Differences in how the National Vulnerability Database (NVD) and vendors score bugs can make patch prioritization harder, study says.

A new study this week is sure to raise more questions for enterprise security teams on the wisdom of relying on vulnerability scores in the National Vulnerability Database (NVD) alone to make patch prioritization decisions.

An analysis by VulnCheck of 120,000 CVEs with CVSS v3 scores associated with them shows almost 25,000 — or some 20% — had two severity scores. One score was from NIST, which maintains the NVD, and the other from the vendor of the product with the bug. In many cases, these two scores differed, making it hard for security teams to know which to trust.

**High Rate of Conflict**

Approximately 56%, or 14,000, of the vulnerabilities with two severity scores had conflicting scores, meaning the one assigned by NIST and the score from the vendor did not match. Where a vendor might have assessed a particular vulnerability to be of moderate severity, NIST might have assessed it as severe.

As one example, VulnCheck pointed to CVE-2023-21557, a denial-of-service vulnerability in the Windows Lightweight Directory Access Protocol (LDAP). Microsoft assigned the vulnerability a "high" severity rating of 7.5 on the 10-point CVSS scale. NIST gave it a score of 9.1, making it a "critical" vulnerability. Information on the vulnerability in the NVD provided no insight on why the scores differed, VulnCheck said. The vulnerability database is peppered with numerous other similar instances.

That high conflict rate can set back remediation efforts for organizations that are resource-strapped in vulnerability management teams, says Jacob Baines, vulnerability researcher at VulnCheck. "A vulnerability management system that heavily relies on CVSS scoring will sometimes prioritize vulnerabilities that aren't critical," he says. "Prioritizing the wrong vulnerabilities will squander vulnerability management teams' most critical resource: time."

VulnCheck researchers found other differences in the way NIST and vendors included specific information about flaws in the database. They decided to look at cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in the NVD.

The analysis showed the primary source — typically NIST — assigned 12,969 of the 120,000 CVEs in the database as an XSS vulnerability, while secondary sources listed a much smaller 2,091 as XSS. VulnCheck found that secondary sources were much less likely to indicate that an XSS flaw requires user interaction to exploit. CSRF flaw scores showed similar differences.

"XSS and CSRF vulnerabilities always require user interaction," Baines says. "User interaction is a scoring element of CVSSv3 and is present in the CVSSv3 vector." Examining how often XSS and CSRF vulnerabilities in NVD include that information provides insight into the scale of scoring mistakes in the database, he says.

**Severity Scores Alone Not the Answer**

Severity scores based on the Common Vulnerability Severity Scale (CVSS) are meant to give patching and vulnerability management teams a straightforward way to understand the severity of a software vulnerability. It informs the security professional whether a flaw presents a low, medium, or severe risk, and often provides context around a vulnerability that the software vendor might not have provided when assigning a CVE to the bug.

Numerous organizations use the CVSS standard when assigning severity scores to vulnerabilities in their products, and security teams commonly use the scores to decide the order in which they apply patches to vulnerable software in the environment.

Despite its popularity, many have previously cautioned against solely relying on CVSS reliability scores for patch prioritization. In a Black Hat USA 2022 session, Dustin Childs and Brian Gorenc, both researchers with Trend Micro's Zero Day Initiative (ZDI), pointed to multiple issues like the lack of information around a bug's exploitability, its pervasiveness, and how accessible it might be to attack as reasons why CVSS scores alone are not enough.

"Enterprises are resource constrained, so they typically have to prioritize which patches they roll out," Childs told Dark Reading. "However, if they get conflicting information, they can end up spending resources on bugs that are unlikely to ever be exploited."

Organizations often rely on third-party products to help them prioritize vulnerabilities and decide what to patch first, Childs notes. Often, they tend to give preference to the CVSS from the vendor rather than another source like NIST.

"But vendors can't always be relied on to be transparent on the real risk. Vendors don't always understand how their products are deployed, which can lead to differences in the operational risk to a target," he says.

Childs and Bains advocate that organizations should consider information from multiple sources when making decisions around vulnerability remediation. They should also consider factors such as whether a bug has a public exploit for it in the wild, or whether it is being actively exploited.

"To accurately prioritize a vulnerability, organizations need to be able to answer the following questions," Baines says. "Does this vulnerability have a public exploit? Has this vulnerability been exploited in the wild? Is this vulnerability being used by ransomware or APT? Is this vulnerability likely to be Internet-exposed?"

Discrepancies Discovered in Vulnerability Severity Ratings

An OpSec slip from the North Korean threat group helps researchers attribute what was first suspected as a ransomware attack to nation-state espionage.

