Cloud-native threats are costing cloud customer victims money as cryptojackers mine their vulnerable cloud instances.

Threats against cloud-native infrastructure are on the rise, particularly as attackers target cloud and container resources to power their illicit cryptomining operations. In the latest twist, cybercriminals are wreaking havoc on cloud resources to both propagate and run cryptojacking enterprises in costly schemes that cost victims some $50 in cloud resources for every $1 worth of cryptocurrency that the crooks mine off of these compute reserves.

That's according to a new report out today from Sysdig, which shows that while the bad guys will indiscriminately attack any weak cloud or container resources they can get their hands on to power money-making cryptomining schemes, they're also cleverly strategic about it. 

In fact, many of the most crafty software supply chain attacks are in large part designed to spawn cryptominers via infected container images. Attackers not only leverage source code dependencies most commonly thought of in offensive supply chain attacks — they also leverage malicious container images as an effective attack vehicle, according to Sysdig's "2022 Cloud-Native Threat Report." 

Cybercriminals are taking advantage of the trend within the development community to share code and open source projects via premade container images via container registries like Docker Hub. Container images have all the required software installed and configured in an easy-to-deploy workload. While that's a serious time saver for developers, it also opens up a path for attackers to create images that have malicious payloads built in and then to seed platforms like DockerHub with their malicious wares. All it takes is for a developer to run a Docker pull request from the platform to get that malicious image running. What's more, the Docker Hub download and installation is opaque, making it even harder to spot the potential for trouble.

"It’s clear that container images have become a real attack vector, rather than a theoretical risk," the report explained, for which the Sysdig Threat Research Team (TRT) went through a monthslong process of sifting through public container images uploaded by users worldwide onto DockerHub to find malicious instances. "The methods employed by malicious actors described by Sysdig TRT are specifically targeted at cloud and container workloads."

The team's hunt surfaced more than 1,600 malicious images containing cryptominers, backdoors, and other nasty malware disguised as legitimate popular software. Cryptominers were far and away the most prevalent, making up 36% of the samples.

"Security teams can no longer delude themselves with the idea that 'containers are too new or too ephemeral for threat actors to bother,'" says Stefano Chierici, senior security researcher at Sysdig and co-author of the report. "Attackers are in the cloud, and they are taking real money. The high prevalence of cryptojacking activity is attributable to the low risk and high reward for the perpetrators."

**TeamTNT and Chimera**

As a part of the report, Chierici and his colleagues also did a deep-dive technical analysis of the tactics, techniques, and procedures (TTPs) of the TeamTNT threat group. Active since 2019, the group according to some sources has compromised over 10,000 cloud and container devices during one of its most prevalent attack campaigns, Chimera. It's best known for cryptojacking worm activity and according to the report, TeamTNT continues to refine its scripts and its TTPs in 2022. For example, it now connects scripts with the AWS Cloud Metadata service to leverage credentials associated with an EC2 instance and gain access to other resources tied to a compromised instance.

"If there are excessive permissions associated with these credentials, the attacker could gain even more access. Sysdig TRT believes that TeamTNT would want to leverage these credentials, if capable, to create more EC2 instances so it could increase its cryptomining capabilities and profits," the report said.

As part of its analysis, the team dug into a a number of XMR wallets used by TeamTNT during mining campaigns to figure out the financial impact of cryptojacking. 

Utilizing technical analysis of the threat group's operational practices during the Chimera operation, Sysdig was able to find that the adversary cost its victims $11,000 on a single AWS EC2 instance for every XMR it mined. The wallets the team recovered amounted some 40 XMR, meaning that the attackers drove up a cloud bill of nearly $430,000 to mine those coins. 

Using coin valuation from earlier this year, the report estimated the value of those coins equals about $8,100, with back-of-envelope figuring then showing that for every dollar the bad guys make, they cost victims at least $53 in cloud bills alone.

Container Supply Chain Attacks Cash In on Cryptojacking

The team's annual survey finds that the right development culture is better than technical measures when it comes to shoring up software supply chain security practices. An additional benefit: Less burnout.

Companies that focus on trusting their developers, looking beyond blame, and striving for strong cooperation tend see greater adoption of measures that contribute to more secure software supply chains.

According to the annual 2022 Accelerate State of DevOps published on Sept. 28 by Google Cloud's DevOps Research and Assessment (DORA) team also found that DevOps teams that focused on good security practices had a lower rate of burnout, with low-security teams having 1.4 times greater odds of voicing high levels of stress.

While technical infrastructure did help, the survey shows that starting with, or developing, the right culture is extremely important.

For instance, the DORA survey at the heart of the report measured DevOps teams' adherence to 13 different aspects measured by the Supply-chain Levels for Software Artifacts (SLSA) security framework, which calls for building product releases using centralized continuous integration/continuous development (CI/CD) systems, storing change histories indefinitely, defining software builds through scripts, and isolating the build process. And even though the majority of companies had completely or moderately implemented all of the 13 practices, those that had more collaborative and less blame-oriented cultures did better, the DORA survey found.

"More open, generative cultures ... tend to have positive effects for organizational performance as well as for the people who work there," says Todd Kulesza, one of the authors of the report and a senior user-experience (UX) researcher at Google Cloud. "What we want to see is — if there is a security problem — we want the engineers to feel empowered and safe to bring attention to that. You don't want your developers to sweep things under the rug, especially in terms of the security."

