But there was a substantial drop in the overall number of critical vulnerabilities that the company disclosed last year, new analysis shows.

The number of privilege escalation bugs in Microsoft's products increased for the second year in a row in 2021, highlighting the growing risk this vulnerability category poses for organizations.

BeyondTrust recently analyzed data from Microsoft vulnerability disclosures in 2021 and found that 588 — or 49% — of the total 1,212 bugs that the company disclosed gave attackers a way to elevate privileges on compromised systems and networks. The number represented a 5% increase from the 559 privilege escalation bugs in Microsoft products that BeyondTrust counted in 2020, when such bugs also eclipsed all other categories of vulns in the company's technologies.

The trend is important because organizations sometimes tend to pay less attention to privilege escalation vulnerabilities than other bugs because often, they can only be exploited after an attacker has already compromised a system. "Elevation of privilege bugs do not get the same attention from organizations" as some other vulnerabilities, says Tim McGuffin, director of adversarial engineering at LARES Consulting. Most organizations focus on preventing initial compromise, which can come from remote code execution vulnerabilities and other flaws, he says. "But \[they\] often de-prioritize patches for EoP vulns and wait until quarterly or annual patch cycles."

**A New Trend**

The number of privilege escalation vulnerabilities in Microsoft's technologies increased last year even as the overall number of reported bugs in the company's products declined for the first time in years. The 1,212 bugs that Microsoft disclosed in 2021 was about 5% lower than the 1,268 bugs it reported in 2020. That was in sharp contrast to the previous four years, which saw a near doubling in bugs — from 451 in 2016 to 858 in 2019.

BeyondTrust also observed a 47% decrease in the number of critical vulnerabilities that Microsoft disclosed in 2021 — 104 compared to 196 in 2020. The number of Windows OS vulnerabilities, too, dropped dramatically in 2021 — from a record 907 vulnerabilities across Windows 7, Windows RT, Windows 8/8.1, and Windows 10 to just 507 last year.

Remote code execution vulnerabilities, which were the most common type of security issue in Microsoft products until 2019, ranked second last year at 326, followed by information disclosure vulnerabilities (119), spoofing (66), and denial of service bugs (55). Microsoft reported a total of 44 security bypass vulnerabilities last year and 3 issues related to tampering. BeyondTrust observed declines in other vulnerabilities such as in overflow, memory corruption, and cross-site scripting flaws in Microsoft technologies. Cumulatively, there were 215 fewer vulnerabilities across these three categories in 2021 compared to the prior year.

The vendor ascribed several likely reasons for the Microsoft vulnerability reductions last year, including better security and coding practices on Microsoft's part; end of life of Windows 7 and other products: and the shift of more enterprise workloads and services to the cloud.

**Fewer Critical Vulnerabilities**

"A drop in critical vulnerabilities reported from 196 to 104 is great news," says Richard Stiennon, chief research analyst at IT-Harvest. "Yet it's hard to derive insights from just the numbers."

The increase in privilege escalation vulnerabilities, for instance, is significant because it indicates that researchers are looking harder for these flaws in Microsoft products. "These are critical because an attacker will use them to ultimately get admin privileges and thus complete control of a system," Stiennon says. "APT groups usually have some sort of escalation exploits in their toolboxes to compromise their targets."

Microsoft's late-2021 adoption of the industry-standard CVSS format for reporting vulnerabilities also made it impossible to determine how many of the critical vulnerabilities it disclosed last year could have been mitigated by removing admin rights on user systems, BeyondTrust said.

The CVSS is derived from data that is designed to produce a numerical score relative to the severity of a vulnerability, says Christopher Hills, chief security strategist at BeyondTrust. "This is great for the overall audience in seeing which vulnerabilities have the highest severity," he says. "But it provides camouflage for those vulnerabilities that leverage privilege elevation because those are now buried in the report."

Between 2015 and 2020, some 75% of critical Microsoft vulnerabilities could have been mitigated by removing admin rights on user systems. There's little reason to believe that the situation has changed a whole lot now, according to BeyondTrust.

"With end user systems and remote access being the top attack vector for bad actors, there truly is no valid reason why users should have standing rights or admin rights on end user systems," Hills says. Removal of admin rights has the potential to impact end user productivity and foster a bad user experience, he admits: "But with today’s technology and the solutions available, there is no amount of end user productivity that could outweigh the cost of a breach or compromise."