Security researchers on Feb. 2 reported that they have detected a cyberattack campaign by the North Korean Lazarus Group, targeting medical research and energy organizations for espionage purposes. 

The attribution was made by threat intelligence analysts for WithSecure, which discovered the campaign while running down an incident against a customer it suspected was a ransomware attack. Further investigation — and a key operational security (OpSec) slip-up by the Lazarus crew — helped them uncover evidence that it was actually part of a wider state-sponsored intelligence gathering campaign being directed by North Korea.

"This was initially suspected to be an attempted BianLian ransomware attack," says Sami Ruohonen, senior threat intelligence researcher for WithSecure. "The evidence we collected quickly pointed in a different direction. And as we collected more, we became more confident that the attack was conducted by a group connected to the North Korean government, eventually leading us to confidently conclude it was the Lazarus Group."

**From Ransomware to Cyber Espionage**

The incident that led them to this activity began through an initial compromise and privilege escalation that was achieved through exploitation of known vulnerabilities in an unpatched Zimbra mail server at the end of August. Within a week, the threat actors had exfiltrated many gigabytes of data from the mailboxes on that server. By October, the attacker was moving laterally across the network and using living-off-the-land (LotL) techniques along the way. By November, the compromised assets started beaconing to Cobalt Strike command-and-control (C2) infrastructure, and in that time period, attackers exfiltrated almost 100GB of data from the network. 

The research team dubbed the incident "No Pineapple" for an error message in a backdoor used by the bad guys, that appended <No Pineapple!> when data exceeded segmented byte size.

The researchers say they have a high degree of confidence that the activity squares up with Lazarus group activity based on the malware, TTPs, and a couple of findings that include one key action during the data exfiltration. They discovered an attacker-controlled Web shell that for a short time connected to an IP address belonging to North Korea. The country has fewer than a thousand such addresses, and at first, the researchers wondered if it was a mistake, before confirming it wasn't.

“In spite of that OpSec fail, the actor demonstrated good tradecraft and still managed to perform considered actions on carefully selected endpoints," says Tim West, head of threat intelligence for WithSecure.

As the researchers kept digging into the incident, they were also able to identify additional victims of the attack based on connections to one of the C2 servers controlled by the threat actors, suggesting a much broader effort than originally suspected, in keeping with espionage motives. Other victims included a healthcare research company; a manufacturer of technology used in energy, research, defense, and healthcare verticals; and a chemical engineering department at a leading research university. 

The infrastructure observed by the researchers has been established since last May, with most of the breaches observed taking place in third quarter of 2022. Based on the victimology of the campaign, the analysts believe the threat actor was intentionally targeting the supply chain of the medical research and energy verticals.

**Lazarus Never Stays Down for Long**

Lazarus is a long-running threat group that's widely thought to be run by North Korea's Foreign Intelligence and Reconnaissance Bureau. Threat researchers have pinned activity to the group dating as far back as 2009, with consistent attacks stemming from it over the years since, with only short periods of going to ground in between. 

The motives are both financial — it's an important revenue-generator for the regime — and spy-related. In 2022, numerous reports emerged of advanced attacks from Lazarus that included targeting of Apple's M1 chip, as well as fake job posting scams. A similar attack last April sent malicious files to targets in the chemical sector and IT, also disguised as job offers for highly attractive dream jobs.

Meanwhile, last week the FBI confirmed that Lazarus Group threat actors were responsible for the theft last June of $100 million of virtual currency from the cross-chain communication system from the blockchain firm Harmony, called Horizon Bridge. The FBI's investigators report that the group used the Railgun privacy protocol earlier in January to launder more than $60 million worth of Ethereum stolen in the Horizon Bridge heist. Authorities say they were able to freeze "a portion of these funds."

Lazarus Group Rises Again, to Gather Intelligence on Energy, Healthcare Firms

Enterprises often don't know whose responsibility it is to monitor for spoofed brand sites and scams that steal customers' trust, money, and personally identifiable information.

Impersonation stands at the heart of so many cybercriminal schemes today. Whether used to fuel traditional phishing or malware propagation attacks, business email compromise, advertising fraud, or e-commerce fraud, there's nothing quite so effective as piggybacking off the trust and goodwill of a brand to lure people into a scam.

Brand impersonation can be a particularly thorny problem for CISOs, especially when the threats stray from the typical malicious email attacks that security practitioners have grown up fighting. Today, retailers, product creators, and service providers increasingly face a whole host of brand theft and impersonation ploys that stretch far beyond the common phishing scam.

Criminals are making a killing setting up scam sites that masquerade as a brand's property to sell counterfeit or gray-market merchandise, to fence stolen goods, or to process payment and never send the product at all. According to the US Federal Trade Commission (FTC), consumers have lost more than $2 billion to these kinds of scams since 2017.

**Stealing a Brand**

For the businesses that are imitated, these scam sites at best erode the brand's trustworthiness and value. At worst, they steal sales and could even threaten the very existence of a small or emerging business.

"We've had a close shave with brand impersonation at Code Galaxy. Someone created a business profile — website, social media profiles, and everything — with our own brand identity. They went to advertise the same services we offer at ridiculously lower prices, only that they didn't even offer the services. They simply made away with the money," says Marliis Reinkort, CEO and founder of Code Galaxy, an online coding school for kids. She explained that her team didn't notice the fraud until it had not only scammed potential customers but also made the entire market think her business had drastically cut prices. "That single occurrence was a wake-up call for me. The reputational damage dealt a huge blow to the business for a while."

It's understandable that startups like Code Galaxy would struggle to detect brand impersonation due to resource constraints, but even enterprises with mature security functions can have a hard time systematically rooting out impostors that leech off their brand. Utilizing techniques like website spoofing through typosquatting and lookalike URLs, brand impersonation attacks often aren't attacking a company's owned infrastructure — making them very difficult for incident responders to detect in a security operations center (SOC) setting using traditional security alerting tools.

"The external attack surface for brand impersonation are built and launched by bad actors entirely on the Internet," says Ihab Shraim, CTO at CSC Digital Brand Services. "Therefore, the SOC security teams do not have the specific data feeds \[they need to detect impersonations\]."

**Tracking Mentions, Keywords**

To alleviate the gap, some companies proactively search online or use simple brand tracking tools. This is how Reinkort and her team have responded since Code Galaxy's costly brush with brand impersonation.

"We actively track brand mentions and keywords related to the business, even when misspelled," she says. "Brand mentions should just be for engagement and troubleshooting. We ended up discovering two brand impersonations by simply tracking mentions that mirror our keywords and acting words."

But the increasing volume of online marketplaces means that organizations trying to scan for keywords and mentions are likely to bump into scalability issues.

"Brand impersonation is hard to track due to the vast number of digital marketplaces that have materialized in the past decade," says Doug Saylors, partner and co-lead of cybersecurity for global technology research and advisory firm ISG. "Simply scanning the Internet for similarly named products, websites, and product descriptions is no longer sufficient to identify and remove fraudulent information."

**Whose Job Is It?**

Additionally, because attackers are essentially committing trademark violations in these instances, and because irate victims often call the spoofed company's customer service asking for the product they paid for or to return defective products, it is often unclear within larger organizations whose responsibility it even is to go after the impostors once they're detected.

"This has not been in the realm of security practitioners in a consistent way for very long," says Josh Shaul, CEO of Allure Security, an online brand protection company that's part of a growing category of firms focused on detecting scam sites and remediating through actions like takedowns.

He explains that when he goes out to the market and talks to companies, sometimes they'll say they've got incident response (IR) looking at the problem. At other companies, they say the legal team is on it. At still others, they see it as a customer service or marketing problem. Meanwhile, the attacks keep mounting, and the company struggles with quickly orchestrating mitigation efforts like takedown requests and communication with registrars.

CISOs will need to take a systematic and multi-disciplinary approach to solve the brand impersonation problem. That begins with registering trademarks and setting up domains and social media presence for the brand, and then extends to include domain monitoring and using threat intelligence to identify impersonation attempts.

"It's odd, because to me this is all in the realm of the security \[professional\]," Shaul says. "The trademark is an important piece, but it's a fraud problem and a security incident problem. People are stealing from you, and you're trying to prevent the theft."

Why CISOs Should Care About Brand Impersonation Scam Sites

The average organization does business with 11 third parties, and 98% of organizations do business with a third party who has suffered a breach, an analysis finds.

Nearly every company does business with — or uses the products of — a third party that has suffered a compromise, thus increasing their security risks.

That's according to data science firm Cyentia Institute, which has issued an analysis that includes external measurements of security from more than 230,000 organizations provided by cybersecurity risk-management firm SecurityScorecard. It found that the average firm had around 10 third-party relationships, and hundreds of indirect fourth-party relationships, with the typical firm having 60 to 90 times more fourth parties than third parties. Nearly all firms (98%) had at least one third-party partner who had suffered a breach, the report stated.

The IT sector has the most third parties, with an average of 25, while the finance sector had the fewest, at 6.5. Those numbers quickly balloon when fourth-party relationships are included, as did their risk. The average firm has an indirect relationship with 200 fourth parties that have had a breach, the analysis found.

The research underscores the sprawling nature of third- and fourth-party relationships for corporations, and the dramatic increase in risk that they can cause, says Wade Baker, founder and partner at the Cyentia Institute.

"Risk goes downhill," he says. "The first parties are more likely to have good security \[risk\] scores than their third parties, and with fourth parties, the numbers really explode. You need to expect \[these firms and products\] to not be up to your standards for security."

That's because while many organizations have become more mature regarding their own cyber risks, few are cognizant of the extended risks, Cyentia and SecurityScorecard stated in the analysis.

"Many organizations are still unaware of the dependencies and exposures inherent to third-party relationships, and simply focus on managing their own security posture," the report stated. "Others are aware of those issues, but don't make vendor decisions based on security and/or require vendors to meet certain standards. Even firms that do establish third-party security requirements can struggle to continually monitor compliance and progress."

    

Almost all companies did business with a third party who had been compromised in the past 2 years. Source: Cyentia Institute and SecurityScorecard

Third-party and supply-chain risk have become significant issues in recent years. And CISOs have become increasing wary of their third-party providers, ever since the compromise of an HVAC supplier led to the breach of retail giant Target.

While the analysis looks at third-party risk, the definition of what a third party is extends not just to vendors and partners, but software providers and open source projects. Now-infamous attacks on software suppliers such as SolarWinds, and vulnerabilities in widely used software components such as Log4J, have raised the visibility of the risk that this arena poses.

The top 5 technologies included in third-party relationships within the data are Google Analytics, Google Tag Manager, Amazon Web Hosting, PHP, and Facebook products — all of which were involved in two-thirds (68%) of third-party relationships, the report stated.

"A lot of these third and fourth party relationships \[involve us\] both agreeing to adhere to certain policies just by virtue of using a product, and now I'm opening up myself to a certain degree of risk," Baker says.

**Risk Rises With Each Hop**

The analysis also found that third parties typically have a weaker security posture than the companies they served. Overall, there is a much higher likelihood that third parties will have security problems, meaning that companies can't assume that all of their third parties are as diligent about security.

"I view it in the same way as all of us knowing we have too many privileges — in general, people have access to more data than they need to do their job," Baker says. "It would be good to reduce the number of third parties, especially if they're not needed, and also be a little bit more choosy."

The data, however, does not suggest a clear path forward, beside becoming more aware of the problem. Baker does not necessarily recommend, for example, that organizations cut the bottom 25% of their third parties from their business. However, evaluating them more closely or more frequently might be more realistic, he says.

"If we really want to protect our supply chains, we've got to we've got to make the weakest link stronger," Baker says. "And I think the analysis is showing that there's a lot of weak links across third parties and fourth parties, and that is where the challenge lies."

Nearly All Firms Have Ties With Breached Third Parties

A new supply chain risk management office aims to help public and private sectors implement recent CISA policies and guidance.

The US Cybersecurity and Infrastructure Security Agency (CISA) plans to open an office focused on helping the public and private sectors protect their software and IT supply chains.

The new office will help organizations implement recently issued CISA policies and guidance related to managing cybersecurity supply chain risk, including issues stemming from malicious functionality, counterfeit components, or open source software (OSS) vulnerabilities, and more.

Former General Services Administration official Shon Lyublanovits will lead the new supply chain management risk division, Federal News Network (FNN) reported.

"We've got to get to a point where we move out of this idea of just thinking broadly about C-SCRM \[cybersecurity supply chain risk management\] and really figuring out what chunks I want to start to tackle first, creating that road map so that we can actually move this forward," Lyublanovits said at a recent event, as reported by FNN.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA to Open Supply Chain Risk Management Office

Noting 13% year-over-year growth in fraudulent instruction as a cause of loss, report predicts organizations must get smarter about educating employees to spot fraudulent tactics.

**London, February 1, 2023 —** From tactics to implications, cybersecurity will see a subtle but important evolution in 2023 according to Beazley’s new _Cyber Services Snapshot_ report, which was released today. The report reveals that the cyber threat landscape will be influenced by greater incident complexity, the way threat actors use stolen data, and a rise in US class actions in 2023.

The report presents global data on incidents handled by Beazley Cyber Services including cause of loss by industry, ransomware vectors, business email compromise, and data exfiltration. These data points provide a real-time view into incidents reported to Beazley, revealing an ongoing picture of emerging cyber risk. In addition, all Beazley Cyber Services Snapshots feature insights from professionals on the front line of Beazley’s incident response teams around the world.

As a category, fraudulent instruction experienced big growth as a cause of loss in 2022, up 13% year-over-year. This trend continues to be quite high, especially when it comes to small organizations.

To combat this vulnerability, the report suggests, organizations must get smarter about educating employees to spot fraudulent instruction tactics like spoofed emails or domain names. Organizations are cautioned to watch for social engineering and spear phishing, bypassing of Multi-Factor Authentication, targeting of Managed Service Providers, and compromising of cloud environments as areas of vulnerability.

“At first glance, things hardly seem particularly new as we enter 2023: threat actors are still using the same kinds of ransomware vectors to attack, and we’re still talking about the same need for education and controls,”said Russ Cohen, Beazley’s Head of US Cyber Services.“But look beneath the surface, and it quickly becomes evident that targeted organizations are facing greater incident complexity than ever before. As threat actors bring new sophistication to their techniques and adapt to improved cybersecurity efforts, more and more companies will realize they can no longer count on the default configuration of off-the-shelf IT solutions and tools.”

Beazley provides best-in-class support, services, and tools to help insureds mitigate risk and recover quickly in the event of a breach.

Greater Incident Complexity, Shift in How Threat Actors Use Stolen Data, Will Drive the Cyber Threat Landscape in 2023, Says Beazley Report

Move will strengthen position as a leader in the identity governance and analytics market.

**NOVATO, Calif. — (****BUSINESS WIRE****) —** Radiant Logic, the Identity Data Fabric company, announced today that it has entered into a definitive agreement to acquire Brainwave GRC, a leader in Identity Governance and Analytics (IGA) headquartered in France. Together, Radiant Logic and Brainwave GRC address a broad set of identity use cases, and the acquisition accelerates the companies’ shared vision of an Identity Data Fabric that uses the science of data to ensure the right information is in place to make the right policy decisions.

“Demand is increasing for cyber security, governance and compliance solutions that help companies address the continually evolving security threats, especially as regulatory environments and fines become more prevalent,” said Joe Sander, CEO of Radiant Logic. “By joining forces with Brainwave we will be able to unlock tremendous value for current and future customers by unleashing the power of identity data to help truly transform an organization’s IT landscape. Our combined platform will allow organizations to add unprecedented agility and flexibility in their infrastructure and business processes, while improving business continuity and security posture and reducing the total cost of ongoing regulatory compliance and IAM or IGA programs.”

Cyril Gollain, CEO and co-founder of Brainwave GRC, stated: “Merging with Radiant Logic is the natural next step for Brainwave GRC, providing transformative value for both our customers and employees alike. Together, this combined platform offers exceptional new insight into the role of identity data in the enterprise, and accelerates innovations in the area of analytics and IGA. We are delighted to benefit from Radiant Logic’s proven success, and when combined with our experience and reach in EMEA, it will allow us both to further expand and flourish.”

The acquisition will strengthen both Radiant Logic and Brainwave GRC’s respective market positions as identity, analytics and intelligence experts by offering a new lightweight data-centric governance capability and a market-defining identity data intelligence platform. By combining their unique capabilities into a single platform, customers can speed time-to-value by eliminating burdensome IGA deployments and focusing on what really matters to audit and compliance teams—getting the right data, which can be trusted, in a timely manner.

The identity analytics and intelligence insights resulting from Radiant Logic + Brainwave’s data-driven approach will give unprecedented insight into near real-time user behavior within an enterprise environment, transforming how organizations detect cyberattacks, fraudulent activity, lateral movement from insider threats, and more. Radiant + Brainwave is a winning combination that will provide an unmatched Zero Trust and Identity-First Security foundation for enhanced data security, reduced audit and compliance costs, and improved understanding and visibility of malicious activity.

Established in 2010 in France, Brainwave GRC has a strong reputation in helping companies across EMEA ensure compliance and protect their assets from fraud and cyber threats. Brainwave GRC provides essential Access Governance reports that include access risks, accounts, attestations, and out-of-the-box reports for major compliance frameworks—a common requirement in highly regulated markets. Their light IGA capabilities complements Radiant Logic’s identity data management expertise, and is in-line with its strategic direction to expand its offerings in the IGA market segment.

“We have strived to provide the absolute best value to our customers and truly believe this future product integration will not only streamline IAM and IGA infrastructure, but bring the value of data science and advanced analytics to the identity space,” said John Pritchard, Chief Product Officer, Radiant Logic. “The Brainwave platform will be a core component in driving RadiantOne’s new identity intelligence capabilities, realizing the vision of an Identity Data Fabric.”

“The winning combination of Radiant Logic and Brainwave will provide unmatched capabilities for an identity-first approach to security,” says Sebastien Faivre, CTO and Brainwave co-founder. “We believe that by combining our background in identity analytics with Radiant’s identity data management expertise, we can deliver innovative new solutions utilizing artificial intelligence and machine learning capabilities which can only be enhanced by ingesting the clean data from the RadiantOne platform.”

Brainwave will maintain independent operations for the near-time, while both platforms continue to be supported, invested in, and integrated over time. The transaction is subject to customary closing conditions. Terms of the acquisition were not disclosed.

**About Radiant Logic**

Radiant Logic, the enterprise Identity Data Fabric company, provides the cornerstone of complex identity architectures in today’s digital world. With Radiant, it’s fast and easy to put identity data to work, connecting many disparate data sources across legacy and cloud infrastructures in real-time, without disruption. Our solution creates a solid identity foundation that speeds the success of initiatives, including single sign-on, M&A integrations, identity governance and administration, cloud directory deployments, hybrid and multi-cloud environments, customer identity and access management, and more. From the Fortune 1000 to government agencies, organizations across the globe rely on Radiant to deliver meaningfully faster time-to-value and unprecedented IT agility, while building a secure, future-proof identity infrastructure that meets real-world business demands. Learn more at www.radiantlogic.com

**About Brainwave GRC**

Brainwave GRC is a pioneer in the identity analytics market. Named Cool Vendor by Gartner, Brainwave GRC solutions help solidify and reinforce IAM risk and compliance postures. Brainwave GRC derives intelligence through multicriteria analyses for data visualization, anomaly detection, smart access reviews and compliance controls specifically for identity and access events. It enables organizations to combat cyber risks, detect internal threats, remediate noncompliance access risks and perform fraud alert notifications with innovative solutions. Brainwave GRC strengthens your cybersecurity with preventive and predictive analytics.

Radiant Logic Signs Definitive Agreement to Acquire Brainwave GRC

**TAMPA BAY, Fla. — February 1, 2023 —** KnowBe4, Inc. (“KnowBe4”), the provider of the world’s largest security awareness training and simulated phishing platform, today announced the completion of its acquisition byVista Equity Partners (“Vista”), a leading global investment firm focused exclusively on enterprise software, data and technology-enabled businesses, for $24.90 per share in cash. 

“Today’s acquisition is a significant milestone for the entire KnowBe4 team. It’s representative of our achievements to date, as well as our potential for continued long-term growth,” said Stu Sjouwerman, founder, Chairman and Chief Executive Officer of KnowBe4. “Vista provides the resources and operational expertise to enhance customer value. We’re thrilled to embark on this next chapter and realize our goals for addressing cybersecurity’s weakest link.”

“The human element remains one of the most important yet neglected aspects of cybersecurity,” said Michael Fosnaugh, Co-Head of Vista’s Flagship Fund and Senior Managing Director. “The opportunity to scale a business that is truly mission-critical to enterprises around the world is core to Vista’s investment approach and value creation efforts. This, combined with Stu’s track record as a visionary founder and KnowBe4’s demonstrated product leadership, makes partnering with the Company very exciting.”

With the completion of the transaction, KnowBe4 shares have ceased trading and are no longer listed on the Nasdaq Global Select Market.

Morgan Stanley & Co. LLC served as financial advisor and Potter Anderson & Corroon served as legal counsel to KnowBe4’s Special Committee. Wilson Sonsini Goodrich & Rosati, Professional Corporation served as legal advisor to KnowBe4.

Guggenheim Securities, LLC served as financial advisor and Kirkland & Ellis LLP served as legal counsel for Vista.

**About KnowBe4**

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 56,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4’s Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as their last line of defense.

**About Vista Equity Partners**

Vista is a leading global investment firm with more than $95 billion in assets under management as of September 30, 2022. The firm exclusively invests in enterprise software, data and technology-enabled organizations across private equity, permanent capital, credit and public equity strategies, bringing an approach that prioritizes creating enduring market value for the benefit of its global ecosystem of investors, companies, customers and employees. Vista's investments are anchored by a sizable long-term capital base, experience in structuring technology-oriented transactions and proven, flexible management techniques that drive sustainable growth. Vista believes the transformative power of technology is the key to an even better future – a healthier planet, a smarter economy, a diverse and inclusive community and a broader path to prosperity. Further information is available at vistaequitypartners.com. Follow Vista on LinkedIn, @Vista Equity Partners, and on Twitter, @Vista\_Equity.

Vista Equity Partners Completes Acquisition of KnowBe4

Killnet is building its profile, inspiring jewelry sales and rap anthems. But the impact of its DDoS attacks, like the ones that targeted 14 major US hospitals this week, remain largely questionable.

Pro-Russian hacktivist group Killnet this week launched distributed denial-of-service (DDoS) attacks on networks belonging to 14 major US hospitals in its continuing retaliation campaign against entities in countries the threat actor perceives as hostile to Russian interests in Ukraine.

The attacks — like most Killnet attacks since Russia's invasion last February — appear to have done little to seriously disrupt network operations at any of the targeted organizations, which included Stanford Health, Michigan Medicine, Duke Health, and Cedars-Sinai.

**Designed to Garner More Support**

That said, they are likely going to garner Killnet more support from other like-minded hacktivists in Russia and elsewhere, and possibly even fuel investments into its operations from others, making them more dangerous in the process, security experts said this week.

"Killnet has been actively attacking anyone who supports Ukraine or goes against Russia for almost 12 months now," says Pascal Geenens, director of threat intelligence at Radware. "They have been dedicated to their cause and have had the time to build experience and increase their circle of influence across affiliate pro-Russian hacktivist groups."

Killnet surfaced last year, soon after Russia invaded Ukraine in February. Since then, the group has carried out a series of often high-profile DDoS attacks on organizations in critical infrastructure sectors in the US and multiple other countries. Their victims have included airports, banks, defense contractors, hospitals, Internet service providers, and the White House.

Killnet's latest DDoS campaign this week against hospitals in the US and medical institutions in multiple other countries, including Germany, Poland, and the UK, were likely motivated by the recent US-led decision by NATO countries to send battle tanks to Ukraine. However, the impact of these attacks remains questionable.

**Killnet's Questionable DDoS Impact**

Mary Masson, director of public relations at Michigan Medicine, for instance, says Killnet's DDoS attacks hit multiple of its websites on Jan. 30, including uofmhealth.org and mottchildren.org. Masson describes the attacks as causing "intermittent problems" for some of Michigan Medicine's public-facing websites hosted by a third-party service provider. 

"None of the sites impacted contain patient information, and all patient information is safe," she notes. "Patients were always still able to access the patient portal via myuofmhealth.org." The websites were all back to almost normal operations a day later, on Jan. 31.

Sally Stewart, associate director of media relations at Cedars-Sinai, describes Killnet's DDoS attack as having a similarly low impact on the hospital's operations: "The Cedars-Sinai website experienced a brief service interruption early Monday morning that has resolved. The website remains fully functional," Stewart said in an emailed statement to Dark Reading.

Stanford Healthcare and Duke Health did not immediately respond to Dark Reading's request for comment.

"They are not as disruptive as they claim to be," Geenens says, adding that Killnet’s main objective is attracting attention and getting their pro-Russian message heard. "They go after targets that are visible to the larger public, such as public websites of institutions, governments, and organizations." Often the resources the group has targeted are not business-critical. 

**A Mistake to Underestimate**

That does not mean the group can be ignored, however. In an advisory following the recent DDoS attacks, the American Hospital Association described Killnet as an active threat to the healthcare industry. 

"While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days," the AHA warned. Killnet's links to Russia's Foreign Intelligence Service remain unconfirmed, AHA noted, "\[but\] the group should be considered a threat to government and critical infrastructure organizations, including healthcare."

Importantly, Killnet's pro-Russian DDoS crusade has also begun attracting many more followers and fans. Daniel Smith, head of cyber-threat intelligence at Radware, says the number of subscribers for @Killnet\_reserve on Telegram grew from about 34,000 subscribers to 85,000 subscribers in June 2022. "Just for comparison, IT Army of Ukraine has over 200,000 subscribers, but has been losing subscribers since March 2022," he says.

The group has focused quite a bit on publicity via its Telegram channel, which it also uses to encourage followers to conduct DDoS attacks of their own.

**Jewelry and Rap Anthems: Growing Killnet Support**

Radware's Geenens points to affiliate Russian groups such as NoName and the Passion Group offering their DDoS botnets to Killnet for carrying out attacks as one indication of the growing support it has begun attracting within Russia. 

Other signs of the support that Killnet has mobilized in recent months include a song in the gang's honor, titled “KillnetFlow (Anonymous diss)” by a Russian rapper, and the sale of Killnet-related jewelry by a Moscow-based jewelry maker called HooliganZ. Killnet has also received some $44,000 worth of financial support from a Dark Web marketplace called Solaris, according to Radware. 

"Killnet’s influence, reach, and skills are growing, and they are not showing signs of slowing down or retiring soon," Geenens warns.

It's unclear how, if at all, Killnet will leverage its growing support, or whether it will pivot to other, more dangerous forms of attack. Aleksandr Yamploskiy, co-founder and CEO at SecurityScorecard, notes how Killnet began as a financially motivated operation offering a botnet for hire. But it has since become more of a hacktivist collective, conducting a series of relatively low-sophistication DDoS attacks against targets it perceives to oppose the Russian invasion of Ukraine. "Killnet has historically made use of open proxy IP addresses and publicly available scripts in its attacks," he says.

What makes the group now potentially more dangerous are its growing reach and skills, Radware's Smith adds. A few months ago, Radware's assessment of the risk posed by a pro-Russian hacktivist group such as Killnet would have been low, he explains. "But after 12 months of building their experience," he says, "advancing their tools and growing their social network, I’m more likely to increase that risk to moderate."

While there's no reason for panic, it is better to err on the side of caution and be prepared. "Everyone in the security community knows it does not take extremely skilled or sophisticated actors to disrupt or cause impact to an organization or infrastructure," Smith adds.

Inside Killnet: Pro-Russia Hacktivist Group's Support and Influence Grows

Companies need to be aware of the work culture they foster. Diversity and inclusion aren't just buzzwords. Increasing female visibility and improving female mentoring to help women enter and advance within the cybersecurity industry are key steps forward.

Globally, about a quarter of cybersecurity jobs belong to women, which unfortunately doesn't quite correlate with the worldwide female population of 49.58%. We're not saying that every industry needs to have a perfect 50/50 split, but with cybersecurity being a male-dominated industry, it's time companies addressed the challenges women face when joining the cybersecurity workforce by striving for a more diverse workplace.

While progress has been made over the last decade (women occupied only 10% of cybersecurity jobs in 2013), more headway needs to be made. From a lack of industry role models to poor media representation and an absence of mentoring, women face a plethora of challenges in cybersecurity.

So, what are the top three obstacles women face?

**Underrepresentation in the Media**

The media plays a crucial role in creating and maintaining stereotypes. TV shows and films often push concepts and cliches that are then subconsciously accepted as fact by viewers.

Children are easily influenced by media stereotypes and, therefore, can be led into gendered thinking, particularly regarding jobs. This reasoning can then heavily influence a person's perception of the real world, including their life aspirations and career choices. For example, Navy recruitment went up 500% following the release of _Top Gun_, starring Tom Cruise.

In the 1990s, one show was proven particularly effective in persuading women to enter STEM occupations — _The X-Files_, with Gillian Anderson playing Dr. Dana Scully. A recent report looking into the "Scully effect" showed that as the only female STEM character on prime-time TV in the '90s, she had a significant impact on the female viewer base. The report revealed that 63% (PDF) of the women studied said Dana Scully increased their belief in the importance of STEM subjects.

These examples indicate how important representation is in the media and display how a lack of visibility can distort a viewer's perception of what they can achieve. It's time for the media to understand and recognize their influence and the stereotypes they enforce.

**Male-Dominated Workplaces Can Come With Several Issues**

With cybersecurity being made up of only about 25% women, this officially classes the industry as male dominated. Ask any woman; the thought of entering a workplace full of men isn't an enticing one. This is likely one of the reasons why, in 2021, only 6.5% (PDF) of US women worked in a male-dominated occupation.

With issues regarding the gender pay gap, sexual harassment, underrepresentation, lack of mentoring, and negative stereotyping, it's no wonder that women aren't running to join male-dominated workplaces en masse. For these points to be tackled, they need to be addressed from the top down. Cybersecurity leaders must be aware of the work culture they're fostering and be open to discussing and tackling any issues they find, however uncomfortable that may be.

A 2017 survey by the Pew Research Center found that women in male-dominated industries were more likely to be harassed than women working in female-dominated sectors. Therefore, businesses must create a safe space for employees, particularly women, to report any harassment and unwanted behavior at work. Another initiative for cybersecurity companies to establish is female mentor programs, which help to support their female workers, aid in their professional growth, and close the gender gap in cybersecurity.

**Lack of Industry Role Models**

While kids these days may not be hanging posters of their favorite celebrities in their bedrooms or lockers anymore, role models are still crucial. The importance of role models is often underplayed. Having a visible representation of what is possible encourages people to push boundaries, strive to be better, and be more ambitious.

Crest's report — "Exploring the Gender Gap in Cybersecurity" — found that 59% of women polled had a "mixed" experience within the cybersecurity industry as they received some support but also faced many challenges. The report identified two key areas for improvement: increasing female visibility and improving female mentoring to help women enter and advance within the industry.

The problem with a lack of role models is its knock-on effect. With fewer women in the industry to look up to, this can discourage women from entering and perpetuates disparity. It's time to disrupt this cycle.

Diversity and inclusion lead to a more rounded perspective, with various team members bringing different points of view, allowing them to solve new problems. While women's current obstacles in cybersecurity won't disappear overnight, identifying the issues and raising awareness welcomes opportunities for change and improvement. Cybersecurity is ready for a female revolution.

Source

DARKReading