The survey unfortunately found that there's work to do on the collaborative front: Many software developers feel there is a gulf between programmers and application-security teams.

"High-friction approaches to security can be frustrating for developers and ineffective overall, as people try to avoid the friction points," the report stated. "The developers we spoke with wanted to do the right thing, and often discussed frustration that shipping features or fixes consistently took priority over potential security issues."

**Supply Chain Security: Critical Barometer for DevOps Performance**

In its eighth year, the DevOps Research and Assessment (DORA) team's annual report has strived to identify best practices among teams that use the DevOps approach to software development. In 2021, the DORA group found that software supply chain security had become a critical component of high-performing DevOps organizations, so this year, the researchers focused on determining what led to successful outcomes on that front.

    

Most DevOps teams have adopted SLSA practices. Source: Google Cloud's 2022 DORA report.

In the survey, Google focused on adoption of security practices that are part of supply chains.

In addition to DevOps teams' adherence to the SLSA framework, the survey asked developers the degree to which they comply with dozens of security practices that form the Secure Software Development Framework (SSDF) created by the US National Institute of Standards and Technology (NIST).

Organizations that had highly cooperative teams that shared risks and responsibilities, and prioritized learning over blame — so-called "generative" cultures — were more likely to adopt more than two dozen of those security practices, the survey of DevOps practitioners found.

"A lot of these practices — I'm not going to say that they are 100% established across organizations — but a lot of these practices have 50% or more of practitioners reporting that it is established or very well established," says John Speed Meyers, a co-author of the report and a security data scientist at software supply chain security firm Chainguard. "There is a lot of room for improvement, but these things are not so hard that no one is doing it."

The survey also measured developer burnout, based on how highly they rated their agreement with statements such as "my feelings about work negatively affect my life outside of work" and "I am indifferent or cynical about my work." Teams that did not focus on security were 40% more likely to agree or strongly agree with these statements.

In addition, teams that had the worst change failure rates and took the longest to deploy — anywhere from once a month to once every six months — also had high rates of burnout.

Google Cloud DORA: Securing the Supply Chain Begins With Culture

Shocking phishing numbers (more than 1 million in a single quarter) are being driven by vishing, smishing, and other lures that target mobile devices.

Last quarter saw a record-shattering number of observed phishing attacks, fueled in large part by attempts to target users on their mobile devices. 

The latest Anti-Phishing Working Group (APWG) "Phishing Activity Trends Report" for the second quarter of 2022 found 1,097,811 observed phishing attacks, the most the group has ever measured in its history. 

The financial sector remained the top target for phishing lures (27.6%), along with other bombarded sectors, including webmail and software-as-a-service providers, social media sites, and cryptocurrency. 

But much of the rise in phishing volume is due to a new threat actor focus on mobile devices, specifically vishing (voice phishing) and smishing (SMS phishing) attacks, the report noted. 

"We're seeing a huge increase in mobile phone-based fraud, with smishing and vishing collectively seeing a nearly 70% increase in volume as compared to Q1 totals," Matthew Harris, senior product manager of fraud at Opsec said in reaction to the APWG findings. "We are still seeing fraud coming in via the typical OTT apps (WhatsApp, WeChat, Facebook Messenger, etc.), but the SMS-based fraud is really the kicker here," 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Phishing Attacks Crushed Records Last Quarter, Driven by Mobile

With provisional agreement reached on the Digital Operational Resilience Act, the clock is now ticking for banks and information and communications technology (ICT) services companies with European operations. Here's what you need to know.

On May 11, 2022, the European Union (EU) reached provisional agreement on the new Digital Operational Resilience Act (DORA). Despite the phrasing, there's nothing "provisional" about DORA. In fact, one of the world's most far-reaching cybersecurity regulations for financial services and their supply chains is mostly a done deal.

All that remains prior to formal adoption, expected sometime this October, primarily involves a handful of technical changes and translation into the 24 official languages of the EU's member states.

DORA represents the EU's response to the ever-increasing number of cyberattacks against financial institutions. It's designed to strengthen the security of EU financial firms, such as banks, insurance companies, investment firms, and more, by imposing resilience requirements and regulating the supply chain. But, as I noted in an earlier post, the tenets of DORA extend far beyond the EU and its financial sector.

DORA's uniform requirements for the security of network and information systems encompass not only enterprises in the financial sector but also critical third-party vendors providing information and communications technology–related services to the financial sector, such as cloud platforms and data analytics.

Indeed, DORA's reach extends to basically any enterprise offering information and communications technology (ICT) services that is considered critical to the supply chain supporting the European financial sector — regardless of whether or not that enterprise or service is based inside the EU. In fact, under DORA, the complexity of the supply chain or the lack of EU presence are both considered risk factors.

**Mandating New Regulatory Perspectives**

DORA is unique in that it brings a new and different level of regulatory scrutiny to a wide variety of global enterprises. DORA's requirements _mandate_ — not merely suggest — compliance with its provisions. Just as important, the impact of this new level of regulatory scrutiny differs depending on the point of view of the enterprise.

Financial institutions accustomed to a regulatory environment primarily designed to assess financial risk and stability will now have to take the potential risk posed by their ICT operations just as seriously. Financial institutions are accustomed to address risk in the form of capital requirements. DORA takes a different approach by mandating specific behavior and performance-based requirements. From the point of view of financial institutions, that elevation of risk has consequences across multiple aspects of their business, such as how they consume technology and how they transform their business by transitioning to new technologies like cloud computing. This includes overall risk management strategies and capabilities, supply chain security, and organizational staffing and policies for ensuring proper ICT risk assessment and compliance.

DORA also changes the regulatory perspective of ICT organizations. Up to now, they've been regulated primarily on data-related issues, such as data privacy, and data breach notification, based on concerns about personal data and political objectives like digital sovereignty. Groundbreaking rules, such as the General Data Protection Regulation (GDPR) in Europe, and the more recent California Consumer Privacy Act (CCPA) in the United States, come to mind.

ICT organizations might also have other regulatory obligations on security, or have been classified as critical infrastructure, depending on where they are located, such as under the Network and Information Security Directive (NIS) in Europe, the Cybersecurity Act 2018 in Singapore, or sector-specific legislation for specialized industries, such as telecoms in the United States.

Now, if ICT companies are servicing financial institutions in the EU, they most likely will be subject to DORA as well. So, in addition to their prior regulatory frameworks, those ICT providers designated as offering a critical service will suddenly be regulated under DORA in a way that very much feels as if they are becoming _extensions_ of the EU financial institutions they're servicing. Regardless of how one looks at it, that's a dramatic change — for both financial institutions and ICT providers.

But that's not all. DORA changes the perspective for the EU's regulatory establishment. Regulators who are experts on financial institution compliance must now extend their scope to include ICT providers offering critical services, such as cloud providers, data analytics services, and other non-financial businesses. In countries with complex regulatory structures, there will also be the need to cooperate with other bodies tasked with regulating these additional types of non-financial industries.

**Meeting the Challenges**

DORA requires EU financial institutions to assess their own cybersecurity and risk management maturity. Understanding and managing their supply chain risk performance will be central to this effort.

In general, financial institutions are adept at stress tests for determining security and financial stability. It's a different challenge to extend those kinds of tests to other organizations. So, for the EU's financial sector, how to manage vendors, risk management, and operational capabilities in an ever more complex and extended supply chain poses the biggest puzzle.

For example, a financial institution might be headquartered in Europe but have all its support activities outsourced to businesses based in India. These support services may not technically be financial institutions. But DORA will require the financial institution to assess if the vendor is critical to its operations and apply the relevant DORA requirements to that relationship.

For enterprises not based in the EU, the key question is one of jurisdiction and market access. Financial institutions or ICT providers operating outside the EU are not affected. But if the enterprise is a financial institution or ICT service provider servicing the EU finance sector in any way, it will most likely be subject to DORA — directly or indirectly.

**Countdown to 2024**

Unless something changes in the final text, DORA goes into effect 24 months after its official adoption. Realistically, that is likely to be somewhere near the close of 2024. The good news is that this provides plenty of time for organizations to prepare for compliance. Most importantly, it is not too long for inclusion in a typical enterprise budget cycle.

But before that deadline sneaks up on you, start preparing _now_. Here are five key steps:

*   Use the time until 2024 wisely.
*   Understand where you are. Search, find, and identify your compliance gaps.
*   Determine what you need to remediate your gaps.
*   Educate and get buy-in from senior management.
*   Budget for the 24 months.

The clock is ticking.

The Countdown to DORA

The previously identified ransomware builder has veered in an entirely new direction, targeting consumers and business of all sizes by exploiting known CVEs through brute-forced and/or stolen SSH keys.

The powerful Chaos malware has evolved yet again, morphing into a new Go-based, multiplatform threat that bears no resemblance to its previous ransomware iteration. It's now targeting known security vulnerabilities to launch distributed denial-of-service (DDoS) attacks and perform cryptomining.

Researchers from Black Lotus Labs, the threat intelligence arm of Lumen Technologies, recently observed a version of Chaos written in Chinese, leveraging China-based infrastructure, and exhibiting behavior far different than the last activity seen by the ransomware-builder of the same name, they said in a blog post published Sept. 28.

Indeed, the distinctions between earlier variants of Chaos and the 100 distinct and recent Chaos clusters that researchers observed are so different that they say it poses a brand-new threat. In fact, researchers believe the latest variant is actually the evolution of the DDoS botnet Kaiji and perhaps "distinct from the Chaos ransomware builder" previously seen in the wild, they said.

Kaiji, discovered in 2020, originally targeted Linux-based AMD and i386 servers by leveraging SSH brute-forcing to infect new bots and then launch DDoS attacks. Chaos has evolved Kaiji's original capabilities to include modules for new architectures — including Windows — as well as adding new propagation modules through CVE exploitation and SSH key harvesting, the researchers said.

**Recent Chaos Activity**

In recent activity, Chaos successfully compromised a GitLab server and unfurled a flurry of DDoS attacks targeting the gaming, financial services and technology, and media and entertainment industries, along with DDoS-as-a-service providers and a cryptocurrency exchange.

Chaos is now targeting not only enterprise and large organizations but also "devices and systems that aren't routinely monitored as part of an enterprise security model, such as SOHO routers and FreeBSD OS," the researchers said.

And while the last time Chaos was spotted in the wild it was acting more as typical ransomware that entered networks with the purpose of encrypting files, the actors behind the latest variant have very different motives in mind, the researchers said.

Its cross-platform and device functionality as well as the stealth profile of the network infrastructure behind the latest Chaos activity appears to demonstrate that the aim of the campaign is to cultivate a network of infected devices to leverage for initial access, DDoS attacks, and cryptomining, according to the researchers.

**Key Differences, and One Similarity**

While previous samples of Chaos were written in .NET, the latest malware is written in Go, which is rapidly becoming a language of choice for threat actors due to its cross-platform flexibility, low antivirus detection rates, and difficulty to reverse-engineer, the researchers said.

And indeed, one of the reasons that the latest version of Chaos is so powerful is because it operates across multiple platforms, including not only Windows and Linux operating systems but also ARM, Intel (i386), MIPS, and PowerPC, they said.

It also propagates in a far different way than previous versions of the malware. While researchers were unable to ascertain its initial access vector, once it takes hold of a system, the latest Chaos variants exploit known vulnerabilities in a way that shows the ability to pivot quickly, the researchers noted.

"Among the samples we analyzed were reported CVEs for Huawei (CVE-2017-17215) and Zyxel (CVE-2022-30525) personal firewalls, both of which leveraged unauthenticated remote command line injection vulnerabilities," they observed in their post. "However, the CVE file appears trivial for the actor to update, and we assess it is highly likely the actor leverages other CVEs."

Chaos has indeed gone through numerous incarnations since it first emerged in June 2021 and this latest version is not likely to be its last, the researchers said. Its first iteration, Chaos Builder 1.0-3.0, purported to be a builder for a .NET version of the Ryuk ransomware, but the researchers soon noticed it bore little resemblance to Ryuk and was actually a wiper.

The malware evolved across several versions until version four of the Chaos builder that was released in late 2021 and got a boost when a threat group named Onyx created its own ransomware. This version quickly became the most common Chaos edition directly observed in the wild, encrypting some files but maintain overwritten and destroying most of the files in its path.

Earlier this year in May, the Chaos builder traded its wiper capabilities for encryption, surfacing with a rebranded binary dubbed Yashma that incorporated fully fledged ransomware capabilities.

While the most recent evolution of Chaos witnessed by Black Lotus Labs is far different, it does have one significant similarity with its predecessors — rapid growth that is unlikely to slow anytime soon, the researchers said.

The earliest certificate of the latest Chaos variant was generated on April 16; this is subsequently when researchers believe threat actors launched the new variant in the wild.

Since then, the number of Chaos self-signed certificates has shown "marked growth," more than doubling in May to 39 and then jumping to 93 for the month of August, the researchers said. As of Sept. 20, the current month has already surpassed the previous month's total with the generation of 94 Chaos certificates, they said.

**Mitigating Risk Across the Board**

Because Chaos is now attacking victims from the smallest home offices to the largest enterprises, researchers made specific recommendations for each type of target.

For those defending networks, they advised that network administrators stay on top of patch management for newly discovered vulnerabilities, as this is a principal way Chaos spreads.

"Use the IoCs outlined in this report to monitor for a Chaos infection, as well as connections to any suspicious infrastructure," the researchers recommended.

Consumers with small office and home office routers should follow best practices of regularly rebooting routers and installing security updates and patches, as well as leveraging properly configured and updated EDR solutions on hosts. These users also should regularly patch software by applying vendors' updates where applicable.

Remote workers — an attack surface that has significantly increased over the last two years of the pandemic — also are at risk, and should mitigate it by changing default passwords and disabling remote root access on machines that don't require it, the researchers recommended. Such workers also should store SSH keys securely and only on devices that require them.

For all businesses, Black Lotus Labs recommends considering the application of comprehensive secure access service edge (SASE) and DDoS mitigation protections to bolster their overall security postures and enable robust detection on network-based communications.

Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules

Illumio Endpoint extends zero trust segmentation to see risk and set policy across macOS and Windows devices.

**Sunnyvale, Calif., Sept. 28, 2022 —** Illumio, Inc., the Zero Trust Segmentation company, today announced Illumio Endpoint®, a reimagined way to prevent breaches from spreading to clouds and data centers from laptops.

Hybrid work has expanded the attack surface, introducing new threats and making organizations more vulnerable, so it’s become increasingly important for employees to have secure access to applications and data wherever they are located. Unlike other Zero Trust Segmentation solutions, Illumio Endpoint lets your policy follow your teams’ laptops wherever they work, whether at home, in the office, or at a coffee shop. With Illumio Endpoint, the first device that gets infected will also be the last.

Organizations are more interconnected and vulnerable in hybrid workplaces, and the attack surface is growing increasingly complex. Additionally, attacks on hybrid work environments are more expensive, costing an average of about $600K more than the global average. Even with endpoint detection and response tools in place, endpoints still get breached — according to ESG, 76% of organizations experienced a ransomware attack in the past two years alone.

Illumio Endpoint includes:

· Extended visibility and segmentation policy controls for macOS and Windows devices, allowing organizations to see risk and stop attacks from spreading from laptops, workstations, and VDIs.

· A single, unified console to see and manage visibility and segmentation policy across endpoints, clouds, and data centers, making Zero Trust Segmentation easier, faster, and more efficient for security teams.

· Work from anywhere supports with segmentation policy that follows the device, so organizations have the confidence that their networks are secure, and their employees can remain productive while working from anywhere.

· The ability to control application access so users can only reach the necessary applications from their device, not the entire data center and cloud, minimizing the organization's risk from vulnerable or compromised endpoints.

  
"Before Illumio, we had only a slim idea of what kind of communications were running across our network. But with Illumio, we clearly see exactly what's connecting to individual endpoints,” said David Ault, VP of Information Security at Telhio Credit Union.

“The hybrid workforce is here to stay, which exposes organizations to a more complex attack surface and more risk, particularly on the endpoint,” said Mario Espinoza, Chief Product Officer at Illumio. “It’s important to have tools that can detect and respond to an identified breach, but unidentified attacks can spread throughout the organization to access critical data and assets when Zero Trust Segmentation is not in place to proactively contain the breach. With Illumio Endpoint, security leaders will gain the comprehensive protection needed to build resilience to attacks throughout their hybrid IT and as employees work from anywhere.”

“Ransomware and other cyberattacks often involve end user devices somewhere in the attack chain, moving laterally on to other higher-value assets,” said Dave Gruber, Principal Analyst, ESG. “Because attackers continue to find ways in and move laterally fast, prevention, detection and response mechanisms can fall short stopping these fast-moving attacks. Containment strategies such as Zero Trust Segmentation across endpoint devices can proactively stop ransomware and other fast-moving attacks from spreading to critical infrastructure and assets, reducing risk.”

To learn more about Illumio Endpoint visit: https://www.illumio.com/products/illumio-endpoint.

**About Illumio** 

Illumio, the Zero Trust Segmentation company, stops breaches and ransomware from spreading across the hybrid attack surface. The Illumio ZTS Platform visualizes all traffic flows between workloads, devices and the internet, automatically sets granular segmentation policies to control communications, and isolates high-value assets and compromised systems proactively or in response to active attacks. Illumio protects organizations of all sizes, from Fortune 100 to small business, by stopping breaches and ransomware in minutes, saving millions of dollars in application downtime, and accelerating cloud and digital transformation projects.

Illumio Introduces New Solution to Stop Endpoint Ransomware from Spreading Across the Hybrid Attack Surface

ZecOps extends Jamf's mobile security capabilities by adding advanced detections and incident response.

**MINNEAPOLIS, Sept. 26, 2022 (GLOBE NEWSWIRE) —** Jamf (NASDAQ: JAMF), the standard in Apple Enterprise Management, today announced it signed a definitive agreement to acquire ZecOps Inc., a leader in mobile detection and response.

This acquisition uniquely positions Jamf to help IT and security teams strengthen their organization's mobile security posture, accelerating mobile security investigations from weeks to minutes, leverage known indicators of compromise (IOC) at-scale, and identify sophisticated 0- or 1-click attacks on a much deeper scale.

"I am very excited to bring ZecOps' market-leading advanced mobile detection and response capabilities into the Jamf platform," said Dean Hager, CEO, Jamf. "We believe ZecOps has built a differentiated solution that meets a very important need for many organizations — the ability to thoroughly detect and investigate threats that target mobile users so they can confidently use these powerful devices for work. This capability further propels our goal of continuing to bridge the gap between what Apple provides and the enterprise requires."

Mobile devices now account for 59% of global website traffic, and according to the 2022 Verizon Mobile Security Index, close to half (45%) of companies said that they have suffered a compromise involving a mobile device in the past 12 months.

ZecOps will bring important capabilities to the Jamf platform to help address the growing trend of targeted mobile attacks. Jamf offers robust management and mobile security capabilities for iOS devices; however, access to deeper insights into potential security exploits is technically challenging and requires physical access to the device, which is difficult in a remote work environment. ZecOps is a robust, unparalleled solution that provides the deepest layer of insight and assurance for security-conscious customers with high-value targets that need something more. ZecOps provides the same level of visibility currently available for macOS through Jamf Protect but for iOS, making it capable of detecting the kinds of sophisticated mobile threats that Apple's Lockdown mode aims to prevent. With ZecOps, users can have both Lockdown mode and ZecOps software operating at the same time.

**Advanced threat hunting on mobile devices**  
Advanced protection of mobile devices requires a layered approach. Proactive investigation and analysis complement device management and mobile threat defense for more advanced detections and preventative protections. ZecOps enables advanced threat hunting by capturing and analyzing logs from iOS and Android devices at the operating system layer, allowing security operations and incident response teams to perform automatic or on-demand mobile cyber investigations.

**Digital forensics and incident response**  
Security teams are already drowning in data. Event logs, analyst reports, third-party threat intelligence feeds, and more are produced regularly for applications, endpoints, and network infrastructure. Mobile has historically been left out of this data feed. Many investigation teams lack expertise in modern mobile platforms. ZecOps' sophisticated digital forensics capabilities provides Security Operation Center (SOC) teams with unique mobile threat intelligence to uncover zero-day attacks. ZecOps does the heavy lifting for SOC teams, saving months of work per investigation. The solution automatically constructs a timeline of suspicious events and indicators of compromise to demonstrate when and how a device was impacted.

**Privacy conscious**  
Data privacy is extremely important to Jamf. ZecOps shares Jamf's commitment to safeguarding user data by ensuring log collection doesn't include the user's material personal data such as photos, videos, text messages and call logs, and only leveraging low-level system information and diagnostics data to the cloud for analysis. ZecOps analysis can also take place on-premises to meet various organizations' and governments data privacy requirements.

"We founded ZecOps to catch hidden 0-click and 1-click attacks," said Zuk Avraham, co-founder and CEO, ZecOps. "By combining with Jamf, we can offer our customers a truly powerful mobile threat intelligence and threat hunting capabilities that will keep up with the evolving threat landscape without compromising the user experience."

This transaction is subject to the satisfaction of customary closing conditions and is expected to close in the fourth quarter. Terms of the transaction were not disclosed.

**About Jamf**  
Jamf's purpose is to simplify work by helping organizations manage and secure an Apple experience that end users love and organizations trust. Jamf is the only company in the world that provides a complete management and security solution for an Apple-first environment that is enterprise secure, consumer simple and protects personal privacy. To learn more, visit www.jamf.com.

**About ZecOps**  
ZecOps develops the world's most powerful platform to discover and analyze mobile cyber attacks. Used by world-leading enterprises, governments and individuals globally, ZecOps Mobile Detection and Response platform provides a realistic and scalable approach to mobile threat hunting. ZecOps enables automated discovery of 0-day attacks and Advanced Persistent Threats (APTs), delivering anti cyber-espionage capabilities within minutes.

**Forward-Looking Statements**  
This release relates to a pending acquisition of ZecOps, Inc. ("ZecOps") by Jamf Holding Corp. ("Jamf", "we", our" or "us"). This release contains forward-looking statements within the meaning of the "safe harbor" provisions of the Private Securities Litigation Reform Act of 1995, regarding the anticipated benefits of the acquisition, and the anticipated impacts of the acquisition on our business, products, financial results, and other aspects of our and ZecOps' operations. You can identify forward-looking statements by the fact that they do not relate strictly to historical or current facts. These statements may include words such as "anticipate," "estimate," "expect," "project," "plan," "intend," "believe," "may," "will," "should," "can have," "likely," and other words and terms of similar meaning in connection with any discussion of the timing or nature of future operating or financial performance or other events. These risks, uncertainties, assumptions, and other factors include, but are not limited to: the effect of the announcement of the acquisition on the ability of Jamf or ZecOps to retain key personnel or maintain relationships with customers, vendors, developers, community members, and other business partners; risks that the acquisition disrupts current plans and operations; the ability of the parties to consummate the acquisition on a timely basis or at all; the satisfaction of the conditions precedent to consummation of the acquisition; our ability to successfully integrate ZecOps' operations; our and ZecOps' ability to execute on our business strategies relating to the acquisition and realize expected benefits and synergies; and our ability to compete effectively, including in response to actions our competitors may take following announcement of the acquisition. Further information on these and additional risks, uncertainties, and other factors that could cause actual outcomes and results to differ materially from those included in or contemplated by the forward-looking statements contained in this release are included under the caption "Forward-Looking Statements" and elsewhere in our Form 10-Q for the quarter ended June 30, 2022, and other filings and reports we make with the Securities and Exchange Commission from time to time. Moreover, both we and ZecOps operate in a very competitive and rapidly changing environment, and new risks may emerge from time to time. It is not possible for us to predict all risks, nor can we assess the impact of all factors on our business or the acquisition, or the extent to which any factor, or combination of factors, may cause actual results or outcomes to differ materially from those contained in any forward-looking statements we may make. Forward-looking statements speak only as of the date the statements are made and are based on information available to us at the time those statements are made and/or our management's good faith belief as of that time with respect to future events. Except as required by law, we undertake no obligation, and do not intend, to update these forward-looking statements.

SOURCE: Jamf

Jamf Announces Intent to Acquire ZecOps, to Provide a Market-Leading Security Solution for Mobile Devices as Targeted Attacks Continue to Grow

Defend against phishing attacks with more than user training. Measure users' suspicion levels along with cognitive and behavioral factors, then build a risk index and use the information to better protect those who are most vulnerable.

Our approach to security awareness is flawed. And we must change it.

As Russian tanks creaked into Ukraine, CEOs and IT managers throughout the United States and much of the free world started sending out emails warning their employees about impending spear-phishing attacks.

It made sense: Spear-phishing was what Russians had used on Ukrainians many times in the past half of a decade, such as when they shut down the country's electrical grid on one of its coldest winter nights. It was also what the Russians had used against the Democratic National Committee and targets across the US.

At one end, the email missives from CEOs were refreshing. People were serious about the threat of phishing, which wasn't the case in 2014 when I started warning about its dangers on CNN.

At the other end, it was sobering. There wasn't much else organizations had figured out to do.

Sending messages to warn people was what AOL's CEO resorted to back in 1997, when spear-phishing first emerged and got its name. Budding hackers of the time were impersonating AOL administrators and fishing for subscribers' personal information. That was almost three decades ago, many lifetimes in Internet years.

In the interim, organizations have spent billions on security technologies and countless hours in security training. For context, a decade ago, Bank of America (BoA) was spending $400 million on cybersecurity. It now spends $1 billion per year on it. Yet thousands of its customer accounts in California were hacked last year.

And BoA isn't alone. This year, Microsoft, Nvidia, Samsung, LG, and T-Mobile — which recently paid out a $350 million settlement to customers because of a breach in 2021 — were hacked. All fell victim to spear-phishing attacks. No question that the employees in these companies are experienced and well-trained in detecting such attacks.

**Flawed Approach**

Clearly, something is fundamentally flawed in our approach, when you consider that after all this, email-based compromises increased by 35% in 2021, and American businesses lost over $2.4 billion due to it.

A big part of the problem is the current paradigm of user training. It primarily revolves around some form of cyber-safety instruction, usually following a mock phishing email test. The tests are sent periodically, and user failures are tracked — serving as an indicator of user vulnerability and forming the backbone of cyber-risk computations used by insurers and policymakers.

There is limited scientific support for this form of training. Most point to short-term value, with its effects wearing off within hours, according to a 2013 study. This has been ignored since the very inception of awareness as a solution.

There is another problem. Security awareness isn't a solution; it's a product with an ecosystem of deep-pocketed vendors pushing for it. There is legislation and federal policy mandating it, some stemming from lobbying by training organizations, making it necessary for every organization to implement it and users to endure it.

Finally, there is no valid measurement of security awareness. Who needs it? What type? And how much is enough? There are no answers to these questions.

Instead, the focus is on whether users fail a phishing test without a diagnosis of the why — the reason behind the failures. Because of this, phishing attacks continue, and organizations have no idea why. Which is why our best defense has been to send out email warnings to users.

**Defend With Fundamentals**

The only way to defend against phishing is to start at the fundamentals. Begin with the key question: What makes users vulnerable to phishing?

The science of security already provides the answers. It has identified specific mind-level or cognitive factors and behavioral habits that cause user vulnerability. Cognitive factors include _cyber-risk beliefs —_ ideas we hold in our minds about online risk, such as how safe it might be to open a PDF document versus a Word document, or how a certain mobile OS might offer better protection for opening emails. Many such beliefs, some flawed and others accurate, govern how much mental attention we pay to details online.

Many of us also acquire _media habits,_ from opening every incoming message to rituals such as checking emails and feeds the moment we awake. Some of these are conditioned by apps; others by organizational IT policy. They lead to mindless reactions to emails that increase phishing vulnerability.

There is another, largely ignored, factor: _suspicion_. It is that unease when encountering something; that sense that something is off. It almost always leads to information seeking and, armed with the right types of knowledge or experience, leads to deception-detection and correction.

It did for the former head of the FBI. Robert Muller, after entering his banking information in response to an email request, stopped before hitting Send. Something didn't seem right. In the momentary return to reason caused by suspicion, he realized he was being phished, and changed his banking passwords.

By measuring suspicion along with the cognitive and behavioral factors leading to phishing vulnerability, organizations can diagnose what makes users vulnerable. This information can be quantified and converted into a risk index, with which they can identify those most at risk, the weakest links, and protect them better.

Doing this will help us defend users based on a diagnosis of what they need, rather than a training approach that's being sold as a solution — a paradigm that we know doesn't work.

After billions spent, our best approach remains sending out email warnings about incoming attacks. Surely, we can do better. By applying the science of security, we can. And we must — because spear-phishing presents a clear and present danger to the Internet.

Time to Change Our Flawed Approach to Security Awareness

The "single pane of glass" that gathers and correlates all the information security professionals need doesn't exist, so it's up to us to create it.

When the Bloomberg Terminal was introduced in 1982, it changed Wall Street forever. The Terminal was a computing marvel, aggregating and correlating more data than ever imagined. From market data to global currencies, commodities and real estate to policy and politics, investors and traders had for the first time a centralized data platform for real-time, multidimensional visibility and analysis. 

After seeing the field differently, users developed new proprietary strategies that led to an explosion in new products, such as index options and mortgage-backed securities. Data analysis kicked off an age of discovery, and it made Wall Street the place to be in the 1980s and beyond.

Today, data analysis is a critical component of any cybersecurity program. Security teams must sift through a dizzying array of inputs and issues in order to separate the signals and noise. They must differentiate between legitimate and malicious activity and prioritize where to take action to mitigate risk and battle adversaries to protect their businesses and customers.

One could argue that artificial intelligence (AI) and machine learning (ML) are leading the much-needed age of advancement in cybersecurity. But thousands of companies are using AI and ML to develop thousands of cybersecurity solutions. Siloed implementations by vendors that have little incentive to collaborate have created massive complexity that ultimately still leaves businesses vulnerable to attacks and exploits. 

The Bloomberg Terminal for cybersecurity — the "single pane of glass" that gathers and correlates all the relevant information security professionals need to do their jobs efficiently — doesn't yet exist. So enterprises are left grappling with where they should begin.

**Protect the Most Critical Asset First**

The approach we have been using to reduce business risk and protect critical assets is not working or scaling to meet the complexity of today's environment or the attack landscape. The focus has been on protecting the infrastructure, the data center, and the devices using a complex web of barriers to limit access. Despite the attention that zero-trust security architectures have received, it seems that as an industry, we struggle to turn the rhetoric into architecture. Businesses are encouraged to move away from moats and castles and toward securing access and applications, but practitioners still tend to focus on building fences around their most critical assets instead of securing the assets themselves.

Yet data is arguably the enterprise's most important asset. Data breaches exposed 21 billion records in 2021. This is why cybercriminals target it and governments around the world regulate it. The business consequences of a data breach have never been higher. According to the 2022 "Cost of a Data Breach" report from IBM and Ponemon, the average cost of a data breach rose to a record $4.35 million in 2022.

As the enterprise transitions to the cloud, this shift dramatically increases the threat surface of an organization, since much of this activity is outside the visibility of the security teams. "The cloud" no longer means a public cloud vendor or two. The modern enterprise environment involves on-prem services, multiple cloud services, software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS) all securing managed and unmanaged devices, with hybrid employees and third parties all requiring access to business assets. Security professionals have no way to see it all, certainly not in a dashboard view.

**Protect the Whole Enterprise**

Few organizations speak with more CISOs than Gartner. According to "Gartner Predicts 2022," consolidated security platforms are the future:

_Vendors are increasingly divided into 'platform' and 'portfolio' camps, with the former integrating tools to make a whole that's greater than the sum of the parts, and the latter packaging products with little integration. Technology consolidation is not limited to one technology area or even to a closely related set of technologies; these consolidations are happening in parallel across many security areas._

The Bloomberg Terminal for cybersecurity may never exist in the way security professionals dream about, so it'll be up to them to envision and create their own version. This is harder than it might seem, as evidenced by the increasing disillusionment security practitioners feel with their security information and management (SIEM) implementations — where big data leads to big bills but not deep insights — and the growth of more specialized event management and extended detection and response (XDR) solutions. This will require a review of that sea of options to select the tools that make the most sense for each layer of the enterprise.

Could we end up with a handful of platforms built on open standards? For the sake of enterprise risk, and the people doing the work, let's hope so.

When Will Cybersecurity Get Its Bloomberg Terminal?

Malwarebytes achieves 250% year-over-year MSP partner growth, introduces new modules to enhance protection, detection, and resolution of threats for SMBs.

**SANTA CLARA, Calif., Sept. 27, 2022 / PRNewswire/ —** MalwarebytesTM, a global leader in real-time cyber protection, continues to expand its OneView platform capabilities as well as rapidly grow the company's Managed Service Provider (MSP) program. In addition to best-in-class endpoint security, MSPs can now access vulnerability assessment, patch management, and Domain Name System (DNS) filtering from Malwarebytes OneView.

"At Malwarebytes, we aim to serve the underserved, which is what our MSP partners are doing every day for SMBs," said Brian Thomas, Vice President of Worldwide MSP & Channel Programs at Malwarebytes. "I joined Malwarebytes with ambitious plans that are coming to life through our amazing team and unwavering commitment to help both new and existing MSP partners keep their clients safe while catapulting their businesses to new heights."

Delivering high-quality cybersecurity services and keeping customer environments free from malware requires a skilled team that can provide 24x7 coverage. Yet, many MSPs face constrained staff resources, skyrocketing costs and complexities of managing multiple solutions to uncover hidden threats. Today's MSPs require streamlined and simplified solutions to help them keep pace.

The Malwarebytes OneView platform empowers MSPs to deliver enterprise-class endpoint security products that drastically reduce customer malware infections and ransomware exposure. The easy-to-manage platform allows security analysts of all skill levels to be effective from a centralized cloud-based console. With different levels of protection capabilities and threat prevention modules, MSPs can offer the right product or service to each customer, tailored to their specific needs.

This quarter, Malwarebytes has continued to build upon OneView, adding three new modules that simplify breach prevention within the same cloud interface MSPs already trust for detection and remediation:

*   **Vulnerability and Patch Management**, which enables MSPs to take control of their full patching process, helping ensure defenses are up to date across their clients' environments.
*   **DNS Filtering**, which empowers organizations to regulate access to websites and other content on company-managed networks, which in turn reinforces the security of company data.
*   **Vulnerability Assessment**, which helps users understand exposure, identify vulnerabilities, and prioritize actions to update defenses across device and server operating systems and a wide range of third-party applications.

"The continued expansion of the OneView platform empowers us to help our customers with enhanced protection modules and expert support, reducing investments in time and resources needed to protect their organizations against increasingly complex vulnerabilities," said Daniel Mitchell, CEO of Alt-Tech. "Our partnership with Malwarebytes means stronger and simpler protection for our SMB customers, helping them successfully navigate potential threats."

Malwarebytes' initial MSP Program and OneView showed significant traction, resulting in over 250% YOY growth, with more than 2,700 new global MSP partners and strategic partnerships with Addigy, Atera, ConnectWise, Datto, GCN Group, Kaseya, Sherweb, TeamViewer and regional partner Soft Solutions. Based on business demand and future growth projections, Malwarebytes added more than 30 employees in the last six months across the MSP team, including Nadia Karatsoreos, who is dedicated to empowering MSPs to profitably grow their businesses. The company plans to continue expanding the MSP Program with further product innovation as well as additional resources and training.

"I am thrilled to be joining the Malwarebytes team during this pivotal time," said Nadia Karatsoreos, Senior MSP Growth Strategist at Malwarebytes. "MSPs have been tasked with keeping their clients safe from cyber threats, which is not an easy feat. They not only need the tools but also a supportive vendor so they can confidently sell and serve their customers. I'm so excited that I get to continue to help MSPs grow their businesses."

To read more about the latest threats and cyber protection strategies, visit our newsroom, or follow us on Facebook, Instagram, LinkedIn, TikTok, and Twitter.

**About Malwarebytes  
**Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, that mission has expanded to provide cyber protection for everyone. Malwarebytes provides consumers and organizations with device protection, privacy, and prevention through effective, intuitive, and inclusive solutions in the home, on-the-go, at work, or on campus. A world-class team of threat researchers and security experts enable Malwarebytes to protect millions of customers and combat existing and never-before-seen threats using artificial intelligence and machine learning to catch new threats rapidly. These capabilities have been lauded by independent third parties including, among others, MITRE Engenuity, MRG Effitas, AV-TEST (consumer and business), G2 Crowd and CNET. With threat hunters and innovators across the world, the company is headquartered in California with offices in Europe and Asia. For more information, visit https://www.malwarebytes.com.

**SOURCE:** Malwarebytes

Source

DARKReading