McGuffin says the decline in reported Microsoft vulnerabilities last year could also have to do with other reasons. Some countries have modified their vulnerability disclosure processes so that newly discovered vulnerabilities must be reported to the government first — and only then can be reported to the vendor, he notes. "Those same countries have also restricted citizens' ability to participate in competitions like Pwn2Own, where vulnerabilities would be publicly disclosed after the competition," he notes.

And because researchers sometimes focus on specific areas and technologies, that also can have an impact on the number of vulnerabilities discovered in a particular category, McGuffin says. "As an example, one vulnerability in the \[Windows\] print spooler service prompted several other researchers to dig deeper, and we're up to over a dozen RCE and PrivEsc vulns in the spooler now," he says.

Microsoft Elevation-of-Privilege Vulnerabilities Spiked Again in 2021

Notable new infection chain uses PDF to embed malicious files, load remote exploits, shellcode encryption, and more, new research shows.

When it comes to packaging malware, the file format of choice remains Microsoft Word or Excel, but a recent attack using a PDF file to lure in victims caught the attention of researchers.

The campaign _—_ observed by HP Wolf Security _—_ sent the malicious PDF as an email attachment. Once opened, it used a variety of tactics to evade detection, embed malicious files, load remote exploits, and shellcode encryption, according to the researchers.

"Embedding files, loading remotely hosted exploits, and encrypting shellcode are just three techniques attackers use to run malware under the radar," the HP Wolf team reported on the malicious PDF attack in a recent blog post. "The exploited vulnerability in this campaign (CVE-2017-11882) is over four years old, yet continues being used, suggesting the exploit remains effective for attackers."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Attack Shows Weaponized PDF Files Remain a Threat

Decentralized finance lost $1.8 billion to cyberattacks last year — and 80% of those events were the result of vulnerable code, analysts say.

Decentralized finance (DeFi) platforms — which connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading, and other transactions — promise to replace banks as a secure and convenient way to invest in and spend cryptocurrency. But in addition to attracting hordes of new users with dreams of digital fortune, cybercriminals have discovered them to be an easy target, wiping out wallets to zero balances in a moment, tanking whole markets while profiting, and more, according to a new report.  

Analysts with Bishop Fox found that DeFi platforms lost $1.8 billion to cyberattacks in 2021 alone. With a total of 65 events observed, 90% of the losses came from unsophisticated attacks, according to the report, which points to the lax cybersecurity practices of the sector.  

DeFi averaged five attacks per week last year, with most of the them (51%) coming from the exploitation of "smart contracts" bugs, the analysts found. Smart contracts are essentially records of transactions, stored on the blockchain.  

Other top DeFi attack vectors include cryptowallets, protocol design flaws, and so-called "rug-pull" scams (where investors are lured to a new cryptocurrency project that is then abandoned, leaving targets with a worthless currency). But taken together, 80% of all events were caused by the use (and re-use) of buggy code, according to the report.

"The desire to develop quickly and save time, or perhaps just the lazy disinclination to review or recreate one's own code, too often leads to the use of untested, and therefore ultimately vulnerable, code," the report says. 

And indeed, as users and DeFi platforms themselves try to reinvent banking — and a complex new infrastructure to support it — administrators can't overlook the importance of security basics, Dylan Dubeif, senior security consultant at Bishop Fox tells Dark Reading.   

"No matter how innovative or sophisticated your project is, don't forget about security by ignoring what seems minor or basic," he says. "A trivial vulnerability can end up costing you the most."

**DeFi Smart-Contract Vulns** A prime example is the May 28 BurgerSwap Dex smart-contract-related DeFi breach, which led to a $7.2 million loss. That attack leveraged vulnerabilities that are so well known that their use here seemed confounding, according to the report. These included exploiting a missing x\*y≥k check\*\* and mounting re-entrancy attacks, according to the report. The weaknesses allowed attackers to leverage well-known tactics such as flash-loan abuse and the use of fake tokens.

"We can't emphasize it enough — maintain a recurring audit process and test each piece of code before it goes into production," the report says. "In decentralized finance, even the shortest line of vulnerable code can lead to a total loss of project tokens and the collapse of the project." 

Last August, Cream Finance took a major financial hit at the hands of cybercriminals, losing nearly $29 million before the attack was discovered (418,311,571 in Amp Coin and 1,308.09 in Ethereum cryptocurrency).

