ISPM is a combination of identity attack surface management, and risk reduction, as well as identity threat prevention, detection, and response.

Identity security startup Spera came out of stealth with $10 million in seed funding and a platform to protect enterprises from identity-driven threats.

Spera is carving out a segment of the already crowded identity and access market with what it calls identity security posture management — a combination of identity attack surface management, risk reduction, and identity threat prevention, detection, and response. Spera's platform creates a real-time, continuously updated, risk and context-based inventory of identities and access across cloud and on-premises environments, the company said in a release announcing the company's launch. The resulting inventory is then analyzed, assessed, and normalized so that security teams can use the granular insights for remediating identity-driven attacks. This allows security professionals to identify or mitigate partially offboarded users, overprovisioned employees, unused and risky privileges, compromised credentials, and other identity risks.

According to IBM's Cost of a Data Breach report, identity-based attacks involving compromised credentials and phishing were the two most common and costly attack vectors of 2022. Spera has helped solve more than 75% of critical issues within the first weeks of deployment, the company said.

"As far as identity security is concerned, security teams can't see who accesses what resource, using what identity," said Richard Reinders, VP of Information Security at Gravity Payments, said in the announcement.

YL Ventures, which led the funding round, has been "bullish on the identity space" for some time, John Brennan, senior partner at YL Ventures, said in the announcement. "\[Despite\] a massive allocation of budget to IAM solutions, existing IAM tools failed to deliver on their promise," Brennan said.

Spera's founders are Dor Fledel, CEO, and Ariel Kadyshevitch, CTO.

Spera Takes Aim at Identity Security Posture Management

Elon Musk, Steve Wozniak, and Andrew Yang are among more than 1,000 tech leaders asking for time to establish human safety parameters around AI.

More than 1,000 of technology's top talent names — including Twitter CEO Elon Musk, Apple co-founder Steve Wozniak, and politician Andrew Yang — have signed an open letter urging AI pioneers to pump the brakes on the AI development race, because of its potential danger to humanity.

"Powerful AI systems should be developed only once we are confident that their effects will be positive, and their risks will be manageable," the open letter, published on the Future of Life Institute site said, in part. "Therefore, we call on all AI labs to immediately pause for at least 6 months the training of AI systems more powerful than GPT-4."

The potential danger of unchecked training of large learning models (LLMs), as outlined in the letter, is nothing less than humans being fully replaced by more intelligent AI systems. 

**Real-Life SkyNet? Parsing AI's Danger to Humanity**

"Contemporary AI systems are now becoming human-competitive at general tasks, and we must ask ourselves: Should we let machines flood our information channels with propaganda and untruth?" the letter asks. "Should we automate away all the jobs, including the fulfilling ones? Should we develop nonhuman minds that might eventually outnumber, outsmart, obsolete, and replace us? Should we risk loss of control of our civilization?"

Possible harm from advanced AI is a worry even for its proponents: Greg Brockman, CEO of ChatGPT, which created OpenAI, recently told a crowd at SXSW he was concerned about AI's ability to both spread disinformation and launch cyberattacks. But those worries are a far cry from fears that AI could become sentient.

To be clear, the six-month pause is intended to give policymakers, and AI safety researchers, time to put safety parameters around the technology, the letter explained. The Pause Giant AI Experiments letter stresses that the group is not calling for a halt on all AI development, but rather wants developers to stop the rush to roll out new capabilities without fully understanding their potential harm.

Even so, skeptics might look at CEOs like Musk, with potential commercial interests at stake in slowing OpenAI's development of GPT-5, and dismiss the Pause AI Open Letter as little more than a public relations ploy.

"We have to be a little suspicious of the intentions here — many of the authors of the letter have commercial interests in their own companies getting a chance to catch up with OpenAI's progress," Chris Doman, CTO of Cado Security said in a statement provided to Dark Reading. "Frankly, it's likely that the only company currently training an AI system more powerful than GPT-4 is OpenAI, as they are currently training GPT-5."

**Will the "Pause AI" Open Letter Do Anything?**

Beyond the celebrity names, the varied backgrounds, and public points of view of the signatories makes the letter worth taking seriously, according to Dan Shiebler, researcher with Abnormal Security. Indeed, the signatories include some of the brightest academic minds in the AI field, including John Hopfield, Professor Emeritus of Princeton University, and the inventor of associative neural networks, and Max Tegmark, professor of physics at MIT's Center for Artificial Intelligence & Fundamental Interactions.

"The interesting thing about this letter is how diverse the signers and their motivations are," Shiebler said in a statement to Dark Reading. "Elon Musk has been pretty vocal that he believes \[artificial general intelligence\] (computers figuring out how to make themselves better and therefore exploding in capability) to be an imminent danger, whereas AI skeptics like Gary Marcus are clearly coming to this letter from a different angle." 

However, ultimately, Shiebler doesn't predict the letter will do anything to slow AI development.

"The cat is out of the bag on these models," Shiebler said. "The limiting factor in generating them is money and time, and both of these will fall rapidly. We need to prepare businesses to use these models safely and securely, not try to stop the clock on their development."

Still, shining a light on the safety and ethics considerations is a good thing, according to John Bambenek, principal threat hunter at Netenrich.

"While it's doubtful that anyone is going to pause anything, there is a growing awareness that consideration of the ethical implications of AI projects is lagging far behind the speed of development," he said via email. "I think it is good to reassess what we are doing and the profound impacts it will have."

Top Tech Talent Warns of AI's Threat to Human Existence in Open Letter

Attackers are targeting cryptocurrency accounts belonging to users in Russia and more than 50 other countries.

Threat actors are using Trojanized installers for The Onion Router (Tor) browser to distribute clipboard-injector malware that pilfers funds from cryptocurrency accounts and transfers it to their illicit wallets.

Researchers from Kaspersky who have been tracking the activity since at least January 2022 have determined the threat actors are mostly targeting users in Russia, a nation that blocked access to Tor's official site in December 2021. Of the 16,000 instances where Kaspersky has detected the malware so far, most of them were in Russia and Eastern Europe. However, the researchers also detected the threat in more than four dozen countries so far, including the US, Germany, Netherlands, China, and the United Kingdom.

**Quiet Theft**

Kaspersky's analysis showed that the threat actors behind the campaign have, so far, siphoned out about $400,000 from crypto wallets belonging to users who downloaded the weaponized Tor installer. Almost all of the compromised accounts — more than 90% — were Bitcoin accounts, followed by LiteCoin.

"Given that we only see a fraction of the real picture, the global number of infections may well be several or even tens of times higher," Kaspersky warned in a report this week.

Clipboard injector malware, aka a clipboard hijacker, intercepts and replaces the contents of a user's clipboard with malicious code or content. This type of malware is not new, it has been around for at least a decade. Over the past few years, cybercriminals have typically used the malware to replace cryptocurrency wallet information from a user's clipboard with their own crypto information — and then transferring coins from the victim's wallet to their own.

Though seemingly straightforward, clipboard injector tools can be hard to detect and handle, Kaspersky said. They don't exhibit any of the more obvious behaviors associated with typical malware such as communicating with an external system, causing pop ups, or slowing down an infected system. They often blend in with legitimate clipboard activity and any data that the malware replaces can be hard to detect because of how frequently data in a clipboard gets overwritten in the normal course of events.

"\[Clipboard injectors\] can be silent for years, show no network activity, or any other signs of presence until the disastrous day when they replace a crypto wallet address," Kaspersky said.

**New Distribution Vector**

Threat actors so far have typically used phishing emails, malicious websites, and other malware to distribute clipboard hijackers.

The campaign to distribute it via weaponized Tor installers is a spin that Kaspersky surmised was likely inspired by Russia's move to ban access to the browser.

Tor gives individuals a way to browse the Internet anonymously by routing their traffic through a network of volunteer-run servers around the world. Frequent Tor users — apart from cybercriminals — include human rights activities, journalists, and those seeking to circumvent censorship and surveillance. Tor has previously described Russia as a country with over 300,000 daily Tor users.

According to Kaspersky, threat actors began distributing Trojanized Tor bundles to Russian-speaking users in December 2021, soon after the country's move to block access. The bundles typically consist of the original torbrowser dot exe installer with a valid Tor Project digital signature, a command-line extraction tool in the RAR archive form with a randomized name, and a password-protected RAR archive.

When a user downloads the weaponized Tor browser bundle, the original torbrowser executable runs in the foreground. In the background, it also runs the extraction tool on the password-protected RAR archive, which sets into motion a set of actions that ends with the clipboard injector malware installed on the victim system.

The authors of the malware likely have used a cracked version of Enigma, a commercially available software protector, to pack the malware and make it harder to detect.

Once installed, the "malware integrates into the chain of Windows clipboard viewers and receives a notification every time the clipboard data is changed," Kaspersky said.

If the malware detects cryptocurrency information in the clipboard, it replaces the content with an attacker-controlled address for Bitcoin or another cryptocurrency. Kaspersky researchers who analyzed various samples of the malware found each sample to contain thousands of replacement addresses making it hard for defenders to create a deny list or to trace cryptocurrency theft, the security vendor said.

The ongoing campaign is not the first time malware authors have abused Tor's popularity in Russia to target users there for cryptocurrency theft. In 2019, ESET observed a Bitcoin-stealing campaign involving a Trojanized version of the Tor browser. The security vendor's investigation showed that some of the attacker-owned Bitcoin addresses in the campaign had been active since at least 2017.

Trojan-Rigged Tor Browser Bundle Drops Malware

A vulnerability with a 9.8 CVSS rating in IBM's widely deployed Aspera Faspex offering is being actively exploited to compromise enterprises.

A critical bug in IBM's popular Aspera Faspex file transfer stack that allows arbitrary code execution is catching the eye of increasing numbers of cybercriminals, including ransomware gangs, as organizations fail to patch.

Months after IBM released a patch for the critical vulnerability, it's being exploited in the wild, researchers with Rapid7 stressed this week, noting that one of its customers was very recently compromised by the bug, tracked as CVE-2022-47986. Immediate action is needed, the researchers said.

"We strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur," Caitlin Condon, senior manager of security research at Rapid7, warned in a blog post.

**Under the Hood of a 9.8 CVSS IBM Vulnerability**

IBM Aspera Faspex is a cloud-based file exchange application that utilizes the Fast Adaptive and Secure Protocol (FASP) to allow organizations to transfer files at higher speeds than would be achieved over ordinary TCP-based connections. The Aspera service is used by large organizations like Red Hat and the University of California, according to Enlyft, and is so lauded that it has literally won an Emmy.

The vulnerability exists in Faspex's version 4.4.2 Patch Level 1, and carries a 9.8 out of 10 on the CVSS vulnerability-severity scale.

"By sending a specially crafted obsolete API call," IBM explained in a security bulletin published on Jan. 26, an attacker could remotely deploy their own code onto any target system running Faspex.

The bug was first reported to IBM back on Oct. 6, 2022, and remedied on Dec. 8, in 4.4.2 Patch Level 2.

Exploitation activity began shortly after the patch was issued earlier this year, when the IceFire ransomware group shifted from targeting Windows to Linux systems. In doing so, it encountered a technical problem: Windows is everywhere, but Linux is most often run on servers. For that reason, they shifted to a new intrusion method for that environment: exploiting CVE-2022-47986.

In the time since, other cybercriminal outfits have pounced on this easy yet powerful vulnerability. In February, an unknown threat actor used it to deploy Buhti ransomware, after the Shadowserver Foundation picked up on live attempts.

**Why Can't Everyone Just Patch Already?**

Rarely in life do severe problems have instant remedies, yet CVE-2022-47986 is utterly amenable with a simple upgrade to Patch Level 2, or the newest Patch Level 3, released March 20, according to Condon. Why, with such a simple solution just a few clicks away, is any organization still vulnerable?

Negligence may be the answer in many cases. "Folks don't necessarily have consistent regular patch cycles," Condon tells Dark Reading. "We're seeing vulnerable software and appliances still exposed to the Internet after months and sometimes years." Indeed, as of last month, there were nearly 140 instances of Aspera Faspex exposed on the Web, she noted.

In certain cases, though, "I would not be surprised if this is difficult to patch," Condon says. "A lot of our analysis involved simply trying to set up the software and get it to work. So whether it's a complex stack or just software that is finicky when you set it up, that can also mean that it is difficult to patch."

Companies that haven't already patched, and can't do so immediately, have limited options left to protect themselves. "Putting in a couple layers of defense there would be very helpful," Condon says, and taking Aspera Faspex offline is absolutely crucial.

Ultimately, the only surefire fixes are to either patch or abandon the software outright, she adds.

"We're aware that when we say 'Hey, if you can't patch, shut it down,' that's not necessarily practical for everyone,” she explains. “So at the very least, take it off the public Internet, and put any other controls you can think of in place."

Patch Now: Cybercriminals Set Sights on Critical IBM File Transfer Bug

Credential phishing emails are the clear favorite of threat actors, with a 478% spike last year, new research shows.

The sheer volume of phishing emails sent in 2022 spiked by a jaw-dropping 569% according to a just-released analysis.

After sifting through a global network of data from 35 million users, using artificial and machine learning analysis, Cofense researchers released their latest State of Email Security Report that details the astronomical rise of email phishing as a tactic among threat actors in 2022.

The email security report revealed five specific trends:

1.  The number of credential phishing emails sent spiked by 478%;
2.  Emotet and QakBot are the top malware families observed;
3.  For the eighth consecutive year, business email compromise (BEC) ranked as the top cybercrime;
4.  Web3 use jumped by 341%;
5.  And there was an 800% increase in the use of Telegram bots for exfiltration.

"The cybersecurity landscape is always evolving, so it is imperative to stay on top of the latest trends and tactics," Tonia Dudley, vice president and CISO at Cofense said about the email security report. "The increase in nation-state attacks and major incidents overall continues to apply pressure to drive visibility of an organization's security program by boards, corporate executives, and cyber insurers.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Phishing Emails Up a Whopping 569% in 2022

Security analysts expect little improvement until at least the second half of the year.

Financial activity in the cybersecurity industry declined sharply in the first quarter of 2023 compared to the same period in 2022, and analysts tracking the sector expect little improvement until at least the second half of the year.

Even that expectation is tinged with some uncertainty over how the market will respond — in the short and long term — to Silicon Valley Bank's (SVB) stunning collapse in mid March and the resulting impact on venture capital funding in the sector.

And meanwhile, next quarter in fact might be the slowest for cybersecurity startup funding in years, at least one researcher predicts.

**Continued Financial Headwinds for Cyber**

"Conservatism and expectations for continued headwinds throughout 2023 were the recurring themes across the public cybersecurity company annual earnings calls held throughout the first quarter," says Eric McAlpine, founder and managing partner at Momentum Cyber. "\[Strategic decision makers\] are approaching the rest of the year with great caution and that has downstream impact for everyone else in the ecosystem."

The cautionary tone comes amid lingering fears of a broad economic recession, falling stock prices and huge layoffs at technology giants such as Amazon, Meta, Microsoft, and Tesla. Though analyst firms such as IDC expect cybersecurity spending to increase 12.1% in 2023 to $219 billion, there are some fears that inflation and rising technology costs could dent the gains organizations are hoping to get from the increased spending.

McAlpine says that through Feb. 28, Momentum Cyber has tracked 32 cybersecurity M&A deals totaling $2.6 billion in disclosed deal value and 102 financing deals totaling $2.5 billion in value. That is down sharply from the M&A deal volume of $13.8 billion across 79 deals that Momentum Cyber tracked in the year-ago quarter. In Q2 last year, that number surged to a record $89.8 billon before dipping sharply in the last half of the year.

"Both M&A and financing deal count and dollar value are down considerably from the same period in 2022 as we continue to deal with turbulent markets," he says.

Market research firm Omdia reported a similar slowdown in the first quarter of 2023 with analyst Ketaki Borade describing the volume of M&A transactions so far this year as just over half of last year's volume in the same period: 44 versus 97 in 2022.

Notable M&A examples in the first quarter of 2023 include Thoma Bravo’s $1.1 billion acquisition of Magnet Forensics, Francisco Partners' purchase of Sumo Logic for $1.7 billion, and SailPoint's acquisition of SecZetta for an undisclosed sum in January.

**Broad Investment Slowdown, Including in VC**

It was not just M&A activity that slowed in the first three months of 2023. Venture capital and other investment activity in cybersecurity companies declined as well says Richard Stiennon, chief research analyst at market research firm IT-Harvest.

Stiennon says IT-Harvest tracked a total of 41 investments totaling some $1.35 billion in cybersecurity companies through March: "That is at an annual rate of only $8 billion \[which is\] considerably down from 2022, which saw investments of $17 billion, and 2021, which set an all-time high of $24 billion." 

Of the 41 investments, there were seven rounds of $50 million or more which accounted for $893 million of the total $1.35 billion, Stiennon says. There have been no initial public offerings (IPOs) so far this year.

Despite the general slowdown in cybersecurity M&A and investment activity, the first three months of 2023 had its share of major transactions. Easily the standout among them was Israeli cloud security vendor Wiz' capital raise of $300 million in a Series D financing round in February that valued the company at an astounding $10 billion, Stiennon says. That made Wiz the highest valued private cybersecurity firm ever.

Stiennon points to a $205 million growth funding round that identity management vendor Saviynt secured from AB Private Credit Investors and $180 million in equity investments and strategic financing that MDR vendor Deepwatch raised in February, as two other major deals in 2023's first quarter. Yet another was a $500 million capital raise by Alphabet spinoff Sandbox AQ in February.

**Hot Sectors**

As has always been the case, some segments within the cybersecurity industry received more love from investors than other segments. Rik Turner, an analyst with Omdia, identified the segments that have received the largest amounts of funding so far in 2023 as network security, security management, and SecOps. These sectors have perennially been attractive to investors, he says. 

"Others such as cloud, application, and data security are now also mainstays within the overall totals," Turner says. "\[The trend\] speaks to the growing amount of cloudification of app infrastructures, which was already underway before the pandemic, but was undoubtedly turbocharged by it."

Several of the technologies that investors are betting on are also — unsurprisingly — the areas where enterprise organizations are spending most of their security dollars on as well. In a recent Dark Reading virtual event, Chenxi Wang, founder and general partner of Rain Capital, identified cloud security, network security, identity and access management, SecOps, and application security as some of the top spending priorities for organizations currently.

In comments to Dark Reading, Wang says based on her observation, overall deal volumes and the velocity of strategic deals decreased in the first three months of 2023. "We observed the same thing on the venture side. Less companies are getting funded compared to last year."

**A Cautious Cyber-Investment Outlook for the Rest of 2023**

Wang and other industry analysts have a somewhat cautious outlook on M&A and investment activity in the cybersecurity sector for the rest of the year. 

One major issue is how SVB's demise will playout over the rest of the year. Wang believes — like many others — that the SVB collapse will make it harder for startups and early-stage companies — especially those with a high-risk appetite — to get funding. 

"In the long run, it means less companies will cross the chasm to scale up and become a sustainable business," she says.

McAlpine is less concerned about the short-term implications of SVB's implosion. The immediate slowdown in financial activity that the bank's collapse triggered has already begun reversing itself. But the longer-term impact may not be evident for years. 

"Going forward, we're advising companies to avoid putting all their eggs in one basket," he says. "Working with multiple banks, for example, \[such as\] one global bank and one regional bank, can help to avoid business interruptions during this period of volatility in the banking system."

He expects that things will start to loosen up sooner rather than later. Financing and M&A activity can't remain in a state of limbo forever, he says. Many companies will still need capital to reach the next stage of their business, even if they're able to adjust and extend their runway near term. "We also expect to see more companies take a parallel approach where they pursue financing and M&A at the same time," he says. "This gives them optionality if one or the other doesn't materialize at a valuation that's acceptable to founders and investors."

Steinnon, who expected a lot of funding that didn't happen last year to be pushed into 2023, says he is underwhelmed by what he has seen so far this year. But he predicts investment and M&A activity will begin ticking upward starting in the third quarter and will at least match 2020's total of $10 billion. 

He predicts that the second quarter of 2023 will be the slowest investment quarter in years in the cybersecurity industry. 

"Fallout from SVB's failure is going to have a negative impact on all funding, including in cybersecurity," he says. "I fully expect private equity to take advantage of decreased valuations \[and\] to snap up deals from the public and private sectors."

Cybersecurity Investment Outlook Remains Grim as Funding Activity Sharply Declines

With an infrastructure for observability, security teams can make better decisions about access and identity-based threats.

When it comes to security, you can't protect what you can't see. That's why organizations that can visualize and understand their data are in a much better position to thwart cyberattacks and breaches. Observability is the best way for businesses to change how they detect and remediate cyberattacks — so much so that the observability market is expected to reach $2 billion by 2026.

While observability isn't a mainline discussion in the identity security space, it's an essential piece of the puzzle, shining a light on the attack surface that allows teams to identify and prevent breaches. By layering observability with identity management, security teams have access to more data on identity-based threats, and fewer silos to break down as they race to identify and prevent attacks.

**Observability's Role in the Threat Landscape**

Observability enables organizations to fully see, understand, and manage their systems. For example, data observability gives business leaders a clear picture of the data they have, where it's stored, and who has access. It lets teams know if their systems, servers, and applications are functioning properly and can identify downtime or vulnerabilities. A recent report found that the most sophisticated observability practitioners cut downtime costs by 90%, to $2.5 million versus $23.8 million, for observability beginners.

This is especially true when it comes to managing the identity attack surface. The sprawl of applications and systems employees are connected to is increasing exponentially, and security teams need specific information in order to determine which kinds of access are legitimate and which are risky. By getting full visibility into these systems, teams can track metrics about access over time and set clearer policies.

**Establishing a Baseline of Normal**

Observability not only helps to establish a baseline of "normal behavior," but helps identity and access management (IAM) systems use data to make valuable decisions that protect business operations and directly contribute to positive business outcomes. This strategy, known as behavior-driven governance, takes granular data about how people actually use their identities and access privileges, rather than what a business assumes they're doing.

Three types of data matter the most in setting a baseline:

*   **Metrics:** Quantifying performance, including key performance indicators (KPIs) such as response time, error rates, alerts, etc.
*   **Traces:** Allowing IT teams to locate the source of an alert (i.e., which part of a login process is vulnerable to bugs)
*   **Logs:** Answering the who, what, where, when, and how of access activities with contextual event information

For example, a security team using observability could monitor certain metrics, such as when employees sign in and sign out of a system, their location and their keystrokes, then look at the data over a 60- or 90-day period to form a baseline for "normal" utilization. If a log shows that an employee has access to 15 applications and only uses five on a regular basis, the team can revoke access to the unused apps to minimize risk.

If the company only has US employees and North American suppliers, and there's a login attempt from Singapore, it's easier to log that as a red flag and investigate. Better observability into data and the patterns associated with it can help businesses detect potential breaches quickly and efficiently.

To get the most out of observability, these three types of data should be used together to gain an overall understanding of the identities a business manages.

**Third-Party Observability**

Data observability should be built into systems; often it is, but its context changes as customers request different capabilities. For example, if customers want authentication-as-a-service, and choose to plug in an authentication module and let a third party handle that, they surrender their observability to the third party to some degree. These customers won't have access to performance metrics around the app's authentication modules, and they might not know what baseline behavior actually looks like unless they ask that third party for granular details.

Regardless of how much a security team builds versus buys its identity security infrastructure, it must make sure observability is built in from the start. Take Netflix as an example: At the beginning of the year, the company embarked on a plan to crack down on password sharing to stop users from accessing the app from devices not associated with their home network. While the company quickly walked back that plan amid user backlash, the original idea provides an interesting case study for how to use observability for identity security. To set identity management policy that is accurate, Netflix would have needed to be able to process, visualize, and get full observability into user data — everything from where users log in most to what time of day they're most likely to watch.

So, what can we take away from this example? How can businesses set up a data-first observability framework to use this data and set accurate policies? I'd suggest that all enterprises need to follow these best practices when it comes to setting up a data-first observability approach to security:

*   Key observability metrics based on organizational business priorities
*   Executive buy in to, and organization-wide education on, a culture of observability, data access, and governance
*   A pipeline to centralize and standardize data sources (like metrics, logs, and traces) that can be used to identify baseline and "abnormal" behavior
*   Analytics tools and automated processes (like RPA software bots) that can sort through the noise of alerts

Businesses already have much of the data they need on identity management. By implementing an infrastructure for observability, security teams can break through the noise and make better decisions about access and identity-based threats.

Using Observability to Power a Smarter Cybersecurity Strategy

Google TAG researchers reveal two campaigns against iOS, Android, and Chrome users that demonstrate how the commercial surveillance market is thriving despite government-imposed limits.

Researchers from Google's Threat Analysis Group (TAG) have discovered two separate, highly-targeted campaigns that use various, unpatched zero-day exploits against users of both iPhone and Android smartphones to deploy spyware.

The discoveries — revealed in a blog post on March 29 — are the result of active tracking that Google TAG does of commercial spyware vendors, with more than 30 of them currently on the radar screen, the researchers said. These vendors sell exploits or surveillance capabilities to state-sponsored threat actors, thus "enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house," the researchers wrote. These are often used to target dissidents, journalists, human rights workers, and opposition-party politicians in potentially life-threatening ways, they noted.

The use of surveillance technologies is currently legal under most national or international laws, and governments have abused these laws and technologies to target individuals that don't align with their agendas. However, since this abuse came under international scrutiny due to the revelation of governments abusing NSO Group's Pegasus mobile spyware to target iPhone users, regulators and vendors alike have been cracking down on the production of and use of commercial spyware.

In fact, on March 28, the Biden administration issued an executive order that falls short of an outright ban on spyware, but restricts the use of commercial surveillance tools by the federal government.

Google's findings this week show that those efforts have done little to thwart the commercial-spyware scene, and "underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," TAG researchers wrote in the post.

Specifically, the researchers discovered what they characterize as two "distinct, limited, and highly targeted" campaigns aimed at users of Android, iOS, and Chrome on mobile devices. Both use zero-day exploits and n-day exploits. Regarding the latter, the campaigns take particular advantage of the period of time between when vendors release fixes for vulnerabilities and when the hardware manufacturers actually update end-user devices with those patches, creating exploits for unpatched platforms, the researchers said.

This demonstrates that those creating the exploits are keeping a close eye on vulnerabilities that they can exploit for nefarious purposes and are likely colluding to maximize the potential for using them to compromise targeted devices, according to TAG. The campaigns also suggest that surveillance software vendors share exploits and techniques to enable the proliferation of dangerous hacking tools, the researchers wrote in the post.

**The iOS/Android Spyware Campaign**

The first campaign that researchers outlined was discovered in November and exploits two vulnerabilities in iOS and three in Android, including at least one zero-day flaw each.

Researchers found initial access attempts that affect both Android and iOS devices that were delivered via bit.ly links sent over SMS to users located in Italy, Malaysia, and Kazakhstan, they said. The links redirected visitors to pages hosting exploits for either Android or iOS, then redirected them to legitimate websites — "such as a page to track shipments for Italian-based shipment and logistics company BRT, or a popular Malaysian news website," researchers wrote in the post.

The iOS exploit chain targeted versions prior to 15.1 and included an exploit for a WebKit remote code execution (RCE) flaw, tracked as CVE-2022-42856, but a zero-day at the time of the exploit. It involves a type confusion issue within the JIT compiler, the exploit used a PAC bypass technique fixed in March 2022 by Apple. The attack also exploited a sandbox escape and privilege escalation bug in AGXAccelerator, tracked as CVE-2021-30900, which was fixed by Apple in iOS 15.1.

The final payload of the iOS campaign was a simple stager that pings back the GPS location of the device and also allows the attacker to install an .IPA file (iOS application archive) onto the affected handset, researchers said. This file can be used to steal information.

The Android exploit chain in the campaign targeted users on devices that use an ARM GPU running Chrome versions prior to 106, the researchers said. There were three vulnerabilities exploited: CVE-2022-3723, a type confusion vulnerability in Chrome that was fixed in last October in version 107.0.5304.87, CVE-2022-4135, a Chrome GPU sandbox bypass only affecting Android that was a zero-day when exploited and fixed in November, and CVE-2022-38181, a privilege escalation bug fixed by ARM last August.

The significance of attacking ARM and CVE-2022-38181 in particular is that when the fix for this flaw was initially released, several vendors — including Pixel, Samsung, Xiaomi, and Oppo — did not incorporate the patch, giving attackers several months to freely exploit the bug, researchers said.

**Samsung Browser Cyber-Espionage Campaign**

Google TAG researchers discovered the second campaign, which includes a complete exploit chain using both zero-days and n-days to target the latest version of Samsung Internet Browser, in December. The browser runs on Chromium 102 and has not been updated to include recent mitigations, which would have required attackers to do additional work to carry out the exploit, the researchers said.

Attackers delivered the exploits in one-time links sent via SMS to devices located in the United Arab Emirates (UAE), the researchers said. The link directed users to a landing page identical to one present in the Heliconia framework developed by commercial spyware vendor Variston, they added.

The payload of the exploit in this case was a C++-based, "fully-featured Android spyware suite" that included libraries for decrypting and capturing data from various chat and browser applications, the researchers wrote. They suspect that the actor involved may be a customer, partner, or otherwise close affiliate of Variston.

Flaws exploited in the chain were CVE-2022-4262, a type confusion vulnerability in Chrome that was a zero-day at time of exploitation, CVE-2022-3038, a sandbox escape in Chrome fixed in version 105 in June 2022, CVE-2022-22706, a vulnerability in Mali GPU Kernel Driver fixed by ARM in January 2022, and CVE-2023-0266, a race condition vulnerability in the Linux kernel sound subsystem providing kernel read and write access that was a zero-day at the time of exploitation.

"The exploit chain also took advantage of multiple kernel information leak zero-days when exploiting CVE-2022-22706 and CVE-2023-0266" that Google reported to ARM and Samsung, the researchers wrote.

**Limiting Spyware & Protecting Mobile Users**

TAG researchers provided a list of indicators of compromise (IoC) to help device users know if they're being targeted by the campaigns. They also stressed how important it is for vendors as well as users to update their mobile devices with the latest patches as quickly as possible after vulnerabilities and/or exploits for them are discovered.

"A big takeaway here would be to use fully updated software on fully updated devices," Google TAG researchers say in response to questions posed by Dark Reading. "In this case, none of the exploit chains described would have worked."

Google: Commercial Spyware Used by Governments Laden With Zero-Day Exploits

For the foreseeable future, with the spigots closing shut, CISOs will need to find ways to do more with less.

It's always easier to upgrade an organization's defenses when times are flush and money's no object. But try getting your CFO to fund a new cybersecurity project when the boom goes bust.

Good luck with that.

In the immediate past, the security function received ample investment to add staff and equip teams with the latest and greatest security tools. But when uncertainty clouds the economic climate, companies rein in overall spending, reduce head count, and back away from investment projects not deemed essential. This is also when CISOs get put to the test. 

The security leaders of the organization don't have the luxury of sitting on their hands until the business cycle picks up again. Threat actors operate during good times and bad, and trust me, they will find –— and exploit — vulnerabilities that emerge from neglected defenses.

But for the foreseeable future, with the spigots closing shut, CISOs will need to find ways to do more with less.

**Dealing With a New Reality **

That sounds painful, but CISOs can handle the drill. Speaking as a former CSO, we're always under pressure to achieve more, especially when the cost of all that security overhead comes under scrutiny.  

CISOs now find themselves operating in a new environment. In short, the new reality imposes a new discipline.

For starters, security departments need to learn to be leaner than in previous years as the C-suite directs them to squeeze more out of their current technology deployments. The new marching orders will challenge their skills as business managers, forcing them to step beyond their comfort zone as technologists, perhaps for the first time. 

In practice, that may require them to reduce head counts while reviewing their security ecosystems to eliminate overlaps while amplifying supporting controls. They'll also need to demonstrate that the tools they're using are working as expected and that they're optimized by deploying the latest available intelligence.  

Some CISOs might want to push back. But savvy CISOs will recognize they need to demonstrate that they can run a smart operation, just as smartly as the rest of the other departments in the business.

If you want your organization's security to be fit, then accept the oversight and invite the new rigor coming from your board. Do the necessary advance work and be prepared to defend your asset deployment. That is just sound business practice. 

If you can explain how you're spending the company's dollars to secure the business and demonstrate that you're running an efficient operation, it pays off later on. When new threats do materialize and you make a case for a bigger budget, you'll be presenting to a more supportive and appreciative board.

When I was running cybersecurity at BT, I examined how we were set up and discovered that we had far more managers than doers. In other words, we were top-heavy with more tiers of management than was needed. So I restructured our operations to flatten the org chart, giving the employees more responsibilities and accountabilities across a broader base.

At first blush, that sounds as if I squeezed people harder than ever. But it was just the opposite. We were giving them broader, more enriched roles because the people that work in security have a real passion for what they do. All they ask is to be given the environment, the tools, and the data to do a great job. So my role was to promote that rationalization and make sure we were properly aligned to have the best-possible impact defending against attackers. And after expanding the responsibilities of the people in my security teams, guess what? They loved it.

**Winding Up Stronger Long Term**

Everyone has an innate immunity to change, but this is a moment where CISOs must step up to meet the challenge. With knowledge comes power: Not only will they learn a lot about the true capabilities of their own security organizations, but they'll also wind up more able to define future security strategy. 

Gaining a clear idea about your attack surface is a fundamental prerequisite if you hope to marshal your resources against the types of attacks heading your way. Do you have the right overlapping controls? Have you got controls that have been around for a long time? If so, are they still delivering value or have they become expensive albatrosses? If so, get rid of them and lighten up the operational costs on your teams, so you can double down on the things that matter. 

Next, consider what intelligence you have, and what you wish you had access to. If you're a CISO of a major financial institution, for example, might it be beneficial to know what threat intelligence other CISOs from competitor organizations are gathering? It might be counterintuitive to share information with rivals, but it's time to reframe our thinking around what's truly proprietary and what information we could all benefit from. Sharing threat intelligence through communities like Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), and others is an effective way to bolster your defenses without having to start from scratch.

Elsewhere, have you made sure that your offboarding processes are working properly and limiting data access? Over the years, some employees may have aggregated access privileges that no longer make sense given their current jobs. That's a recipe for major trouble if they get compromised. 

Do all this so if (and when) you're ordered to make cuts, you can talk from a position of knowledge, and also ensure you're getting the most out of your existing investments. Remember, security doesn't live in products; it lives in intelligence and your ability to access and put that intelligence to work. Having done the requisite analysis, you'll be talking in business terms back to your board. That's a language they will understand and it will set you up to be stronger in the long term.

The CISO Mantra: Get Ready to Do More With Less

With the rise in cloud-based security concerns and other issues, organizations must improve data literacy across the enterprise.

**Question: How does data literacy enhance data security in the enterprise, and why is it important to enterprise security?**

**Sam Rehman, SVP and CISO, and Taryn Hess, Ph.D., Principal, Business Consulting, EPAM Systems:** The shift to cloud computing is perhaps the most significant tech trend of recent years, with the public cloud computing market expected to be worth more than $800 billion by 2025. From decreasing IT costs to increasing opportunities for innovation, the cloud holds many benefits for companies across every industry. However, many employees are unprepared to securely set up cloud applications or unaware of how poor configuration could affect data security. One of the main reasons why organizations struggle to secure their cloud environments is a companywide lack of data literacy.

In today's marketplace, a data-literate workforce — one that uses data as a company asset in decision-making, evaluates and questions data, knows how to find data, and confidently interacts with data to derive insights and tell a story about it — is critical to business success. In a 2022 survey by the Data Literacy Project, only 11% of respondents were fully confident in their data literacy skills. It is of the utmost importance that businesses engage in efforts to enhance data literacy, which will improve data security.

**Data Handling and Classification**

Fundamentally, data leaks are a result of insufficient data literacy. These incidents stem from someone not fully understanding the value of a particular data set and mishandling it by either sharing it with people who shouldn't have access or leaving it unprotected and exposed to hackers.

The consequences of not understanding and mishandling data can be costly, causing damage to brand reputation, and, should proprietary information be stolen, a company could lose market share to a competitor. Moreover, if an employee's potentially identifiable information (PII), such as their health records or religion, is leaked in a data breach, that person could be in danger.

From a data literacy perspective, everyone within a company should consider themselves a data security ambassador. Indeed, a sufficient understanding of the data an employee uses regularly will empower them to secure it properly. Of course, there are layers to data literacy within a business, as some roles require greater literacy than others — i.e., data scientists and architects compared with legal or HR personnel.

One of the main ways people can increase their data literacy is by learning data labels. In particular, people must be aware of a data set's classification and have adequate knowledge to handle that information accordingly.

Today, commercial businesses leverage data classifications similar to those the government uses, including public, internal, confidential, and restricted levels. Public data is nonsensitive information available to anyone via the company website. Internal data, such as the employee handbook, is reserved for those within the organization. Confidential data, like pricing or marketing materials, must remain limited to select teams. And restricted data, such as trade secrets or PII, is highly sensitive and could be disastrous should it be disclosed.

**Data Maturity Assessment and Culture Transformation**

Improving data literacy is a multifaceted process. To establish a baseline, brands can conduct a data maturity assessment or map data security competencies (knowledge, skills, and abilities) across every role in a company. Organizations can determine their data maturity by checking what isn't working, be it a lack of communication or misunderstanding from not speaking the same language, such as the same term meaning different things for different departments.

From there, businesses can build growth plans and create opportunities for everyone in the organization to upskill on data security based on their roles. Likewise, a data maturity assessment will reveal whether an organization needs to look outside of itself for talent.

Though the previous methods are critical to improving data literacy, almost 92% of executives rate culture as the greatest barrier, making it the top priority in this area. Shifting a culture to one that embraces data literacy can be tricky; however, by involving the right leaders and stakeholders, companies can ensure alignment across the enterprise.

Once leadership has bought in, organizations can engage everyone with data security through various means, including newsletters, project meetings, town halls, online learning, workshops, etc. Likewise, it's critical to drive awareness of potential threats, like phishing attacks, data loss, or cloud misconfiguration.

**Data Literary Undergirds All Security Efforts**

Although various strategies, such as deploying policy and encryption to protect cloud environments, are necessary to minimize the impacts of data breaches, companywide data literacy undergirds the effectiveness of such methods and must remain a priority. Indeed, data handling and proper attention to the different classifications will empower people to use data safely, driving innovation and business success.

Source

DARKReading