Gartner's security service edge fundamentally changes how companies should be delivering data protection in a cloud and mobile first world.

Do you live life on the edge? If you're a rock climber, skydiver, or striving to be a TikTok dance influencer, the answer might be yes. Putting yourself out there requires risk but can be rewarding. Why? When you are able to confidently look risk in the eye and say "I win," that dopamine hit makes you feel invincible! So, do you feel the same way about your data protection? Letting your data protection live on the edge might sound risky, but in reality it's a step in the right direction, and it dramatically transforms how you think and deliver data security.

Before we get too far into it, let's actually explore what the "edge" means. If you're familiar with Gartner's latest collection of letter-soup offerings for the security industry, you probably know where this is going. Secure access service edge (SASE) and its better half, security service edge (SSE), are frameworks that define how organizations should think about cloud security platforms. In short, organizations are being encouraged to double down on SSE, which unifies all security services into a zero-trust cloud platform. SSE follows the user over any connection, drives down risk with always-on protection, and ditches the cost and complexity of point products like SWG, DLP, VPN, CASB, firewalls, and sandboxes. It's the next big thing, but how does this change data protection?

Let's start with the traditional view of data protection, which has been driven by DLP and CASB vendors over the last several years. The discussion focuses on how users interact with data, how the data is handled (sometimes dangerously), and how the internal threat to your data should be controlled. It's the standard data-protection pitch you've probably heard multiple times. Well, here are the real questions: What about the _external_ threat? Which has the most potential to damage your organization: internal or external threats? I often talk to customers that know they are losing data due to accidental user error but have come to accept it as background noise. Those same customers, when a data breach happens, spring into action with the force of a thousand caffeinated SOC employees. See my point? Now, please don't get me wrong — the internal threat shouldn't be neglected, but it's clear that the best strategy should masterfully combine both external and internal data threat protection. This is why SSE is such a powerful concept — if delivered correctly.

Since SSE focuses on incorporating data protection into a larger zero-trust, cyber-threat story, we should understand what that means. Like any great architecture, it starts with a strong foundation. In the case of SSE, that foundation without a doubt is inline proxy inspection, which enables SSL inspection. Want to keep data from leaking to the Internet? Want full visibility to find and classify sensitive data? Want to stop data exfiltration during a breach? They all require full, scalable SSL inspection. Inline inspection sets up everything else, which is why it's so important to get that part right. But there's a big caveat here — your inline security cloud needs to prove that it can deliver when the going gets tough. If it can't perform or scale, everyone across the organization will immediately know there's a problem.

After that, stopping external and internal threats with SSE becomes easy. First, start with SWG to block risky destinations and content. This prevents external threats like phishing and ransomware from targeting your users and data. Add to that a helping of sandbox and AI/ML to quickly stop zero-days and advanced threats. Now, move to DLP, which is the core building block of great data protection. Define this to find and control your sensitive content and then send it hunting across your data in motion and at rest in your clouds (with CASB). Since you're already inline, and everything is unified, you only have one policy, which reduces complexity and alert noise. You get full control over user and cloud app activity, and can ensure data isn't accidentally or maliciously lost. Once you've tackled the basics, you can move on to other aspects of data protection, like browser isolation for BYOD or UEBA to quickly zero in on suspicious activity. Best of all, services can be easily added as you grow.

Hopefully, you're beginning to see that the right SSE platform can drastically change how you deliver data protection. It applies a more holistic approach to securing data, and equally focuses on external and internal threats, while drastically reducing cost, complexity, and overall risk. So as you look to evolve your data protection strategy, remember to live life on the edge! And maybe keep those TikTok videos to yourself.

**About the Author**

    

Steve Grossenbacher is Director of Product Marketing at Zscaler, where he currently focuses on data protection. Prior to Zscaler, Steve held marketing, competitive, sales engineering and support positions at McAfee and Xerox Engineering Systems. With more than 20 years of experience in the network and security industry, he has helped companies navigate the ever-changing world of IT and currently helps organizations securely transform their networks to a cloud-first architecture

Is Your Data Security Living on the Edge?

A sprawling, multiyear operation nabs a suspected SilverTerrier BEC group ringleader, exposing a massive attack infrastructure and sapping the group of a bit of its strength.

Business email compromise (BEC) attacks have caused billions of dollars in losses to businesses globally in recent years — but now international law-enforcement has notched up another victory in the battle against them.

Interpol on Wednesday announced that "Operation Delilah" has resulted in Nigerian police arresting the suspected head of SilverTerrier, aka TMT, which is a massive BEC operation that has been active since at least 2015, impacting thousands of businesses and individuals across four continents. The 37-year-old Nigerian man, who the Interpol did not name, was apprehended at the Murtala Muhammed International Airport in Lagos as he attempted to re-enter the country after fleeing ahead of the police in 2021.