The hack was made possible due to a re-entrancy bug in its smart-contracts function, introduced by the $AMP tokens used by the exchange.

“The … breach of the Cream Finance platform was facilitated by the latest in a long chain of smart-contract vulnerabilities introduced by human error (or possibly insider attacks),” Joe Stewart, a researcher with PhishLabs, noted at the time. "It is very easy to shoot yourself in the foot by something as simple as failing to include the correct function modifier in your code — exactly what happened to the author of the Cream Finance smart contract.”

Smart contracts become trickier to code-audit as well after they start interacting with each other, Stewart added.

“The increasing complexity of DeFi contracts that interact with one another (possibly even across different blockchains) make it difficult to predict all possible code paths that could lead to privilege escalation and loss of funds locked in the contract,” Stewart said.

**Front-End DeFi Attacks  
**The code used to create DeFi digital wallets and website interfaces has also proved to be an easy attack vector for scammers. 

In one attack on BadgerDAO last December, analysts said that attackers exploited a CloudFlare vulnerability to get an API key, which then allowed them to tweak the site's source code to divert funds to wallets in their control, the report explains. 

"In late September, users on a Cloudflare community support forum reported that unauthorized users were able to create accounts and were also able to create and view (Global) API keys (which cannot be deleted or deactivated) before email verification was completed," Badger said in a post-mortem statement about the breach. "It was noted that an attacker could then wait for the email to be verified, and for the account creation to be completed, and they would then have API access."  

**Flash-Loan DeFi Attacks  
**As mentioned earlier, another type of DeFi attack involves flash loans. A flash loan is an unsecured loan for buying and then selling a certain cryptocurrency; it can be requested by building a smart contract on the blockchain. Then the contract executes the loan and the trades, all in a flash.

In an attack, cybercriminals can use this function for price manipulation. For instance, last May the DeFi project PancakeBunny fell victim to this after an attacker mined a large amount of $Bunny tokens and then turned around and immediately sold them off. Not only can the cybercriminals make a fortune in this way, they can also tank the value of an entire cryptocurrency market in minutes.  

"Although \[this\] may seem painfully simple in retrospect, it _did_ occur, with not-insignificant consequences," the report says.   

The PancakeBunny DeFi project became prey on May 19. Attackers used a bug in the platform and a flash loan to throw the pool out of balance and miscalculate the exchange in the threat actor's favor. Worse yet, just days later, two forks (i.e., new DeFi communities developed from the same blockchain), MerlinLabs and Autoshark, were targeted using the same code and attack methodology. 

"Even though the teams from both projects were aware of having copied the PancakeBunny code with very few modifications, they nevertheless suffered the same attack five and seven days, respectively, after the initial project," the report says. 

**DeFi Servers  
**Servers storing private keys for cryptowallets are also a prime target for cybercriminals, the researchers warn. In several instances, wallets were swiped with stolen keys, the report says, sometimes with devastating losses; one wallet had a balance of about $60 million, for instance.

"Financial loss could have been avoided by auditing the companies’ underlying servers and adding technical and organizational measures (such as multisignature wallets) with zero-trust and least-privilege principles," the report states.

**Preventing the DeFi Pwn-apalooza  
**With so much cybercrime activity, what should be done? To answer that, the Bishop Fox team offered two important pieces of advice for users trying to navigate this new digital financial frontier. One, don't trust any system to be secure; and two, recognize that investments can evaporate in a second. 

The risk to users varies; in some cases, like the PolyNetwork breach, an attacker stole, then returned, $610 million in cryptocurrency and everyone recouped their losses. In other instances, hacked DeFi platforms weren't so lucky. 

Since there's no standard for responsibility, users should be prepared for the worst. "When we talk about DeFi, we are talking about investing in the fledgling cryptocurrency financial system that has yet to learn from its mistakes," the report states.

The researchers acknowledge that with so many parts of the business, defending DeFi platforms is particularly difficult.

"As the attack surface in DeFi projects is larger than usual," the report says, "teams must ensure that adequate precautions are taken to protect all assets."

DeFi Is Getting Pummeled by Cybercriminals

As states address privacy with ad-hoc laws, corporate compliance teams try to balance yet another set of similar but diverging requirements.

Connecticut became the fifth state to pass a consumer data privacy law with the signing of SB 6, titled "An Act Concerning Personal Data Privacy and Online Monitoring." The law, which goes into effect July 1, 2023, is similar to privacy laws in Virginia, Colorado, and Utah, but it falls short of some of the provisions and protections in California's California Consumer Privacy Act (CCPA) and its update, the California Privacy Rights Act (CPRA).

This latest state law on privacy further intensifies the pressure on corporate compliance departments to attempt to address the increasingly difficult task of meeting the reporting and coverage requirements of various privacy laws, and it puts pressure on the federal government to come up with a national law that clarifies consumer privacy rights, says Lisa Sotto, partner and chair of the privacy and cybersecurity practice at Hunton Andrews Kurth LLP, a Richmond, Va.-based law firm.

"It's completely insane complying with all of these \[privacy\] laws; it's virtually impossible," she says. There is no "highest common denominator" that permits organizations to comply with a given set of privacy regulations to ensure compliance with all of them. 

"It's a mess," Sotto says.

While all of the privacy laws have a lot in common, no two are identical. When you layer additional laws — such as those directed at privacy related to minors, healthcare, financial services, and other areas — on top of the five statewide laws, the matrix of compliance requirements becomes unwieldy.

**Ever-Growing Thicket of Privacy Laws**

Currently there is no national privacy law in the United States, but there is a patchwork of laws at the national and state levels that address varying areas of privacy. Among the federal laws are the Gramm-Leach-Bliley Act (GLBA), the Privacy Act of 1974, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH).

There are also industry rules, such as the Payment Card Industry Data Security Standard (PCI DSS), that dictate how companies should handle consumer privacy. Sometimes laws and industry rules are in direct conflict, such as when a data breach needs to be reported and to whom, forcing companies to choose which regulations to follow.

Add to those state and local laws, such as the New York State Personal Privacy Protection Law, as well as international laws, such as the European Union's General Data Protection Regulation (GDPR) — which holds individuals across the globe liable for mishandling the personally identifiable information (PII) of EU citizens — and compliance becomes unmanageable.

One huge challenge companies face when trying to manage compliance is determining exactly what the laws require and how they define privacy, which is open to interpretation. Forrester analyst Stephanie Liu says the Colorado law, for example, does not permit the sale of personal information for "valuable consideration." It explicitly does not say selling only for cash but rather anything of value.

However, Liu says, she has "talked to a couple of data brokers who said that they do not sell data. If a data broker is making that argument, then you've got a loophole there."

Comparing the Utah, Colorado, Virginia, and Connecticut laws, the "definition of sale" is where they tend to differ, Liu says. "It's a huge headache," she adds.

**Exactly the Same, Only Different**

While the Connecticut law specifically talks about guarding consumers' privacy rights from those who sell products directly to the state's citizens, not all privacy rights are covered by the law. Insurance, for example, is a huge part of the state's economy, but insurance companies are not covered by this new law. Instead, says Sotto, those companies are covered by the federal GLBA regulations.

Boards of directors have a fiduciary duty of oversight when it comes to cyber, she says, and that is forcing them to take a much closer look at privacy as well. Boards are taking a much more personal interest in privacy and compliance, especially now that recent laws can hold board members personally liable if a company is breached or if PII is stolen and made public.

Protecting personal privacy could have an impact on cyber insurance rates as well. Ransomware attacks that steal PII and threaten to make it public are very common today, and cyber insurance policies often include coverage for paying those ransom demands.

For cyber insurance carriers, notes Forrester senior analyst Jess Burn, that means very high legal costs are included under the premiums. Companies that are breached "need to work with their outside counsel on data breach notifications for every single affected state," Burns says. "In addition, if it's a B2C company, \[you have\] consumer notifications, credit monitoring, and all of those different fees that come along with it. Oh, and then the fines are going to come in as well."

Not every privacy issue is addressed in privacy legislation, and not all non-PII is addressed directly in state privacy laws. Data that might contain personal data about investors, for example, is often addressed under other legislation that is not privacy-specific. The Fair Credit Reporting Act, for example, covers some consumer privacy issues that overlap the state privacy laws, as do HIPAA and other healthcare legislation, but these do not necessarily contradict other laws.

"Connecticut exempts employee data from its law entirely," Burn says. "That's another area where it's interesting to see \[that\] sort of the uncertainty, if we're being honest about how states are approaching it."

