely "the worst curl security flaw in a long time."

Curl is an open source proxy resolution tool used as a "middle man" to transfer files between various protocols, which is present in literally billions of application instances. The suggestion of a massive open source library flaw evoked memories of the catastrophic log4j flaw from 2021. As Alex Ilgayev, head of security research at Cycode, worried, "the vulnerability in the curl library might prove to be more challenging than the Log4j incident two years ago."

But following today's unveiling of patches and bug details, neither vulnerability lived up to the hype. However, it's still important for organizations to uncover whether the bugs are present in their environments (Dark Reading's latest Tech Tip covers how to scan environments for the curl vulnerabilities), and remediate accordingly.

**Impacting a Limited Number of Curl Deployments**

The first vuln, a heap-based buffer overflow flaw tracked under CVE-2023-38545, was assigned a rating of "high" due to the potential for data corruption or even remote code execution (RCE). The issue lies in the SOCKS5 proxy handoff, according to the advisory.

"When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes," the advisory stated. "If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy."

The bug could allow the wrong value to be handed off during the SOCKS5 handshake.

"Due to a bug, the local variable that means 'let the host resolve the name' could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there," the advisory added.

However, the high severity designation only applies to a fraction of deployments, cybersecurity expert Jake Williams says.

"This is only high severity in very limited circumstances," Williams says. "I think it's just an issue that when you have a library vulnerability, you know know how the library is being used. You have to assign the CVE assuming a worst case scenario for implementation."

The second curl bug, tracked under CVE-2023-38546, is a low-severity cookie injection flaw that only impacts the libcurl library, not curl itself.

"I think this is a bigger problem for security devices, and appliances (which fetch untrusted content and often use curl under the hood)," Andy Hornegold, vice president of product at Intruder, said in a statement in reaction to the release of the curl bug details. "I don't see it being a huge problem for standalone usage."

**Dangers of Hyping Up a Fix**

Beyond heartburn for cybersecurity teams, hyping up a fix before technical details are released can hand over an easy win to threat actors. In this instance, Williams points out that RedHat updated its change log ahead of the official curl release, which could have given cyberattackers important intel on unpatched targets, had the vulnerability been as dangerous as previously assumed.

Indeed, Mike McGuire with Synopsys saw the dangers of the amped up attention on the curl update and wrote about it in an Oct. 9 blog.

"Despite having no additional details about the vulnerability, threat actors will undoubtedly begin exploit attempts," McGuire wrote. "Additionally, it's not unheard of for attackers to post bogus 'fixed' versions of a project riddled with malware to take advantage of teams scrambling to patch vulnerable software."

Curl Bug Hype Fizzles After Patching Reveal

Organizations should brace for mass exploitation of CVE-2023-22515, an uber-critical security bug that opens the door to crippling supply chain attacks on downstream victims.

A China-sponsored advanced persistent threat (APT) tracked as Storm-0062 is responsible for the in-the-wild exploitation of the recently disclosed critical bug in Atlassian Confluence Server and Confluence Data Center, Microsoft has announced. And it turns out that proof-of-concept exploits are now available for it, portending mass exploitation.

The flaw (CVE-2023-22515) was disclosed last week, with Atlassian acknowledging that it had been exploited as a zero-day in the wild prior to that. The vulnerability was at first labeled a privilege escalation problem, but it's remotely exploitable without authentication and should be seen as more akin to a code-execution tool, according to researchers — an assessment borne out by its 10 out of 10 ranking on the CVSS vulnerability-severity scale.

Accordingly, Atlassian subsequently updated its advisory to label the bug a broken access control issue.

Microsoft this week delivered additional details on the zero-day campaign, which it said has been active since Sept. 14. In a series of tweets, it identified four IP addresses that were observed sending related CVE-2023-22515 exploit traffic; also, it noted that "any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application."

In tandem with that attribution, a former computer science student and "security enthusiast" who goes by the handle s1r1us dropped a proof of concept (PoC) on GitHub; researchers at Rapid7 published a detailed analysis of the vulnerability that could offer plenty of breadcrumbs to PoC developers.