The arrest marks the culmination of a year-long investigative effort that was led by the Interpol's Africa desk and involved law-enforcement agencies from multiple countries. Three security vendors — Palo Alto Networks, Group-IB, and Trend Micro — also supported the effort by providing information on the BEC effort and its operators to the investigating entities. And Interpol also flagged CyberTOOLBELT as providing "ad hoc support" to the investigative effort.

**Notching Up Arrests**

The latest arrest brings to 15 the total number of individuals who have been arrested in recent years for their alleged involvement in BEC scams out of Nigeria — a hotbed of activity for this type of threat for years. In January, Nigeria's police, acting on information from Interpol, arrested 11 individuals for allegedly defrauding or attempting to defraud some 50,000 organizations worldwide via BEC scams. Six of the individuals were identified as belonging to SilverTerrier. At the time of the January arrests, law enforcement authorities recovered one laptop that contained a staggering 800,000 usernames and passwords that appeared to belong to victim organizations.

    

The suspect. Source: Group-IB

That 10-day operation was code-named "Falcon II"; it was preceded by another in November 2020 dubbed "Falcon I," when three alleged SilverTerrier members were arrested for their involvement in BEC scams that compromised 500,000 organizations worldwide.

Pete Renals, principal researcher for Unit 42 at Palo Alto Networks, says researchers from the company have been tracking the Nigerian individual who was arrested recently since at least 2017. He notes that while this person is suspected to be a ringleader, it's hard to say what exactly the individual's role was within SilverTerrier because of the sheer number of people who are part of the group and the amorphous nature of their malicious activities. 

"It is difficult to draw boundaries around subgroups or affix certain roles to actors, as these groups are often time-bound, fluid in organization, and the individual role of a specific actor usually evolves over time," Renals says.

**A Massive Operation**

That said, Unit 42's research shows that the arrested individual likely owned the infrastructure that served as the command- and-control (C2) for malware such as ISRStealer, a keystroke logging tool; Pony, a password stealer; and the LokiBot information stealer, Renals notes. 

The security vendor says it also identified more than 240 domains that the threat actor had registered under various aliases. Fifty of those domains were used as C2 infrastructure for malware the threat actors used in their BEC campaigns. 

Significantly, the arrested individual provided a street address that belonged to a major US financial institution in NY when registering the domains, Palo Alto Networks said. The same individual also shared social-media connections with at least three of the BEC operators who were previously arrested as part of Operation Falcon II.

The string of arrests since late 2020 has highlighted the growing ability of international law enforcement authorities, cybersecurity vendors, and other stakeholders to work together in tracking down major BEC operators. Even so, BEC remains a major cyberscourge to organizations worldwide. 

According to statistics maintained by the FBI, BEC attacks caused a staggering $43 billion in actual and attempted losses worldwide between June 2016 and last December. In that time frame, there were some 241,200 BEC incidents involving victims in all 50 US states and 177 countries. Approximately 116,400 individuals and organizations in the US reported being targeted by a BEC scam during that period, causing over $14.7 billion in losses.

Renals says the sheer scope of BEC activity has made it challenging to stop. "The BEC threat landscape is extremely active and constantly evolving," he says. "As a threat type, it has grown over the years to become the most prevalent and costly form of malicious cyber activity targeting our organizations."

While Nigeria has been the center of BEC activity in recent years, there have been similar scams originating from other countries as well, he says. "We also see BEC schemes originate from Malaysia and India, and we see facilitation of BEC schemes in most developed nations to include money mules laundering the money from the attacks," Renals says.

Interpol's Massive 'Operation Delilah' Nabs BEC Bigwig

Open source software community initiative utilizes blockchain technology.

**Sunnyvale & San Diego, Calif., May 25, 2022** — (swampUP 2022) – JFrog Ltd. (“JFrog”) (NASDAQ: FROG), the Liquid Software company and creators of the JFrog DevOps Platform, today introduced Project Pyrsia, an open-source software community initiative that utilizes blockchain technology to secure software packages (A.K.A Binaries) from vulnerabilities and malicious code. Available for sign-ups immediately, Project Pyrsia is an open-source-based, decentralized, secure build network and software package repository aimed at helping developers establish chain of provenance for their software components, creating greater confidence and trust.

“Open-source is everywhere, and while it has always been seen as a seed for innovation and modernization, the recent rise of software supply chain attacks has made every organization vulnerable,” said Shlomi Ben Haim, Co-Founder and CEO, JFrog. “Led by developers and for developers, JFrog is proud to work with the community on developing Project Pyrsia so everyone can continue to embrace open source with confidence, while protecting the software supply chain.”

Open-source software is a critical element of nearly every technology we use today – from our operating systems and browsers to the applications and services on which we depend to run our lives. Yet there’s no question the volume, sophistication and severity of software supply chain attacks has increased in the last year. In recent months the JFrog Security Research team tracked over 20 different open-source software supply chain attacks – two of which were zero-day threats. While open-source components are designed to make development more efficient, not knowing where your software comes from makes it hard-to-spot risks–seeding doubt and uncertainty about its safety.