New Connecticut Privacy Law Makes Path to Compliance More Complex

Company to debut its AD capabilities at the 2022 RSA Conference.

HERZLIYA, Israel, May 24, 2022 /PRNewswire/ -- XM Cyber, the multi-award-winning attack path management company, announced today a new security capability for Microsoft's Active Directory (AD). XM Cyber is the first in the industry to link the use of AD into the entire attack path, bringing multiple attack techniques together and offering a complete and accurate view of an organization's cybersecurity risk, across on-prem and cloud environments. With this new capability, enterprises gain end-to-end attack path visualization for easy understanding and prioritized remediation of all weaknesses before an attack can take place.

A chain of attack vectors (vulnerabilities, misconfigurations, user privileges, human errors, etc.) that enables lateral movement through an organization's network is called an attack path. Once an attacker is inside the network, they can move laterally, escalating their privileges and targeting systems to gain access to sensitive data and business-critical resources, and even gain access to the cloud environment by moving from a compromised enterprise AD user to the associated Azure AD user.

AD is widely used by enterprises around the world (including approximately 90% of Global Fortune 1000 companies) to connect and manage endpoints inside corporate networks. This makes it an attractive target for hackers seeking to obtain domain admin-level access. An attacker that has compromised an AD user can elevate privileges, conceal malicious activity in the network, execute malicious code, and gain access to the cloud environment to compromise assets. The XM Cyber Research team recently reported that 73% of the top attack techniques used to compromise critical assets in 2021 involved mismanaged or stolen credentials; and according to EMA research, at least 50% of organizational attacks are due to AD compromise.

"It is critical to make concentrated efforts to comprehensively secure and monitor AD, proactively look for threats and misconfigurations, and remediate to prevent dangerous actions from taking place," according to Gartner®. \[1\]

The XM Cyber Attack Path Management platform demonstrates how AD abuse comes into play across the entire attack path, bringing together multiple attack techniques to pinpoint the riskiest credentials and permissions across users, endpoints and services managed in AD. This enables organizations to direct resources to remediate the most impactful risks first using step-by-step guidance. The platform's comprehensive security posture analysis surfaces AD weaknesses in real time, correlating the likelihood of attacks that can compromise critical assets.

"Existing solutions provide security teams with limited visibility into which users can expose critical assets," said Boaz Gorodissky, CTO, XM Cyber. "Our unique ability to chain together AD attack techniques gives organizations the edge against attackers, enabling them to reduce their risk before the attack ever happens. We are committed to providing proactive security so CISOs can focus on maximizing resources to protect their most business-critical applications and data."

XM Cyber will debut its AD capabilities at the 2022 RSA Conference, taking place June 6-9 in San Francisco. Interested parties can book a personal demo here or visit us at booth #4328 at the Moscone North Expo. Learn more about XM Cyber Active Directory security here.

\[1\] Gartner, "Emerging Technologies and Trends Impact Radar: Security", Ruggero Contu, Mark Driver, et al, 12 October 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

**About XM Cyber  
**XM Cyber is a leading hybrid cloud security company that is changing the way innovative organizations approach cyber risk. Its attack path management platform continuously uncovers hidden attack paths to businesses' critical assets across cloud and on-prem environments, enabling security teams to cut them off at key junctures and eradicate risk with a fraction of the effort. Many of the world's largest, most complex organizations choose XM Cyber to help eradicate risk. Founded by top executives from the Israeli cyber intelligence community, XM Cyber has offices in North America, Europe, and Israel.

XM Cyber Adds New Security Capability for Microsoft Active Directory

New analysis reveals basic regulatory password requirements fall far short of providing protection from compromise.

A new look at a database of more than 800 million known-breached passwords reveals that 83% of them met basic security standards set by five different standards agencies. 

Minimum password lengths prescribed by NIST, HITRUST for HIPPS, PCI, ICO for GDPR, and Cyber Essentials for NCSC ranged from seven to 10 and included requirements for password complexity, special characters, and numbers — but none were enough to keep compliant passwords off the breached list, according to a new report from Specops Software. 

"What this data really tells us is that there is a very good reason why some regulatory recommendations now include a compromised password check," said Darren James, product specialist at Specops Software, in a statement about the new password policy research. "Complexity and other rules might help but the most compliant password in the world doesn’t do anything to protect your network if it's on a hacker's compromised password list."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Strong Password Policy Isn't Enough, Study Shows

New features include context-aware, zero-trust data protection on local peripherals and devices.

SANTA CLARA, Calif. – May 24, 2022 – Netskope, the leader in Security Service Edge (SSE) and zero trust, today announced a key expansion of data protection capabilities to endpoint devices and private apps. The introduction of a patented endpoint data loss prevention (DLP) solution will enable Netskope Intelligent SSE customers to protect data everywhere it moves across the hybrid enterprise.

Zero trust principles are critical to SSE, which describes the security stack needed to enable a modern Secure Access Service Edge (SASE) architecture. Data protection is of utmost importance throughout a SASE architecture—specifically, the need for security to move with data wherever it is accessed, and apply zero trust to determine the right level of access. Additionally, legacy and endpoint DLP offerings have failed enterprises by being siloed, complicated, and intrusive, hindering user productivity.

Netskope has been consistently recognized by top industry analysts for its advanced data protection capabilities. With today’s continued expansion of the Netskope Intelligent SSE platform, Netskope customers will be able to protect data across SaaS, IaaS, private applications, web, e-mail, and endpoint devices from a single converged data protection solution, leveraging machine learning, user and entity behavior analytics (UEBA), and insider threat mitigation capabilities to improve security efficacy, efficiency, and agility.

  
Notable features of Endpoint DLP include:

· Context-aware, zero trust data protection on local peripherals and devices, such as USB drives and printers

· Unified data classification, policy enforcement, and incident management for DLP across SaaS, IaaS, private apps, web, e-mail, and endpoint devices

· A patented lightweight endpoint agent with cloud-based inspection and contextual data protection policies that enhance the user experience

· Machine learning and Advanced Analytics to help simplify data classification and policy definition, lowering operational overhead

· UEBA, which makes it possible to identify and stop complex data loss scenarios such as insider risk, where users are unintentionally or even maliciously abusing their access to data

“No SASE or zero trust journey will be successful without data protection capabilities that can address all critical use cases in a way that is easy to deploy and doesn’t slow down users,” said John Martin, Chief Product Officer, Netskope. “The introduction of Endpoint DLP extends Netskope’s award-winning data protection capabilities that much further, to critical use cases with endpoint devices. While some competitors may offer unified policy and management or provide data protection for certain vectors, Netskope is the only vendor that can provide truly converged data protection across the full IT environment. We are very excited to deliver Endpoint DLP to customers as another Netskope game-changer.”

“With Netskope’s new eDLP, we can now offer single-pass data protection —across all vectors, from the cloud to the endpoint —with unified policies, within a single management console,” said Mick Coady, Global Vice President CyberSecurity Solutions, World Wide Technology. “As a Platinum Partner in Netskope’s Evolve partner program, we’re seeing the huge growth opportunity that Netskope’s Intelligent SSE approach represents. This new addition will accelerate that growth.”

A work-from-anywhere, or “hybrid,” environment makes it increasingly difficult to maintain security models based on implicit trust in any entity that wants to connect. Zero trust principles enable organizations to govern access to data based on behavior by users, devices, networks, and applications— increasing confidence in policy enforcement everywhere. By evaluating several contextual elements—user identity, device identity and security posture, time of day, geolocation, business role, sensitivity level of the data, and more—the resource itself can determine an appropriate level of confidence, or trust, only for that specific interaction and only for that specific resource. Using Netskope Intelligent SSE with zero trust principles applied throughout the environment, businesses become more agile, reduce risk, and streamline solution deployment and maintenance.

"DLP has been extremely complicated and cumbersome, and that's before you factor in cloud, web, email, private apps, and endpoints,” said Frank Dickson, IDC Group Vice President, Security & Trust. “Netskope looks to address complexity with integration, providing a unified cloud delivered solution. Compared to old school network and endpoint-based DLP solutions, having DLP in this integrated solution makes it dramatically easier to protect data wherever it may be and in a manner that is frictionless for end users. It is a win-win.”

Visit Netskope and take a demo of Intelligent SSE at Booth #S449 at RSA Conference, June 6-9, 2022, in San Francisco. For more on today’s announcement, read the Netskope blog.

**About Netskope**  
Netskope, a global cybersecurity leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. The Netskope Intelligent Security Service Edge (SSE) platform is fast, easy to use, and secures people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

Netskope Expands Data Protection Capabilities to Endpoint Devices and Private Apps

New funding led by global cyber investor Paladin Capital Group, alongside existing investors Columbia Capital and Skylab Capital.

**ALEXANDRIA, Va., May 24, 2022**\--(BUSINESS WIRE)--Nisos, The Managed Intelligence CompanyTM, today announced $15 million in Series B funding led by global cyber investor Paladin Capital Group alongside existing investors Columbia Capital and Skylab Capital. The new funding will be leveraged to accelerate company growth with investments in the company’s Managed Intelligence services, the Nisos Intelligence PlatformTM, and additional staff to meet client’s increasing intelligence needs.

"Nisos provides a level of intelligence that is timely, relevant, and actionable. Their monitoring, analysis, and investigation services have been a critical component of our diligence process, enabling us to quickly quantify risk and accelerate acquisitions," said Jason Button, Lead for Security, Integration, and Mergers, Cisco Systems, Inc.

To date, the company has secured over $33 million in funding and experienced tremendous momentum, with a 140 percent increase in Q1 bookings year-over-year. In the last year, the company expanded internationally with the opening of its first European office, increased its headcount by 60 percent, and issued prominent, high visibility research that reveals cybersecurity issues and disinformation campaigns throughout the globe.

"While threat intelligence holds the promise of making protection efforts more precise, in many cases it does the exact opposite, overwhelming teams with terabytes of unorganized information. Managed Intelligence is addressing these shortcomings and empowering security teams with the right information at the right time so that they can effectively combat today's sophisticated adversaries," said Christopher Steed, Chief Investment Officer and Managing Director at Paladin Capital Group. "In this emerging space, Nisos is pioneering an innovative new approach with its unique ability to connect cyber and physical risk for more effective threat intelligence, enabling the company to triple its valuation in two years while also positioning itself for continued rapid growth."

As part of the company’s client enablement strategy, the new funding will be used to expedite product management and development, drive market awareness and elevate customer services and success. This includes plans to refine the Nisos Intelligence Platform to improve analyst and client experiences and build a foundation for additional growth ahead.

"Over the last year, Nisos has grown tremendously as we’ve expanded our platform and continued to add talented experts to address the needs of our growing client base, positioning us at the forefront of the Managed Intelligence market," said David Etue, CEO at Nisos. "This funding helps us expand our offerings and the company to meet accelerating demand from clients who increasingly understand the value of intelligence, and discover that the more they learn, the more resources and expertise they require."

**About Nisos**

Nisos is The Managed Intelligence CompanyTM. Our services enable security, intelligence, and trust & safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyberattacks, disinformation and abuse of digital platforms. For more information visit: www.nisos.com

**About Paladin Capital Group**

Paladin Capital Group was founded in 2001 and has offices in Washington DC, New York, London, Luxembourg, and Silicon Valley. As a multi-stage investor, Paladin Capital Group’s core strength is identifying and supporting innovative companies that develop promising, early-stage technologies to address the critical cyber and advanced technological needs of both commercial and government customers.

Combining proven investment experience with deep expertise in global security, cyber technology, and cutting-edge research, Paladin has invested in more than 60 companies and has been a trusted partner to investors, entrepreneurs, and governments for over two decades. Follow the firm on Twitter @Paladincap and visit www.paladincapgroup.com.

Nisos Announces $15 Million in Series B Funding Round

Million-dollar crypto heists are becoming more common as the currency starts to go mainstream; prevention and enforcement haven't kept pace.

The attack against the Ronin Network in March was quickly speculated to be one of the largest cryptocurrency hacks of all time. Approximately $540 million was stolen from the cryptocurrency and NFT games company in a combination of USDC and Etherium, with $400 million of the stolen funds owned by customers playing the game Axie Infinity.

This attack was the latest in a string of thefts perpetrated against crypto and should be a jolt to both the digital asset and cybersecurity communities to bring the security of cryptocurrencies into line.

**A History of Heists  
**The current vogue of large-scale crypto heists goes as far back as the 2014 Mt. Gox hack (another cryptocurrency exchange built around a game, Magic: The Gathering), which went into bankruptcy after losing $460 million of assets.

However, the trend has been gathering pace. In the months leading up to the Ronin Network attack, cybercriminals stole nearly $200 million worth of cryptocurrency from the crypto trading platform BitMart, attacked 400 Crypto.com users, and orchestrated NFT-related scams, to name but a few incidents.

There is often an uncomfortable tendency to see these attacks as something that takes place in isolation in a remote part of the Internet when they actually have a huge impact on thousands of people. Axie Infinity, for example, has millions of players around the world, and in the wake of the Ronin Network attack, regular users reported losing tens of thousands of dollars. In some cases, this was their livelihood, with many players in the Philippines playing to win digital assets as a full-time job.

**Crypto Goes Mainstream  
**This demonstrates how digital assets have become more deeply ingrained into our society since the Mt. Gox hack. Cryptocurrency is now used by a far broader cross-section of the population (13% of Americans traded crypto in 2020), major companies now accept it as payment (such as Tesla), and nations have integrated cryptocurrencies into their economies.

El Salvador famously became the first country to adopt Bitcoin as an official currency in 2021, but many countries are now looking to join the party. The UK, for example, recently announced its intention to become a "global hub" for the crypto industry, proposing new regulations for stablecoins and even an NFT backed by the Royal Mint. President Biden’s Executive Order on Digital Assets, released in March, also acknowledged the growing role of cryptocurrencies in the US economy.

**The Knock-on Effects of a Hack  
**As digital assets become deeply ingrained into our lives, the attacks against them have wider societal impacts. For example, crypto is the currency of choice for cybercriminal activity and the Dark Web, including ransomware attackers, malware operators, scammers, human traffickers, dark-net market operators, and terrorist groups.

Their vulnerability and the ease in which they can be laundered therefore contributes to the coffers of cybercriminals. An analysis of wallets controlled by cybercriminals suggested that at least $8.6 billion of cryptocurrency was laundered in 2021. There is also evidence of stolen cryptocurrencies funding hostile nation-states, with North Korean groups reported to have stolen $400 million of cryptocurrency last year, potentially to offset financial sanctions.

This criminal activity also creates a burden on law enforcement around the world. In 2021, the Department of Justice launched the National Cryptocurrency Enforcement Team (NCET), focusing specifically on crime involving digital assets. In one single seizure this year, the task force obtained 94,000 Bitcoin ($3.6 billion), demonstrating the scale of the illegal market it is trying to tackle.

**Security and Regulation  
**First, crypto companies need to improve their cybersecurity — fast. The Ronin Network admitted that it took six days to notice that a hacker had exploited a security flaw and stolen $540 million worth of cryptocurrency. This level of security is unacceptable. If these organizations are asking users to trust them with assets, they must provide the security to protect them. If they don’t invest in security, the attacks will continue and users will very quickly lose confidence in these platforms.

Second, the increasing severity of these attacks supports the argument that crypto companies require greater regulation. Regulated financial institutions cannot afford to get away with the loss of millions in assets. Of course, attacks do happen, but regulations hold the security of regulated institutions to a sufficient standard that losses are mitigated. When these standards are not met, there are consequences put in place by the regulators.

We have to eliminate the perception that crypto hacks are inconsequential, only affecting those at the margins of society. They are not: Thousands of people are affected directly, with ever more joining the cryptocurrency world every day. Moreover, with cryptocurrencies funding the criminal community, these hacks will increasingly impact everyone whether you directly engage with digital assets or not.

Crypto Hacks Aren’t a Niche Concern; They Impact Wider Society

An analysis from Google TAG shows that Android zero-day exploits were packaged and sold for state-backed surveillance.

At least eight governments around the world have purchased a package of Android zero-day exploits from a company called Cytrox and are using them to install spyware on targets' mobile phones. The development highlights the sophistication of off-the-shelf surveillance offerings, according to a recent report. 

Google's Threat Analysis Group (TAG) said that by taking advantage of the time difference that keep some systems from being updated for hours after patches were released, the Cytrox exploits allowed governments to target Android users with malware to record audio, add CA certificates, and hide apps, Google's TAG said.

The report explained that the governments of Armenia, Côte d’Ivoire, Egypt, Greece, Indonesia, Madagascar, Serbia, and Spain are confirmed to have used the Cytrox exploits in at least three state-backed campaigns, adding there are likely others. 

"Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," the TAG report said, adding that the group is currently tracking more than 30 additional surveillance vendors with the capability of selling tools to state-backed actors. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading