Public and private sector organizations must collaborate on a shared cybersecurity agenda to protect and benefit society at large.

As a managing partner investing in cybersecurity at Thoma Bravo, "diplomacy" in my world is usually limited to my interactions with business owners and executive teams. The goal is to create new investment opportunities and help our portfolio companies grow and serve their constituents.

But at the 2023 Milken Institute Global Conference in May, I participated in a cybersecurity panel discussion titled "Digital Defense and Diplomacy: Enhancing Global Cyber Coordination." When I was asked to participate in the Milken panel, I was concerned that I might be a bit of an outlier. In a group of specialists with extraordinary expertise in government and public sector cybersecurity, I was asked to represent the "voice of the private sector."

**What Does a Private Equity Firm Have to Do With Cybersecurity?**

Thoma Bravo has been investing in cybersecurity companies since 2009. We have a portfolio of cyber companies with an enterprise value close to $40 billion that generates a total annual revenue of $5.8 billion and employs more than 20,000 people (at end of 2022). My job is to help build great cybersecurity companies through equal parts innovation and business management to generate returns for those investors who trust us with their capital.

So, what could I lend to a conversation about the "high politics" of cyber conflict between countries and the dynamics of government policy involved in these critical discussions on defense, deterrence, and the like?

On the face of it, these seem like very different — and some may even argue incompatible — cultural contexts in which to talk about cybersecurity. However, in practice, the public and private sectors have quite a lot in common when it comes to the digital environment.

**Public and Private Sectors Have Similar Challenges and Goals**

The challenge of digital security is fundamentally equivalent for both the public and the private sector. Both environments share the simple goal of protecting the underlying fabric of today's digital economy and society. As digital transformation proceeds, that increasingly means protecting the economy and society as a whole regardless of sector. All these blurring lines have driven a growing focus on public-private partnerships (PPPs), an attempt to bridge the best of these two cultures and strengthen cybersecurity overall as a result.

That makes good sense; cybersecurity in practice is a societal-level problem that impacts both the private and public sectors. But I find that a great deal of what is said and written (and to a lesser extent attempted) in cybersecurity PPPs tends to be high-level, abstract, and overly aspirational. In private equity, there's little room for dealing in abstraction.

When we invest in cybersecurity companies, I look for concrete actions that can create efficiencies, enhance performance, and result in measurably better outcomes in both security and business terms — and seek to do so sooner rather than later.

**4 Ways to Advance Public-Private Cybersecurity Partnerships**

The Milken panel helped me see how the public sector could better harness that kind of private-sector pragmatism to make progress on a shared agenda. I've crystallized those thoughts into four points of common interest, language, and perspective — actionable areas of crossover that have the potential to advance and accelerate the PPP agenda.

*   **Adapt the calculus:** It's important to recognize that the bad actors we are trying to defend against are making decisions about what and what not to do in a rational, cost-sensitive way. This logic lies not only at the heart of national defense, but also at the heart of a CISO's decisions about what security products to spend precious resources on. But public and private defenders alike need to better understand the granular motivations and calculations of bad actors to make good decisions about cybersecurity priorities and investments. Hacktivists, for example, have a different rational calculation than state actors or pure profit-seeking criminals. An important PPP focus ought to be on sharing what we have each learned about those calculations over time.
    
*   **Cover the basics:** The weakest links in the security value chain are often not the most scientifically sophisticated or interesting attack vectors, nor those that tend to garner the most attention among researchers. More cybersecurity efforts today are still basic protections that amount to fixing the easy holes in our defenses — things we already know how to fix. Both governments and private companies need to pay much greater attention to fundamental cyber hygiene — things like two-factor authorization (2FA) and identity management. This might not be the stuff of exciting storytelling or scientific intrigue, but it's still where defenders often get the most protective bang for the buck. Execution on basics can make a great deal of difference.
    
*   **Innovating for profit:** The acceleration in digital technology — and, of course, most recently in generative AI — means that cybersecurity R&D is absolutely critical to the future of defense. But R&D expenditures by themselves don't always produce appropriate value. We need R&D to be productive, by which I mean great innovation should be channeled and focused by business discipline. With that in mind, the drive for profitability is a feature of productive R&D, not a bug or an unfortunate constraint.
    
*   **Learning to row:** Lastly, I believe that information sharing between the public and private sectors needs to be systematic and specific to be most useful to both. One of my fellow panelists brought up the example of particularly valuable information sharing in the run-up to the Ukraine invasion. We were all "rowing in the same direction," he said, as the government shared pertinent intel with those private companies well-positioned to act on it. We need to constantly be practicing this kind of information sharing — building both the requisite muscle and coordination to row in tandem — especially when neither sector is in crisis.
    

I left the Milken panel with a strengthened belief in the critical role that PPPs will play in the future of cybersecurity. For those PPPs to be successful, it will take less finger-pointing (in both directions) and more substantive collaboration. That means identifying specific areas for partnership and measuring results over time, with the goal of benefiting society in general, including public and private organizations.

Cybersecurity's Future Hinges on Stronger Public-Private Partnerships

Attackers are leveraging well-executed brand impersonation in a Google ads malvertising effort that collects both credit card and bank details from victims.

Threat actors are impersonating the United States Post Office (USPS) in a legitimate-looing malvertising campaign that diverts victims to a phishing site to steal payment-card and banking credentials, researchers have found.

A malicious ad appears on Google searches for both mobile and desktop users looking to track packages via the USPS website, Jérôme Segura, director of threat intelligence at Malwarebytes Labs revealed in a blog post published July 5.

Though it looks "completely trustworthy," it isn't, he said. Instead, it redirects victims to a malicious site that first collects their address and credit card details, and then requires them to log into their bank account for verification, eventually stealing that info as well.

Segura cites Jesse Baumgartner, marketing director at Overt Operator, as the person who first discovered the campaign. Baumgartner shared screenshots of his experience attempting to track a package that led him onto a scam website in a LinkedIn post.

Malwarebytes Labs researchers set out to find the scam themselves and were immediately able to find the authentic-looking ad by performing a simple Google search for "usp tracking."

"Incredibly, the ad snippet contains the official website _and_ logo of the United States Postal Service and yet, the 'advertiser' whose verified legal name is Анастасія Іващенко (Ukraine), has nothing to do with it," Segura wrote.

Malwarebytes Labs has reported the campaign to Google and for its part, Cloudflare has already flagged the domains as phishing sites.

The campaign is yet another reminder that no matter how much awareness there is about malicious ads, links, and websites lurking on the Internet, threat actors still successfully wield oft-used tactics that abuse and impersonate trusted entities to trick and defraud Internet users, he said.

"Malvertising via search results remains an issue that affects both consumers and businesses who place their trust behind well-known brands," Segura wrote in the post.

A recent malvertising campaign in January also leveraged trusted brands by targeting users searching for Bitwarden and 1Password's Web vaults on Google. Threat actors used paid ads with links to cleverly spoofed sites for stealing credentials to the unsuspecting users' password vaults.

**Creating a Convincing Phishing Campaign**

Segura broke down how the actor or actors behind the USPS campaign managed to make it look so convincing to an end user. Essentially, they used tactics that can apply to various types of malvertising, he said.

There are two ad campaigns — one that targets mobile users, and the other targeting desktop users. While the ads appear to use the official USPS URL while redirecting victims to an attacker-controlled domain, the URLs shown in the ad "are pure visual artifacts that have nothing to do with what you actually click on," Segura explained.

"When you click on the ad, the first URL returned is Google's own which contains various metrics related to the ad, followed by the advertiser's own URL," he said. "Users never get to see this, and that is what makes malvertising via brand impersonation so dangerous."

Victims that click on the ad land on a website that asks them to enter their package tracking number, just as any page for this type of request would. However, upon submitting that information they receive an error informing them that their package couldn't be delivered "due to incomplete information in delivery address."

This might arouse suspicion, but likely not, as it's pretty typical for someone tracking a package to receive this type of notification, Segura noted. However, the next step of the attack — in which users are then asked to enter their full address again as well as submit their credit-card data to pay a small fee of 35 cents — should raise a red flag, he said.

It's at this point where victims enter the phishing site and attackers can steal their data, making the small fee "completely irrelevant," since giving up payment-card data — which can be used by the threat actor or resold on criminal markets — can result in much more damage to someone, Segura observed.

The final step of the attack is a request that victims enter credentials for their financial institution through a dynamic page that generates a template based on the credit-card info provided. For instance, if a person submits data for a Visa card associated with JP Morgan Bank, the page will ask the target to login to the JP Morgan page. Other banks and cards will result in different templates specific to the data provided, Segura said, similar to how banking Trojan overlays work.

**Recommendations to Thwart Malvertising**

As mentioned, malvertising is already a well-known method used by cybercriminals to steal user credentials. However, while awareness is key to avoid falling victim to a campaign, "training can only go so far" because of how legitimate modern malicious scams created by attackers look, Segura wrote.

One way to stop these campaigns before they reach end users is for search engines to apply stricter controls to combat the brand impersonation that threat actors have adopted so successfully, he said.

"When it comes to software downloads, one solution that comes to mind is reserving a placeholder for the official download page and never allowing an ad to take this spot, Segura wrote, noting that Microsoft's Bing already has applied policy with success.

Applying real-time browser protection that can disrupt the malvertising kill chain from the initial ad all the way to the payload — whether it be malware, phishing, or another type of scam — also can prevent and mitigate this type of attack.

Google Searches for 'USPS Package Tracking' Lead to Banking Theft

C-suite security leaders are feeling less prepared to cope with cyberattacks and more at risk than last year.

With the chaos of the pandemic now in the rearview mirror, we are finally back to "business as usual." The return to normal operations may imply that chief information security officers (CISOs) can now breathe easier, but the opposite is true. CISOs are feeling less prepared to cope with cyberattacks and more at risk than last year, indicating a reversal from the early days of the pandemic, new research shows.

The "2023 Voice of the CISO" report, Proofpoint's global survey of 1,600 CISOs, found that 68% of respondents feel at risk of experiencing a material cyberattack in the next 12 months. This is a sharp decrease from last year's 48% and a shift back to 2021 levels, when 64% felt at risk. The report also found that 61% of surveyed security leaders believe their organization is unprepared to cope with a targeted cyberattack, compared with 50% in 2022 and 66% in 2021.

**Reasons for CISOs' Elevated Concerns**

The tumultuous cybersecurity events of 2022 may be one reason behind the CISOs' return to an elevated concern. Last year saw increasingly devastating ransomware attacks that shuttered organizations and crippled entire nations. At the same time, geopolitical tensions continued to mount with incidents such as Russia's attacks on US airports and Chinese nation-state actors' targeting telecoms. The shaky economy did not help matters, and 58% of surveyed CISOs shared that the downturn has affected their security budgets negatively. All these events put security leaders on edge, perhaps lowering their confidence in their security posture.

Another explanation for CISOs' elevated concern may be the anomaly of the pandemic. Having conquered the unprecedented challenges caused by the overnight move to remote operations, security leaders felt a sense of calm. Although attack volumes did not abate, CISOs had a brief period of reprieve as they felt their organizations were less at risk. Yet the ability to secure their remote environments may have given CISOs a false sense of confidence. With the return to normal operations, the post-pandemic security metrics likely looked less reassuring, and the optimism wore off.

**Growing Pressures Make the CISO's Job Unsustainable**

Whatever the reason behind CISOs' recalibration of perceptions, their diminished confidence is exacerbated by new concerns about personal liability raised by last year's blockbuster Uber case, which resulted in probation for the company's former chief security officer. The US federal court ruling has deep implications that may set a dangerous precedent, and 62% of CISOs surveyed by Proofpoint agreed that they are concerned about personal liability.

The survey also revealed that 60% of CISOs have experienced burnout in the past 12 months, while 61% feel their job expectations are unreasonable, which is a big jump from the previous year's 49%. When we add these mounting pressures to ongoing struggles such as the cybersecurity talent shortage and new issues such as the recent wave of layoffs, it is not surprising that the CISO's role is becoming unsustainable.

This is a time when CISOs need champions on their board of directors more than ever. The Proofpoint report gives a glimmer of hope in this regard, showing a thawing CISO-board relationship — 62% of CISOs say they see eye-to-eye with their board on cybersecurity issues. This trend has been on an upward trajectory in the past three years.

**Protecting Data a Top Priority — and a Big Challenge**

The Voice of the CISO report shows that data protection remains a top-of-mind priority for CISOs. The ripple effect of the Great Resignation and employee turnover exacerbate the problem of data loss — 63% of surveyed security leaders reported dealing with a material loss of sensitive data in the past 12 months, and 82% said that employees leaving the organization contributed to this loss. Layoffs, like the massive ones we've seen in the technology sector, could especially be an issue because employees may feel wronged and justified in taking corporate data with them on the way out.

Despite the widespread loss of data, 60% of CISOs believe they have adequate controls in place to protect it. This optimism is surprising, especially given CISOs' lack of confidence in their security postures. And we expect that the problem will get worse as the economic uncertainty lingers and more sectors beyond technology — from manufacturing to consulting — pursue mass layoffs.

**Supply Chain All But Secure**

Another area where security leaders are far too optimistic is supply chain security. Nearly two-thirds of CISOs surveyed by Proofpoint said they have appropriate controls for mitigating supply chain risk. However, protecting today's complex and interconnected supply chain is extremely difficult — and a problem the industry has not been able to solve.

Most organizations simply do not have a grasp on third-party risk while relying heavily on a range of partners and suppliers. Threat actors know this well, which is why we have entered a new era of weaponization of trust. As one example, research found an astounding 633% increase in the number of supply chain attacks using malicious components in the past year. That is one of the many reasons supply chain security has become a matter of national security — and part of a new national cyber strategy in the United States.

The good news is that addressing supplier risk is one of the top priorities in the next 12 months among surveyed CISOs. These findings indicate that security leaders realize supply chain security is critical. The question is whether they can continue to devote adequate resources to this area if security budgets hang in the balance.

**Security Risk Is Business Risk**

Added regulatory scrutiny, escalating supply chain attacks, data protection — all these challenges impact investor, consumer, and employee confidence in the enterprise. As trust becomes more important for organizational success, it is important for both CISOs and boards to look at security risk as business risk and understand the implications of systemic risk within their organization. Although solving complex cybersecurity problems requires an industrywide effort, it all starts at the organizational level — and CISOs must lead the conversation.

CISOs Find 'Business as Usual' Shows the Harsh Realities of Cyber-Risk

Six months of honeypot data finds that 19% of traffic to sensors were malicious exploit attempts, and 95% of those attempts came from just three botnets.

Attackers quickly turn around real-world attacks using proof-of-concept code, taking only days to weeks to create workable exploits from published research, according to six months of data collected by researchers at Trustwave.

During the experiment, Trustwave deployed honeypots that mimicked five common enterprises appliances, finding that attackers began exploiting one vulnerability within six days of the release of proof-of-concept (PoC) code and another within 17 days. Overall, the researchers found that exploit scans, which include legitimate scanning of the Internet by security professionals as well as attackers, accounted for 25% of HTTP and HTTPS requests, while actual attacks accounted for 19% of traffic to the newly created servers. Nearly all the attacks came from three specific botnets: Mozi, Mirai, and Kinsing.

Companies should assume that attackers will be able to reverse engineer any patch and develop their own exploit, even without a proof of concept, says Ziv Mador, vice president of security research at Trustwave.

"It's essential to stay aware of the constant stream of newly discovered vulnerabilities, take proactive measures, and apply patches promptly to minimize the window of opportunity for threat actors," he says.

The research highlights not only that attackers are quickly using exploit code, but that attacks are quickly automated by plugging into existing botnet infrastructure. Of the 19% of traffic that attempted to exploit the researchers' honeypots, 73% came from the Mozi botnet, 14% from the Kinsing botnet, and 9% came from the Mirai botnet.

All three botnets tend to focus on Internet of Things (IoT) and edge devices, such as managed file servers, mail servers, network gateways, and industrial control systems that manage operational technology. Mozi, for example, is a peer-to-peer botnet that started by infecting network gateways and digital video recording devices, but evolved to exploit vulnerabilities in network gateway appliances. Recent updates to the Mirai botnet include the ability to exploit bugs in Tenda and Zyxel networking appliances.

Currently, Mozi is very aggressive in its efforts to find as many unprotected IoT devices as possible, says Allen West, a security researcher with Akamai.

"Security has historically not been as much of a priority on IoT devices, yet they make up a huge portion of the Internet landscape," he says. "If it can send traffic, it's good enough to be used as a bot. Attackers, most notably Mirai, have acknowledged this and built their entire operation around this idea."

**Grabbing Code on the Fly**

To conduct the research, cybersecurity experts at Trustwave SpiderLabs deployed honeypots in six different countries for five different devices — Fortra GoAnywhere MFT, Microsoft Exchange, Fortinet FortiNAC, Atlassian BitBucket, and F5 Big-IP — to emulate vulnerable enterprise networks. They collected data from more than 38,000 IP addresses, including at least 1,100 unique payloads, the researchers stated in their analysis.

The honeypots had some capability to interact with attackers, using a "medium-interaction honeypot," attempting to fool the intruders into believing that their exploit had worked. However, the honeypots did not extend the charade beyond that basic level. Following an exploit attempt, attackers typically run \_wget\_ or \_curl\_ to download the next stage of the attack, but rather than run the command, the honeypot merely attempted to download the next stage for analysis, says Trustwave's Mador.

"Our honeypots were configured as true vulnerable applications and that's how they appeared in services like Shodan," Mador says. "We successfully captured several Web shells, which are commonly used by individuals or groups involved in such activities, but due to the medium-interaction nature of our honeypot, we were unable to track the subsequent actions that attackers may have taken."

The honeypots detected an attack against Fortra GoAnywhere MFT, a managed file transfer service, in the US and UK that attempted to upload a previously unreported Web shell. The researchers also detected attacks that targeted a vulnerability in Fortinet FortiNAC appliance (CVE-2022-39952) within six days of PoC exploit code being released. Other attacks targeted Atlassian Bitbucket servers and F5 Big-IP devices.

**Should Every Company Have a Honeypot?**

While quickly patching edge and IoT devices should be a priority, organizations should also prioritize those devices for which PoC exploits have been released or are being attacked in the wild.

Nonetheless, Mador suggests that companies should consider deploying honeypots of their own.

"When existing security measures do not offer adequate visibility into these attacks, the deployment of a honeypot can be a valuable option to consider," he says. "Honeypots act as additional layers of defense, luring attackers and providing valuable insights into their tactics and techniques."

Botnets Send Exploits Within Days to Weeks After Published PoC

Email fraud is a confidence game that costs the economy billions. An effective defense takes technology and vigilance.

Last year the FBI registered over 21,000 complaints about business email fraud, with adjusted losses of over $2.7 billion. Today this line of attack shows no sign of slowing down. Business email compromise (BEC) techniques are increasingly sophisticated; cybercrime-as-a-service (CasS) has lowered the barrier to entry for threat actors while also making it easier to evade "impossible travel" alerts, among other safeguards. 

BEC is a confidence game. The technology aspects — links that download malware, take users to spoofed sites, or motivate a financial transaction — require social engineering to gain trust and motivate a click. 

What are threat actors looking for? Along with useful data like employee records, payroll information, and proprietary business records, BEC actors want to convince someone to fulfill a request for payment or funds transfer using messages that look legitimate, with logos and designs that are copies of the real thing. 

With BEC fast becoming a specialty of cybercriminals, security teams need to stay ahead of these evolving threats. Through a combination of technology, policy, and culture, enterprise security teams can help preempt attacks and mitigate the risks of email fraud. Let’s look at how BEC works, along with six key steps to mitigate the risk.

**As-a-Service Fuels BEC Growth**

Phishing-as-a-service providers make it easy for threat actors to produce effective, authentic-looking BEC campaigns without needing high-level tech skills of their own. Criminal platforms, such as BulletProftLink, go even further, selling templates, automated services, and even a hosting platform. This not only opens up BEC as an avenue to any criminal organization willing to pay, but it also accelerates the ramp-up time, making it fast and easy to launch new campaigns.

**Localizing the Threat**

Most importantly, in a new trend BEC threat actors are also purchasing residential IP addresses from residential IP services, enabling them to mask where their emails originate. Armed with localized address space to support their malicious activities (in addition to usernames and passwords), BEC attackers can obscure movements, circumvent "impossible travel" flags, and open a gateway to conduct further attacks. 

Impossible travel alerts indicate that a user account might be compromised. They flag physical restrictions that indicate a task is being performed in two locations, without the appropriate amount of time to travel from one location to the other. The specialization and consolidation of this sector of the cybercrime economy could escalate the use of residential IP addresses to evade detection.

**Defend Against BEC**

There are six key tips security teams can apply. Some can be implemented immediately, while others will require long-term thinking and reinforcement. 

*   **Inbox protection:** Configure mail systems to flag messages from outside of the enterprise. Enable alerts about unverified senders, and block senders who can’t be independently identified.

*   **Strong authentication:** Enabling multifactor authentication makes it harder for attackers to compromise user email.

*   **Secure email:** Cloud platforms with artificial intelligence and machine learning can provide enhanced protection, continuous updates, and centralized management of security policies.

*   **Identity and access management:** Control access to the organization's apps and data with zero trust and automated identity governance.

*   **Secure payments:** Replace emailed invoices with a system that authenticates payments and providers.

*   **Education and empowerment:** Regularly train and remind employees to think twice before clicking. Establish and enforce policies requiring employees to verify payment requests — not by clicking the link in the email, but with a phone call. Teach employees to take the initiative to stop BEC scams, and be sure to reinforce the consequences that a single mistake can cause.

Policy and governance are crucial to helping stop BEC. Security by default — for example, a domain-based message authentication, reporting, and conformance (DMARC) policy of "reject" — ensures that unauthenticated messages are rejected at the mail server. Updating policies for accounting, internal controls, payroll, and HR can help employees know how to handle inbound requests for access, money, or personal information, such as their Social Security numbers.

Thwarting BEC threat actors takes vigilance and an ongoing commitment. As their techniques get more sophisticated, their tricks become harder to spot. Putting the brakes on this con game takes the entire organization, from the C-suite and IT, compliance, and risk management teams to every business unit. Awareness, backed by policy and technology, is the crucial factor in a consistently strong defense.

6 Steps To Outsmart Business Email Compromise Scammers

The startup, one of four finalists in Black Hat USA's 2023 startup competition, uses deterministic AI to optimize cloud security.

Cloud misconfigurations are a leading cause of breaches that lead to data loss for the enterprise, especially with the continued shift to cloud and multicloud environments. But surveying and monitoring all possible endpoints and connections with cloud services is too big a job for humans to accomplish alone — which is how such breaches proliferate. Gomboc.ai aims to solve the problem with a proprietary type of deterministic artificial intelligence (AI) that the company says sidesteps the issues with the more well-known generative AI model.

That hook — deterministic AI — earned Gomboc a spot in the finals of the second annual Startup Spotlight, presented by Black Hat USA. "We are solving the cloud security misconfiguration problem," says CEO and co-founder Ian Amit. That would be a huge accomplishment, since such problems cause most cloud breaches.

"Security misconfiguration backlogs are one of the highest priority issues CISOs deal with since they pose an immediate threat to the organization's cloud security posture, and existing solutions that focus on prioritization and ticketing do not provide a scalable way to address those," Amit adds.

**What Is Deterministic AI?**

Generative AI, which includes high-profile models like OpenAI's ChatGPT and Google's Bard, analyzes large collections of data to learn the structures well enough to assemble plausible new content from it — that is, it _generates_ outputs. Deterministic AI, on the other hand, defines data characteristics so that a specific problem will have one specific, correct solution that does not change — that is, the data values _determine_ the outputs.

Amit sees this as one of his company's great differentiators.

"\[W\]hen given the same input, Gomboc will always provide the same output — a crucial factor when writing secure code," he says. "Gomboc does not generate nor hallucinate any sort of IaC."

Generative, or stochastic, AI systems generate code based on statistical analysis, which Amit says can result in code that's inaccurate, imprecise, or bereft of context.

Instead, Gomboc built a proprietary ingestion engine that processes cloud service provider updates as they're released. It then applies the new data to clients' existing network policies, pushing any fixes live itself rather than issuing a ticket for a human to address. The tool works within existing DevSecOps environments, Amit says, keeping approval simple and easy to track.

    

Of course, deterministic AI, aka reactive AI or expert systems, is not an approach exclusive to Gomboc. Other security companies that employ deterministic AI include identity verification service Vouched and life-science compliance firm LighthouseAI. But by focusing on the highly complex and fraught multicloud environment, Gomboc is putting the technology to good use.

**What's Ahead for Gomboc**

The four finalists in the Black Hat Startup Spotlight — Gomboc, Binarly, Endor Labs, and Mobb — will present their business models to a panel of judges at the Mandalay Bay in Las Vegas on Wednesday, Aug. 9. Eligible candidates included companies that are 2 years old or less and have fewer than 50 employees. Dark Reading's editor-in-chief, Kelly Jackson Higgins, will host the event, which begins at 4:30 p.m. PT.

Amit says that his company's future plans include expanding to more environments, especially multicloud and hybrid installations. At the Black Hat USA booth, he promises a product demo and merch, as well as a chance to talk to the team who built the product.

The story of the company name is an interesting one: A gomboc is a geometric solid with exactly two points of equilibrium, one stable and one unstable. That means it will always return to its stable equilibrium point, no matter how it's pushed or rolled.

"Our platform turns everyone's cloud infrastructure into a self-righting environment \[in a security sense\] no matter how a company grows or scales. A Gomboc is a shape that does exactly that: It always rights itself no matter how much you push it," Amit says. "We're big math nerds here at Gomboc, so the shape and analogy have a special place in our hearts."

**Speed Round**

**Website:** https://www.gomboc.ai/  
**Founded:** Late 2022 (Funded in November)  
**Funding stage:** Seed  
**Total funding raised so far:** $5.3M  
**Number of employees:** 10  
**If the company were a band, what would its band name be, and what kind of band would it be:** Ship or Be Shipped (Hard Rock/Metal)  
**Pineapple on pizza, yea or nay?:** "As New Yorkers, it's absolutely nay."

Startup Spotlight: Gomboc.ai Balances Cloud Infrastructure Security

Exposed and unpatched solar power monitoring systems have been exploited by both amateurs and professionals, including Mirai botnet hackers.

Hundreds of solar power monitoring systems are vulnerable to a trio of critical remote code execution (RCE) vulnerabilities. The hackers behind the Mirai botnet and even amateurs have already started taking advantage, and others will follow, experts are predicting.

Palo Alto Networks' Unit 42 researchers previously discovered that the Mirai botnet is spreading through CVE-2022-29303, a command injection flaw in SolarView Series software developed by the manufacturer Contec. According to Contec's website, SolarView has been used in more than 30,000 solar power stations.

On Wednesday, vulnerability intelligence firm VulnCheck pointed out in a blog post that CVE-2022-29303 is one of _three_ critical vulnerabilities in SolarView, and it's more than just the Mirai hackers targeting them.

"The most likely worst-case scenario is losing visibility into the equipment that's being monitored and having something break down," explains Mike Parkin, senior technical engineer at Vulcan Cyber. It's also theoretically possible, though, that "the attacker is able to leverage control of the compromised monitoring system to do greater damage or get deeper into the environment."

**Three Ozone-Sized Holes in SolarView**

CVE-2022-29303 is borne from a particular endpoint in the SolarView Web server, confi\_mail.php, which fails to sufficiently sanitize user input data, enabling the remote malfeasance. In the month it was released, the bug received some attention from security bloggers, researchers, and one YouTuber who showed off the exploit in a still publicly accessible video demonstration. But it was hardly the only problem inside SolarView.

For one thing, there's CVE-2023-23333, an entirely similar command injection vulnerability. This one affects a different endpoint, downloader.php, and was first revealed in February. And there's CVE-2022-44354, published near the end of last year. CVE-2022-44354 is an unrestricted file upload vulnerability affecting yet a third endpoint, enabling attackers to upload PHP Web shells to targeted systems.

VulnCheck noted that these two endpoints, like confi\_mail.php, "appear to generate hits from malicious hosts on GreyNoise meaning that they too are likely under some level of active exploitation."

All three vulnerabilities were assigned "critical" 9.8 (out of 10) CVSS scores.

**How Big of a Cyber Problem Are the SolarView Bugs?**

Only Internet-exposed instances of SolarView are at risk of remote compromise. A quick Shodan search by VulnCheck revealed 615 cases connected to the open Web as of this month.

This, says Parkin, is where the unnecessary headache starts. "Most of these things are designed to be operated _within_ an environment and shouldn't need access from the open Internet under most use cases," he says. Even where remote connectivity is absolutely necessary, there are workarounds that can protect IoT systems from the scary parts of the wider Internet, he adds. "You can put them all on their own virtual local area networks (VLANs) in their own IP address spaces, and restrict access to them to a few specific gateways or applications, etc."

Operators might risk remaining online if, at least, their systems are patched. Remarkably, however, 425 of those Internet-facing SolarView systems — more than two thirds of the total — were running versions of the software lacking the necessary patch.

At least when it comes to critical systems, this may be understandable. "IoT and operational technology devices are often a lot more challenging to update compared to your typical PC or mobile device. It sometimes has management making the choice to accept the risk, rather than take their systems off-line long enough to install security patches," Parkin says.

All three CVEs were patched in SolarView version 8.00.

3 Critical RCE Bugs Threaten Industrial Solar Panels, Endangering Grid Systems

Dark Reading's latest special report looks at a missing, but necessary, ingredient to effective third-party risk management.

When it comes to enterprise risk, third-party cybersecurity risks have increased substantially in recent years. By implementing an effective third-party risk management program, organizations can mitigate much of their risk and better protect themselves from attacks that emanate from third parties. The key word here is "effective."

Dark Reading's latest special report, "How to Use Threat Intelligence to Mitigate Third-Party Risk," digs into how threat intelligence can be implemented to attain a continuous risk assessment on partners, suppliers, vendors, contractors, and other third parties.

Third-party threat intelligence helps security teams move beyond capturing a point-in-time view of security and regulatory compliance maturity and more accurately assess the risk over time. The convergence of threat intelligence and third-party risk management (TPRM) programs can ensure that third parties don't drastically increase the risk of data breaches or other cybersecurity events and, should such an incident occur, can help to minimize its impact.

**How TPRM Is Changing**

Historically, if TPRM was done at all, effective programs included identifying, categorizing, and assessing the risk of third parties, along with due-diligence questionnaires designed to gauge the maturing of their security and regulatory compliance program. Additionally, an enterprise would conduct a thorough independent investigation of vendors before signing any contract. Finally, the organization would include new partners and suppliers in their incident response planning so as to minimize any incident's impact.

"Organizations can send questionnaires, and they're going to provide some indication of the policies they have in place and their certifications," says senior research analyst at Forrester Alla Valente, who covers governance, risk, and compliance (GRC), third-party risk, and supply chain risk. "But that doesn't tell you everything happening inside their networks or systems. It also doesn't provide answers about broader risks, such as geography or if nation-states are targeting that vertical. These are all things you want to identify."

While there is scant data on how enterprises use TPRM threat intelligence to improve their third-party risk management, TPRM programs are gaining steam. In Prevalent's "2022 Third-Party Risk Management Industry Study," two-thirds of respondents reported that their TPRM programs have more visibility among executives and the board than the year before.

Read Dark Reading's "How to Use Threat Intelligence to Mitigate Third-Party Risk" for ideas on reducing third-party risks for your organization by leveraging threat intelligence.

Mitigating Risk With Threat Intelligence

70% think criminals will move from WhatsApp etc to non-regulated apps, post OSB.

**London - 4th July 2023 -** This week, the House of Lords continues to debate the Online Safety Bill (OSB), demanding every private online message sent in the UK is scanned for the potential of illegal content. A new study shows the UK public believe the new legislation will not achieve this aim.

The independent survey, conducted by Opinium for Element, polled 2,000 politically and nationally representative UK citizens. It revealed that, despite Government assurances, 70% of the UK public believes scanning our online messages will not stop criminal activity, and 44% think it will damage national security, by creating a centralised 'honeypot' for nation state hackers. 

**UK Public at Odds With Government**

Unlike the Government, some 83% of UK citizens believe personal conversations on messaging apps such as Element, WhatsApp, or Signal should have the highest level of security and privacy. However, under the Online Safety Bill, communications providers are expected to break the trust of their consumers and scan every single one of their conversations, on the off chance they are committing an egregious crime. Key findings from the research study are:

*   70% of respondents said the if the OSB insists on scanning all online messages, criminals will move to other platforms to continue illegal activities
*   44% believe it will make the UK more vulnerable to cyber attacks from nation states like Russia and China
*   43% believe UK citizens will be even more vulnerable to cyber attacks from criminals

Matthew Hodgson, CEO of Element, comments: "Technology is not responsible for criminal behaviour and it should never be touted as a catch-all solution as the OSB currently does. If the UK won't listen to security experts, perhaps it will now listen to its citizens who know very well that surveilling our online conversations will only push criminals to other platforms, while reducing security for good actors."

He notes: "This research shows UK citizens are well aware that their privacy, and that of our businesses and even our Government, will suffer if this poorly thought-out legislation comes to pass. Criminals and rogue nations will rejoice. We need to stop this Bill."

**Private Conversations for All**

No matter how you cut it, UK consumers care about retaining the privacy and security of online conversations. 44% of the British public believe citizens should have access to the best private and secure communications available, not just the government (27%). This drops down to only 7% for businesses.

**OSB Drops UK Privacy to North Korea, Russia, and China Levels**

The Online Safety Bill proposes that Ofcom can mandate an unspecified 3rd party tool to connect to private messaging systems such as Element, WhatsApp, and Signal to covertly scan messages. Brits said China, North Korea and Russia are the countries most likely to routinely scan private messages in this way today — just 12% expected Britain to adopt such widespread routine surveillance, although this is the stated intention of the Bill.

Hodgson continues: "If the Online Safety Bill goes through, every online conversation could end up being surveilled, placing us on the same stage as other governments we know monitor their citizens' conversations - China, Russia and North Korea. Meanwhile Brits will lose their strongest cyber defence, giving criminals the upper hand; criminals who will not be using regulated apps known to comply with Ofcom’s requirements."

83% of Brits Demand Messaging Apps Remain Private, Ahead of Threat From Online Safety Bill

The "TeamsPhisher" cyberattack tool gives pen testers — and adversaries — a way to deliver malicious files directly to a Teams user from an external account, or tenant.

A new tool is available on GitHub that gives attackers a way to leverage a recently disclosed vulnerability in Microsoft Teams and automatically deliver malicious files to targeted Teams users in an organization.

The tool, dubbed "TeamsPhisher," works in environments where an organization allows communications between its internal Teams users and external Teams users — or tenants. It allows attackers to deliver payloads directly into a victim's inbox without relying on a traditional phishing or social engineering scams to get it there.

"Give TeamsPhisher an attachment, a message, and a list of target Teams users," said the tool's developer Alex Reid, a member of the US Navy's Red Team, in a description of the tool on GitHub. "It will upload the attachment to the sender's Sharepoint and then iterate through the list of targets."

**Fully Automated Cyberattack Flows**

TeamsPhisher incorporates a technique that two researchers at JUMPSEC Labs recently disclosed for getting around a security feature in Microsoft Teams. While the collaboration app allows communications between Teams users from different organizations, it blocks the sharing of files between them.

JUMPSEC researchers Max Corbridge and Tom Ellson found a relatively easy way to bypass this restriction, using what is known as the Insecure Direct Object Reference (IDOR) technique. As security vendor Varonis noted in a recent blog post, "IDOR bugs allow an attacker to maliciously interact with a Web application by manipulating a 'direct object reference' such as a database key, query parameter, or filename."

Corbridge and Ellson found they could exploit an IDOR issue in Teams simply by switching the ID of the internal and external recipient when submitting a POST request. The two researchers discovered that when a payload is sent in this manner, the payload is hosted on the sender's SharePoint domain and arrives in the victim's Team's inbox. Corbridge and Ellson identified the vulnerability as affecting every organization running Teams in a default configuration and described it as something an attacker could use to bypass anti-phishing mechanisms and other security controls. Microsoft acknowledged the issue but assessed it as something not deserving of an immediate fix.

**TeamsPhisher Incorporates Multiple Attack Techniques**

Reid described his TeamsPhisher tool as incorporating JUMPSEC's techniques as well as some earlier research on how to leverage Microsoft Teams for initial access by independent researcher Andrea Santese. It also incorporates techniques of TeamsEnum, a tool for enumerating Teams users, that a researcher from Secure Systems Engineering GmbH had previously released to GitHub.

According to Reid, the way TeamsPhisher works is to first enumerate a target Teams user and verify that the user can receive external messages. TeamsPhisher then creates a new thread with the target user. It uses a technique that allows the message to arrive in the target's inbox without the usual "Someone outside your organization messaged you, are you sure you want to view it" splash screen, Reid said. 

"With the new thread created between our sender and the target, the specified message will be sent to the user along with a link to the attachment in Sharepoint," he noted. "Once this initial message has been sent, the created thread will be visible in the sender's Teams GUI and can be interacted with manually, if need be, on a case-by-case basis."

Microsoft said it is aware of TeamsPhiser and has determined that the tool relies on social engineering to be successful. "We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers," the company said in an emailed statement.

Microsoft did not directly respond to a Dark Reading question on whether the release of TeamsPhiser had changed its stance on releasing a patch and/or guidance for affected users. Instead, the company pointed to its Microsoft Security Servicing Criteria webpage . The page describes the criteria the Microsoft Security Response Center (MSRC) uses to determine whether a reported vulnerability affecting currently supported versions of affected software might be updated/patched or addressed in the next version of the affected software.

JUMPSEC itself has urged organizations using Microsoft Teams to review whether there is any business need for enabling communications between internal Teams users and external tenants. 

"If you are not currently using Teams for regular communication with external tenants, tighten up your security controls and remove the option altogether," the company has advised.

Source

DARKReading