**Who Is Beijing-Sponsored Storm-0062?**

The Storm-0062 APT is also known as DarkShadow or Oro0lxy, Microsoft pointed out. Both names are aliases for Chinese state hackers Li Xiaoyu and Dong Jiazhi, who were indicted by the US Department of Justice in 2020 for probing for "vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments."

They remain at large, presumably in China, and have a history of state-sponsored hacking in tandem with various associates that goes back to at least 2009.

Microsoft offered no details on the victimology of the latest attacks but noted in its annual Digital Defense Report issued last week that Chinese state-sponsored campaigns typically reflect the Chinese Communist Party's (CCP) dual pursuit of global influence and intelligence collection, and thus cast a wide net.

"Cyber threat groups \[in China\] continue to carry out sophisticated worldwide campaigns targeting US defense and critical infrastructure, nations bordering the South China Sea, and even China's strategic partners," according to the report. "Some Chinese cyber activity may also indicate possible avenues of response in the event of a future geopolitical crisis."

**Atlassian: Open to Software Supply Chain Attack**

The stakes are high when it comes to the bug. Confluence collaboration environments can house sensitive data on both internal projects as well as its customers and partners — which means that intruders lurking inside its files can gather all the intel they need to mount follow-on attacks on those third parties.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, notes that this kind of zero-day exploit is "purpose-built to pollute the application, thus allowing these Chinese cyber spies to use Confluence as an attack vector into a myriad of organizations."

He adds, "This represents a systemic supply chain attack. A majority of businesses and government agencies use it, and it can be hijacked to facilitate island hopping."

He also warns that businesses should brace for mass exploitation waves, since there are now public road maps for leveraging this particular vulnerability, and Confluence has a history of being popular with cybercrime types.

China's "People's Liberation Army has a vast cyber-spy network, much of which focuses on arming \[the country\] with zero-days," Kellermann says. "Initially, this vulnerability required an APT to exploit, but now with the details being disclosed, a mass compromise could be ensuing."

To protect themselves, "organizations with vulnerable Confluence applications should upgrade as soon as possible to a fixed version: 8.3.3, 8.4.3, or 8.5.2 or later," Microsoft advised. "Organizations should isolate vulnerable Confluence applications from the public Internet until they are able to upgrade them."

Kellerman adds that beyond patching, businesses must increase threat hunting for evidence of this specific APT group, and says that deploying runtime security is "imperative to mitigate exploitation or zero-days."

Microsoft: Chinese APT Behind Atlassian Confluence Attacks; PoCs Appear

Cisco's $28 billion purchase of Splunk was the biggest story, but there were other big security acquisitions and investments during a richer-than-expected quarter.

Cisco's massive $28 billion acquisition of Splunk in September was the financial highlight of a quarter during which several other vendors also made strategic purchases to position themselves for emerging enterprise requirements around cloud, application, and identity security.

The acquisitions added to a better-than-expected quarter ended Sept. 30, 2023, with venture funding also picking up steam after a slowdown earlier this year following the collapse of Silicon Valley Bank. IPO activity showed early signs of a revival for the first time since late 2021 and provided further evidence of the resilience of the sector against economic conditions that have roiled other verticals.

The most active security segments included services; consulting; application governance, risk, and compliance (GRC); security operations; and identity and access management.

**Reasonable Valuations Drive Acquisition Interest**

The third quarter's M&A activity continued a gradual consolidation of the security industry as big players got bigger through acquisitions and smaller players looked for opportunities to make profitable exits.

"It appears to have been quite an active quarter, even without Cisco's $28 billion acquisition of Splunk, and there are some good reasons for this," says Rik Turner, an analyst at Omdia. With IPO activity still not fully revived, some venture capital firms are looking for quicker exits, resulting in a lot of cybersecurity companies being available at reasonable prices. "That’s why there are currently stories circulating about the likes of Dig and Talon being in negotiation to be acquired by Palo Alto \[Networks\], for instance. Even SentinelOne — which is currently public — is also said to be on the hunt for an acquirer," Turner says.

Cisco's purchase of Splunk positioned the company as one of the industry's foremost players in the next-generation SIEM market, a cloud and analytics-driven alternative to traditional security information and event management technologies.

The Splunk acquisition — Cisco's largest ever — was one of more than several the company has made this year to insert itself into multiple hot cybersecurity segments. Others include identity management vendor Oort, AI/ML software vendor Armorblox, network performance monitoring vendor Accedian, and cloud security vendors Lightspin and Valtix.

**A Gradual Reshaping of the Industry**

Cisco was not alone in its attempts this quarter to buy its way into lucrative and emerging security segments. The most prominent among them included CrowdStrike's purchase of application security posture management vendor Bionic for a reported $350 million; Check Point's $490 million deal for secure remote access vendor Perimeter 81; Thales' $3.6 billion acquisition of Imperva in July, and Tenable's $265 million cash and restricted stock purchase of cloud-native application protection platform vendor Ermetic.

"Strategic technology buyers are actively looking to round up their offerings by acquiring innovative solutions and teams with the subject matter expertise that will help them stay relevant and competitive in emerging market segments," says Alberto Yépez, managing director of Forgepoint Capital. "Sponsors are also actively looking for acquisitions that will help them add capabilities to the platform companies they own in order to expand their addressable market and increase their rate of growth."

Yépez identified the managed security services market as a segment that garnered considerable interest from acquirers last quarter — and through the year in general. Much of the activity was in response to growing demand for security services from companies that were either struggling to find professionals or were looking to outsource security functions.

"We expect more activity in this segment in the next four to six quarters. It is primed for consolidation," Yépez says. M&A activity so far this year suggests that cloud security and compliance are sectors with lots of potential for consolidation, given how overcrowded the segments are with emerging companies, he adds.

Momentum Cyber recorded a total of 63 M&A deals in the third quarter with a total value of $34.9 billion. Of those, eight involved transactions of $100 million or more.

"While the majority of 2023 has centered around continued headwinds in a difficult market, strategic activity did see an uptick in deal volume across both M&A and financing toward the back half of the third quarter," Momentum analyst John Gould says. Momentum anticipates the trend will continue into 2024. "Strategic investors are becoming more opportunistic in M&A markets, as evidenced by a number of key deals this past quarter," Gould says.

**Investment Activity Showed Signs of a Rebound**

Increased VC activity in the third quarter also suggested that investors have finally put behind them the disruption caused by Silicon Valley Bank's spectacular collapse in March.

All signs point to total venture funding in cybersecurity hitting $10 billion in 2023, matching the record-setting year of 2020, says Richard Stiennon, chief research analyst at IT-Harvest. That total is less than half of the all-time record of $24 billion in 2021, he says. But "considering the failure of Silicon Valley Bank early in the year and the devastating impact that had on VCs, investments are not too shabby," Stiennon says.

IT-Harvest's data showed there was some $7.5 billion invested through the end of September in the cybersecurity sector, with the GRC segment once again attracting the most investments, at $1.6 billion. At the other end of the spectrum was the API security segment with just four investments totaling just $15.9 million so far this year, and email security with only $12.2 million in investor funding.

Investment activity in the third quarter included some big rounds, such as the $238 million that Cato Networks raised in equity investment in September. The financing round valued Cato at $3 billion and brought to $773 million in total that the secure access service edge technology provider has raised so far. Cato is one of several companies in the third quarter that hinted at going public in the near term, Stiennon says. "There are signs of life on Wall Street with companies like Palo Alto Networks, CrowdStrike, and Zscaler up 63% to 95% from their lows on Jan. 6," he notes.

Other major investments that Momentum tracked in the third-quarter included OneTrust's $150 million in July, SpyCloud's $110 million growth round in August, Resilience's $100 million Series D round, and Nord Security's $100 million in September.

"IPO rumors are also heating up for the first time in a while going into 2024," Gould says. "Later-stage security startups, including Cato Networks and Rubrik, have been rumored to be considering going public next year as the market looks to rebound from a dead period in traditional IPO activity since late 2021," he says.

Cloud Security Demand Drives Better Cyber-Firm Valuations — and Deals

CISA flags use-after-free bug now being exploited in the wild.

The Cybersecurity Infrastructure & Security Agency (CISA) this week added to its catalog of known exploited vulnerabilities an Adobe Acrobat Reader use-after-free bug.

Adobe Acrobat and Reader Document Cloud Versions 22.003.20282 and 22.003.20281 and earlier contain the flaw (CVE-2023-21608), as do Adobe Acrobat and Reader 20.005.30418 and earlier. The use-after-free vuln allows an attacker to remotely execute malicious code on a compromised account, and execute the exploit when a victim opens the rigged PDF file.

CISA recommends applying the latest updates to the affected software, which was patched in January of this year. Researchers who discovered and reported the vuln shared details of their findings in a February 2023 blog post.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Adobe Acrobat Reader Vuln Now Under Attack

The Israeli-Hamas war will most assuredly impact businesses when it comes to ramped-up cyberattacks. Experts say that Israel's considerable collection of cybersecurity vendors be a major asset on the cyber-front.

Following the attacks on Israel by Hamas over the past days, when Prime Minister Benjamin Netanyahu warned Israelis "to brace themselves for a long and difficult war," attention turns to those cybersecurity vendors located in the Israeli tech hub and how they may contribute to the war effort.

Chris Pierson, CEO of BlackCloak, believes Israel's "substantive cybersecurity intelligence and strike capability" will serve it well, including having some of the best commercial cybersecurity companies in the world.

JP Castellanos, director of threat intelligence at Binary Defense, says that, particularly in light of potentially destructive attacks against IT or critical infrastructure, it is likely that Israeli cybersecurity companies will do all they can to help with the current crisis. "That means becoming more visible, not less," Castellanos says.

**Attacks Ramp Up During Wartime**

On the cyber front of the Gaza crisis, hacktivists have already begun preparing targets and offering their wares to the highest bidders, who may be looking to cause politically motivated website disruption on public-facing services. And indeed, there was a wave of notable distributed denial-of-service (DDoS) cyberattacks on Oct. 7 and Oct. 8, including one attack which reached 1.26 billion daily requests, while another other reached 346 million daily requests on Oct. 7, and 332 million daily requests the following day.

"Looking at these DDoS attacks in terms of requests per second, one of the impacted sites experienced a peak of 1.1 million requests per second," says João Tomé, content editor at Cloudflare.

But experts say they expect other kinds of attacks against companies and organizations in Israel to ramp up, carried out by both state-backed and non-state-backed operators with much larger arsenals than a DDoS botnet. Pierson for instance says the targets for attacks could be civilians as well as infrastructure and military targets.

"The most likely targets would be infrastructure as a whole - telecommunications, power, finance, and logistical transportation," he says.

It's already starting: Yossi Appleboum, CEO of Sepio Systems and a former member of the Israel Defense Force's Unit 8200, says cyberattacks against his company had increased by 100% in the last week.

Carlos Perez, research practice lead at TrustedSec, says retaliatory cyberattacks become more common during geopolitical crises, but says that many of these risks have been ongoing for Israeli companies, and they will continue to be vulnerable, as we have seen in the past. However Perez believes some companies will be ready, others will not. "It depends mainly on business buy-in and budgets: they do get targeted with a larger volume of attacks than most organizations, which puts them at a higher risk level."

**Call in the Reservists**

The Israeli military has summoned roughly 360,000 reservists — roughly four percent of Israel's 9.8 million population. Thus, the question for many companies in the region, is whether this will lead to staff leaving their day jobs, and for cybersecurity vendors, whether that will affect cyber defense.

Pierson says he expects those with special cyber intelligence training to be called to augment military teams on the ground, and expects those who have previously served their country to volunteer help and assistance for the war effort — and that could impact some operations. However, he does not foresee a change in marketing or external presence activities for most cybersecurity companies in Israel at the moment. 

Castellanos meanwhile believes with reservists being drafted, this would cause a momentary staff shortage until the conflict resolves. However, he adds that "in the case of cybersecurity vendors, I would imagine that Israel would take a balanced approach to this, because they certainly don't want to weaken the very vendors who will be playing a critical role in protecting Israel's national interests."

For his part, Sepio's Appleboum says some activities and features may be delayed or postponed due to staff shortages, but companies will prioritize what is important, "and this may affect current customers. Future planning can wait a bit."

Source

DARKReading