Thus, JFrog and other open-source technology leaders, including Docker, DeployHub, Futureway, and Oracle – worked together to establish the Project Pyrsia network for validating the source and security of open-source software packages. With Pyrsia, developers can confidently use open-source software knowing their components have not been compromised, without needing to build, maintain, or operate complex processes for securely managing dependencies.

“At JFrog we believe open-source security will only be successful if we provide the community with the same tools and services that are available to enterprises,” said Stephen Chin, VP of Developer Relations, JFrog. “The combination of an open-source, customizable architecture, and a robust, active community makes Pyrsia the most transparent and trustworthy way to obtain secure software packages. We’re grateful for the help of our industry partners and the community for joining us in securing open source so it can remain a true fountain of innovation.”

Pyrsia aims to seamlessly integrate with the package management systems developers are already using today, so they can certify their software components without foregoing compatibility, security, or efficiency. Utilizing standards like Sigstore’s Cosign and Notary V2 allows developers to quickly access their containers leveraging the Pyrsia network. Using digital signatures, developers receive an immutable chain of evidence for their code, providing peace of mind from knowing the exact source of their packages.

To help guide developers on the process of using Pyrsia for validating software components, a select few entities will build and publish images that will be available for everyone’s use -otherwise known as ‘bootstrapping’ the project. Organizations interested in supporting Pyrsia can volunteer their resources to help establish the project’s first distributed network. From there, Project Pyrsia’s decentralized framework will help provide:

· An independent, secure build network for open-source software

· Trustworthiness of software packages

· Completeness of known open-source software dependencies

For more information on Project Pyrsia or to sign-up to be a contributor visit https://pyrsia.io/. You can also learn more about the project in this blog or chat directly with JFrog Community leaders and Project Pyrsia experts during swampUP 2022 taking place in San Diego, May 25 – 26. For more information and to register visit https://swampup.jfrog.com/.

**Supporting Quotes from Industry Partners**

_“The DeployHub team’s focus is firmly rooted in securing the supply chain, and there is no better place to start than fully auditing the build and package step. To that end, Pyrsia is the first open-source project to introduce improvements in this area via a ‘consensus build network.’ Disruption in this area is long overdue. DeployHub is proud to be part of this innovative team.” – Steve Taylor, CTO DeployHub, Inc._

_“At Docker we feel this is an exciting time for the community to work together on innovation around the supply chain and its core, critical components for build and packaging. We are excited to join and work together with the community on Project Pyrsia. There is a huge opportunity to build new kinds of infrastructure over the core container primitives that will foster innovation and better developer experiences.” – Justin Cormack, CTO, Docker_

_“Open-source project Pyrsia is developing a third-party attested, decentralized, distributed software package network that delivers secure, transparency and integrity for the open-source software package supply chain. Futurewei is committed to collaborating with open-source communities to accelerate the innovations for digital transformation via open-source, open standard, and open ecosystems. As open-source software becomes more pervasive, securing the open-source software supply chain becomes a critical issue. We are thrilled to be a founding member of Project Pyrsia and delighted to have the opportunity to collaborate with other members to accelerate Pyrsia for a secure and trusted open-source software supply chain ecosystem – bringing value to the open-source community.”– David Lai, Director, Cloud Infrastructure and Platform Architecture Open-Source Ecosystem Partnerships, Futurewei Technologies, Inc._

JFrog Launches Project Pyrsia to Help Prevent Software Supply Chain Attacks

Experience Centre features emerging Mastercard products and solutions for securing digital payments on a global scale, including those developed locally in Vancouver.

**MAY 25, 2022**

  
Today, Mastercard unveiled the "Experience Centre” at its _Global Intelligence and Cyber Centre of Excellence_ (“Centre of Excellence”) in Vancouver, BC, where local, national and international tech communities are invited to collaborate on cyber security innovation. The Experience Centre also features emerging Mastercard products and solutions that are already securing digital payments on a global scale, including those developed locally in Vancouver.

“Rapid advancements in digital technology have changed the way we shop, pay, work and interact, but with increased convenience comes increased risk,” said Sasha Krstic, President of Mastercard Canada. “Building on the world-class innovations developed at our Centre of Excellence in Vancouver, this new Experience Centre offers a venue for much-needed industry collaboration to anticipate and neutralize ever-expanding cyber threats to our global digital economy.”

Announced in 2020, Mastercard’s _Global Intelligence and Cyber Centre of Excellence_ is leading innovation in cyber and intelligence (C&I), artificial intelligence (AI) and the Internet of Things (IoT). Research from the Centre is already enhancing Mastercard solutions, combining the Centre’s biometric security algorithms with existing cyber capabilities is creating new approaches to enhance online security. In just two-and-a-half years, the Centre of Excellence is making quick progress against its long-term goals, such as:

*   **filing more than 30 local patents** that will secure cyberspace by building confidence in our connected devices, reducing the presence of malicious bots, bad human actors, and establishing a seamless experience for online interactions; and
*   **creating and maintaining more than 230 quality tech jobs to date,** ranging from software engineers to data scientists to product and program managers, with many more roles to fill.

“We are achieving this unprecedented level of cyber security innovation by attracting top talent from across Canada and the world to work smarter, better and faster in a creative, inclusive environment embedded in Vancouver’s vibrant tech community,” said Sasha Krstic. “Mastercard’s Centre of Excellence is not only making digital payments safer for consumers and businesses everywhere, it’s helping cement Canada’s role as a global powerhouse in cyber security innovation.”

  
Investing in Canadian Innovation

Mastercard has significantly expanded its technology footprint in Canada over the past five years. In 2020, Mastercard announced **a $510 million CAD investment** **to establish the _Global Intelligence and Cyber Centre of Excellence_ in partnership with the Government of Canada** to achieve their shared vision of building a better, more secure digital economy for everyone by leveraging Canadian innovation. This builds on the acquisitions of Vancouver-based NuData Security and Toronto-based Ethoca.

As part of its ongoing commitment to strengthening Canadian innovation, **Mastercard has proudly invested more than $6.3 million in strategic partnerships and knowledge-sharing** across Canada’s entire tech ecosystem through the _Global Intelligence and Cyber Centre of Excellence_ to-date. These investments are designed to:

*   scale C&I research and development (R&D) and bring Canadian innovations to market faster, making the global digital economy more secure;
*   nurture next-gen Canadian talent and expand STEAM opportunities for underrepresented groups, as true cyber security demands that diverse talent drive inclusive innovation; and
*   provide small businesses and entrepreneurs with the same cyber security tools and protection as larger enterprises so Canada’s economy can continue to thrive.

  
Strategic partnerships and community investments announced by Mastercard include:

*   **Digital Main Street:** creating engagement tools that help Canadian “mom and pop” businesses become more cyber aware, as well as 10 post-graduate internship spaces at the Mastercard _Global Intelligence and Cyber Centre of Excellence_ over five years;
*   **Canadian Federation of Independent Business (CFIB):** creating gamified, mobile-first cyber training for small- and medium-sized businesses;
*   **Pow Wow Pitch:** sponsoring a new tech stream in the Indigenous Entrepreneurship Program;
*   **Mitacs:** creating 50 internships at Mastercard’s _Global Intelligence and Cyber Centre of Excellence_ for graduate students across Canada over five years;
*   **University of New Brunswick:** funding the Mastercard Research Chair in IoT and a new Cyber Security Research Lab;
*   **Rogers Cybersecure Catalyst:** accelerating cyber security training and young leader development at Toronto Metropolitan University;
*   **Science World:** developing STEAM training for girls in grades 2 to 9 through the “Tech-Up” program; and
*   **Girls4Tech:** expanding cyber programming for Canadian girls.

  
“Vancouver and Canada more broadly are brimming with talent and expertise in a range of STEM fields, including cyber and intelligence,” said Mansur Mirani, VP of the Mastercard Global Intelligence and Cyber Centre of Excellence in Vancouver. “Investments across our tech ecosystems, especially in diverse communities, unlocks additional potential in our knowledge economy that will keep Canada on the forefront of global cyber security innovation for generations to come.”

Mastercard Launches Cybersecurity “Experience Centre”

Company will detail enhancements to Vulnerability Management, Detection and Response solution next month.

FOSTER CITY, Calif., May 25, 2022 /PRNewswire/ -- Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, today announced it is holding the Qualys Security Conference (QSC) San Francisco in tandem with RSAC on June 7-8.

At the event, Qualys will unveil significant updates to the company's Vulnerability Management, Detection and Response (VMDR) solution. The new enhancements redefine how enterprises manage cybersecurity risk with an unprecedented capability to prioritize and remediate at scale.

Through keynotes, live demonstrations, customer presentations, training sessions and networking, the Qualys customer community will dive into the profound impact of the digital journey and converse on best practices and case studies on risk management and security automation.

The week will feature talks from Qualys experts, customer success stories and a feature keynote at the Cloud Security Alliance CxO Trust Summit:

**Qualys QSC San Francisco Featuring VMDR Live  
**QSC San Francisco will be held in person at the Palace Hotel in San Francisco. To view the full schedule and to register for the event, visit the website.

**Highlights include:**

*   **Sumedh Thakar, President and CEO:** Security Automation for the Digital Journey
*   **Nagi Prabhu, Chief Product Officer:** Bringing the Unified Power of the Qualys Cloud Platform to Address Today's Security Challenges
*   QSC customer presentations from **First American Financial** and others.
*   **VMDR LIVE:** Redefining Cybersecurity Risk Management with VMDR
    *   Introducing VMDR 2.0 with TruRisk
    *   Fireside chat with Brian Penn, **Aflac**
    *   Join VMDR Live virtually at www.qualys.com/vmdr-live.
*   **Qualys Cocktail Reception:** Come network with Qualys experts, customers and industry practitioners on Tuesday, June 7 at 6:00 pm PT at the Palace Hotel.
*   **Training Sessions:** On Wednesday, June 8, Qualys will lead two training courses, including an introduction to Qualys VMDR and How to Manage and Secure Your Container Assets.

**Qualys at RSAC  
**Attendees with RSAC credentials are welcome to join the following RSAC events to network with industry peers and learn more about Qualys:

*   **CxO Trust Summit at RSAC****: Jonathan Trull, CISO at Qualys:** Measuring the Maturity of Your Cloud Security Program. June 6, 8:30 am – 3 pm PT, RSAC – Moscone Center South, level 3
*   **DevOps Connect – DevSecOps @RSAC****:** Connect with the Qualys DevOps team to learn more about VMDR and our cloud-based IT, security and compliance solutions. June 7, 8:30 am – 4 pm PT, RSAC – Moscone Center South

**About Qualys**  
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based Security, Compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.

The Qualys Cloud Platform leverages a single agent to continuously deliver critical security intelligence while enabling enterprises to automate the full spectrum of vulnerability detection, compliance, and protection for IT systems, workloads and web applications across on premises, endpoints, servers, public and private clouds, containers, and mobile devices. Founded in 1999 as one of the first SaaS security companies, Qualys has strategic partnerships and seamlessly integrates its vulnerability management capabilities into security offerings from cloud service providers, including Amazon Web Services, the Google Cloud Platform and Microsoft Azure, along with a number of leading managed service providers and global consulting organizations. For more information, please visit www.qualys.com.

Qualys to Unveil VMDR 2.0 at Qualys Security Conference in San Francisco

Corelight Investigator aids threat hunting and investigation through intelligent alert aggregation, built-in queries and scalable search

SAN FRANCISCO, May 25, 2022 /PRNewswire/ -- Corelight, the leader in open network detection and response (NDR), today announced Corelight Investigator, a SaaS-based solution that extends the power of open-source driven network evidence to SOC teams everywhere. Investigator delivers advanced capabilities for transforming network and cloud activity into evidence in a fast, intuitive platform that is easy to deploy and use.

Based on insights learned from savvy defenders in the Zeek open source community, Corelight Investigator provides not only advanced analytics and open access to the best network evidence, but the ability to do custom evidence enrichment unique to each environment. With Corelight Investigator, security teams can quickly accelerate threat hunting and investigations by mapping threat activity across the MITRE ATT&CK® framework and reduce alert volume with intelligent alert scoring.

"We believe that evidence is at the heart of cybersecurity for any organization," said Brian Dye, CEO of Corelight. "We have the privilege of working with defenders of critical infrastructure that can afford data lake architectures and in-house analytics teams to execute their evidence-driven cyber strategy. Corelight Investigator brings the design patterns of those elite defenders to the broader enterprise by combining advanced analytics and threat hunting capability with the power of Zeek, the industry de-facto standard for network evidence."

**Full network visibility with next-level analytics  
**Corelight Investigator brings complete visibility of the network, both on-premise and in the cloud, with evidence that spans months and years, not days and weeks. Customers can leverage machine learning, behavioral analysis, threat intelligence and signatures, mapped to the MITRE ATT&CK framework, to enable broad coverage of network-centric threats.

This evidence leads to specialized detections and enables the threat hunting necessary for advanced, persistent, and personalized attacks. In addition, it supports custom enrichment of network evidence - such as asset information, vulnerabilities, or per-asset context - and links threat hunting and incident response through custom alerts, queries, and dashboards.

"Unlike competitive 'closed' solutions, Corelight Investigator brings a new level of openness to the SaaS NDR market that enables customers to fully understand the logic behind machine learning based detections, and freely integrates these alerts with their existing tools for the broadest coverage," said Clint Sand, senior vice president of product for Corelight.

**Powered by open source and novel research  
**"Along with the advanced analytics that Corelight Labs provides, another advantage of Corelight Investigator is its ability to harness the analytical power of the open source Zeek and Suricata communities. That provides broad-based threat coverage including rapid zero-day response capabilities," said Vern Paxson, co-founder and chief scientist for Corelight. "The open-source nature of Zeek helps us illuminate _why_ a detection happened, as well as rich information about its surrounding context."

Corelight Investigator customers can access richly detailed, interlinked Zeek logs including access to DNS responses, file hashes, SSL as well as logs created by Corelight Labs - which continually creates new analytics for evolving threats and vulnerabilities using cross-customer visibility with the speed of SaaS – for both investigating those alerts and enabling threat hunting.

"As attacks continue to evolve and grow in sophistication, security teams need NDR solutions that provide not only timely and accurate detections, but the supporting context to respond quickly and effectively," said John Grady, senior analyst with ESG. "Corelight meets these requirements by bringing rich network evidence from its decades-long open source Zeek heritage, combined with novel analytics from an array of inferences, making it a powerful contender in the space."

**University of Missouri powers network visibility with Corelight Investigator  
**For many organizations, it is not possible to staff a full security or development team dedicated to parsing the expansive volumes of network traffic. This is true for the research and support services team at the University of Missouri that needed a solution that could provide full network visibility without the management overhead and other fine-tuning often required with competing solutions.

"We are a large university and we need to have full network visibility," said Aaron Scantlin, security analyst at University of Missouri. "It was simple to set up, which means the rest of my time is spent doing advanced analysis and other work."

In addition, Corelight Investigator quickly identifies threats on the network so the team can take immediate action as well as provides access to the raw data for additional investigation.

"Corelight Investigator ingests events so that we can query them in a snap," said Scantlin. "It improves our security posture by providing instant access to events we need to act on."

**Pricing and availability  
**Corelight Investigator joins the Corelight Sensor product portfolio and will be generally available in June. Corelight customers and prospects can contact sales directly for pricing information. More information Corelight Investigator can be found on the Corelight website.

**About Corelight  
**Corelight provides security teams with network evidence so they can protect the world's most critical organizations and companies. Corelight's global customers include Fortune 500 companies, major government agencies, and large research universities. Based in San Francisco, Corelight is an open-core security company founded by the creators of Zeek®, the widely-used network security technology. For more information, www.corelight.com.

Corelight Announces New SaaS Platform for Threat Hunting

Cylance co-founder Ryan Permeh has joined full time as an operating partner.

**WEST PALM BEACH, Fla.** – May 25, 2022 – SYN Ventures, the only VC firm founded and led exclusively by former Fortune 500 CISOs and C-level security leaders, today announced the closing of its $300M Fund II. The closing comes less than 12 months since the launch of its debut fund and continues the firm’s focus on early-stage cybersecurity, industrial security, national defense, privacy, regulatory compliance, and data governance start-ups.

In addition to the closing of Fund II, the firm announced that Co-founder and former Chief Scientist of Cylance, Ryan Permeh, has joined full time as an Operating Partner.

“As cybersecurity has come to the forefront of every human on the planet, the pace of innovation is exploding for both our industry and adversaries,” said Jay Leek, Managing Partner at SYN Ventures. “Adding Ryan, one of the most successful and connected entrepreneurs in our industry, to our team is incredible validation of our investment thesis and mission of protecting all companies big or small, the United States and our allies.”

SYN investments include Adlumin, Boldend, Halcyon, Metabase Q, Netography, Pangea, Phosphorus, Query.ai, SecZetta, Sevco Security, ShiftLeft, SynSaber, TrackerDetect, Revelstoke, Transmit Security, and others. The team combines over 100 years of operational security experience with investing acumen and a trusted network of dozens of CISOs that actively help entrepreneurs accelerate the growth of their companies to better protect against the ever-evolving threat landscape. Some of the firm’s CISO advisors include Cradlepoint CISO, Ben Carr; Chipotle CISO, Dave Estlick; Vista Equity Partners Managing Director and CISO, Adrian Peters; USAA CSO, Jason Witty, and more.

“Joining Jay, Patrick and the SYN team is an exciting next chapter in my career. After decades in executive leadership roles starting at McAfee, I’ve been blessed to work with the people and technologies that have been instrumental in the emergence of cybersecurity as an industry,” said Permeh. “As an entrepreneur, I couldn’t have done what I did without fantastic venture partners, including Jay and Patrick, to bring my vision to life and scale a company to become one of the first unicorns in the industry. Security is in my blood, and I’m excited to share my experience and expertise to help the next generation of entrepreneurs disrupt the industry and evolve the fabric of security.”

**About SYN Ventures**

SYN Ventures is a venture capital firm focused on investing in disruptive and innovative security companies in the cybersecurity, industrial security, national defense, privacy, regulatory compliance, and data governance industries. The firm’s dedicated security team has a proven track record with over 100 years of security investing and operational experience. SYN also has a highly distinguished network of seasoned security advisors and CISOs. For more information on SYN Ventures, please visit https://www.synventures.com/

Cybersecurity-Focused SYN Ventures Closes $300 Million Fund II

According to the findings, vishing attacks have overtaken business email compromise as the second most reported response-based email threat since Q3 2021.

MINNEAPOLIS, May 23, 2022 /PRNewswire-PRWeb/ -- Vishing (voice phishing) cases have increased almost 550 percent over the last twelve months (Q1 2022 to Q1 2021), according to the latest Quarterly Threat Trends & Intelligence Report from Agari and PhishLabs, both of which are part of the HelpSystems cybersecurity portfolio.

In Q1 2022, Agari and PhishLabs detected and mitigated hundreds of thousands of phishing, social media, email, and dark web threats targeting a broad range of enterprises and brands. The report provides an analysis of the latest findings and insights into key trends shaping the threat landscape.

According to the findings, vishing attacks have overtaken business email compromise (BEC) as the second most reported response-based email threat since Q3 2021. By the end of the year, more than one in four of every reported response-based threat was a vishing attack, and this makeup continued through Q1 2022.

"Hybrid vishing campaigns continue to generate stunning numbers, representing 26.1% of total share in volume so far in 2022," said John LaCour, principal strategist at HelpSystems. "We are seeing an increase in threat actors moving away from standard voice phishing campaigns to initiating multi-stage malicious email attacks. In these campaigns, actors use a callback number within the body of the email as a lure, then rely on social engineering and impersonation to trick the victim into calling and interacting with a fake representative."

Additional Key Findings

*   Social media impersonation attacks are on the rise. Since Q2 2021, the volume of brand impersonations increased 339% and executive impersonations 273%. According to the findings, brands prove to be convenient targets for threat actors, especially when associated with retail counterfeit operations. However, for some unique attacks, executive accounts are preyed on to make the spoofs seem more realistic.
*   Credential theft email scams continue to be the most common email threat type reported by employees, contributing to nearly 59% of all threat types encountered. Credential theft reports increased 6.9% in volume from Q4 2021.
*   The malware landscape continues to be ever changing. Qbot was once again the payload of choice for threat actors attempting ransomware attacks, but Emotet reemerged in Q1 and was the second leading payload.
*   While nearly half of all phishing sites rely on a free tool or service for staging, Q1 2022 was the first quarter in five consecutive quarters where paid or compromised services (52%) outnumbered free solutions for the use of staging phishing sites.

"As the variety of digital channels organizations use to conduct operations and communicate with consumers expands, bad actors are provided with multiple vectors to exploit their victims," added LaCour. "Most attack campaigns are not built from scratch; they are based on reshaping traditional tactics and incorporating multiple platforms. Therefore, to remain secure, it's no longer effective for organizations to only look within the network perimeter. They must also have visibility into a variety of external channels to proactively gather intelligence and monitor for threats.

"Additionally, security teams should invest in partnerships that will ensure the swift and complete mitigation of attacks before they result in reputational and financial damage."

Additional Resources

To learn more about the report findings, attend the live webinar at 2 PM EST on Tuesday, May 24 or watch on-demand: https://www.phishlabs.com/webinars/details/?commid=541642.

To access the complete Agari and PhishLabs Quarterly Threat Trends & Intelligence Report, visit: https://info.phishlabs.com/quarterly-threat-trends-and-intelligence-may-2022.

About Agari by HelpSystems  
Agari restores trust to your inbox by increasing overall email deliverability and preserving brand integrity. It does this through an identity-centric approach that uniquely learns sender-receiver behavior. This model protects customers, partners, and employees from devastating phishing and socially engineered attacks, such as inbound business email compromise, supply chain fraud and account takeover-based attacks, as well as from outbound email spoofing. Visit http://www.agari.com to learn more.

About PhishLabs by HelpSystems  
PhishLabs by HelpSystems is a cyber threat intelligence company that delivers Digital Risk Protection through curated threat intelligence and complete mitigation. PhishLabs provides brand impersonation, account takeover, data leakage and social media threat protection in one complete solution for the world's leading brands and companies. For more information visit http://www.phishlabs.com.

About HelpSystems  
HelpSystems is a software company focused on helping exceptional organizations secure and automate their operations. Our cybersecurity and automation software protects information and simplifies IT processes to give our customers peace of mind. We know security and IT transformation is a journey, not a destination. Let's move forward. Learn more at http://www.helpsystems.com.

Vishing Attacks Reach All Time High, According to Latest Agari and PhishLabs Report

Google has disclosed a nasty set of six bugs affecting Zoom chat that can be chained together for MitM and RCE attacks, no user interaction required.

A vulnerability chain discovered in Zoom's chat functionality can be exploited to allow zero-click remote code execution (RCE), threat hunters have revealed.

Google's Project Zero uncovered an attack path that would allow cyber adversaries to silently force a victim to connect to a man-in-the-middle (MitM) server — no user action needed. From there, attackers can intercept and modify client update requests and responses in order to send the victim a malicious update, which will automatically download and execute, thus allowing RCE.

The only capability needed to carry this off successfully is the ability to send messages to the victim over Zoom chat, Project Zero researcher Ivan Fratric noted in a posting that was made public on Tuesday.   

"With the massive popularity and broad reach of Zoom, any vulnerability that could allow a remote compromise like this is of concern," Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading. "While an attack appears to require the threat actor to be on an active Zoom call with the target, the wide prevalence of the platform and the number of large group meetings means it shouldn’t be difficult for a malicious actor to find suitable victims."  

**XMPP "Stanza Smuggling" Bug  
**Zoom chat uses a messaging protocol based on XML called XMPP. Fratric explained that messages are exchanged using short snippets of XML called "stanzas" that are sent over a single stream back and forth from client to server. The initial issue is the fact that the client and server don't see eye-to-eye when interpreting whether message code is well formed, leading to parsing inconsistencies.

"The clients use gloox library for XML parsing … and Zoom's server … uses fast\_xml for XML parsing, which in turn uses an XML parser called Expat," the researcher noted. "Indeed, it turns out that Expat and gloox parse XML in a different way and (at least one) exploitable inconsistency exists."

At issue is the fact that the server's Expat parser is lax when it comes to validating tag and attribute names, Fratric said. Specifically, it will forward tag names containing question marks (i.e., "<?xml ?>") to the client, even though it shouldn't. And when the client's gloox parser sees the question-mark sequence, it will reset the parser state so that anything coming after that will be considered a legitimate root node of the next stanza.

This makes it possible to escape the <message> tag safeguards, he noted, to add in whatever content the attacker would like: "The <message> tag here can, of course, be replaced with <iq> or any other tag and it will be accepted by the client as the data coming from the server." He dubbed this "stanza-smuggling."

Since attackers now have complete control over the message tag, that also means they can manipulate the "from" attribute, in order to spoof messages as if coming from another user. And, Fratric noted, they can also lead the victim's contacts to malicious websites for phishing or drive-by malware attacks. This is accomplished by altering the file-integration tag, to surreptitiously replace the URL that's opened when the user wants to share a file with another user, using Dropbox, Google Drive, SharePoint, and other cloud-based services.  

**Achieving Man-in-the-Middle Status  
**The MitM attack is accomplished by changing the <strem:error> tag. Using a specially crafted stanza, bad actors can create "a 'ClusterSwitch' task in the Zoom client, with an attacker-controlled 'web domain' as a parameter," Fratric said.

To trigger the attack, adversaries can simply type and send a message to the victim containing the magic string "iddqd" in the tag. That will cause the victim client to connect to the /clusterswitch endpoint on the attacker-provided domain, thus setting up the ability to see and modify traffic between the client and the Zoom Web server.

"From /clusterswitch endpoint, a client gets a list of domains to be used for various services," Fratric explained. "Since the attacker is already in the man-in-the-middle position, they can replace any of the domains with their own, acting as a reverse proxy and intercepting communications."

**Exploiting the Client Update Process  
**The escalation to arbitrary code execution was a logical next step, Fratric noted, given that Zoom clients will periodically query the update endpoint from Zoom's Web server to see if there's anything new to install.

"Since the attacker is already in the MitM position, they can, of course, replace these endpoints and serve arbitrary data," according to the researcher.

Fratric ran into a snag here, though: The client downloads two files as part of the update process, and verifies their legitimacy — the "Installer.exe" file must be signed by "Zoom Video Communications, Inc." to start with; once installed, it checks the hash of the second .cab file.

However, it turns out that attackers can get around these hurdles with a downgrade attack.

"I served Installer.exe and .cab from Zoom version 4.4 (from mid-2019)," the researcher explained. "The installer for this version is still properly signed; however, it does not do any security checks on the .cab file."

**Patch Now**

In all, Fratric reported a total of six security vulnerabilities, including four Zoom-specific issues fixed in version 5.10.4 of the Zoom client:  

*   CVE-2022-22784 (improper XML parsing)
*   CVE-2022-22786 (update package downgrade),
*   CVE-2022-22787 (insufficient hostname validation​​),
*   CVE-2022-22785 (improperly constrained session cookies)

There's unfortunately also a software supply chain issue at work: The two others (CVE-2022-25235, CVE-2022-25236) affect the Expat parser, which is open source and used in plenty of other applications, including wares from Aruba, F5, IBM, and Oracle, as well as the Red Hat Linux distro. They're patched in Expat version 2.4.5.

"Some or all parts of the chain are likely applicable to other platforms," Fratric said.

Zoom became a popular target for "Zoom-bombing" and other attacks in the wake of the work-from-home wave during the pandemic, calling into question the security of the platform and its encryption practices. The company implemented a raft of security changes to match it's heightened status, but nonetheless, bugs like these are somewhat inevitable, researchers noted.

"In 2020, we all instantly became hyper-connected to the Internet…and so did all of the systems we use," Mark Lambert, vice president of products at ArmorCode, tells Dark Reading. "Two years later, and it is clear that there is no looking back. Unfortunately, these types of vulnerabilities are inevitable given the speed that software is released to meet business goals. The only way for us to protect ourselves is to detect as soon as possible and react even quicker."

Managing the volume of software vulnerabilities and alerts is a difficult challenge for developers, he notes. "The only way for them to keep up with the pace of delivery is to operationalize application security and embed it into their DevOps pipeline."

Zero-Click Zoom Bug Allows Code Execution Just by Sending a Message

This year's finalists tackle such vital security concerns as permissions management, software supply chain vulnerability, and data governance. Winners will be announced June 6.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading