**LOS ALTOS, Calif.****,** **Feb. 7, 2023** **/PRNewswire/ --** Contrast Security (Contrast), the code security platform built for developers and trusted by security, today released its Cyber Bank Heists report, an annual report that exposes the cybersecurity threats facing the financial sector.

Authored by Contrast's Senior Vice President of Cyber Strategy Tom Kellermann, the report is a warning to global financial institutions (FIs) that security must be a top-of-mind issue amid rising geopolitical tensions, increased destructive attacks utilizing wipers and a record-breaking year of zero-day exploits. Financial sector security leaders from around the world - in a series of interviews - revealed specific trends when it comes to notable cyberattacks, e-fraud and cyber defense. Some of the most eye-opening results from the report include:

*   60% were victimized by destructive attacks
*   64% saw an increase in application attacks, while 50% experienced attacks against their APIs
*   48% experienced an increase in wire transfer fraud
*   50% have detected campaigns to steal non-public market information
*   54% of the banks were most concerned with the cyber threat posed by Russia
*   72% plan to invest more in application security in 2023

"The increase of online threats, phishing, ransomware attacks, account takeovers and business email compromises impacting the financial sector is growing every day and we can see in real-time the damage this is doing to the longevity of businesses and the impact it's having on our economy," said Derek Booth, Assistant to the Special-Agent-in-Charge, U.S. Secret Service and Head of the Mountain West Cyber Fraud Task Force. "I applaud Tom Kellermann for speaking with some of the most influential people within the sector to determine solutions that can better protect FIs against vulnerabilities in banks and methods of commerce through industry-wide transparency."

"The complexity of securing financial digital systems and the need to develop new ways to guard against sophisticated cyberattacks has increased exponentially in the last year. In response, FIs are fighting to evolve and create more effective prevention, detection and response to these damaging attacks," said Booth.

"Cybersecurity can no longer be viewed as an expense but rather a functionality of conducting business. Trust and confidence in the safety of FIs depend on effectively mitigating and responding to cyberattacks," said Kellermann.

The report provides helpful guidance, and specific defensive countermeasures to defend against growing cybercrime conspiracies and cyberespionage including:

1.  Deploy intelligent runtime protection
2.  Conduct weekly threat hunting
3.  Deploy AppSec for serverless platforms
4.  Defend your APIs
5.  Add a cybersecurity specialist to your board

"The financial sector needs to shift its thinking when it comes to attacks, as geo-political tensions manifest via cyberattacks. Cybercrime cartels are modernizing their criminal conspiracies so as to steal non-market information and destroy the integrity of sensitive data within financial institutions," said Kellermann. "This is no longer a question of duty of care but rather a duty of loyalty to the digital safety of customers. That is why the Cyber Bank Heists report not only highlights these trends but depicts countermeasures that can help institutions defend from within."

Booth will be joining Kellermann for a LinkedIn Live roundtable discussion at 9:00am PST on Tuesday, February 7 and a live webinar at 9:00am PST on Thursday, February 23 to discuss their reactions to the report and the financial security risks impacting organizations this year. Contrast also published a three-part blog series that dives deeper into cyberattack trends, e-fraud, and defensive shifts. 

To download the Cyber Bank Heists report, please visit https://www.contrastsecurity.com/cyberbankheistsreport. FIs can also request a demo of Contrast's financial capabilities by visiting https://www.contrastsecurity.com/solutions/financial-services. 

**About Cyber Bank Heists report:** 

Authored by Contrast's Senior Vice President of Cyber Strategy Tom Kellermann, the annual Cyber Bank Heist report includes findings from interviews conducted with global financial sector leaders focusing on the current state of security threats and the defensive shifts made by cybercriminals. The report provides an analysis of geopolitical tensions, destructive attacks and zero-day exploits from the previous year. It also offers specific defensive countermeasures that should be employed by FIs to protect against growing cybercrime conspiracies and cyberespionage. To learn more about the annual Cyber Bank Heists report, please visit https://www.contrastsecurity.com/cyberbankheistsreport.

**About the Author Tom Kellermann:** 

Tom Kellermann is the Senior Vice President of Cyber Strategy at Contrast Security, Inc. Previously, Tom held the positions of Head of Cybersecurity Strategy for VMware, Inc. and Chief Cybersecurity Officer for Carbon Black, Inc., wherein he authored the "Modern Bank Heist report" for the past five years. In 2020, he was appointed to the Cyber Investigation Advisory Board for the United States Secret Service. On Jan. 19, 2017, Tom was appointed the Wilson Center's Global Fellow for Cybersecurity Policy. Tom previously held the positions of Chief Cybersecurity Officer for Trend Micro, Inc., Vice President of Security for Core Security and Deputy CISO for the World Bank Treasury. In 2008, Tom was appointed a commissioner on the Center for Strategic & International Studies' (CSIS') Commission on Cyber Security for the 44th President of the United States. In 2003, he co-authored the Book "Electronic Safety and Soundness: Securing Finance in a New Age."

**About Contrast Security (Contrast):**

A world leading code security platform company purposely built for developers to get secure code moving swiftly and trusted by security teams to protect business applications. Developers, security and operations teams quickly secure code across the complete software development life cycle (SDLC) with Contrast to protect against today's targeted application security (AppSec) attacks. Contrast also makes security testing available to all developers for free with CodeSec.

Founded in 2014 by cybersecurity industry veterans, Contrast was established to replace legacy AppSec solutions that cannot protect modern enterprises. With today's pressures to develop business applications at increasingly rapid paces, the Contrast Secure Code Platform defends and protects against full classes of common vulnerabilities and exposures (CVEs). This allows security teams to avoid spending time on focusing false positives and remediate true vulnerabilities faster. Contrast's platform solutions for code assessment, testing, protection, serverless, supply chain, APIs and languages help enterprises achieve true DevSecOps transformation and compliance.

Contrast protects against major cybersecurity attacks for its customer base which represents some of the largest brand-name companies in the world, including BMW, AXA, Zurich, NTT, SOMPO Japan and American Red Cross, as well as numerous other leading global Fortune 500 enterprises. Contrast partners with global organizations such as AWS, Microsoft, IBM Cloud, Guidepoint Security, Trace3, Deloitte and Carahsoft, to seamlessly integrate and achieve the highest level of security for customers.

The growing demand for the world's only platform for code security has landed the company on some of the most prestigious lists including the Inc. 5000 List of America's Fastest Growing Companies and has designated Contrast as one of the fastest growing companies on the Deloitte Technology Fast 500 List.

Financial Institutions Are Suffering From Increasingly Sophisticated Cyberattacks, According to Contrast Security

**SANTA CLARA, Calif.****,** **Feb. 7, 2023** **/PRNewswire/ --** Valtix, the industry's first multi-cloud network security platform as a service, today announced findings from its 2023 Multi-cloud Security Report, which found that 95% of companies are pushing toward a multi-cloud environment, but only 58% believe they have the security architecture to support it. Respondents in the survey of more than 200 U.S. IT leaders cited complexities, gaps and other challenges between the overall strategy and the infrastructure they ultimately create.

The survey found that multi-cloud activity continues to rise with 93% of respondents currently having workloads and data on more than one cloud. Of those not yet in a multi-cloud environment, a full 94% expect to be multi-cloud within 12 months. Companies are embracing multi-cloud twice as fast this year compared to Valtix's year-ago survey. At that time, only 62% of organizations were multi-cloud, with 84% expecting to get there within two years.

"Multi-cloud continues as a strategic priority for most organizations in 2023—yet it also remains a concern for nearly all organizations," said Vishal Jain, co-founder and CEO of Valtix. "Very few companies have the tech, talent and confidence they need to put in place a comprehensive security infrastructure across multiple clouds. While many companies are still unintentional in their cloud choice, leaders are increasingly looking for proactive ways to leverage multi-cloud to benefit the business."

According to the survey, organizations cited several 'unintentional' factors that have accelerated their journey to a multi-cloud environment, including (1) shadow IT (51%), (2) different ISVs that support different clouds (48%), and (3) mergers and acquisitions (47%).

Even as adoption accelerates, 28% of IT leaders surveyed strongly believe multi-cloud is a "bad idea," citing issues such as (1) difficult to consistently secure (38%), lack multi-cloud security and management tools (35%) and (3) lack of multi-cloud reference architectures (32%). Only 57% of IT leaders are sure that multi-cloud security is achievable with current resources and technology, but admit they need to embrace it anyway, as 95% consider multi-cloud a "strategic priority" this year.

**Other findings:**

*   **Cloud Service Providers (CSPs) fail to define portability standards:** As businesses increasingly leverage CSPs for this cloud transformation, IT leaders surveyed were not hopeful CSPs will define portability standards anytime soon. A full 97% of IT leaders believe that CSPs should help define standards to enable better multi-cloud portability. However, 58% surveyed believe security standardization in a multi-cloud environment is a 'myth' and never achievable. Nearly all (90%) of organizations surveyed evaluate third-party security technology in addition to the security tools CSPs provide.
*   **Multi-cloud is a budgetary drain:** Managing multiple distinct security architectures with multi-cloud security is prohibitively expensive for 86% of organizations.
*   **The rise of the cloud security architect:** The Cloud Security Architect is growing as a common role with 86% of organizations currently employing an in-house cloud security architect. Moreover, 89% of organizations require every cloud project to adhere to a cloud security reference architecture.
*   **Cloud security posture management viewed as a commodity:** 67% of IT leaders view CSPM technology provided by the cloud providers as being critical to their success. Only 53% of organizations are looking to make a new CSPM technology investment in 2023.

A complimentary copy of the full report can be downloaded at https://valtix.com/lp/2023-multi-cloud-security-report/.

Follow Valtix on Twitter and LinkedIn to learn more.

**About the Survey**

Valtix commissioned an independent research firm to survey 200 IT leaders in the US about the problems they face with multi-cloud security, the tools they're using, the tools they want to use in the future, and the skills they need to scale and secure on multiple cloud platforms. The survey, which was conducted in January 2023, used a random sample of US IT leaders and has a margin of error of +/- 6.9% at the 95% confidence level.

**About Valtix**

Valtix is on a mission to protect every workload, every app architecture, across every cloud. Deployable in just 5 minutes, Valtix was built to combine robust multi-cloud security with cloud-first simplicity and on-demand scale. Powered by a cloud-native architecture, Valtix provides an innovative approach to cloud network security called Dynamic Multi-Cloud Policy™, which links continuous visibility with advanced security controls. The result: security that is more effective, adaptable to change, and aligned to cloud agility requirements. Join 4 of the top 10 pharmaceuticals and leaders across every industry – sign up free in minutes.

Valtix Survey: 95% of Organizations Say Multi-cloud Is a 'Strategic Priority' but Only 58% Have the Security Architecture to Support It

**NEW YORK****,** **Feb. 7, 2023** **/PRNewswire/ --** DataDome, the global leader in advanced bot and online fraud management, today released its inaugural "E-Commerce Holiday Bot & Online Fraud Report" which analyzes bot traffic during fraudsters' busiest time of year – the holiday season. The study identifies and quantifies the proliferation of bots, aggregating and analyzing traffic data of more than 110 billion requests made in Q4, 2022 across a range of e-commerce sites DataDome protects.

"During flash sales events such as Black Friday and Cyber Monday, e-commerce platforms typically face at least five times - and sometimes up to 30 times - more bot attacks than on normal days," said Benjamin Fabre, CEO & Co-Founder of DataDome. "As bad bots become more sophisticated and difficult to thwart, staying ahead of them is imperative. This holds true particularly during flash sales and the busy holiday season, when the impact of these attacks is maximized."

DataDome analyzed the website, mobile app and API traffic of e-commerce businesses it protects, across clothing, footwear, ticket, and electronic retail among other companies located in the United States, Europe, Australia, and Asia. Key observations from the report include:

*   The United States **was the #1 direct source of bot attacks.** The US generated 10 times the number of bot attacks compared to China, the second country of origin for the most bot attacks against online retailers and e-commerce platforms during this period. Attackers tend to choose IP addresses/proxies located in the same country as the website they target in order to appear more human and bypass traditional geo-blocking techniques. Many of the e-commerce sites DataDome protects are in the US, which helps explain why so many attacks appear to have originated from the US.
*   **E-commerce bots are becoming increasingly sophisticated in their ability to mimic human behavior and bypass basic security tools.** The availability of high-quality proxies has made it easy for attackers to leverage IPs from the home location of their target business. And attackers paid premium prices for ISP proxies, proving both the increasing ROI of online fraud, especially scalping, around Black Friday and other limited sales, and the effectiveness of ISP proxies in helping cybercriminals avoid detection by more basic bot mitigation tools and web application firewalls (WAFs).
*   **98% of the attacks were from scraping and scalping bots:** Numbering in the billions, scraping bots, considered a gateway automated threat that often leads to more aggressive and damaging attacks, were used to test the availability of products and target the limited infrastructure resources during the busy holiday season. Scalping attacks followed, as fraudsters tried to snag as much inventory as possible to resell for profit later.
*   **Some industries saw more impact than others:** Industries that saw the most bot traffic include clothing & footwear and electronic goods—especially hot ticket items, such as gaming consoles and luxury or limited edition merchandise. The biggest attack DataDome observed in Q4 2022 targeted a large US retailer with ~66M malicious bot requests in less than two hours.

"Fraudsters are getting easier access to more sophisticated bots and technology every day. As the ease and ROI of online fraud increase, so do the frequency and intensity of bot attacks," said Antoine Vastel, PhD, Head of Research at DataDome. "Yesterday's basic bot mitigation measures are no match against today's evolving threats—especially bots that use ISP proxies and machine learning to mimic human behavior. Now more than ever, it is critical that retailers protect all endpoints from attacks, as threats target the weakest link in their infrastructures."

The full research report, "E-Commerce Holiday Bot & Online Fraud," is available here. On February 16, 2023 at 12:00p EST, DataDome's Head of Research will host a webinar that dives into the report's findings.

For more information about DataDome's fraud detection and prevention, visit www.datadome.co/.

**About DataDome**

DataDome's bot and online fraud protection detects and mitigates attacks with unparalleled accuracy and zero compromise. Our machine learning solution analyzes 1 trillion data points per day to adapt to new threats in real time. Our 24/7 SOC experts protect hundreds of high-profile brands worldwide, including Reddit, Patreon, and AngelList. A force multiplier for IT security teams, DataDome is fully transparent, easy to deploy, and frictionless for consumers. In 2022, DataDome was named a Strong Performer in the Forrester Wave: Bot Management and ranked the top G2 Leader in Bot Detection & Mitigation for Fall 2022 and Winter 2023.

SOURCE DataDome

DataDome's Inaugural E-Commerce Holiday Bot & Online Fraud Report Reveals the U.S. as the Top Source of Bot Attacks

Security pros need to look beyond user education to find and disarm fraudulent actors.

The new year celebrations are behind us, and most of us have returned to our daily routines. This is as good a reminder as any that the spring scam season — or rather, tax season — is nearly here.

In all seriousness, the opening of the tax season most often brings with it a new crop of scams to defraud honest, hard-working people.

Of course, it is not just tax season that heralds scams. Nearly all big events, whether they are natural disasters, health crises, economic downturns, major sporting events, or otherwise, seem to bring with them their fair share of scams. Educating our end users as to the dangers of these scams and the potential for fraud losses is necessary but woefully insufficient.

But enterprises need to do even more to effectively combat scams. They need to protect their end users in ways that are not dependent on the end user themselves. Simply put, enterprises cannot rely solely on educating end users to reduce fraud losses.

Though there are undoubtedly numerous ways in which enterprises can combat scams, I'd like to discuss five techniques that enterprises can use to help avoid fraud losses resulting from scams.

**1\. Incorporating the User Layer**

It may sound radical, but the first step to combatting scams is accepting that a certain percentage of them will succeed against end users. Only when enterprises embrace this idea can they begin to reduce fraud losses resulting from scams. If we assume that a certain number of end users will be scammers and/or fraudsters that have taken over or otherwise compromised a legitimate end user's account, that allows us to understand that we need to look at the user layer.

In other words, we need insight into user behavior, device information, and network/environment information in order to add important context and enrich our understanding of who might be interacting with our online application. We can look for unusual activity, suspicious behavioral patterns, and strange device, network, and environment information that might help us realize that it is not the legitimate user who is interacting with the application. That can tip us off to when a legitimate end user has fallen prey to a scam.

**2\. Reducing Noise**

Say that an enterprise needs to look at 50, 100, or 200 suspicious events in a given day — including scam-related events. If those events are found in a work queue of 500 or 1,000 events, this is doable. If, on the other hand, those events are buried in a pile of noise and false positives numbering in the hundreds of thousands or even millions, this is considerably more challenging. Thus, an important component to combatting scams is to get them noticed in the first place.

In other words, it is important to significantly reduce the amount of noise and the volume of false positives that the fraud team needs to wrestle with on a daily basis.

**3\. Tightening Logic**

Related to the above point, a key reason for overabundance of false positives is alert logic that is not tight enough or precise enough. By incorporating the user layer, more precise logic, and more analytically clever rules, enterprises can significantly reduce the volume of false positives and noise that they must contend with. Tightening alert logic is a very effective way to increase the chances that scams will be detected before significant fraud losses have been incurred.

**4\. Performing Post-Transaction Analysis**

It is often the case that enterprises focus on real-time or near-real-time fraud detection and mitigation. This is, of course, extremely important and a noble goal. It would be naive, however, to believe that we are not overlooking or missing significant fraud losses that we are unable to detect in real time.

Analyzing data post-transaction — or "offline," if you will — allows us to identify suspicious or unusual activity that may be buried deep in the data. This allows us to identify reliable patterns, including around scams, that we can turn into real-time or near-real-time detection. This improves our fraud detection capabilities as a whole and helps us to reduce our risk of fraud losses.

**5\. Studying Behavioral Patterns**

An important part of post-transaction analysis that is worth mentioning separately is the study of behavioral patterns. As alluded to above, as careful as scammers and fraudsters try to be, they often leave clues behind that can help us detect that it is them and not the legitimate end user interacting with the online application.

The subtler the clues, the more important it is to study behavioral patterns in depth. Doing so can facilitate the discovery of fraudster "tells" that we can then leverage to more accurately detect scams.

While end-user education is necessary to limiting scam-related fraud losses, it is not sufficient. To truly tackle the scam problem, enterprises must embrace a variety of approaches, some of them outside of the box of conventional wisdom. The investment is most often worth it, however, as it can yield results in the form of significantly reduced fraud losses.

5 Ways to Survive Scam Season — or Rather, Tax Season

Three ways to stay safe in an economically uncertain 2023.

Last month, a Wall Street Journal article highlighted how chief information security officers (CISOs) will increasingly see budgets constrained based on the growing economic uncertainty facing companies in 2023. So, how should CISOs manage through this uncertainty? Let's start by acknowledging several planning constraints:

*   **Regulatory expectations** are nonnegotiable for corporate resourcing purposes and are likely to increase. New time-bound incident reporting regulations for public companies and critical infrastructure operators are pending, and the Biden administration's soon-to-be-released National Cybersecurity Strategy is likely to call for fuller use of existing regulatory authorities across sectors.
*   **Threat actors** are as active as ever and increasingly looking to identify and exploit weaknesses in core security technologies intended to defend us. The recent acknowledgment of source code theft at Okta, a leading provider of cloud-based multifactor authentication and single sign-on solutions, as well as the breach at password manager LastPass, put this in larger relief.
*   Given the **rapid proliferation of software across technology environments**, it is practically impossible for most organizations to ensure that all systems are fully hardened and patched.

Given these constraints, here are three steps that could help better optimize cybersecurity investments in a constrained spending environment:

**1\.** **Shine a light on underlying business and technology complexity.** Variances in the number of systems, applications, privileged users, third parties, employee attrition, and geographic presence all influence risk and what's required to defend an organization. Indeed, recent research by IBM Security highlights how increasing complexity (e.g., cloud migrations, third-party involvement, etc.) has tended to amplify incident response costs. It's foolhardy to impose limits on security spending without also considering whether at the same time, we are reducing complexity in the underlying business and technology environment that CISOs are being asked to defend. Measuring changes in the complexity of the underlying "attack surface" — that is, the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from — should be a precondition to considering adjustments or restraints on cybersecurity resources.

**2\.** **Prioritize threat-informed defenses.** Cost constraints put a premium on prioritizing defenses based on behaviors that adversaries are known to use and critical software systems they are likely to target (including, but not limited to, identity and access management systems noted above). MITRE's ATT&CK framework not only comprehensively maps out threats and how they link to specific mitigations and detections — many of these mitigations and detections are achievable through technologies already in place, particularly as infrastructure providers incorporate security features into their offerings. Investing in defenses against prevalent threats can provide outsized risk reduction benefit. The Cybersecurity and Infrastructure Security Agency (CISA) recently released a set of Cybersecurity Performance Goals intended to "help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small and medium-sized organizations kickstart their cybersecurity efforts." Each of the goals is mapped to specific MITRE threat techniques.

As important, companies should invest at least some resources in validating that the controls theoretically in place are there in practice and operating as intended. CISA, the FBI, and the NSA jointly issued guidance last fall where they "recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory." Too often, we see incidents where the initial access was achieved through a misconfigured asset or undocumented security exception. Finally, the resilience aspect of threat-informed defense is critical: If a ransomware incident occurs, offline backups and up-to-date incident response plans will be key to minimizing damage.

**3\.** **Rationalize third-party risk management.** There are also several persistently vexing problems that no one organization can address and must instead be addressed at a sector or national level. Companies know that a cyber incident at a supplier can have cascading impacts on them, and they are increasingly mandating security audits and minimum baseline requirements as a condition of doing business. The problem is that there is no uniformity in this approach, leaving suppliers and customers to sort through a morass of requirements and attestations, which require more and more personnel resources to manage. Indeed "assessors" are increasingly becoming "assessees" when they are subjected to cyber-insurance renewal reviews. Sectorwide approaches are needed to bring greater uniformity to standards, reducing third-party compliance complexity and enabling repurposing of investment to threat-informed defense.

While many of these steps must be accomplished within the private sector, the federal government can help advance these steps. First, as we think about increased regulatory activity, we can help manage additional financial burdens by ensuring alignment on control expectations (in a manner that is threat-informed) across regulatory agencies (and ideally with sister programs in allied foreign governments) — i.e., so that companies subject to multiple regulatory programs can focus on a consistent set of expectations. Second, we should consider not just how regulations can penalize companies that fail to live up to expectations, but also how they can reward companies to go beyond them. Finally, by imposing standard baseline expectations and mechanisms for attestation across suppliers, as the federal government is trying to do with software security, we bring greater uniformity to third-party risk management.

Businesses are facing a highly complex business, technology, and threat environment. In a cost-constrained atmosphere, return on investment matters more than ever. We should thus be bringing as much accuracy as possible in how we align defenses to likely threats, and drive as much uniformity as we can in measuring cybersecurity performance in a transparent, accurate, and precise way.

Optimizing Cybersecurity Investments in a Constrained Spending Environment

New tech often requires new thinking — but that's harder to install.

Here's a provocative question: Is it possible, given the vast array of security threats today, to have too many security tools?

The answer is: You bet it's possible, if the tools aren't used the way they could be and should be. And all too often, they aren't.

New tools introduce new possibilities. Conventional thinking about security in a particular context may no longer be applicable exactly because the tech is new. And even if conventional thinking is applicable, it may require some modification to get the best use out of the tools.

That's a real problem for security executives. And the more powerful, sophisticated, and game-changing security tools may be, the higher the odds this problem will apply.

This is frequently the case with zero trust, since it differs so much from traditional security. New adopters sometimes expect a more high-powered firewall, and that's fundamentally not what they get. They've decided to invest in next-generation capabilities, yet they begin with a perspective that is often last generation in character, and it really diminishes their ROI.

**It's the Response, Not the Request, That's Risky**

The traditional perspective on corporate Web access, for instance, says that, within a business context, some sites are good and some sites are bad. Examples of good sites include tech media, industry partners and competitors, and news services. Examples of bad sites include gambling, pornography, and P2P streaming.

The traditional response is to whitelist the good sites, blacklist the bad sites, and call it a day. Beyond the fact that this line of thinking can lead security teams to make hundreds of rules about which sites to block and which sites to allow, I'd like to suggest it misses the point.

Today, we know that optimized cybersecurity is not so much about the perceived _character_ or _subject matter_ of a site. It's more about what kind of threats may be coming from the site to the organization, and what kind of data is leaving the organization for the site. That means you're going to need new approaches to asking and answering questions in both categories, and that, in turn, means new tools and a new understanding.

This situation comes up in the context of content delivery networks (CDNs). They represent a huge fraction of all Internet traffic and, for the most part, it's true that the content they deliver will be innocuous as a security threat. That's why many security admins have set up rules to allow all traffic from such sources to proceed to corporate users on request.

But is it really wise simply to whitelist an entire CDN? How do you know some of the sites it serves up haven't been compromised and aren't a de facto attack vector?

Furthermore — and this is where it gets interesting — what if you actually have a tool so powerful and so fast that it can assess CDN content, in or in very close to real time, for its potential as a security threat before it reaches users? Wouldn't you be wise to _use_ that tool, if properly configured, as opposed to _not_ use it?

In this scenario, the old assumption that no tool could be that powerful and fast, which used to be true, is now false. It's no more valid than the old assumption that CDN-sourced content must inherently be safe.

So to implement this new and more sophisticated perspective on Web access, it's pretty clear more is required than simply implementing new tech (rolling out new tools). People will have to be trained in the tech's feature set and capabilities, and processes will have to be adjusted to take that new info into account. If that doesn't happen, security admins who are simply given new tech will not be getting the best use out of it. They will be, if you'll forgive the term, a fool with a tool.

**Stay On Top of Capabilities and Configurations**

Streamlining your vendor security stack is always preferable to bolting on new tools with niche functionality. Otherwise, chief information security officers (CISOs) may end up trying to secure a supply closet, not knowing which locks are actually in effect. Even so, this isn't a one-and-done responsibility.

Suppose, for instance, it selects one partner for the network security, another for endpoint security, and a third specifically for identity management. Suppose all three partners are genuinely top tier.

If the organization's people and processes don't understand and take full advantage of the partners' capabilities, those capabilities will not deliver total value, and the organization will not be as protected as it could be. The number of security tools has essentially been reduced to three great tools, but the security architecture still needs ongoing attention.

In the age of the cloud, updates and features are being pushed constantly. That means configuring a new security tool once and stepping away isn’t enough. Because new functions can disrupt a business's operations in ways unforeseeable to a vendor, they are often turned off by default when first released. To be their most effective, security tools must be reconfigured regularly.

I'll conclude with a common example I see frequently. Because botnets are a major ongoing problem, it's important to have some bot detection/bot blocking capabilities in place. This may take the form of monitoring logs for things like compromised endpoints, which command-and-control servers may try to contact to deliver instructions.

This is precisely the kind of information security managers should be thrilled to get.

But because many departments don't have the time or inclination to analyze their logs, they don't benefit from the information contained within them. As a result, compromised endpoints aren't cleaned and no forensics are conducted to learn how they were compromised in the first place.

This brings me to my bottom line: Keep your eyes open, understand what new tech and new partners can do and capitalize on it to the best effect. Your organization and career will both benefit.

Read more _Partner Perspectives_ with Zscaler.

A Fool With a Tool Is Still a Fool: A Cyber Take

Security teams can use a blocklist containing tens of thousands of proxy IP addresses used by the pro-Russian hacktivist group to defend their organizations from DDoS attacks.

SecurityScorecard has pulled together a list of proxy IP addresses used by KillNet to launch distributed denial-of-service attacks (DDoS) against various entities around the world over the past year.

KillNet has taken responsibility for DDoS attacks against US-based hospitals and airports, as well as financial and government organizations in Germany. The pro-Russian group is targeting countries supporting Ukraine, especially NATO countries.

In a DDoS attack, the attack group cause thousands of connection requests and packets to be sent to the targeted entity's server or website per minute. The attack is made possible by bots – compromised systems that are being harnessed by the attack group. The sheer volume and size of these requests and packets can slow down the targeted system or even overwhelm it to the point where it is no longer available.

In January, KillNet's attacks took websites for 14 hospitals offline; affected organizations included University of Michigan Hospitals and Health Centers, Stanford Hospital, Duke University, and Cedars-Sinai. Knocking websites offline for days or disrupting network connectivity can interfere with patient care: Patients may be prevented from scheduling appointments and doctors may be unable to send and receive health information online. Both the US Department of Health and Human Services (HHS) and the American Hospital Association released warnings that KillNet posed a threat to healthcare organizations.

"While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days," AHA said.

SecurityScorecard's blocklist, which lists tens of thousands of proxy IP addresses used by the hacktivists in previous DDoS attacks, can be particularly helpful for defenders at healthcare organizations. Security teams can use the list, which is regularly updated by SecurityScorecard's team of researchers, and deploy firewall rules to block malicious traffic from even entering the network. The list can also support network monitoring and investigations to identify and track attacker activities.

Right now, it is just DDoS attacks, but there is also the worry that other criminal groups – such as ransomware gangs – sharing KillNet's political views will join in to target these organizations.

"It is likely that pro-Russian ransomware groups or operators, such as those from the defunct Conti group, will heed KillNet's call and provide support," HHS warned. "This likely will result in entities KillNet targeted also being hit with ransomware or DDoS attacks as a means of extortion, a tactic several ransomware groups have used."

Cloudflare's analysis shows an increase in DDoS activity against healthcare organizations and that there may already be multiple threat actors acting on behalf of KillNet.

"The attacks observed by the Cloudflare global network do not show a clear indication that they are originating from a single botnet and the attack methods and sources seem to vary," Cloudflare said last week. "This could indicate the involvement of multiple threat actors acting on behalf of Killnet, or it could indicate a more sophisticated, coordinated attack."

Keeping KillNet at Bay: Use the IP Address Blocklist

**LOS ANGELES****,** **Feb. 6, 2023** **/PRNewswire/ --** After nearly a year of rulemaking and over 1,000 pages of public comments later, the country's first dedicated data privacy agency on Friday approved regulations aimed at giving consumers unprecedented control over their private data.

The California Privacy Protection Agency (CPPA) unanimously voted Feb. 3 to send its first rulemaking package to the Office of Administrative Law (OAL) for final approval. The board will submit the package within two weeks and OAL has 45 days to approve it. That means regulations for the amended California Consumer Privacy Act (CCPA) will be on the books in April. Following the deletion of some pro-consumer regulations, no further changes were made to the law after 450 pages of public comment.

"Personal data selling is an invisible economy that is used to track and profile us. Although the agency declined to make some important changes to the regulations, the public needs these regulations now more than ever in order to take control of what is theirs," said Justin Kloczko, Consumer Watchdog's privacy advocate. 

The law empowers consumers with rights to stop companies from abusing their personal information, including:

**The ability to opt-out of data being shared with third parties.** Many pointed out that the original version of the law was flawed because it only prevented the 'sale' of data, but not the data sharing that fuels the business model of many social media and advertising companies. The pipeline sending private data to third-parties is now cut.

**Consumers can now prevent the use of sensitive data by first parties**, including based on race, location, sexual orientation, health and religious beliefs. Businesses must allow people to exercise their privacy preferences through a global signal sent to them, and through a "Do not Share/Sell My Information" homepage button.

**The right to delete or correct inaccurate personal information a business has compiled**, and to notify third parties of requested changes. CPRA also expands deletion requests by mandating businesses notify third parties who have the data.

**Businesses also must provide a list of categories of sensitive information collected,** whether personal information is sold or shared, and the length of time the business intends to retain each category of personal information.

**Data use needs to be proportionate to the purpose.** A company can't use data for a reason that's completely unrelated to the reason the consumer provided it. For example, a flashlight app cannot use your geolocation for it to function.

Originally intended to meet a July 1, 2022 deadline, the regulations were pushed back a couple of times by the small staffed agency, which saw the departure of two board members. There have been no modifications to the regulations since the last public comment hearing in October.

"Four-hundred and fifty pages of comment were considered, and we determined no further changes were necessary," said Lisa Kim, legal counsel to the privacy board, during Friday's board meeting.

Those changes the agency declined to make included closing a 15-day window to delete personal information.

"Even when someone opts out, personal information will still be sold because businesses are granted a two-week grace period. Businesses should be forced to honor a person's opt-out request just as soon as they are able to sell your data, which privacy experts say is mere seconds," said Kloczko.

In its reasons for declining to eliminate the window, the board said the maximum 15-day window balances consumer opt-out rights with the burden of businesses processing those rights. It also said, "Further analysis is required to determine if a regulation on this issue is necessary." It seems likely the issue will be revisited in the future.

The board also deleted the requirement that the business identify the names of the third parties that control the collection of personal information. Consumers deserve to know directly from those who shared or sold their data who exactly will be handling their personal information.

The board also declined to revert to its previous regulation stating that a consumer's opt out choice be displayed. A business is not required to display on its website whether it has processed a consumer's choice to opt-out of sale/sharing personal information, leaving people in the dark about whether they have exercised their privacy rights.

Enforcement of the law begins July 1. The board will soon be taking comments for its next round of regulations dealing with risk assessments, audits, and automated decision-making.

SOURCE Consumer Watchdog

Consumer Watchdog Reports: CA Privacy Board OKs Landmark Personal Data Regulations, Some Key Protections Left Out

Cryptocurrency drainers are the latest hot ticket being used in a string of lucrative cyberattacks aimed at virtual currency investors.

There's a trendy new way to con cryptocurrency investors out of the contents of their wallets, no blockchain know-how required.

Threat actors are selling ready-made, spoofed crypto webpages to be served up as phishing lures, loaded with "crypto drainer" scripts that crack wallets and steal the balances in a snap.

In one instance, on a "top-tier Dark Web forum," according to researchers at Recorded Future, cybercrime group iSeeYou was offering a ready-to-use phishing page that when made live, purports to mint nonfungible tokens (NFTs). Instead, it deploys a crypto drainer that empties an unsuspecting victim's connected virtual currency wallet. And adding insult to injury, "once crypto wallets are compromised, no safeguards exist to prevent the theft of crypto assets," the researchers warned.

The gambit is easy to fall for: The phishing lures are certainly convincing, according to the researchers, who added that they convincingly spoof a range of entities, including cryptocurrency exchanges and NFT outlets. The lures often boost their credibility, as was the case in the the iSeeYou campaign, by including access to commonly used third-party services and extensions in the cryptocurrency space, the team said, such as MetaMask. 

"The use of legitimate services on crypto drainer phishing pages may increase the likelihood that the phishing page will pass an otherwise savvy user’s 'scam litmus test,'" according to the report.

The crypto drainer scams were observed in 2022, and Recorded Future raised the alarm in a report this week that they are becoming increasingly popular — so popular, in fact, that Recorded Future recently found 100 phishing pages lurking in the wild, loaded with crypto drainer malware.

"We have observed that Dark Web threat actors are highly interested in this tool," Ilya Volovik, threat intelligence analyst at Recorded Future, tells Dark Reading.

The interest is largely because the scripts are easy to deploy and cheap to acquire (the firm said crypto drainers can cost anywhere from $300 to $500). Sometimes they're even free, as was the case with iSeeYou — but there was a double-crossing catch in that case. 

"Remarkably, the threat actor who posted this crypto drainer phishing template did not charge other threat actors who wished to make use of their tool," Volovik explains. "Unremarkably, this was no act of charity — the crypto drainer was likely designed to defraud other cybercriminals of a portion of their illicit earnings."

In the right social engineering hands, crypto drainers are a potent threat, according to Volovik, who adds that they're helping to usher in a new business model for phishers.

"Designing crypto drainers requires coding skills that phishing specialists may lack," Volovik says. "As a result, many cybercriminals develop crypto drainers to sell or rent out as components in ready-to-go phishing packages; this is likely part of a greater trend toward phishing-as-a-service (PhaaS)." And that, he warns, means that advanced phishing campaigns can scale very quickly.

As cryptocurrency markets mature, it's up to individual services and platforms to keep crypto investors aware of the latest phishing expeditions. 

"Exchange platforms/crypto markets should probably provide education to their users about these crypto drainers and how cybercriminals use them," Volovik adds. "We want to educate the general populace to never send payments to unknown entities (a Nigerian prince or otherwise)."

**Cryptocurrency Cybercrime Is Booming**

Cryptocurrency investors continue to be a prime source of revenue for cybercriminals, with a record-breaking $3.8 billion stolen from crypto businesses in 2022 alone, according to new research from Chainalysis.

During the month of October, the biggest month ever for crypto cyberattacks according to the research firm, there were 32 separate cryptocurrency attacks, with losses totaling $775.7 million.

Much of the crypto cybercrime boom can be attributed to cyberattacks from North Korean state-backed actors, and the targets include crypto wallets, token protocols, decentralized finance (DeFi) protocols, and other centralized cryptocurrency services.

DeFi platforms are the loss leader, the report found, experiencing 82% of cryptocurrency theft for the year. These are platforms that allow cryptocurrency and government-backed fiat currency investors to make trades. Critically, DeFi platforms support a number of different cryptocurrencies like Bitcoin, Ethereum, Solana, and others, and operate outside of a traditional banking structure. Because DeFi platforms are built on the blockchain, an open source protocol, they present a unique opportunity for cybercriminals to get their hands on vast sums of money that would otherwise be protected by those traditional financial institutions.

The now-notorious FTX claimed it was the victim of a cyberattack in November, just hours after filing bankruptcy, which cost the DeFi platform $370 million on top of its already mounting losses. In September, DeFi platform Wintermute lost $160 million to a cyberattack it said was the result of a partner's bad code. And cybercrime group TA4563 was found using an Evilnum backdoor last July that allowed it to drain cryptocurrency out of DeFi platforms automatically.

**Cybersecurity for Cryptocurrency**

Erin Plante, Chainalysis' vice president of investigations, agrees with Volovik that defending cryptocurrency infrastructure, and investors, against cybercrime will require a commitment to user training, but she adds that the DeFi platforms and other crypto services need better in-house cybersecurity too.

"Cryptocurrency services should invest in security measures and training," Plante says. "For example, with North Korean-linked hackers in particular, sophisticated social engineering tactics that take advantage of the trusting and carelessness of human nature to gain access to corporate networks has long been a favored attack vector."

Moving forward, DeFi platforms should model cybersecurity efforts off the traditional finance system, the Chainalysis report advised, adding that robust code auditing practices, simulated attacks, monitoring for suspicious activity, and building in transaction fail-safes to slow down contract execution if suspicious activity is observed.

Crypto Drainers Are Ready to Ransack Investor Wallets

The fresh "ESXiArgs" malware is exploiting a 2-year-old RCE security vulnerability (tracked as CVE-2021-21974), resulting in thousands of unpatched servers falling prey to the campaign.

A global ransomware attack on VMware ESXi hypervisors is expanding, according to multiple government agencies and researchers, having already infected thousands of targets.

The attack, first flagged late Feb. 3 by the French Computer Emergency Response Team (CERT-FR), has already compromised more than 3,200 servers in Canada, France, Finland, Germany, and the US so far, according to tracking from Censys.

The avenue of compromise is an exploit for a 2-year-old remote code execution (RCE) security vulnerability (CVE-2021-21974), which affects the hypervisor's Open Service Location Protocol (OpenSLP) service.

The attack's goal appears to be the installation of a novel ransomware strain dubbed "ESXiArgs" — though the gang behind it is unknown, according to a Feb. 5 notice from French hosting provider OVHcloud, which has customers affected by the attacks.

"We \[previously\] made the assumption the attack was linked to the Nevada ransomware which was a mistake," according to the alert. "No material can lead us to attribute this attack to any group. Attribution is never easy and we leave security researchers to make their own conclusions."

The operators behind the attack are asking for around 2 Bitcoin ($23,000 at press time) to be delivered within three days of compromise; if the victims don't pay up, the ransom will increase and the gang will release sensitive data, they warned, according to a copy of the ransom note posted by a Dark Web monitor known as DarkFeed. However, cybersecurity firm Rapid7 noted in an analysis that there's no evidence of actual data exfiltration so far.

Instead, the encryption process seems to be the main goal, which is specifically targeting virtual machine files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and \*.vmem), according to the firm's assessment. "In some cases, encryption of files may partially fail, allowing the victim to recover data."

Also, "the malware tries to shut down virtual machines by killing the VMX process to unlock the files," Rapid7 explained; VMX, or Virtual Machine Executable, is a process that runs in the VMkernel that handles I/O commands. "This function is not systematically working as expected, resulting in files remaining locked," the alert added.

To avoid being caught up in the cyberattacks, admins should patch immediately, or, as a workaround, "the SLP can be disabled on any ESXi servers that haven’t been updated, in order to further mitigate the risk of compromise," according to the CERT-FR alert.

Also, "users and administrators are also advised to assess if the ransomware campaign-targeted port 427 can be disabled without disrupting operations,” Singapore's SingCERT advised in a notice over the weekend.

VMware remains a popular target for cybercriminals; just last week, exploit code emerged for other RCE bugs lurking in the virtualization specialist's product portfolio.

Source

DARKReading