No longer the realm of lone wolves, the world of cybercrime is increasingly strategic, commoditized, and collaborative.

Just as you keep up with the latest news, tools, and thought leadership in order to protect and secure your organization from cybercriminals, your adversaries are doing the same thing. They are connecting on forums, evaluating new software tools, talking with potential buyers, and searching for new ways to outsmart your security stack.

A peek into their world shows they have advanced capabilities that often outmaneuver well-funded security teams and corporate security tools, especially when pitted against legacy solutions like signature-based antiviruses. Many security operations centers (SOCs) fail to prioritize real threats, while wasting time trying to solve others that they can realistically never scale to meet.

Security defenders need to move beyond the mental image of the lone hooded figure sitting in a dimly lit basement as cigarette smoke wisps up from a dirty ashtray. Let's take stock of the world of cybercrime as it exists today: strategic, commoditized, and collaborative (especially if the criminals have money to spend).

**Strategic Intent Backs Every Attack**

Adversaries always have a business purpose; there’s a plan for every piece of malware. To begin, cybercriminals snoop around for access to your environment, looking for something they can steal and potentially resell to someone else. While an attacker may not know _exactly_ what they want to do once they gain access to your environment, they tend to recognize value when they see it.

They may perform reconnaissance by looking for misconfigurations or exposed ports to exploit, a process often made trivially easy by known CVE databases and free open-port scanners. Initial compromise can also be accomplished by stealing a user’s credentials to access the environment, a process that’s sometimes even easier, before moving laterally to identify key assets.

**The Cyber Weapons Black Market is Maturing**

Cybercriminals have developed a sophisticated underground marketplace. Tools have evolved from relatively inexpensive and low-tech products into those with advanced capabilities delivered via business models familiar to legitimate consumers, like software as a service (SaaS). Threat hunters are witnessing the commoditization of hacking tools.

Phishing kits, pre-packaged exploits, and website cloning tools used to be very common. Designed to mimic website login pages, such as Microsoft Office 365 or Netflix, these tools were quite effective at capturing users’ credentials for many years.

Over the past two decades, though, the security community responded to this type of activity with techniques like pattern recognition, URL crawling, and shared threat intelligence. Tools like VirusTotal have made it a common practice for the discovery of malicious files to be shared with the wider security community almost instantaneously. Naturally, adversaries are well aware of this and have adapted.

**A New Phishing Methodology**

Today’s adversaries have also learned to capitalize on the rise of multi-factor authentication (MFA) by hijacking the verification process.

One new type of phishing kit is called EvilProxy. Like kits of the past, it mimics website login pages to trick users into giving away their login credentials. Unlike phishing kits of the past that were sold as one-time purchases, this new methodology — sold by specialists in access compromise — operates via a rental model, whereby the seller rents out space on their own server for running phishing campaigns.

They host a proxy server that operates like a SaaS model. The service costs about $250 for 10 days of access. This allows the SaaS providers to make more money and enables them to collect statistics they can then publish on hacker forums to market their products and compete against other sellers.

New kits have built-in protections to defend their phishing environment from unexpected visitors. Since they obviously don’t want web crawlers indexing their sites, they use bot protection to block crawlers, nuanced virtualization detection technology to ward off security operations teams doing reconnaissance through a virtual machine (VM), and automation detection to prevent security researchers from crawling their kit websites from different angles.

**The “Adversary in the Middle” Scenario**

In the context of bypassing MFA, acting as a reverse proxy to the authentic login page content creates big problems for typical phishing detection. By sitting between the user and the target website, the reverse proxy server allows the adversary to gain access to the username, password, and session cookie that is set after MFA is completed. They can then replay the session back into a browser and act as the user on that destination.

To the user, everything looks normal. By using slight variations of names in the URLs, the cybercriminals can make the site seem completely legitimate, with everything working as it should. Meanwhile, they have gained unauthorized access through that user, which can then be exploited for their own purposes or auctioned off to the highest bidder.

**The Adversary’s Business Model**

In addition to new phishing methodologies, malware is sold openly on the Internet and operates in a sort of gray space, floating between legal and illegal. One such example is BreakingSecurity.net, which markets the software as a remote surveillance tool for enterprise.

Every piece of malware has a price point associated with it to drive an outcome. And these outcomes have a clear business intent, whether it’s to steal credentials, generate cryptocurrency, demand a ransom, or gain spy capabilities to snoop around a network infrastructure.

Nowadays the creators of these tools are partnering with the buyers through affiliate programs. Similar to a multi-level marketing scheme, they say to the affiliate buyer of the tool, “Come to me when you get in.” They even offer product guarantees and 24/7 support of the tool in exchange for splitting the profits. This allows them to scale and build a hierarchy. Other types of cybercriminal entrepreneurs sell pre-existing compromises to the highest bidder. There are multiple business models at play.

**Today’s Reality: Case for an Advanced Cloud Sandbox**

Security teams should understand what today’s adversaries do and how quickly their actions can play out. The advanced malware on the market now is even more severe than phishing. Whether it’s Maldocs that evade filters, ransomware, information stealers, remote access trojans (RATs), or post-exploitation tools that combine toolsets, threat actors are more advanced than ever before—and so are their business models.

Countermeasures based on standard sandboxes doesn’t provide much in the way of inline prevention. Detection that combines cloud and AI can stop the stealthiest threats inline, in real time, and at scale.

If you’re not evolving with adversaries, you're falling behind. Because today’s cybercriminals are as professional and on their game as you.

Read more _Partner Perspectives_ from Zscaler.

Of Exploits and Experts: The Professionalization of Cybercrime

Market drivers include new regulations, increasing automobile complexity, and new vehicle types.

**BOULDER, Colo., Dec. 1, 2022 /PRNewswire/ —** A new report from Guidehouse Insights explores the global market for automotive cybersecurity solutions.

Automotive cybersecurity is the protection of connected vehicle systems, including software and communication networks, from tampering of any kind. Underlying the need for automotive cybersecurity is the increasingly complex technology of modern vehicles. According to a new report from Guidehouse Insights, paralleling increasing sales of connected vehicles, the market for automotive cybersecurity solutions is expected to grow steadily over the next 10 years, with revenue reaching more than $445.4 billion by 2031.

"The outlook for the automotive cybersecurity market over the next 10 years is strong. With vehicles becoming more reliant on electronic-based features and greater connectivity, the need for protection is high and growing," writes report author Karen Marcus, research analyst with Guidehouse Insights. "Interconnected systems involve small computers, or electronic control units for specific functions, multiple communication protocols, internal and third-party software, automation features, and cloud connectivity. Each of these components alone and working together creates potential attack vectors that must be protected."

Automotive manufacturers and their suppliers are increasingly driven by new regulations that require them to integrate cybersecurity solutions as a condition of approval for new designs; often, they are working to update their processes and systems before regulations go into effect. Other market drivers include increasing automobile complexity, new vehicle types, and shared vehicle services. Barriers to growth include resistance from research and development teams, high rates of employee resignation, and a chip shortage, all of which impact the industry's ability to provide service as quickly or thoroughly as its leaders would like, according to the report.

The report, "Automotive Cybersecurity Market Overview," analyzes the global market for automotive cybersecurity solutions, examines the key technologies in vehicles that require protection, and looks at the competitive landscape. It provides market outlooks for annual vehicle sales and revenue across six world regions—North America, Western Europe, Eastern Europe, Asia Pacific, Latin America, and Middle East & Africa—during the ten-year analysis period 2022 to 2031. An executive summary of the report is available for free download on the Guidehouse Insights website.

**About Guidehouse Insights**

Guidehouse Insights, the dedicated market intelligence arm of Guidehouse, provides research, data, and benchmarking services for today's rapidly changing and highly regulated industries. Our insights are built on in-depth analysis of global clean technology markets. The team's research methodology combines supply-side industry analysis, end-user primary research, and demand assessment, paired with a deep examination of technology trends, to provide a comprehensive view of emerging resilient infrastructure systems. Additional information about Guidehouse Insights can be found at www.guidehouseinsights.com.

**About Guidehouse**

Guidehouse is a leading global provider of consulting services to the public sector and commercial markets, with broad capabilities in management, technology, and risk consulting. By combining our public and private sector expertise, we help clients address their most complex challenges and navigate significant regulatory pressures focusing on transformational change, business resiliency, and technology-driven innovation. Across a range of advisory, consulting, outsourcing, and digital services, we create scalable, innovative solutions that help our clients outwit complexity and position them for future growth and success. The company has over 15,000 professionals in over 55 locations globally. Guidehouse is a Veritas Capital portfolio company, led by seasoned professionals with proven and diverse expertise in traditional and emerging technologies, markets, and agenda-setting issues driving national and global economies. For more information, please visit www.guidehouse.com.

Guidehouse Insights Anticipates Market for Automotive Cybersecurity Solutions Will Grow to More Than $445 Billion by 2031

Ratings ranged from AAA to CC, with security effectiveness scores from 27% to 100%.

**AUSTIN, Texas, Dec. 1, 2022 /PRNewswire/ —** CyberRatings.org, the non-profit entity dedicated to providing transparency on cybersecurity product efficacy, has completed an independent test of eight market leading security vendors in its first-ever Cloud Network Firewall comparative evaluation. Forcepoint, Fortinet and Juniper's test reports were published earlier in the year, all with 'AAA' ratings. In this latest release of test reports, Check Point and Versa Networks received a 'AAA' rating. Palo Alto Networks received an 'AA,' Sophos an 'A,' and Cisco 'CC.'

The test covered capabilities considered essential in a firewall including basic routing, access control, SSL / TLS decryption, threat prevention (exploits), evasion, performance, stability and reliability, and management. Amazon Web Services (AWS) was the public cloud service chosen to run the test. Ratings were calculated using a scale from 0 to 800.

Key findings include:  

*   Cloud services assume a shared security model, where cloud providers are responsible for the infrastructure and customers are responsible for securing the applications running on the infrastructure.
*   Roughly 80% of web traffic is encrypted and firewall decryption is not on by default: Firewalls will not see/block attacks delivered via (encrypted) HTTPS unless configured to do so.
*   Security vendors are used to controlling the platform on which their products are installed. In the cloud, they do not have that control; vendors are learning how to operate under these new conditions and there will be challenges.
*   Supply Chain attacks are on the rise. Using the cloud means relying on third parties to maintain software supply chain integrity. APIs, code reuse, open-source libraries, not maintained code, and other shared resources introduce unknown risks.

Security effectiveness scores ranged from 27% to 100%. The security effectiveness tests verified how effectively the firewall protected control network access, applications, and users while preventing threats (exploits and evasions), blocking malicious traffic while under extended load, and remaining resistant to false positives. Exploit block rates ranged from 88.3% to 100%. All products achieved 100% for resistance to evasion techniques.

"Security is your problem, not Amazon's," said Vikram Phatak, CEO of CyberRatings.org. "If you are migrating your data center to the cloud, create a plan for securing it." Phatak added. "And if you needed a firewall for your data center, you probably need one for your cloud deployment."

There are different ways consumers can purchase security products for the cloud. The individual test reports reflect the bring-your-own-license model while the comparative report illustrates the pay-as-you-go pricing. Both pricing models provide consumers with options to compare pricing on items important to their own organizations.

The following products were evaluated:

**Check Point Cloud Network Firewall CloudGuard IaaS R81.20-581**

**AAA**

Cisco Firepower Threat Defense for AWS Version 7.2.0

CC

Forcepoint Cloud Network Firewall v6.11

AAA

Fortinet Cloud Network Firewall v7.0.5 Build 0304(GA)

AAA

Juniper Cloud Network Firewall 22.1R1.1

AAA

Palo Alto Networks Cloud Network Firewall PA-VM-AWS-10.2.2

AA

Sophos Cloud Network Firewall SFOS 19.0.0 GA-Build317

A

Versa Networks Cloud Network Firewall Versa-FlexVNF-21.2.3

AAA

To read the CyberRatings reports go to CyberRatings.org.

Cloud Network Firewall test tools were provided by Keysight (CyPerf and Breaking Point), and TeraPackets Threat Replayer.

**About CyberRatings.org**

CyberRatings.org is a non-profit 501(c)6 entity dedicated to quantifying cyber risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org.

CyberRatings.org Announces Results from First-of-its-Kind Comparative Test on Cloud Network Firewall

Know what you need to fix today and what you don’t.

**EVERGREEN, Colo., December 1, 2022** **—** Phylum, The Software Supply Chain Security Company, today announced the addition of Automated Vulnerability Reachability to its software supply chain security platform capabilities. With the ability to focus only on fixing what matters_, s_ecurity pros can end the deluge of false positives and developers can innovate with greater speed and confidence. This new introduction, combined with Phylum’s ability to block and prioritize open-source code risks, provides organizations with the most comprehensive software supply chain security available in the market.

Vulnerabilities represent a clear and present danger to the integrity of the software supply chain, but the massive amount of noise and false positives that come with traditional detection methods drain resources and leave organizations overwhelmed.

"Vulnerability management has been a frustrating and persistent challenge for security teams for well over a decade. Phylum has automated the answer to the question, 'Do I actually call the code triggering this vulnerability?' Addressing this question reduces customer false positive vulnerability issues by 90% or more and enables security teams to engage their development teams with supply chain issues that truly matter," said Peter Morgan, co-founder and president of Phylum.

Most vulnerability management approaches do not account for the nuances of open-source libraries. In library code, the parts of the library used are just as important as the package name and version, and not accounting for this data results in an astronomically high false positive rate. For example, an organization might use a package for signing build packages that contains a known Heartbleed vulnerability. But since the organization is only using it for code signing and not using the part of OpenSSL where that vulnerability exists, it isn't reachable. The Phylum Platform recognizes this nuance and informs the user accordingly.

Organizations that use Phylum save precious developer time, make more critical fixes and improve overall security posture by leveraging:

1.  Deep source analysis and call tracing that identifies which vulnerabilities impact projects, and which ones don’t.
2.  Graph-powered analysis that identifies inter-package call paths to prioritize the most impactful bugs that need fixing.
3.  Automated, continuous policy enforcement that provides alerts if vulnerability functions change due to new development needs.

Since software projects are made up of anywhere from 70%-90% of open-source code, Phylum first blocks software supply chain attacks trying to enter environments from open-source packages. This alleviates the burden of having to do extensive remediation once source code is built. Automated Vulnerability Reachability then continuously monitors the code in the event any development, package or author changes result in new vulnerabilities.

The Phylum Software Supply Chain Security Platform is purpose-built to address persistent and evolving software supply chain security challenges. Regardless of the maturity stage of an appsec program, Phylum is designed to address immediate needs and scale with an organization to meet future needs.

Automated Vulnerability Reachability will be available in Q1 2023 via SaaS and On-Prem. Book a demo here.

**About Phylum**  
Phylum is on a mission to secure the universe of code. Its platform automates software supply chain security to block new risks, prioritize existing issues and allow users to only use open-source code that they trust. The company is built by a team of career security researchers and developers with decades of experience in U.S. Intelligence Community and commercial sectors. Phylum is the winner of the Black Hat 2022 Innovation Spotlight Competition and was named a Top Infosec Innovator by Cyber Defense Magazine. Learn more at https://phylum.io, read The Phylum Research Blog, and follow us on LinkedIn and Twitter.

Phylum Expands Its Software Supply Chain Security Capabilities, Introduces Automated Vulnerability Reachability

CI Fuzz CLI, the open source fuzzing tool with just three commands, integrates fuzz testing directly into the software development workflow.

The open source security tool CI Fuzz CLI now supports Java, according to Code Intelligence, the company behind the project.

Back in September, Code Intelligence announced CI Fuzz CLI, which lets developers run coverage-guided fuzz tests directly from the command line to find and fix functional bugs and security vulnerabilities at scale. CI Fuzz CLI can be integrated into common build systems such as Maven and Bazel; integrated development environments (IDEs), and continuous integration/continuous delivery (CI/CD) tools such as Jenkins. Initially, the tool supported C, C++, and CMake. The latest update, which includes the Junit integration, allows Java developers to run fuzz tests directly from the IDE.

Fuzz testing – or fuzzing – refers to when the tester throws a lot of data ("fuzz") against an application to see how the application reacts. Because the input data includes random and invalid inputs, developers can uncover issues which could result in memory corruptions, application crashes, and security issues such as denial-of-service and uncaught exceptions.

The latest guidelines for software verification from the National Institute of Standards and Technology includes fuzzing among the minimum standard requirements. Google recently reported more than 40,500 bugs in 650 open source projects have been uncovered through fuzz testing. The company launched OSS-Fuzz in 2016 in response to the Heartbleed vulnerability, a memory buffer overflow flaw that could have been detected by fuzz testing.

While fuzz testing is slowly gaining traction within the open source community, it is not yet widely used by developers outside open source and information security, Code Intelligence says. Part of that is because fuzzing is a specialized skill and many security teams don't have the knowledge and experience to use fuzz testing tools effectively. Code Intelligence says CI Fuzz CLI lowers the barrier to entry for fuzzing because the tool has only three commands. By allowing developers to run the tool from the command line or within the IDE makes fuzzing more accessible, the company says.

The fact that the tool integrates into the developer workflow means it can automatically fuzz the code whenever there is a new pull or merge request, the company says.

“Code Intelligence helps developers ship secure software by providing the necessary integrations to test their code at each pull request, without ever having to leave their favorite environment. It’s like having an automated security expert always by your side,” Thomas Dohmke, CEO of GitHub, said in a statement.

CI Fuzz CLI Brings Fuzz Testing to Java Applications

If unpatched, a host of GPU Display Driver flaws could expose gamers, graphic designers, and others to code execution, denial of service, data tampering, and more.

A new update from Nvidia for its GPU Display Driver includes fixes for a full 29 security vulnerabilities, seven with a base score of more than 7. 

The company's graphics cards are built to accelerate computing processing to support real-time or data-intensive applications. As such, they're known for their use by gamers, graphic designers, and other creative producers, and for artificial intelligence and machine learning. Impacted software products for the update specifically include GeForce, Studio, Nvidia RTX, Quadro, NVS, and Tesla.

The most serious of the bugs are two flaws that exist in the user mode layer for Windows versions, both of which could allow an unauthorized user to execute code, escalate privileges, launch denial-of-service attacks, and achieve data compromise and disclosure, according to the chipmaker:

*   **CVE‑2022‑34669** (CVSS score of 8.8): An unprivileged regular user can access or modify system files or other files that are critical to the application.
*   **CVE‑2022‑34671** (CVSS score of 8.7): An unprivileged regular user can cause an out-of-bounds write.

The display driver for Linux also received a number of updates in this latest security update. 

"Earlier software branch releases that support these products may also be affected," the Nvidia security update said. "If you are using an earlier branch release for which an update version is not listed above, upgrade to the latest branch release." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nvidia GPU Driver Bugs Threaten Device Takeover & More

The framework has ties back to a Spanish exploit broker called Variston IT, and offers a one-stop shop for compromising Chrome, Defender and Firefox.

Google's Threat Analysis Group (TAG) has discovered a cyberattack framework dubbed Heliconia, built to exploit zero-day and n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender. It likely has connections to a gray-market spyware broker called Variston IT, which highlights how this shadowy segment is flourishing.

The Heliconia threat consists of three modules:

*   Heliconia Noise for compromising the Chrome browser, escaping the sandbox, and installing malware;
*   Heliconia Soft, a Web framework that deploys a PDF containing a Windows Defender exploit for CVE-2021-42298 that allows privilege escalation to SYSTEM and remote code execution (RCE);
*   And the Heliconia Files package which contains a fully documented Firefox exploit chain for Windows and Linux, including CVE-2022-26485 for RCE.

TAG became aware of the threat after receiving an anonymous submission to the Chrome bug reporting program. Upon further investigation, the Heliconia framework's source code was found to contain a script that points back to Variston IT, a Barcelona-headquartered entity that claims to provide "custom security solutions."

Commercial spyware is often sold by organizations claiming to be legitimate companies, for "use by law enforcement." However, mounting evidence shows that too often, these brokers don't vet their clients, "putting advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents," according to a TAG posting on Wednesday.

Researchers noted that Variston IT is firmly in the middle of this proliferating market — a space that has seen sanctioning by the United States and others against organizations like the infamous NSO Group, creator of the Pegasus spyware.

"The commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe," TAG researchers added. "While surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups."

So far, none of the modules has been seen in current attacks in the wild, but TAG researchers noted that they've likely been deployed in the past, including using the exploits they contain as zero-days before they were fixed.

Google TAG Warns on Emerging Heliconia Exploit Framework for RCE

New protective measures work behind the scenes, with little impact on the customer experience.

Every bank and financial institution is having a serious conversation about security. In 2021, data breaches grew 79%, impacting 300 million people in the US. Simultaneously, more people are banking online than ever before. Today, 67% of banking customers access and manage their accounts digitally, either through a mobile app or a computer. Banks have the salient task of renewing customer confidence and creating secure digital platforms — but it can't come at the cost of customer experience. Through a robust technology platform, best practices, and financial technology (fintech) partnerships, banks can amplify the safety of online banking without derailing the industry's explosive growth.

**Debunking Myths About Digital Banking**

There is an ugly rumor going around that digital banking is less secure than traditional brick-and-mortar banking — but nothing could be further from the truth. Reputable online banking platforms are backed by the same Federal Deposit Insurance Corporation (FDIC) coverage as any other banking institution, meaning individual accounts are protected against fraud for up to $250,000.

Moreover, digital banks are built with sophisticated technology, and they already have the infrastructure in place to implement layered security and data protection. This makes them inherently less vulnerable to cybercrime than traditional banks. In digital banking, two-step authentication and data encryption are already a standard, and online banks are adopting advanced technologies like smart fraud monitoring systems that use machine learning and advanced data gathering to identify fraudulent activity. Financial institutions across the board are making the biggest investment in AI technology as a key to fraud prevention.

Many of these protective measures are happening behind the scenes, and operate with little impact on the customer experience. They work in real time to verify customer identity, protect information, minimize human error, and block fraudulent transactions.

**Creating a Frictionless Experience**

Security must be integrated into the customer journey, from the moment a customer opens a bank account through routine banking activity. Banks collect and store personal information as well as handle transactions with direct parties and counterparties, making it critical to have fraud prevention measures at each touchpoint through the customer experience. Standard best practices start with vendor management, risk assessment, and ongoing compliance monitoring.

Proper vendor management creates a protected platform and mitigates the risk of a cyber breach by securing front-end systems and conducting thorough due diligence of each partner. This process is a natural foray into strong risk assessment practices, which involve a deep review of partners, existing compliance disclosures, and financial risk. Compliance monitoring is the final piece of the puzzle. A survey from Ncontracts found that nearly 90% of financial institutions are concerned about regulatory compliance, but banks should think of regulators as partners in establishing a solid security program. Quality compliance ensures banks better understand and anticipate emerging risks before they have an opportunity to impact security or the customer experience.

**The Importance of Fintech Partnerships**

Fintech partnerships are an optimal way to access the technology infrastructure required to build a secure network. Last year, 65% of banks partnered with a fintech company; 35% of banks invested in a fintech; and 89% of banks said that fintech relationships were important to the institution.

This symbiotic relationship is becoming a mainstay in the industry because banks can leverage existing technology to develop strong data modeling and data governance practices rather than building the technology from scratch — and they work. Among banks that partnered with a fintech to improve fraud losses, 83% said the partnership helped the bank meet that objective. Fintechs also benefit by tapping into the bank's data to create a robust tech stack between the two enterprises.

While fintech partnerships have a lot of benefits, they are not a solution for every organization, and alignment of objectives, culture, and business strategy is critical to making the relationship successful. Vetting prospective fintech partners should explore the mechanics of core and digital systems integration, confirm relevant technology experience in tools like application programming interface (API), and identify key points of contact to ensure there is a dedicated staff to oversee the partnership.

By leveraging technology, pursing fintech partnerships, and establishing best practices, banks can protect their digital platform from cybercrime and data breaches without diminishing quality service and convenience. Security will become a seamless part of the customer experience. The only hint it's happening will be missing fraud alerts in your inbox.

How Banks Can Upgrade Security Without Affecting Client Service

Signal messaging app zero-day vulnerabilities have sparked a $1.5M bidding match, as gray-market exploit brokers flourish in today's geopolitical climate.

Gray-market exploit brokers are alive and kicking, with the latest sign of this flourishing market coming in the form of a bidding war for Signal messaging app zero-days from a relatively new entrant. 

Russia-based OpZero went on the record recently with a $1.5 million offer for Signal remote code execution (RCE) exploits, more than tripling the relatively stable high-water mark for that app offered by American firm Zerodium.

Cybersecurity experts say that this particular bidding war indicates the Russian government's desperation to gain surveillance capabilities over Ukrainians utilizing Signal to communicate. But the price movement on this front also offers a microcosmic look into the broader reliance of gray-market customers (most typically governments) on intermediary brokers.

**The Shadowy "Gray Hat" World of Cybersecurity Exploit Brokers

These brokers are sometimes independent dealers, other times thinly cloaked fronts for nation-state intelligence agencies, who buy from security researchers interested in cashing in on their exploit work. 

The market works on an "ask me no questions, and I'll tell you no lies" basis, researchers say. Brokers have no scruples in working with both white- and black-hat security experts — and exploit developers don't ask how or by whom their exploits will be used. The arrangements put this market in a swampy middle ground between the vendor-oriented, highly structured vulnerability bug-bounty market and the chaotic and overtly criminal dealings of the Dark Web, dominated by black hats.

"Exploit brokers function as market makers by contracting with suppliers (security researchers) managing an inventory of exploits, and selling to buyers (actors who deploy offensive cyber-operations)," according to a recent paper on the gray-market exploit world presented at the 21st Workshop on the Economics of Information Security (WEIS’22) in Tulsa, Okla., earlier this year. 

"In doing so, brokers can more efficiently manage transaction costs relative to suppliers and buyers directly contracting with each other. Additionally brokers provide a layer of insulation against reputation and legal fallout," the paper explained, adding that the price of exploits has grown by 1,240% over the last six years in the gray market.

****War in Ukraine Sparks Signal Exploit Bidding War**

Perhaps one of the most public and prolific players in the market is Zerodium, an American firm with an obscured customer list of "government institutions mainly from Europe and North America," according to the company's FAQ. 

The firm offers as much as $2 million for iOS flaws and presents many public offers for exploits in a range of operating systems and applications. The company has had a standing offer since 2017 of "up to" $500,000 for exploits of Signal and other social messaging apps, including Facebook Messenger, WhatsApp, and Telegram.

The entrance of OpZero into this mix with an offer of three times that amount, which has experts such as security researcher The Grugq postulating that the company is a stand-in for Russian intelligence services that are "desperate" for Android and Signal exploits.

"Android has an almost 80% market share in Ukraine, and Signal has over 2 million daily active users," The Grugq recently wrote. "Android phones with Signal are robust security platforms. They’re not military equipment, but they’re perfectly capable of providing protection against a wide range of security threats. Including nation state level threat actors. Russia appears to be lacking an Android or Signal capability."

New Exploit Broker on the Scene Pays Premium for Signal App Zero-Days

New investment will accelerate growth and expansion of SaaS identity-hygiene platform.

**NEWARK, N.J., Nov. 30, 2022 /PRNewswire****/** — SPHERE Technology Solutions (SPHERE), a leader in identity hygiene, announced today a $31 million Series B investment led by Edison Partners, a Princeton-based leading growth equity firm, with participation from existing investor Forgepoint Capital. As part of the transaction, Edison General Partner Lenard Marcus will join SPHERE's board of directors.

As cyberattacks escalate in number and severity, Identity Hygiene has become foundational to enterprise security, digital transformation, and mandatory compliance. The increasing needs around ensuring identities have access to only the required resources has been in direct response to the rise in ransomware attacks and bad actors who take advantage of wide open and mismanaged access.

SPHERE immediately shrinks the attack surface of these threats through an automated platform that provides visibility and remediation of identity hygiene risks along with tech-enabled managed services, delivering expertise to accelerate these crucial programs. SPHERE's current customers are some of the largest and most highly regulated organizations globally, ranging from financial institutions to healthcare providers and more. With this investment, SPHERE will expand its SaaS offering, channel ecosystem and alliances, and sales and marketing to accelerate growth.

"As a company founded and operated by a team of security practitioners, we developed a mission-critical solution well before the market even deemed it mission-critical," said Rita Gurevich, founder and CEO of SPHERE. "We've experienced the problems that our customers encounter firsthand, and understand the time, dedication, and resources it takes to solve the complex issues they face every day. We're thrilled to have the support of Edison Partners and Forgepoint Capital for our next chapter of growth."

For over 13 years, SPHERE has enabled IT and Security teams to adopt a Zero Trust model by finding and fixing any type of identity access issue across any resource — in a fraction of the time these complex capabilities would take manually. The platform SPHEREboard provides an end-to-end workflow for end-user and privileged account controls, across cloud and on-premises systems and infrastructure, remediates open, excessive and inappropriate access, and provides an evergreen path for sustainability.

"Identity management, and more broadly information security, starts with the ability to ensure that the only parties with access to sensitive or operational data are those identified by management," said Marcus. "SPHERE's platform enables enterprises to improve their identity hygiene and maintain compliance. Its managed services offerings enable it to service the mid-market and large enterprises, where the problem is pervasive. Edison Partners is also proud to support female trailblazers like Rita Gurevich, who are closing the gender diversity gap in a historically male-dominated industry."

SPHERE continues to build significant traction and earn industry accolades that recognize the company's growth, leadership and commitment to diversity, a source of passion for Gurevich ever since she began building the company from the ground up. SPHERE was honored as a Gold Winner in the 2022 Globee Cyber Security Excellence Awards, named a finalist in the annual SINET 16 Awards, and selected by the Timmy Awards for Best Tech Workplace for Diversity in New York. A proven leader and innovator in cybersecurity, Gurevich was named by _SC Magazine_ as a top "Women to Watch" in 2022. She was also selected as the only female finalist for the _SC Awards_ "Security Executive of the Year."

"Our focus is to invest in the most innovative cybersecurity companies and SPHERE's combination of automation and expertise is unmatched in the industry," said Forgepoint Capital Managing Director Don Dixon. "Major corporations including many of the world's leading financial institutions rely on Sphere for its ability to effectively address two critical use cases – Zero trust initiatives and regulatory requirements for identity entitlements. We're excited to continue our partnership and to welcome Lenard and Edison to the board of directors."

**About SPHERE**

SPHERE is an award-winning, woman-owned cybersecurity business focusing on improving security and enhancing compliance. SPHERE's identity hygiene solution puts the controls in place to secure an enterprise's most sensitive data, create the right governance processes for systems and assets, and ensure organizations are compliant with the regulations surrounding their respective industries. For more information, please visit www.SPHEREco.com.

**About Edison Partners**

Edison Partners is a leading growth equity firm providing the financial and intellectual capital that CEOs and their executive teams need to grow and scale their companies. The firm's team brings more than 275 years of combined investing, operating and sector experience to each investment, accessible via the Edison Edge value creation platform, which is tailored to each business' strategy, stage and operating needs. Edison targets high-growth financial technology, healthcare IT and vertical SaaS and marketplace companies located outside Silicon Valley with $10 million to $30 million in revenue. Investments also include buyouts, recapitalizations, spinouts, and secondary stock purchases. Edison's active portfolio has created aggregated market value exceeding $10 billion. Edison Partners manages $1.6 billion in assets. For more information on Edison Partners, please visit edisonpartners.com and follow on LinkedIn.

**About Forgepoint Capital**

Forgepoint Capital is a leading cybersecurity venture capital firm that invests in transformative companies protecting the digital future. As the most active sector-focused firm in cybersecurity and infrastructure software, Forgepoint has the largest dedicated investment team and portfolio of over 40 companies. The firm brings over 100 years of proven company-building experience and its Advisory Council of more than 80 industry leaders to support entrepreneurs advancing innovation globally. Founded in 2015, Forgepoint is proud to partner with category-defining companies such as 1Kosmos, Area 1 Security (Cloudflare), Attivo Networks (SentinelOne), BehavioSec (RELX), Bishop Fox, Cysiv (Forescout), Huntress, IDX (ZFOX), Noname Security, NowSecure, ReversingLabs, SPHERE, Uptycs and more as they achieve their market potential. Learn more at forgepointcap.com or follow Forgepoint on LinkedIn.

SOURCE: SPHERE

Source

DARKReading