One researcher thinks trust is broken in AD. Microsoft disagrees that there's a security vulnerability. But enterprise IT environments should be aware of an authentication gap either way.

An access control gap in Microsoft's Active Directory (AD) service may allow users within Windows environments to access domains beyond those for which they are authenticated, all while IT admins are none the wiser.

AD, Microsoft's catchall identity management service for authenticating computers, printers, users, or really anything participating in an IT environment, is built into most Windows domain-type networks. Tens of thousands of organizations use the service, including 90% of Global Fortune 1000 companies, according to Frost & Sullivan.

Network administrators use AD to manage authentication across a domain, ensuring that intended users — _only_ intended users — can access the resources they're allotted — _only_ those they're allotted.

In a report published March 14, however, Charlie Clark, security researcher at Semperis, detailed how a user can escape the guardrails within AD, and access domains for which they were not explicitly granted permission.

"It massively increases the attack surface for an attacker," he explains, "and obviously, the larger the attack surface, the more likely it is that an attacker can find an exploitable bug."

**MSFT AD's "Transitive Trust" Problem**

According to the transitive property of mathematics, if a = b and b = c, then a = c.

In AD, if domain A connects to domain B, and domain B connects to domain C, domains A and C may or may not be able to access one another, depending on whether they share a "transitive trust." As stated in Microsoft's documentation, "transitivity determines whether a trust can be extended outside of the two domains with which it was formed."

Two domains belonging to two different organizations might bear an "external trust" — a form of trust that's set up manually in AD, which is nontransitive. However, herein lies the issue that Clark found: that external trust can be used by one company to access sister domains within the same group (what Microsoft calls a "forest") as the second, for which no official external trust has been established, Clark says.

"If what we thought about non-transitive trusts were true," Clark explains, an authenticated user from one domain would "only be able to target the specific domain they've got a trust with. They wouldn't be able to move around the forest to other domains."

Instead, "any account within the trusted domain will be able to authenticate against any domain within the entire forest in which the trusting domain resides," he wrote in his analysis.

A malicious user who figures out how to burrow around a forest at will can access resources, reach accounts, and find data they otherwise should not.

"It allows an attacker to have a much larger attack surface from any low-privileged account on a trusted domain," Clark reasons, because "if you manage to take over a single domain within a forest, it's very easy to take over the whole forest."

Clark first reported his findings to Microsoft on May 4, 2022. On Sept. 29, Microsoft wrote in an email that "we have determined that this submission does not meet the definition of a security vulnerability for servicing. This report does not appear to identify a weakness in a Microsoft product or service that would enable an attacker to compromise the integrity, availability, or confidentiality of a Microsoft offering." With that, the company closed the case.

“We provide many mechanisms for limiting resource access when using external trusts in a forest trust environment," a Microsoft spokesperson explained. "For example, by applying an authentication policy to resources at any granularity to allow or deny authentication based on any security descriptor. Customers can also set a deny-by-default posture which only allows those users to authenticate to accounts where the user has the allowed-to-authenticate right. We are continuously researching ways to improve security for future releases. More information is available in our authentication policy documentation.”

**Why Trust Matters**

Clark worked as a systems administrator for over 15 years, and a pen tester for six. "Every medium to large business or infrastructure that I've worked with has had external trusts," he claims. By that logic, most of AD's clients are likely at risk right now, he alleges, if additional protections haven't been put in place.

Microsoft's recommendations aside, to protect against this form of access control abuse, Clark recommends that admins remove all external trusts. If this is not possible, then monitoring which users are accessing what is the next best thing.

The most important thing, in the end, is awareness. Otherwise, admins may fall prey to a false sense of security. They "can see that a trusted domain is a higher risk. So they may apply greater security to that domain," Clark explains, but "they might not apply the same level of security to the rest of the domains within the forest," despite the similar risk.

"I think the main thing is to make system admins aware that this is possible," Clark concludes. By knowing this, "they can harden the rest of the domain sufficiently."

Access Control Gap in Microsoft Active Directory Widens Enterprise Attack Surface

Organizations need to take steps now to strengthen their cyber defenses.

Anxiety over an artificial intelligence tool called ChatGPT is spreading across a wide range of sectors, from education to business to cybersecurity circles. Numerous articles have shown ChatGPT's efficiency in creating phishing emails, as well as passing medical and business school tests. Its ability to write, speak, and answer queries across a wide range of subjects as competently as many humans do, as well as its ability to find vulnerabilities in computer systems, has raised legitimate concerns over how it may be used to create effective phishing campaigns on a large scale.

While today it's a toy, a parlor trick that people take out to show how much AI has improved, businesses and government institutions should be worried about what's going to happen in two to five years, as AI models continue to improve and bad actors take advantage of what it can do. Organizations need to take steps now to strengthen their cyber defenses, against both current threats and what's lurking around the corner.

**AI's Versatility Creates Risks**

ChatGPT, created by OpenAI, has been available for queries since November 2022, in an open-ended beta testing period. OpenAI, a research and deployment company that pursues innovations in AI, says it created the chatbot to interact in a conversational way, study user feedback, and learn its own strengths and weaknesses. It's been used to explore scientific subjects, help write a poem or a song, and even apply for a job. ChatGPT does make mistakes. The coding platform StackOverflow temporarily banned ChatGPT because its answers to questions were often incorrect, deciding that posting those answers would be "substantially harmful" to StackOverflow users. But it is learning and improving.

**The Next Stage of AI Threats**

The most immediate cybersecurity concerns over ChatGPT are that it can give neophyte cyberattackers the ability to write phishing emails, exploit buffer overflows, and carry out other basic cyberattacks. But in a few years, these threats will become much more serious.

AI tools will make it easier for malicious insiders or cybercriminals who gained brokered access to engineer and manipulate intracompany dialogue, sending precisely targeted phishing emails that look like legitimate requests from a person inside the company.

**What Businesses Can Do to Protect Themselves**

There are several steps businesses can take to adopt a security-first culture and protect themselves from the kind of threats AI poses, now and in the future:

1.  **Make sure the business leans toward skepticism.** People at every level of a company should question what they see in email or any other communication channels. Phishing is so pervasive because it has so often worked, accounting for 73% of social engineering attacks in North America, according to Verizon's "2022 Data Breach Investigations Report." Employees should be trained to look at any email, Slack invitation, or other communication with a critical eye. They need to be aware of the signs that it's fraudulent.
2.  **Deliver continuous, real-time cybersecurity training.** Almost every organization has a cybersecurity training program that their employees must take annually. Given the number of breaches we've seen based on phishing attacks, it's clear this is not enough. Organizations need to help employees identify phishing attacks in real-time, pointing out as it happens when employees click on fraudulent links or download privileged information onto a thumb drive. For the sake of productivity, employees try to find workarounds, and cybersecurity training needs to happen in the moment to remind employees why protocols are there in the first place.
3.  **Establish some Internet borders to reduce unnecessary use.** Workplaces already do this to some extent, such as by blocking offensive websites or forbidding Internet use that could put company data in jeopardy. If they have not done it already, businesses can establish a written policy detailing acceptable and forbidden Internet use. Programs are available that will limit Internet use to approved websites, and routers can be used to block sites. Tracking and logging Internet use also can act as a deterrent.
4.  **Improve corporate security policies and actually enforce them.** Security transformation does not happen in days. It happens over months and years, requiring a cultural change in how everyone in the organization thinks about cybersecurity. The best practices in security today can be effective, but only if fully implemented and followed. As with other security steps, businesses should communicate consistently about security, reminding staff of what's expected from them.
5.  **Question current standard practices.** One of the most common explanations used in IT has always been, "We've always done it that way." This is the worst explanation possible for any security practice. An essential component of a security-minded culture is a willingness to change processes and implement new tools to keep up with the ever-changing cyber threat landscape. Be ready to consider more secure and efficient modes of cybersecurity protocol.

**Building a Culture Around Security**

Many organizations begin to see greater success against advanced AI threats when they empower their workforce, which begins with strengthening communication between IT, HR, security teams, and employees about anything and everything concerning risk, data privacy, Internet use, and more. In today's threat environment, security is everyone's responsibility.

How Businesses Can Get Ready for AI-Powered Security Threats

Organizations must educate themselves and their users on how to detect, disrupt, and defend against the increasing volume of online disinformation.

More and more, nation-states are leveraging sophisticated cyber influence campaigns and digital propaganda to sway public opinion. Their goal? To decrease trust, increase polarization, and undermine democracies around the world.

In particular, synthetic media is becoming more commonplace thanks to an increase in tools that easily create and disseminate realistic artificial images, videos, and audio. This technology is advancing so quickly that soon anyone will be able to create a synthetic video of anyone saying or doing anything the creator wants. According to Sentinel, there was a 900% year-over-year increase in the proliferation of deepfakes in 2020.

It's up to organizations to protect against these cyber influence operations. But strategies are available for organizations to detect, disrupt, deter, and defend against online propaganda. Read on to learn more.

**Building a Cyber Influence Campaign**

Cyber influence operations have three main stages. They begin with prepositioning, which is when nation-state actors first introduce their propaganda or false narratives to the general public — whether using the Internet or through making it part of breaking world news. These false Internet narratives are especially harmful because they can lend credence to subsequent references.

Next is the launch phase. This involves foreign entities creating a coordinated campaign to spread their narrative through government-influenced media outlets and social channels. Then comes the amplification phase in which nation-state-controlled media and proxies amplify false narratives to targeted audiences.

The corruption doesn't end there. Cyber influence campaigns can lead to market manipulation, payment fraud, vishing, impersonations, brand damage, and botnets, to name a few. But the greater threat is to our collective sense of trust and authenticity. The growing use of artificial media means that any compromising or undesirable image, audio, or video of a public or private figure can be dismissed as fake — even when it's legitimate.

**How Organizations Can Protect Themselves**

As technology advances, tools that have traditionally been used in cyberattacks are now being applied to cyber influence operations. Nation-states have also begun collaborating to amplify each other's fake content.

These trends point to a need for greater consumer education on how to accurately identify foreign influence operations and avoid engaging with them. We believe the best way to promote this education is to increase collaboration between the federal government, the private sector, and end users in business and personal contexts.

There are four key ways to ensure the effectiveness of such training and education. First, we must be able to detect foreign cyber influence operations. No individual organization will be able to do this on its own. Instead, we will need the support of academic institutions, nonprofit organizations, and other entities to better analyze and report on cyber influence operations.

Next, defenses must be strengthened to account for the challenges and opportunities that technology has created for the world's democracies — especially when it comes to the disruption of independent journalism, local news, and information accuracy.

Another element in combating this widespread deception is radical transparency. We recommend increasing both the volume and dissemination of geopolitical analysis, reporting, and threat intelligence to better inform effective responses and protection.

Finally, there have to be consequences when nation-states violate international rules. While it often falls on state, local, and federal governments to enforce these penalties, multistakeholder action can be leveraged to strengthen and extend international norms. For example, Microsoft recently signed onto the European Commission's Code of Practice on Disinformation along with more than 30 online businesses to collectively tackle this growing challenge. Governments can build on these norms and laws to advance accountability.

Ultimately, threat actors are only going to continue getting better at evading detection and influencing public opinion. The latest nation-state threats and emerging trends show that threat actors will keep evolving their tactics. However, there are things organizations can do to improve their defenses. We just need to create holistic policies that public and private entities alike can use to combat digital propaganda and protect our collective operations against false narratives.

Deepfakes, Synthetic Media: How Digital Propaganda Undermines Trust

An analysis of trillions of DNS requests shows a shocking amount of malicious traffic inside enterprise networks, with threats using DNS as a sort of malicious Autobahn.

The Internet's domain name system (DNS) has become a superhighway of sorts for threat actors, with one in six organizations experiencing malicious network traffic in the form of either malware such as Emotet, phishing attacks, or command-and-control (C2) activity in an given quarter, researchers have found.

Researchers from Akamai looked at data from more than than 7 trillion daily DNS requests to examine how threat actors are leveraging the servers and devices enterprises use to manage these requests to conduct their nefarious activity.

What they found is that attackers are zooming in and out of networks via DNS at an alarming frequency, with between 23% and 27% of organizations experiencing at least one instance in which C2 traffic was observed traveling out of their network in any given quarter, the Akamai researchers said in a report published today.

This traffic provides "a very accurate predictor for attacks in progress, and can provide a very accurate image of the threat landscape," says Eliad Kimhy, cybersecurity research team lead at Akamai.

Moreover, much of this traffic is occurring in real time, making it harder for the enterprise to defend against it, he adds.

"Attackers are increasingly operating with a 'hands on keyboard' philosophy, giving the job of hacking an organization to a live operator," Kimhy says. "This is going to make detecting and stopping C2 traffic a crucial aspect of an organization's security, and we will likely see this play an ever-growing role in the modern attack."

**Emotet, QSnatch & the Current State of Attacks**

The Akamai researchers reported a range of findings about not only how attackers are using DNS, but what type of attacks and malware are most prevalent in their observations. One of the most interesting was that the stalwart threat Emotet, which resurfaced recently after a brief hiatus, is not only back, but back with a vengeance.

"It is prevalent and seems to conduct massive campaigns to try and breach organizations," Kimhy says.

The researchers observed one "massive campaign" last year, and it appears that the threat group is ramping up for another, he says. "This is a very difficult group to contend with, as it specializes in breaching and selling access to more dangerous groups, like ransomware groups," Kimhy notes.

Moreover, this resurgence of Emotet is a good indicator that more attacks — potentially from ransomware groups — are on the horizon, as the malware is often used as an initial access to networks, he says.

In fact, the researchers found that 9% of infected network devices that they observed reaching out to C2s accessed domains associated with ransomware-as-a-service (RaaS) group, demonstrating the continued risk from ransomware attacks with business-crippling consequences — including remediation and recovery costs, legal fees, fines, downtime resulting in loss of productivity, and brand and reputation damages — for the enterprise.

Attackers also are increasingly finding their way into organizations' networks via network-attached storage (NAS) devices on the back of the botnet QSnatch, with more than a third of affected devices that researchers observed showing traffic leading to C2 domains related to this threat, the researchers found.

These devices can represent "a huge threat surface" if they're not well-secured, as organizations often use NAS devices for backups and the storage of crucial data, according to Akamai.

"Finding yourself in a position where your data is stolen or backups are deleted in support of a ransomware attack can be a terrible position to be in," Kimhy says.

In terms of which types of organizations attackers go after using DNS, the researchers found that manufacturing, business services, and retail are facing the highest risk, though no industry is safe from imminent attack.

**How Cyber Defenders Can Protect Against DNS Threats**

Given the insight about the current malicious activity hitching a ride into enterprise networks via DNS, security administrators can now arm themselves against the most prevalent threats targeting their networks. One way to do this is to conduct gap assessments and close those gaps where necessary, the researchers said.

Overall, given the current threat landscape, knowledge is power, Kimhy says. "Security teams need to know who’s on the other side of the attack — and which groups put their organization at risk — in order for them to be able to defend," he says.

Moreover, the "broken record" advice of adopting a "zero trust" mentality continues to ring true, with the deployment of "products that specialize in stopping an attack that has gone past the perimeter" — such as endpoint detection and response (EDR), microsegmentation, and secure Web gateways (SWGs) — offering particular advantage in defending against the current threat landscape, the researchers said.

Given the advanced threat posed to NAS devices, the Akamai researchers also recommended that organizations ensure any that companies have on their network be securely nailed down. "It is strongly advised that security teams ensure their NAS devices are up to date," Kimhy says "and properly secured via segmentation, or other appropriate tools."

Emotet, QSnatch Malware Dominate Malicious DNS Traffic

Only by working collaboratively can boards and security leaders make progress and agree about cybersecurity threats and priorities.

As leaders responsible for prioritizing their organizations' goals, board members must push the cybersecurity agenda forward. Yet new research shows healthcare boards are far behind their peers in making cybersecurity a priority and understanding cyber-risks, despite the potentially severe consequences to patient safety and care.

"Cybersecurity: The 2022 Board Perspective," a new global report from Proofpoint and Cybersecurity at MIT Sloan, found that cybersecurity is much lower on healthcare boards' agendas compared with other sectors. Although 77% of the 600 board members surveyed suggested cybersecurity is a top priority for their organizations, only 59% of healthcare directors concurred.

The report also found that only 61% of healthcare boardrooms discuss the topic at least monthly (versus 75% across all sectors), and only 64% believe they have invested adequately in cybersecurity (versus 76% for all sectors).

The future appears just as bleak. While 87% of participants expected to see their cybersecurity budgets increase in the next 12 months, only 77% of healthcare board members share this belief.

****Healthcare Boards Need Better Focus on Cyber-Risks****

What makes these findings more alarming is the contrast between healthcare boards' opinions about their cyber preparedness and the sentiments of other boards. Despite their lower cyber priorities, healthcare boards are much more optimistic. Only 50% believe their organization is at risk of a material cyberattack in the next 12 months (compared to 65% across sectors), and just 43% think their organizations are unprepared to cope with a targeted cyberattack (compared with 47% for all cohorts).

One reason behind the healthcare directors' misplaced confidence is their lack of cybersecurity understanding and expertise — another area where they fall behind their peers. Across all industries, 85% of survey participants believe their boards understand systemic risk, but only 61% of healthcare directors feel the same. Furthermore, fewer healthcare organizations have experts on their boards (68% versus 73%) and adequate training to respond to a cyber incident (59% versus 74%).

Given the gap in the directors' understanding of cyber-risks, it is understandable that they would look to their chief information security officers (CISOs) for guidance. However, the report findings show that this is not true. Only 57% of healthcare boardrooms have regular presentations from CISOs or other cybersecurity experts, compared to 73% across all sectors. Twenty-three percent of healthcare board members only see their CISOs when they appear before the board to make a cybersecurity report.

****Board-CISO Rift a Barrier to Progress****

Our industry is well aware of the communications gap between boards and CISOs. For years, boards showed little interest in cybersecurity, viewing it as an IT problem rather than a business one. Today, thanks to growing publicity about escalating threats such as ransomware, we finally see cybersecurity elevated to the board level.

But this increased awareness has not yet resulted in thawed tensions between boards and their security leaders. The survey found that 31% of directors globally still do not see eye to eye with their CISOs — and even more healthcare directors (41%) fall into this camp. If the two sides don't know, like, or even see each other very much, how can they agree on priorities and improve their organizations' security posture?

This chasm is especially alarming given the magnitude of cyber threats and patient risk in healthcare. A Ponemon Institute report on healthcare threats earlier this year found that 89% of surveyed organizations experienced an average of 43 attacks in the past 12 months. Among those that experienced attacks such as ransomware and cloud compromise, 20% saw an increased patient mortality, rate while 57% saw poor patient outcomes because of delays in tests or procedures. There is a clear connection between cybersecurity and patient wellbeing — yet the healthcare sector often fails to take that seriously.

Why Healthcare Boards Lag Other Industries in Preparing for Cyberattacks

Organizations recognize that they are responsible for protecting remote workers from cyber threats, but they have a long way to go in deploying the necessary security technologies.

Remote work, or work from anywhere, is the reality for most organizations. However, organizations are still in the early stages of implementing security technology to accommodate the remote workforce, according to a recent report from Fortinet.

The insecurity of home networks, employees using company laptops for personal use, and compromised family devices infecting an employee's work device are considered to be the top security risks around work-from-anywhere, the company found in its "2023 Work-From-Anywhere Global Study." Just shy of three-quarters of respondents (71%) of respondents said the responsibility for protecting home offices falls on the corporation and service providers.

Of the 570 respondents, 40% had shifted back to being in the office full-time and 55% had some form of hybrid policy (remote work either one to two days or three to four days per week). Nearly two-thirds (62%) of respondents said their companies experienced a data breach during the past two to three years that could be attributed to an employee working remotely.

The survey asked respondents to identify which security solutions are the most important to secure remote employees, which security solutions have already been deployed within their organizations, and which areas they plan to invest in over the next 24 months. The results are uneven and show that organizations have much room for improvement in how they protect their remote workforce. While the top priority was network access control, only 58% said they have deployed network access control. In fact, only half of the respondents in the survey said they have implemented some of the fundamentals, such as installing antivirus on corporate devices (62%), enabling multifactor authentication (59%), and setting up a secure web gateway (53%). Barely half of the organizations have VPNs (51%) or require employees to run a firewall on personal devices (48%) despite the fact that they both were included in the list of 10 most important security technologies to protect remote workers.

Interestingly, those who have had a breach that can be attributed to a remote employee are more likely to be investing in antivirus for corporate devices, virtual private networks, secure access service edge, SD-WAN, and zero-trust network access. However, the report suggests that organizations are still figuring out what kind of protection to provide.

Not many organizations have deployed advanced security controls, such as zero trust networks (29%) or extended detection and response (XDR), but the interest in implementing them is high, at 72% and 79%, respectively. The fact that 92% of the respondents said they have plans to implement VPN in the next two years is a sign of just how far organizations have to go.

Orgs Have a Long Way to Go in Securing Remote Workforce

**BENGALURU, March 10 –** CloudSEK researchers have detected an increase of 200-300% month-on-month in YouTube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions since November 2022.

These videos pretend to be tutorials on downloading cracked versions of licensed software, such as Adobe Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and others, available only to paid users.

Threat actors are using various tactics to spread the malicious software, including screen recordings, audio walkthroughs, and, more recently, AI-generated personas, which appear more trustworthy and familiar to users.

AI-generated videos featuring synthetic personas are on the rise, used in various languages and platforms for recruitment, education, and promotional purposes. Unfortunately, threat actors have also adopted this tactic. **(****For More Information Check Full Report****)**

Infostealers are malicious software designed to steal sensitive information from computers, such as passwords, credit card information, bank account numbers, and other confidential data. Infostealers are spread via malicious downloads, fake websites, and YouTube tutorials. They infiltrate systems and steal information, which is uploaded to the attacker's Command and Control server.

YouTube is a popular platform with over 2.5 billion active monthly users, making it an easy target for threat actors. CloudSEK has observed a 2 to 3 times month-on-month increase in the number of videos spreading stealer malware on YouTube. Threat actors use a variety of tactics to deceive the platform's algorithm and review process, such as using region-specific tags, adding fake comments to give the videos legitimacy, and frequent video uploads to compensate for deleted or taken-down videos. **(****For Detailed Analysis Check Full Report)**

“The threat of infostealers is rapidly evolving and becoming more sophisticated, leaving users vulnerable to devastating consequences. In a concerning trend, these threat actors are now utilizing AI-generated videos to amplify their reach, and YouTube has become a convenient platform for their distribution. As a result, it is absolutely critical that users exercise extreme caution when downloading software and avoid any suspicious links or videos at all costs,”said Pavan Karthick, a CloudSEK researcher.

**Automated and Frequent Video Uploads of Malicious Content on YouTube**

CloudSEK research shows that 5-10 crack software download videos with malicious links are uploaded to YouTube every hour. The videos contain deceptive tactics that mislead users into downloading malware, making it challenging for the YouTube algorithm to identify and remove them.

**SEO Optimization using Region-Specific Tags and Obfuscated Links**

The threat actors use SEO optimization with region-specific tags and obfuscated links to make these malicious videos appear more credible. Using random keywords in different languages, the YouTube algorithm recommends the videos, making them more accessible to users. Additionally, URL shorteners and links to file hosting platforms, such as bit.ly, and cutt.lymediafire.com, make it difficult for users to detect malicious links.

**Fake Comments and AI-generated Videos**

The threat actors also add fake comments to give the legitimacy of the video. These comments trick users into believing the malware is legitimate. Moreover, using AI-generated videos featuring personas that appear more familiar and trustworthy is a growing trend among threat actors.

**The Way Forward**

Traditional string-based rules will prove ineffective against malware that dynamically generates strings and/or uses encrypted strings. Therefore, organizations need to adopt adaptive threat monitoring to address constantly changing threats. Closely monitoring threat actors' tactics, techniques, and procedures is crucial to identifying potential threats. It is also essential to conduct awareness campaigns and equip users to detect and prevent potential threats. Additionally, users should enable multi-factor authentication, refrain from clicking on unknown links and emails, and avoid downloading or using pirated software.

**About CloudSEK**

CloudSEK is a contextual AI company that predicts Cyber Threats. Our Cloud SaaS platform constantly seeks security solutions for our customers’ digital risks.

To learn more about how CloudSEK can strengthen your external security posture and deliver value from Day One, visit https://cloudsek.com/ or drop a note to \[email protected\].

200-300% Increase in AI-Generated YouTube Videos to Spread Stealer Malware

The implosion of Silicon Valley Bank will impact investors, startups, and enterprise customers as they become more cautious over the near term, security experts say.

Last week's stunning collapse of Silicon Valley Bank (SVB) could put a damper on the ability of venture-backed cybersecurity startups to secure vital capital for operations and strategic investments.

Security experts perceive that even the US government's swift move over the weekend to protect SVB customer deposits will likely do little to tamp down the uncertainly that the bank's sudden exit has caused.

**Younger Startups Will Feel the Brunt**

"Financial support in the form of lines of credit and venture debt is going to become much more difficult \[for startups\] to come by," says Rob Ackerman, founder and managing director of AllegisCyber Capital. "SVB was the leading source of that financing and with them gone, the slope of the hill for young startups just became that much more difficult."

SVB was, until the middle last week, the 16th largest bank in the US with assets of more than $200 billion and total deposits of some $175 billion. Its troubles began March 8 when the bank, in a midquarter update, announced that it had lost $1.8 billion from the sale of US treasuries and mortgage-backed securities that it had purchased heavily in recent years. On the same day, SVB announced plans to raise $2.25 billion via public offering to pay customers seeking to withdraw their deposits from the bank.

The news triggered a near immediate run on the institution, as spooked investors and customers withdrew a staggering $42 billion from the bank in a 24-hour period — leaving SVB with a negative balance of $958 million by close of business March 9. A day later, on Friday, March 10, federal regulators declared the bank insolvent and seized its deposits, signaling the biggest banking failure since the collapse of Lehman Brothers in 2008.

**Containing the Damage**

Over the weekend, the Federal Deposit Insurance Corporation (FDIC) as receiver created a new entity called the Deposit Insurance National Bank of Santa Clara (DINB) and transferred all of SVB's deposits to it. On March 12, a US government scrambling to prevent a broad meltdown across the banking sector quickly announced that depositors would have full access to all of their money at SVB starting Monday, March 13. In a statement, Secretary of the Treasury Janet Yellen said the government would extend the same exception for customers of Signature Bank of New York, which also went insolvent over the weekend.

Analysts see SVB's failure as taking an especially heavy toll on the technology sector. "SVB was a foundational cornerstone of the financing ecosystem for the innovation ecosystem, and the cybersecurity industry is no exception," Ackerman says. "They were arguably more influential than any other single player to the growth and success of tech startups."

Virtually every venture firm was engaged with SVB at some level — be it the venture firms themselves banking at SVB, or their portfolio companies. And within the security community, they were vital to the banking and financing needs of the sector in the US, Israel, and the UK, Ackerman says.

**A Revaluation of Investment Practices?**

Richard Stiennon, chief research analyst at IT-Harvest, says public reports show that some 500 cybersecurity vendors banked with SVB — a not-surprising number considering there are 640 cybersecurity firms just in California alone. The move by federal regulators to ensure that SVB customer deposits remained untouched has relieved some of the early anxiety over the failure when many cybersecurity firms faced the real prospect of being unable to make payroll. 

"The VCs that were locked out of their accounts on Friday spent a long weekend trying to save their portfolio companies, while their own funds were unavailable," Stiennon says.

That experience will likely leave them reevaluating their practices. "I fully expect a death in new investments in cybersecurity," Stiennon tells Dark Reading. Cybersecurity investment activity in the first two months of 2023 has already been low; at just $1.7 billion so far, it's back at 2020 levels. 

"Companies, which were raising to extend runways, will either have dramatic down rounds or actually have to shut down," he says. Limited partners, or the investors who back VC initiatives, are going to be reluctant to put more money into funds. And with the generous venture funding that was available only through SVB now gone, startups have three options, he says. They have to either find a way to become profitable, significantly cut costs, or find a new funding source.

"Companies with good technology and good teams may be snapped up by strategic investors at rock-bottom valuations," Stiennon notes. "Private equity firms will have a unique opportunity to snap up some good companies."

**Spreading the Financial Risk**

Expect to see VC firms and their portfolio companies diversify where they hold their deposits, Ackerman adds. Increasingly, they are going to be looking for the security offered by much larger financial institutions — which, however, are unlikely going to be as supportive or as understanding of the requirements of innovative cybersecurity firms, he notes.

Analysts also expect that the SVB debacle will have an impact on how and from where enterprise organizations source their cybersecurity requirements, at least in the short term. SVB's failure has drawn attention to the risks associated with buying from startups and many are going to be looking for the security that more established, mature organizations offer.

"I'd expect procurement teams to introduce more hurdles in the due diligence process of earlier-stage vendors to understand the underlying resilience of the cybersecurity vendors' financial ecosystem," Forrester analyst Jeff Pollard tells Dark Reading. Enterprise procurement staff are going to want to know more about the concentration risk and resilience of their vendor's banking processes, he adds. And they will likely need reassurances that if a similar scenario plays out again, their early vendor can continue to make payroll or pay critical suppliers for a specific period of time.

Also, cybersecurity startups will increasingly look to bank with more than one entity to spread risk. "The problem with that is many startups worked with SVB because SVB made it easy for startups to work with them," Pollard says. 

Now startups are going to have a hard time working with other banks, because cyber startups tend to have more volatility in their cash flows, he notes. "In addition, many founders may not be US citizens which can create its own set of issues when trying to establish accounts."

SVB Meltdown: What It Means for Cybersecurity Startups' Access to Capital

AT&T, PayPal, and Microsoft top the list of domains that victims visit following a link in a phishing email, as firms fight to prevent fraud and credential harvesting.

Credential-seeking cyberattackers garnered the most phishing success by impersonating the brands of telecommunications firms, financial institutions, and popular technology companies in 2022.

That's according to an analysis of data collected by Internet services provider Cloudflare, which found that Individuals most often clicked on links in emails that appeared to come from AT&T and Verizon, PayPal and Wells Fargo, or Microsoft and Facebook. The rankings did not align with popularity — the Internal Revenue Service ranked No. 6 — but rather with the size of the brand's user base and the relative opportunity to turn compromise into cash, says Matthew Prince, CEO and co-founder of Cloudflare.

"We're seeing up and down the brand list, from the largest and most risky down to the smallest, that phishing is not going away as a problem," Prince says. "Email still continues to be the No. 1 entry point for an attacker \[and\] phishing still continues to be the No. 1 threat for almost all of our customers."

In addition, attackers are increasingly using phishing in an attempt to steal credentials from privileged employees and gain access to corporate networks, he says.

Cloudflare is not the only organization to see phishing as a threat, of course. In 2022, more than 300,000 complaints of phishing attacks flooded the FBI's Internet Crime Complaint Center (IC3), slightly down from the peak in 2021 of nearly 324,000 complaints, but a 162% increase from three years ago. The numbers do not include business email compromise (BEC) and investment scams, the most damaging types of attacks, both of which typically have a targeted phishing component.

The phishing problem can be more problematic on mobile devices, since attackers are harder to spot in most mobile mail clients. In 2022, mobile phishing encounter rates — a measure of the number of phishing attempts the average user receives — increased roughly 10% for enterprise devices and more than 20% for personal devices, according to mobile-device management firm Lookout. Overall, half of mobile users faced a phishing attack at some point in 2022, the company stated in its recent "State of Mobile Phishing in 2023" report.

**An Often-Ignored Threat**

Most users have become inured to the fake emails using known brands to attempt to harvest credentials as the first step in an account compromise. Yet the deluge of disguised emails do have the occasional success, which makes the effort worth the attackers' time and mean that they remain the most common cause of data breaches.

Cloudflare used data from its domain name service (DNS) resolver to find the known phishing URLs that were most often visited by users, with visits to common hosting sites, such as Google and GoDaddy, removed from the data if the site could not be confirmed to be fraudulent.

It's not an indication of a successful phishing attack, but the top-50 list does show which emails overcome the recipient's initial skepticism, Cloudflare's Prince says.

"There are plenty of phishing scams where you might get something and say — 'Is this legitimate?' — so you might click on that link," he says. "It's at least the start down a journey of success; it doesn't mean that somebody necessarily entered their credentials, or even, if they entered information, that they entered accurate information."

Last August, Cloudflare detected a sophisticated phishing attack against the company, the same attack that compromised customer-data platform Twilio and more than 100 other companies, dubbed "Oktapus" for its targeting of the identity firm Okta.

Most recently, a phishing email sent to a Reddit employee led to a cloned gateway for the company and allowed an attacker to gain access to the social media site's internal network for a few hours.

**The Long Tail of Phish**

The top-50 list represents typical targets of credential stealing campaigns, and while there is a significant difference in volume between the start and the end of the list, smaller companies and the much lower volume of phishing directed against their brands result in a very long tailed distribution, Prince says.

Attackers tend to see phishing directed against brands in the top 50 as a way to steal money, packages, or valuable information from accounts, while the long-tail phishing tends to focus on gaining access for further compromise, Prince says. The first 10 companies on the list are AT&T, PayPal, Microsoft, DHL, Facebook, the IRS, Oath Holdings/Verizon, Mitsubishi UFJ NICOS, Adobe, and Amazon. The final five companies on the list are Banco Itaú Unibanco, Steam, Swisscom, LexisNexis, and Orange S.A.

"In most of these cases, when it's in the top-50 list, it's about how an attacker can gain access to an account to, in relatively short order, do something that generates cash for the attacker," he says. "I think that when we look at some of the more targeted attacks, those \[that\] are much more about compromising systems, they then can be used more indirectly to launch some sort of attack."

Brand Names in Finance, Telecom, Tech Lead Successful Phishing Lures

Campaign demonstrates the DPRK-backed cyberattackers are gaining tools to avoid EDR tools.

North Korean advanced persistent threat (APT) group Lazarus (aka UNC290) has been targeting security researchers with a phishing campaign via LinkedIn since last June.

Mandiant reported that the phishing attacks started against a US-based tech company, and noted the threat actors were using three new code families — Touchmove, Sideshow, and Touchshift — in their activities.

Posing as recruiters on LinkedIn, the group works to earn a victim's trust, and it then convinces them engage on WhatsApp or by email, where they can send a malware dropper, Mandiant explained.

"Following the identification of this campaign, Mandiant responded to multiple UNC2970 intrusions targeting US and European media organizations through spear-phishing that used a job recruitment theme and demonstrated advancements in the groups ability to operate in cloud environments and against endpoint detection and response (EDR) tools," Mandiant said about the emerging phishing campaign.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading