Risk reassessment is shaking up the cybersecurity insurance market, leading some organizations to consider their options, including self-insurance.

As the market for cybersecurity insurance evolves and matures, insurance giant Lloyd's of London is preparing to exclude most nation-state attacks from its coverage policies. In the wake of such changes, organizations are reassessing their cyber insurance strategies.

While the Lloyd's announcement does not explicitly exclude all nation-state or nation-inspired cyberattacks, it does solidify some definitions around what is and is not covered.

"This guidance will now be trickling down into cyber insurance policy providers' wordings," explains Chris Denbigh-White, security strategist at Next DLP.

Organizations must figure out what policies offer the best value and coverage, and look into other risk treatment measures, if they wish to understand the risks that cyber insurance cannot address, he says.

Self-insuring may allow companies to tailor their insurance coverage and costs more carefully.

**Opportunities and Risks in Self-Insurance**

"A well-implemented self-insurance strategy has the potential to give an organization granular control of costs and coverage," Denbigh-White says. "In the short term, it may offer a certain degree of cost savings, as its purpose would be to cover remediation of potential cyber incidents as opposed to generating income for a third-party insurer."

However, if a self-insured organization doesn't focus resources on improving security controls and capabilities to reduce the probability of an event that requires an insurance claim, it runs a serious chance of bankrupting at least its self-insurance fund — if not the entire company — through one or two events.

"Self-insurance requires an organization to be responsible for covering all losses," Denbigh-White says. "Whilst this may seem obvious, a self-insured organization can only draw on the money it has invested in its self-insurance to address any future claim."

In contrast, commercial insurance companies not only have access to funds from a multitude of client premiums, but they also may benefit from upstream support. This often includes reinsurance (underwriting) and maybe even backstopping from governments in certain cases.

In addition, the administrative burden of setting up such a self-insurance function within an organization may prove prohibitively complicated and costly. Self-insurance is not something organizations can just "switch to" in the same way they might change an external insurance provider, Denbigh-White notes.

"Implementing such a program requires in many cases a business function to be set up to support management, claims processing, regulatory communications, and day-to-day operations," he says.

**Saving Money Could Be Costly**

For organizations with the administrative and financial capacity, self-insurance could prove a viable approach. But for those without, it could prove an expensive enterprise that serves to cost more and protect less.

Bud Broomhead, CEO at Viakoo, says that self-insurance has the benefit of forcing the organization to focus on running an accurate risk assessment that is specific to its business.

"In the end, an organization can achieve significant cost savings through self-insurance, which is ultimately the main benefit," he says.

The main risk lies in getting it wrong. A self-insured organization that is the victim of an attack cannot offset its losses as it might through insurance. "'Black swan' risk is fully absorbed by the company and, because it was not considered in risk assessment, could be much more expensive," Broomhead adds.

**Improving Security Is an Insurance Strategy**

Bill Bernard, area vice president of Deepwatch, says the best insurance strategy is to avoid needing to use insurance.

"As an analogy, buying a car with automatic crash protection braking lowers the probability I'll have to file an auto insurance claim," he explains. This type of preventative thinking will be critical to successfully self-insure against cybersecurity incidents, he says.

The way to minimize the number of claims events is to have a robust security program, including a well-prepared capability to detect, respond, and recover from events before they become claim-generating events.

"Sadly, these capabilities have often been treated as cost centers by companies, and that thinking will have to change," Bernard says.

**Influence of Federal Regulations**

With new regulation coming to critical sectors — water, rail, aviation, and health have already received such — and an increased focus on third-party security, many organizations are shoring up controls to be able to better compete for government contract work.

"As controls improve, the conversation with the insurance company is worth revisiting to demonstrate those controls to hopefully result in lower cost of coverage," says Mike Hamilton, CISO of Critical Insight. "Further, with the federal government examining becoming a reinsurer along the lines of the TRIP program, insurance companies are being given more breathing room, and this may result in lowered premiums as well."

Adds Next DLP's Denbigh-White: "In relation to the US market specifically, I will be watching closely for further announcements around a potential federal backstop for cyber insurance."

Hamilton points out that self-insurance is alternately called "no insurance."

"If an insufficient amount is set aside, a cyber event could be existential," he says. "On the other hand, rolling those dice for a year and making investments in controls will have the effect of lowering premium costs, as risk has been demonstrably reduced."

**Broader Changes in the Cyber Insurance Market**

Much like car insurance based on a device in your vehicle that reports back to the insurance company how you drive, cyber insurance needs data to price risk through continuous monitoring of a client's cybersecurity practices, Hamilton says,

"Eventually, insurance companies will begin bundling this service as a condition of being insured," he explains.

Denbigh-White predicts greater emphasis will be placed on risk management, with insurers requiring a greater level of "proof" that robust cybersecurity measures are not only in place but effective in their stated purpose.

"Policies may move beyond simple exclusions and become increasingly tailored, allowing customers to choose coverage that addresses their specific needs and risk profile," he says. This may include insurers supporting hybrid arrangements where clients have decided to self-insure a proportion of their risk.

Adds Denbigh-White: "Overall, 2023 will see a definite maturing of the cyber insurance industry and a greater understanding of its place within customers' risk mitigation strategies."

Organizations Reassess Cyber Insurance as Self-Insurance Strategies Emerge

The investment will fund global commercial rollout and R&D efforts to debilitate fraudsters.

**NEW YORK****,** **March 30, 2023** **/PRNewswire/ --** DataDome, a leading provider of AI-powered online fraud and bot management, today announced its Series C funding round of $42 million. This round was led by InfraVia Growth, with participation from existing investors Elephant, ISAI, and others, to support DataDome on its mission to rid the web of bot-driven cyberattacks and fraud.

Malicious bots are growing more advanced by the second to circumvent security measures, and the rise of human-bot combinations and AI-powered bots have facilitated the consistent bypass of usual point-in-time, static barriers like WAFs, traditional CAPTCHAs, and user validation databases. What's more, silos between security and fraud mitigation enable attackers to take advantage of vulnerabilities and launch attacks that cut across the whole customer journey, profiting along the way. Online businesses are bearing the consequences of automated cyberattacks and online fraud, and it's a costly situation to be stuck in. Enterprises need a solution that puts them back in the driver's seat and empowers them to fight fraud.

"Bots have become a common path to fraud. In 2022 alone, DataDome stopped, in real time, over 250 billion online fraud attempts," said Benjamin Fabre, CEO and co-founder of DataDome. "Because of how our product is built and deployed, we have a unique lens into attack vectors and can see across silos to stop attacks in their tracks. This is why enterprises like Rakuten, Reddit, and AngelList trust us to protect their digital properties."

"This cash infusion will fund global commercial rollout and R&D efforts to ensure that our offering continues to raise the bar, and stays well ahead of bot developers and fraudsters," continued Fabre. "In InfraVia, we have an investor who trusts in and shares our vision, and brings years of valuable experience helping companies scale globally. Threat actors don't stand a chance."

DataDome's bot and online fraud solution assesses the intent of a visit in real time, every time, to detect and mitigate attacks on mobile apps, websites, and APIs with unparalleled accuracy and zero compromise. Such performance is made possible by the solution's ability to adapt machine learning algorithms in real time, at the edge. DataDome protects 300+ enterprises from account takeover, scraping, payment fraud, DDoS, credential stuffing, and more. 

"We were genuinely impressed by the sophistication of DataDome's solution, as well as the company's growth trajectory, especially in the US," said Guillaume Santamaria, Partner at InfraVia. "DataDome perfectly embodies our commitment to growth technology companies, and we fully endorse the team's vision of bot management as a foundation for fighting online fraud. We are very much looking forward to the next phase of DataDome's evolution and global scale."

Follow DataDome on Twitter and LinkedIn for regular updates on threat research, customer case studies, and to ensure your bot protection is ready to tackle the most sophisticated attacks.

**About DataDome**

DataDome's bot and online fraud protection detects and mitigates attacks with unparalleled accuracy and zero compromise. Our machine learning solution analyzes 3 trillion data points per day to adapt to new threats in real time. Our 24/7 SOC experts protect hundreds of high-profile brands worldwide, including Reddit, Patreon, and AngelList. A force multiplier for IT security teams, DataDome is fully transparent, easy to deploy, and frictionless for consumers. In 2022, DataDome was named a Strong Performer in the 

 and ranked the top G2 Leader in Bot Detection & Mitigation for Fall 2022 and Winter 2023.

**About InfraVia**

InfraVia is a leading independent private equity firm, specialized in infrastructure and technology investments. InfraVia supports entrepreneurs and industrial players in their growth and digital strategy, accelerating their transformation to sizable platforms. Since 2008, InfraVia has raised EUR 10 billion of capital and invested in 50 companies across 13 European countries.

In 2020, InfraVia launched a new investment strategy dedicated to European B2B high-growth tech companies and raised a EUR 501m fund. The team plans to make 15 single investments of EUR 10 million to EUR 50 million to help some of the best European entrepreneurs realize their ambitions. Since inception, InfraVia Growth has participated in the funding rounds of Jobandtalent, Sightcall, Paysend, Foodles, Botify, Packhelp, Ometria, Paack, Xempus, Stratio and lastly DataDome.

www.infraviacapital.com

SOURCE DataDome

DataDome Closes $42M in Series C Funding to Advance the Fight Against Bot-Driven Cyberattacks and Fraud

SASE reduces security & connectivity costs and improves employee experience.

**LONDON****,** **March 30, 2023****/PRNewswire/ --** Socura, a UK-based cyber security managed services specialist, today announced the launch of its Managed SASE (Secure Access Service Edge) service in partnership with Palo Alto Networks' Prisma. Market industry researchers expect SASE to be a $60bn industry by 2027 fuelled by the rise of flexible working, which was enshrined into UK law in December 2022, whereby millions of UK employees were granted the right to request flexible working hours throughout their employment.SASE it is still an emergent and complex technology that the majority of MSSPs do not offer in 2023. Socura is one of the first UK security companies to offer SASE as a managed service, and it hopes it will give them an edge over legacy MSSPs that specialise solely in securing traditional on-premises environments.

By combining SASE with its Managed SOC (Security Operations Centre) service, Socura expects the new service to appeal primarily to SMEs and public sector organisations. These organisations often lack the in-house security resources needed to manage and monitor a SASE deployment on a 24/7 basis. 

SASE is designed for today's hybrid workforce and functions like a network security wrapper around an entire company, no matter where its endpoints are located. It's Zero Trust Network Access model enables organisations to create role-based access controls, granting their users access only to selected applications and services based on their identity, location, privileges, and device type and posture. SASE also converges security and networking functions onto the same platform. This enables organisations to control their perimeter, secure remote devices, lower costs, and eliminate latency and traffic issues.

"The moment that UK workforces went remote en masse in 2020, every business had a tricky twofold security problem; decentralised access to company data and loss of control over environments from which the data was being accessed," said Socura CEO, Andy Kays. "Legacy solutions were designed for occasional remote working and were a useful stopgap when the first lockdowns were announced. Three years later, many organisations have failed to update their security strategies despite embracing hybrid work. SASE offers a solution; fast deployment and reduced costs, whilst enabling organisations to adopt a 'never trust, always verify' approach to employee access — a perfect fit for the era of flexible working."     

**Notes for Editors** 

The Socura SASE service is available to customers immediately, see below for key benefits:

*   **Flexibility:** With a cloud-based infrastructure, Socura can deliver security services such as threat prevention, cloud web gateway, sandboxing, CASB, IoT security, DNS security, credential theft prevention, data loss prevention, and more.
*   **Cost savings:** Instead of buying and managing multiple point products, using a single service will dramatically reduce costs, and IT resource requirements.
*   **Increased performance:** With massively scalable cloud infrastructure and over 100 global points of presence, Socura connects customers to wherever their resources are located with minimal latency.
*   **Zero Trust:** Socura's approach removes trust assumptions when users, devices, and applications interconnect. Its SASE service provides complete session protection, regardless of whether a user is on or off the corporate network.

*   **Threat prevention:** In addition to the inherent advanced network threat prevention capabilities of the SASE/SSE platform, customers can opt to combine the Managed SASE service with Socura's award-winning Managed Detection and Response (MDR) service to provide enhanced coverage that includes endpoints, identity, and more.
*   **Data protection:** Data protection policies, defined within the SASE service, will help to prevent unauthorised access and abuse of sensitive data, helping customers meet necessary regulatory and compliance measures.
*   **Powered by an industry leader:** Socura's Managed SASE service is built upon the award-winning Prisma® SASE, from industry leader Palo Alto Networks.

**About Socura**

Socura offers a 24/7 Threat Detection and Response managed service via its nationally distributed, UK-based SOC team. The service acts as a trusted extension of clients' in-house capabilities, delivering swift detection and containment of cyber threats.

Socura helps make the digital world a safer place for its clients and changes the way organisations think about cyber security. It blends technical expertise and industry experience with a people-centric approach to security. Socura has innovation in its DNA, and is pushing the boundaries to deliver high-value cyber security services for clients.

Socura Launches Managed SASE (MSASE) Service

Don't count on securing end users for system security. Instead, focus on better securing the systems — make them closed by default and build with a security-first approach.

It's common among cybersecurity professionals to point to the end user as a top area of risk in securing the organization. This is understandable. Systems and software are under our control, but users are unpredictable, that unruly variable that expands our threat surface to each geographically dispersed user, personal device, and all-too-human foibles and flaws.

Certainly, threat actors target our users quite successfully — I'm not here to dismiss this obvious truth. But what is equally certain is this: _W__e cannot train our way out of this problem._ Enterprises pour significant investments into user security-awareness training, and still, they suffer embarrassing, costly breaches. So, focusing primarily on securing the end user isn't a sound strategy.

**Secure Systems With New Strategy in Mind**

Fact: your users are a major risk factor. According to Verizon's "2022 Data Breach and Investigations Report," 35% of ransomware infections began with a phishing email. Fact: This is despite escalating investments in security-awareness training over many years. The cybersecurity awareness training market is projected to grow from $1,854.9 million in 2022 to $12,140 million by 2027. Fact: Even with all these investments, ransomware (just as one attack type) is also expected to grow aggressively, despite many organizational efforts, including training.

Sad, unavoidable fact: Our users are still going to make mistakes — we're all human, after all. A survey conducted to prove the need for more security training, in my view, proved its inability to stop the cyber crisis: Four out of five surveyed had received security awareness training; between 26% and 44% (based on age demographic) continued to click on links and attachments from unknown senders anyway.

**Don't Just Count on Securing the User**

We should conclude that organizational security must not rely heavily on securing the user, that they will be compromised, and then begin securing systems with this assumption in mind. Thus, even if an end user is breached, the amount of systemic damage that's done by that compromise shouldn't be large if proper security measures are employed and orchestrated correctly.

Should we be training our end users? Absolutely, emphatically, yes. Strong security requires a layered approach, and that means buttressing your security by securing every doorway to your systems. But we must start removing end-user risk from the equation. This requires some difficult choices and significant leadership buy-in to these choices.

**How Can We Disarm Users as a Top Risk?**

Organizations must better block access and orchestrate security controls. Systems are too open by default; we must make them closed by default, evaluate each for risk, and then open access by exception and with full intentionality. Users can't click or open what they can't access, and in the organizations we assess or remediate post-breach, we see employees and systems having far greater access than necessary in the course of work. Companies should layer on stronger security orchestration across their people, process, and technology so that, should a threat actor gain access through an improper click anyway, there are controls designed to stop their lateral movement and harvesting/escalation of credentials.

Organizations can take proactive measures to reduce user risk, including: blocking access to personal email accounts; filtering HTTPS traffic with deep-packet inspection; blocking Internet access to nonuser subnets/VLANs by default; requiring all user traffic to be inspected and filtered all the time — no matter the endpoint; disallowing all but IT-approved file-sharing systems and password vaults; and enabling security features in tools such as firewalls and endpoint detection and response (EDR).

**Why Isn't This Being Done Already? The Barriers**

Blocking access to personal sites and platforms and slower systems access incurred by filtering/inspection can cause a degree of user and leader dissatisfaction. Some of the tools needed are also costly.

IT needs a stronger voice, expressing problems, solutions, risks, and results of failure in terms leaders can both hear and understand, so that proper controls and associated costs can be allocated. Users can then be educated from the top down on why these controls are necessary; thus, security awareness education can shift from "don't click and here's why" to include "We block most things by default, and here's why." Leaders that still choose not to make more aggressive investments have skin in the game on the level of risk they're choosing to accept for the organization.

Often, IT teams are also short on staff or expertise: they can't mitigate risks they can't see; educate on threats they don't know; or enable tools on which they are untrained. Teams without this visibility should consider in-depth assessments of controls, configurations, and orchestration from qualified experts.

One thing is certain: No matter how much training we provide, users will always be fallible. It's essential to minimize users' options to click in the first place, and then ensure that, when they do, there are controls in place to disrupt the progression of the attack.

Stop Blaming the End User for Security Risk

ISPM is a combination of identity attack surface management, and risk reduction, as well as identity threat prevention, detection, and response.

Identity security startup Spera came out of stealth with $10 million in seed funding and a platform to protect enterprises from identity-driven threats.

Spera is carving out a segment of the already crowded identity and access market with what it calls identity security posture management — a combination of identity attack surface management, risk reduction, and identity threat prevention, detection, and response. Spera's platform creates a real-time, continuously updated, risk and context-based inventory of identities and access across cloud and on-premises environments, the company said in a release announcing the company's launch. The resulting inventory is then analyzed, assessed, and normalized so that security teams can use the granular insights for remediating identity-driven attacks. This allows security professionals to identify or mitigate partially offboarded users, overprovisioned employees, unused and risky privileges, compromised credentials, and other identity risks.

According to IBM's Cost of a Data Breach report, identity-based attacks involving compromised credentials and phishing were the two most common and costly attack vectors of 2022. Spera has helped solve more than 75% of critical issues within the first weeks of deployment, the company said.

"As far as identity security is concerned, security teams can't see who accesses what resource, using what identity," said Richard Reinders, VP of Information Security at Gravity Payments, said in the announcement.

YL Ventures, which led the funding round, has been "bullish on the identity space" for some time, John Brennan, senior partner at YL Ventures, said in the announcement. "\[Despite\] a massive allocation of budget to IAM solutions, existing IAM tools failed to deliver on their promise," Brennan said.

Spera's founders are Dor Fledel, CEO, and Ariel Kadyshevitch, CTO.

Spera Takes Aim at Identity Security Posture Management

Elon Musk, Steve Wozniak, and Andrew Yang are among more than 1,000 tech leaders asking for time to establish human safety parameters around AI.

More than 1,000 of technology's top talent names — including Twitter CEO Elon Musk, Apple co-founder Steve Wozniak, and politician Andrew Yang — have signed an open letter urging AI pioneers to pump the brakes on the AI development race, because of its potential danger to humanity.

"Powerful AI systems should be developed only once we are confident that their effects will be positive, and their risks will be manageable," the open letter, published on the Future of Life Institute site said, in part. "Therefore, we call on all AI labs to immediately pause for at least 6 months the training of AI systems more powerful than GPT-4."

The potential danger of unchecked training of large learning models (LLMs), as outlined in the letter, is nothing less than humans being fully replaced by more intelligent AI systems. 

**Real-Life SkyNet? Parsing AI's Danger to Humanity**

"Contemporary AI systems are now becoming human-competitive at general tasks, and we must ask ourselves: Should we let machines flood our information channels with propaganda and untruth?" the letter asks. "Should we automate away all the jobs, including the fulfilling ones? Should we develop nonhuman minds that might eventually outnumber, outsmart, obsolete, and replace us? Should we risk loss of control of our civilization?"

Possible harm from advanced AI is a worry even for its proponents: Greg Brockman, CEO of ChatGPT, which created OpenAI, recently told a crowd at SXSW he was concerned about AI's ability to both spread disinformation and launch cyberattacks. But those worries are a far cry from fears that AI could become sentient.

To be clear, the six-month pause is intended to give policymakers, and AI safety researchers, time to put safety parameters around the technology, the letter explained. The Pause Giant AI Experiments letter stresses that the group is not calling for a halt on all AI development, but rather wants developers to stop the rush to roll out new capabilities without fully understanding their potential harm.

Even so, skeptics might look at CEOs like Musk, with potential commercial interests at stake in slowing OpenAI's development of GPT-5, and dismiss the Pause AI Open Letter as little more than a public relations ploy.

"We have to be a little suspicious of the intentions here — many of the authors of the letter have commercial interests in their own companies getting a chance to catch up with OpenAI's progress," Chris Doman, CTO of Cado Security said in a statement provided to Dark Reading. "Frankly, it's likely that the only company currently training an AI system more powerful than GPT-4 is OpenAI, as they are currently training GPT-5."

**Will the "Pause AI" Open Letter Do Anything?**

Beyond the celebrity names, the varied backgrounds, and public points of view of the signatories makes the letter worth taking seriously, according to Dan Shiebler, researcher with Abnormal Security. Indeed, the signatories include some of the brightest academic minds in the AI field, including John Hopfield, Professor Emeritus of Princeton University, and the inventor of associative neural networks, and Max Tegmark, professor of physics at MIT's Center for Artificial Intelligence & Fundamental Interactions.

"The interesting thing about this letter is how diverse the signers and their motivations are," Shiebler said in a statement to Dark Reading. "Elon Musk has been pretty vocal that he believes \[artificial general intelligence\] (computers figuring out how to make themselves better and therefore exploding in capability) to be an imminent danger, whereas AI skeptics like Gary Marcus are clearly coming to this letter from a different angle." 

However, ultimately, Shiebler doesn't predict the letter will do anything to slow AI development.

"The cat is out of the bag on these models," Shiebler said. "The limiting factor in generating them is money and time, and both of these will fall rapidly. We need to prepare businesses to use these models safely and securely, not try to stop the clock on their development."

Still, shining a light on the safety and ethics considerations is a good thing, according to John Bambenek, principal threat hunter at Netenrich.

"While it's doubtful that anyone is going to pause anything, there is a growing awareness that consideration of the ethical implications of AI projects is lagging far behind the speed of development," he said via email. "I think it is good to reassess what we are doing and the profound impacts it will have."

Top Tech Talent Warns of AI's Threat to Human Existence in Open Letter

Attackers are targeting cryptocurrency accounts belonging to users in Russia and more than 50 other countries.

Threat actors are using Trojanized installers for The Onion Router (Tor) browser to distribute clipboard-injector malware that pilfers funds from cryptocurrency accounts and transfers it to their illicit wallets.

Researchers from Kaspersky who have been tracking the activity since at least January 2022 have determined the threat actors are mostly targeting users in Russia, a nation that blocked access to Tor's official site in December 2021. Of the 16,000 instances where Kaspersky has detected the malware so far, most of them were in Russia and Eastern Europe. However, the researchers also detected the threat in more than four dozen countries so far, including the US, Germany, Netherlands, China, and the United Kingdom.

**Quiet Theft**

Kaspersky's analysis showed that the threat actors behind the campaign have, so far, siphoned out about $400,000 from crypto wallets belonging to users who downloaded the weaponized Tor installer. Almost all of the compromised accounts — more than 90% — were Bitcoin accounts, followed by LiteCoin.

"Given that we only see a fraction of the real picture, the global number of infections may well be several or even tens of times higher," Kaspersky warned in a report this week.

Clipboard injector malware, aka a clipboard hijacker, intercepts and replaces the contents of a user's clipboard with malicious code or content. This type of malware is not new, it has been around for at least a decade. Over the past few years, cybercriminals have typically used the malware to replace cryptocurrency wallet information from a user's clipboard with their own crypto information — and then transferring coins from the victim's wallet to their own.

Though seemingly straightforward, clipboard injector tools can be hard to detect and handle, Kaspersky said. They don't exhibit any of the more obvious behaviors associated with typical malware such as communicating with an external system, causing pop ups, or slowing down an infected system. They often blend in with legitimate clipboard activity and any data that the malware replaces can be hard to detect because of how frequently data in a clipboard gets overwritten in the normal course of events.

"\[Clipboard injectors\] can be silent for years, show no network activity, or any other signs of presence until the disastrous day when they replace a crypto wallet address," Kaspersky said.

**New Distribution Vector**

Threat actors so far have typically used phishing emails, malicious websites, and other malware to distribute clipboard hijackers.

The campaign to distribute it via weaponized Tor installers is a spin that Kaspersky surmised was likely inspired by Russia's move to ban access to the browser.

Tor gives individuals a way to browse the Internet anonymously by routing their traffic through a network of volunteer-run servers around the world. Frequent Tor users — apart from cybercriminals — include human rights activities, journalists, and those seeking to circumvent censorship and surveillance. Tor has previously described Russia as a country with over 300,000 daily Tor users.

According to Kaspersky, threat actors began distributing Trojanized Tor bundles to Russian-speaking users in December 2021, soon after the country's move to block access. The bundles typically consist of the original torbrowser dot exe installer with a valid Tor Project digital signature, a command-line extraction tool in the RAR archive form with a randomized name, and a password-protected RAR archive.

When a user downloads the weaponized Tor browser bundle, the original torbrowser executable runs in the foreground. In the background, it also runs the extraction tool on the password-protected RAR archive, which sets into motion a set of actions that ends with the clipboard injector malware installed on the victim system.

The authors of the malware likely have used a cracked version of Enigma, a commercially available software protector, to pack the malware and make it harder to detect.

Once installed, the "malware integrates into the chain of Windows clipboard viewers and receives a notification every time the clipboard data is changed," Kaspersky said.

If the malware detects cryptocurrency information in the clipboard, it replaces the content with an attacker-controlled address for Bitcoin or another cryptocurrency. Kaspersky researchers who analyzed various samples of the malware found each sample to contain thousands of replacement addresses making it hard for defenders to create a deny list or to trace cryptocurrency theft, the security vendor said.

The ongoing campaign is not the first time malware authors have abused Tor's popularity in Russia to target users there for cryptocurrency theft. In 2019, ESET observed a Bitcoin-stealing campaign involving a Trojanized version of the Tor browser. The security vendor's investigation showed that some of the attacker-owned Bitcoin addresses in the campaign had been active since at least 2017.

Trojan-Rigged Tor Browser Bundle Drops Malware

A vulnerability with a 9.8 CVSS rating in IBM's widely deployed Aspera Faspex offering is being actively exploited to compromise enterprises.

A critical bug in IBM's popular Aspera Faspex file transfer stack that allows arbitrary code execution is catching the eye of increasing numbers of cybercriminals, including ransomware gangs, as organizations fail to patch.

Months after IBM released a patch for the critical vulnerability, it's being exploited in the wild, researchers with Rapid7 stressed this week, noting that one of its customers was very recently compromised by the bug, tracked as CVE-2022-47986. Immediate action is needed, the researchers said.

"We strongly recommend patching on an emergency basis, without waiting for a typical patch cycle to occur," Caitlin Condon, senior manager of security research at Rapid7, warned in a blog post.

**Under the Hood of a 9.8 CVSS IBM Vulnerability**

IBM Aspera Faspex is a cloud-based file exchange application that utilizes the Fast Adaptive and Secure Protocol (FASP) to allow organizations to transfer files at higher speeds than would be achieved over ordinary TCP-based connections. The Aspera service is used by large organizations like Red Hat and the University of California, according to Enlyft, and is so lauded that it has literally won an Emmy.

The vulnerability exists in Faspex's version 4.4.2 Patch Level 1, and carries a 9.8 out of 10 on the CVSS vulnerability-severity scale.

"By sending a specially crafted obsolete API call," IBM explained in a security bulletin published on Jan. 26, an attacker could remotely deploy their own code onto any target system running Faspex.

The bug was first reported to IBM back on Oct. 6, 2022, and remedied on Dec. 8, in 4.4.2 Patch Level 2.

Exploitation activity began shortly after the patch was issued earlier this year, when the IceFire ransomware group shifted from targeting Windows to Linux systems. In doing so, it encountered a technical problem: Windows is everywhere, but Linux is most often run on servers. For that reason, they shifted to a new intrusion method for that environment: exploiting CVE-2022-47986.

In the time since, other cybercriminal outfits have pounced on this easy yet powerful vulnerability. In February, an unknown threat actor used it to deploy Buhti ransomware, after the Shadowserver Foundation picked up on live attempts.

**Why Can't Everyone Just Patch Already?**

Rarely in life do severe problems have instant remedies, yet CVE-2022-47986 is utterly amenable with a simple upgrade to Patch Level 2, or the newest Patch Level 3, released March 20, according to Condon. Why, with such a simple solution just a few clicks away, is any organization still vulnerable?

Negligence may be the answer in many cases. "Folks don't necessarily have consistent regular patch cycles," Condon tells Dark Reading. "We're seeing vulnerable software and appliances still exposed to the Internet after months and sometimes years." Indeed, as of last month, there were nearly 140 instances of Aspera Faspex exposed on the Web, she noted.

In certain cases, though, "I would not be surprised if this is difficult to patch," Condon says. "A lot of our analysis involved simply trying to set up the software and get it to work. So whether it's a complex stack or just software that is finicky when you set it up, that can also mean that it is difficult to patch."

Companies that haven't already patched, and can't do so immediately, have limited options left to protect themselves. "Putting in a couple layers of defense there would be very helpful," Condon says, and taking Aspera Faspex offline is absolutely crucial.

Ultimately, the only surefire fixes are to either patch or abandon the software outright, she adds.

"We're aware that when we say 'Hey, if you can't patch, shut it down,' that's not necessarily practical for everyone,” she explains. “So at the very least, take it off the public Internet, and put any other controls you can think of in place."

Patch Now: Cybercriminals Set Sights on Critical IBM File Transfer Bug

Credential phishing emails are the clear favorite of threat actors, with a 478% spike last year, new research shows.

The sheer volume of phishing emails sent in 2022 spiked by a jaw-dropping 569% according to a just-released analysis.

After sifting through a global network of data from 35 million users, using artificial and machine learning analysis, Cofense researchers released their latest State of Email Security Report that details the astronomical rise of email phishing as a tactic among threat actors in 2022.

The email security report revealed five specific trends:

1.  The number of credential phishing emails sent spiked by 478%;
2.  Emotet and QakBot are the top malware families observed;
3.  For the eighth consecutive year, business email compromise (BEC) ranked as the top cybercrime;
4.  Web3 use jumped by 341%;
5.  And there was an 800% increase in the use of Telegram bots for exfiltration.

"The cybersecurity landscape is always evolving, so it is imperative to stay on top of the latest trends and tactics," Tonia Dudley, vice president and CISO at Cofense said about the email security report. "The increase in nation-state attacks and major incidents overall continues to apply pressure to drive visibility of an organization's security program by boards, corporate executives, and cyber insurers.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Phishing Emails Up a Whopping 569% in 2022

Security analysts expect little improvement until at least the second half of the year.

Financial activity in the cybersecurity industry declined sharply in the first quarter of 2023 compared to the same period in 2022, and analysts tracking the sector expect little improvement until at least the second half of the year.

Even that expectation is tinged with some uncertainty over how the market will respond — in the short and long term — to Silicon Valley Bank's (SVB) stunning collapse in mid March and the resulting impact on venture capital funding in the sector.

And meanwhile, next quarter in fact might be the slowest for cybersecurity startup funding in years, at least one researcher predicts.

**Continued Financial Headwinds for Cyber**

"Conservatism and expectations for continued headwinds throughout 2023 were the recurring themes across the public cybersecurity company annual earnings calls held throughout the first quarter," says Eric McAlpine, founder and managing partner at Momentum Cyber. "\[Strategic decision makers\] are approaching the rest of the year with great caution and that has downstream impact for everyone else in the ecosystem."

The cautionary tone comes amid lingering fears of a broad economic recession, falling stock prices and huge layoffs at technology giants such as Amazon, Meta, Microsoft, and Tesla. Though analyst firms such as IDC expect cybersecurity spending to increase 12.1% in 2023 to $219 billion, there are some fears that inflation and rising technology costs could dent the gains organizations are hoping to get from the increased spending.

McAlpine says that through Feb. 28, Momentum Cyber has tracked 32 cybersecurity M&A deals totaling $2.6 billion in disclosed deal value and 102 financing deals totaling $2.5 billion in value. That is down sharply from the M&A deal volume of $13.8 billion across 79 deals that Momentum Cyber tracked in the year-ago quarter. In Q2 last year, that number surged to a record $89.8 billon before dipping sharply in the last half of the year.

"Both M&A and financing deal count and dollar value are down considerably from the same period in 2022 as we continue to deal with turbulent markets," he says.

Market research firm Omdia reported a similar slowdown in the first quarter of 2023 with analyst Ketaki Borade describing the volume of M&A transactions so far this year as just over half of last year's volume in the same period: 44 versus 97 in 2022.

Notable M&A examples in the first quarter of 2023 include Thoma Bravo’s $1.1 billion acquisition of Magnet Forensics, Francisco Partners' purchase of Sumo Logic for $1.7 billion, and SailPoint's acquisition of SecZetta for an undisclosed sum in January.

**Broad Investment Slowdown, Including in VC**

It was not just M&A activity that slowed in the first three months of 2023. Venture capital and other investment activity in cybersecurity companies declined as well says Richard Stiennon, chief research analyst at market research firm IT-Harvest.

Stiennon says IT-Harvest tracked a total of 41 investments totaling some $1.35 billion in cybersecurity companies through March: "That is at an annual rate of only $8 billion \[which is\] considerably down from 2022, which saw investments of $17 billion, and 2021, which set an all-time high of $24 billion." 

Of the 41 investments, there were seven rounds of $50 million or more which accounted for $893 million of the total $1.35 billion, Stiennon says. There have been no initial public offerings (IPOs) so far this year.

Despite the general slowdown in cybersecurity M&A and investment activity, the first three months of 2023 had its share of major transactions. Easily the standout among them was Israeli cloud security vendor Wiz' capital raise of $300 million in a Series D financing round in February that valued the company at an astounding $10 billion, Stiennon says. That made Wiz the highest valued private cybersecurity firm ever.

Stiennon points to a $205 million growth funding round that identity management vendor Saviynt secured from AB Private Credit Investors and $180 million in equity investments and strategic financing that MDR vendor Deepwatch raised in February, as two other major deals in 2023's first quarter. Yet another was a $500 million capital raise by Alphabet spinoff Sandbox AQ in February.

**Hot Sectors**

As has always been the case, some segments within the cybersecurity industry received more love from investors than other segments. Rik Turner, an analyst with Omdia, identified the segments that have received the largest amounts of funding so far in 2023 as network security, security management, and SecOps. These sectors have perennially been attractive to investors, he says. 

"Others such as cloud, application, and data security are now also mainstays within the overall totals," Turner says. "\[The trend\] speaks to the growing amount of cloudification of app infrastructures, which was already underway before the pandemic, but was undoubtedly turbocharged by it."

Several of the technologies that investors are betting on are also — unsurprisingly — the areas where enterprise organizations are spending most of their security dollars on as well. In a recent Dark Reading virtual event, Chenxi Wang, founder and general partner of Rain Capital, identified cloud security, network security, identity and access management, SecOps, and application security as some of the top spending priorities for organizations currently.

In comments to Dark Reading, Wang says based on her observation, overall deal volumes and the velocity of strategic deals decreased in the first three months of 2023. "We observed the same thing on the venture side. Less companies are getting funded compared to last year."

**A Cautious Cyber-Investment Outlook for the Rest of 2023**

Wang and other industry analysts have a somewhat cautious outlook on M&A and investment activity in the cybersecurity sector for the rest of the year. 

One major issue is how SVB's demise will playout over the rest of the year. Wang believes — like many others — that the SVB collapse will make it harder for startups and early-stage companies — especially those with a high-risk appetite — to get funding. 

"In the long run, it means less companies will cross the chasm to scale up and become a sustainable business," she says.

McAlpine is less concerned about the short-term implications of SVB's implosion. The immediate slowdown in financial activity that the bank's collapse triggered has already begun reversing itself. But the longer-term impact may not be evident for years. 

"Going forward, we're advising companies to avoid putting all their eggs in one basket," he says. "Working with multiple banks, for example, \[such as\] one global bank and one regional bank, can help to avoid business interruptions during this period of volatility in the banking system."

He expects that things will start to loosen up sooner rather than later. Financing and M&A activity can't remain in a state of limbo forever, he says. Many companies will still need capital to reach the next stage of their business, even if they're able to adjust and extend their runway near term. "We also expect to see more companies take a parallel approach where they pursue financing and M&A at the same time," he says. "This gives them optionality if one or the other doesn't materialize at a valuation that's acceptable to founders and investors."

Steinnon, who expected a lot of funding that didn't happen last year to be pushed into 2023, says he is underwhelmed by what he has seen so far this year. But he predicts investment and M&A activity will begin ticking upward starting in the third quarter and will at least match 2020's total of $10 billion. 

He predicts that the second quarter of 2023 will be the slowest investment quarter in years in the cybersecurity industry. 

"Fallout from SVB's failure is going to have a negative impact on all funding, including in cybersecurity," he says. "I fully expect private equity to take advantage of decreased valuations \[and\] to snap up deals from the public and private sectors."

Source

DARKReading