With a focus on creating technologies for other markets, Israel continues to be a valued destination for venture capital in cybersecurity outside the US and Europe.

Source: thinkhubstudio via Shutterstock

Though funding for cybersecurity startups began slowing globally in late 2022, Israeli startups continue to win significant cybersecurity investments, even with the nation's ongoing military operation in Gaza and escalating regional tensions.

The continued investment shows that Israel continues to be one of the strongest hubs for tech innovation in the US outside of Silicon Valley, says Or Shoshani, CEO and co-founder of Tel Aviv-based Stream.Security. His company, a cloud detection and response firm, garnered its first round of funding — a $26 million Series A — in March 2022 at the tail end of the boom. Earlier this month, the company was awarded a Series B round for $30 million.

"I've been traveling more than I've been doing in the last four years. Why? Just to show that we are here to support our customers, and we have built a business that is truly resilient, regardless of where we are and regardless of the state \[of affairs\] Israel is experiencing."

Following a two-year drought, cybersecurity startup companies are seeing an uptick in investment internationally, with the value of deals expected to grow by 45% in 2024 — a reversal of fortunes compared to the 40% decrease in 2022 and 49% drop in 2023, according to data from cybersecurity investment-advisory firm Altitude Cyber.

Related:Microsoft VS Code Undermined in Asian Spy Attack

Following a peak in Q4 2021, investment in cybersecurity firms tapered off for two years. It's starting to return. Top: Number of deals. Bottom: Value of deals in billions of US$. Source: Altitude Cyber

The investment focus of Altitude Cyber's clients, for example, remains the US, Israel, and Europe, followed by the rest of the world, says Dino Boukouris, founder and managing partner at the firm.

"We don't anticipate that trend will change any time soon," he says. "Even with the geopolitical climate we're in, Israel has continued to deliver, the US cyber market remains as strong as ever, and Europe \[and the\] UK continue to innovate and produce really great cyber companies."

**Cybersecurity Springs Back**

Israel's research and development centers took off during the US regulatory assault on encryption in the 1990s and the migration of chip design to many of the technology parks around Tel Aviv and Haifa during the past two decades. On the cybersecurity side, the nation has developed "outsized" capabilities, according to a recent history of Israel's evolution in cybersecurity.

Similar to Silicon Valley, going out for a cup of coffee often means running into two or three entrepreneurs that are going to tell you about their latest idea, says Jacques Benkoski, general partner at US Venture Partners, an investor in Stream.Security.

With the country's focus on cybersecurity and the density of talent and education available in a small area, innovation naturally follows, he says. 

Related:Under-Resourced Maintainers Pose Risk to Africa's Open Source Push

"When you look at the history of venture capital, you have nodes of innovation that are characterized by a catalytic density of talent — you look at places like Silicon Valley, you look at places like Tel Aviv, and you just have a lot of people that are focused on the same thing," he says. "And from the acceleration through dialogues and the collisions \[of ideas\] between those people comes more innovation" than other parts of the world.

Yet, one aspect of Israel's venture-capital scene is that investors do not want to fund companies solving local problems. Instead, the focus is on creating technologies and businesses that address issues in the US, Europe, and worldwide, Benkoski say.

"We typically invest in companies that see the US as their primary market — it's actually an investment condition," he says. Second rounds of venture capital for companies like Stream.Security are often to develop a stronger presence in their primary market, he adds.

**Broadening Out Cybersecurity Investment**

While the country's cybersecurity ecosystem certainly has its adherents, other investors see a focus on local ecosystems to be desirable. Ukraine has historically had a strong cybersecurity community — albeit mixed with its share of cybercriminal groups — and that could see a resurgence if Russia ends its war, says Ron Gula, president of Gula Tech Adventures, an investment firm.

Related:Software Productivity Tools Hijacked to Deliver Infostealers

"I'm hopeful that the Ukraine war will end soon, and believe the tech ecosystem there will emerge as a rival to the Israeli ecosystem," he says.

Other areas of the world also offer substantial benefits for investment. In addition to expanding its investment into Israel, Forgepoint Capital plans to focus on Latin America and the Asia-Pacific regions, where the mobile-first ecosystem requires a tailored approach to cybersecurity, managing director J. Alberto Yépez says.

"Other geographies have more of a built-in enterprise industry infrastructure to support local innovation, with established institutions taking an active role to drive collaboration and better anticipate and address their customers' needs," he says, adding that the firm has partnered with global financial institutions to help innovate. "We aim to address a critical gap in growth funding for startups in Europe while expanding our purview into Latin America and Israel," he says.

One overhyped technology for investors? AI. While artificial intelligence has technology giants spending heavily — and nearly every cybersecurity firm boasts of AI features — the impact of AI startups on cybersecurity remains modest, says Altitude's Boukouris. But there have been some significant financing deals for AI-cybersecurity companies in past few years, including Protect AI ($60 million in Series B funding, HiddenLayer ($50 million, Series A), Witness AI ($28 million, Series A), and Cranium ($25 million, Series A), he says.

"Vendors specifically focused on security for AI/ML are still primarily in the early stages in terms of funding," he says. "We've only seen one significant M&A event so far, with Robust Intelligence being acquired by Cisco for around $300 million, which indicates that we are still in the early stages of security for AI."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Israel Defies VC Downturn With More Cybersecurity Investments

Neurodivergent talent can add so much to a cybersecurity team. How can companies ensure they have the right hiring and onboarding practices in place to help these employees succeed?

Source: Jess Rodriguez via Alamy Stock Photo

Hiring and retaining neurodivergent talent is a crucial step toward fostering a more inclusive and innovative cybersecurity workforce. But traditional hiring processes and standardized training programs can often create barriers for these individuals and lead companies to lose out on talent.

Here are eight tips for ensuring that your hiring and training processes are more inclusive and that neurodivergent candidates can succeed and thrive within your organization once they are on the job.

**1\. Embrace Performance-Based Interviews**

Traditional interviews may not showcase a neurodivergent candidate's full potential. Instead, use performance-based interviews where candidates can demonstrate their skills in a comfortable, simulated work environment. This provides better insight into their capabilities and reduces stress related to social interactions.

"Sitting in a room answering questions, especially when you're seeking a job that is going to have less social interaction, is not the way to do it," says Megan Roddie-Fonseca, a senior security engineer at Datadog and a neurodivergent person with autism and ADHD. "When it comes to showing my skill set, I'm going to be doing that on a computer, in an environment I'm comfortable with."

**2\. Communicate Clear Expectations**

Clarity is key when working with neurodivergent candidates. During interviews and onboarding, provide clear instructions and explain expectations thoroughly. Avoid using metaphors or vague language, which can create confusion for some candidates.

"Due to my auditory processing disorder, I often rely on written communication to fully process information," says Meghan Maneval, senior director of product marketing at LogicGate.

**3\. Use Flexible Interview Formats**

Allowing candidates to complete tasks at their own pace and in familiar environments can help them showcase their strengths without the added pressure of time constraints or sensory distractions.

"Many neurodivergent employees I have spoken with tell me they are at their best when they have time and mental space to solve a problem on their own, in their own way, and then bring it back to the team," says Jodi Asbell-Clarke, a senior researcher in neurodiversity in STEM education at the nonprofit TERC and author of Reaching and Teaching Neurodivergent Learners in STEM.

**4\. Develop Individualized Training Plans**

Neurodivergent employees often benefit from tailored training programs. Rather than a one-size-fits-all approach, offer flexible training options, such as self-paced modules, to accommodate different learning styles.

"Giving neurodivergent employees space for autonomy of thought during training can be beneficial," Asbell-Clarke says.

**5\. Build a Culture of Inclusion**

Foster open dialogue about neurodiversity and encourage conversations about the needs of neurodivergent employees. Create employee resource groups (ERGs) to provide a platform for neurodivergent voices and make sure they feel heard.

“It's a culture shift because a lot of people are afraid to bring up those things because people think they're silly or they'll feel like, you know, they're going to get fired or not be a candidate for hire because they made a request like this," Roddie-Fonseca says.

**6\. Implement Universal Design Principles**

Adopt universal design practices that benefit everyone in the workplace, whether or not they disclose a neurodivergent condition. Simple accommodations, such as allowing flexible workspaces, reducing sensory distractions, and providing access to tools, can help everyone thrive.

"Neurodivergence is already present in about 20% of the workforce, but not everyone will disclose it. So it's important to have support systems in place that everyone can access," says Liz Green, an occupational therapist and business consultant specializing in neurodiversity and inclusive design, who often works with cybersecurity clients.

**7\. Regularly Check in With Employees**

Create a culture of regular check-ins, where managers and employees can discuss accommodations, work environment preferences, and overall well-being. This ensures neurodivergent employees feel supported and understood. But do it in different ways so that the check-ins are not intrusive. This can be done with short check-in surveys, for example.

"Quick checks are very helpful," Green says. "Regular check-ins allow managers to understand how employees are doing and if any accommodations need adjustment."

**8\. Be Open to Learning and Adapting**

Creating an inclusive environment for neurodivergent employees requires a willingness to learn and adapt. Encourage managers to engage in ongoing training and education on neurodiversity and foster a workplace culture that supports continuous learning and improvement. Make sure that neurodivergent employees are included in all conversations and initiatives that are centered on inclusion.

"The most important thing is bringing forth the voices of the population," Green says. "It's about making an effort to listen and then act on what neurodivergent employees are saying."

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

8 Tips for Hiring and Training Neurodivergent Talent

The innocuously named Russian-sponsored cyber threat actor has combined critical and serious vulnerabilities in Windows and Firefox products in a zero-click code execution exploit.

Source: Collection Chrisophel via Alamy Stock Photo

For a brief window of time in October, Russian hackers had the ability to launch arbitrary code against anyone in the world using Firefox or Tor.

On Oct. 8, researchers from ESET first spotted malicious files on a server managed by the Russian advanced persistent threat (APT) RomCom (aka Storm-0978, Tropical Scorpius, UNC2596). The files had gone online just five days earlier, on Oct. 3. Analysis showed that they leveraged two zero-day vulnerabilities: one affecting Mozilla software, the other Windows. The result: an exploit that spread the RomCom backdoor to anyone who visited an infected website, no clicks required.

Luckily, both issues were remediated quickly. "The attackers only had a really small window to try to compromise computers," explains Romain Dumont, malware researcher with ESET. "Yes, there was a zero-day vulnerability. But, still, it was patched really fast."

Dark Reading has reached out to Mozilla for comment on this story.

**A Zero-Day in Firefox & Tor**

The first of the two vulnerabilities, CVE-2024-9680, is a use-after-free opportunity in Firefox animation timelines — the browser mechanism that handles how animations play out based on user interactions with websites. Its power to afford attackers arbitrary command execution earned it a "critical" 9.8 rating from the Common Vulnerability Scoring System (CVSS). 

Related:Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

Importantly, CVE-2024-9680 affects more than just Firefox. Mozilla's open source email client "Thunderbird" is also impacted, as is the ultrasecretive Tor browser, which is built from a modified version of Firefox's Extended Support Release (ESR) browser.

In October, RomCom deployed specially crafted websites that would instantly trigger CVE-2024-9680 without the need for any victim interaction. Victims would unknowingly download the RomCom backdoor from RomCom-controlled servers, then quickly be redirected to the original website they thought they were visiting all along.

These malicious domains were made to mimic the real sites associated with the ConnectWise and Devolutions IT services platforms, and Correctiv, a nonprofit newsroom for investigative journalism in Germany. That these organizations are both political and economic in nature might not surprise those familiar with RomCom, which has always conducted opportunistic cybercrime, but in more recent times has added politically motivated espionage to its agenda. Its activity in 2024 has included campaigns against the insurance and pharmaceutical sectors in the US, but also the defense, energy, and government sectors in Ukraine.

Related:News Desk 2024: Can GenAI Write Secure Code?

It's unclear by what means of social engineering RomCom might have spread these malicious sites.

**What We Know of RomCom's Campaign**

Not content with only running code in a victim's browser, however, RomCom also employed a second vulnerability, CVE-2024-49039. This high-severity 8.8 CVSS-rated bug in the Windows Task Scheduler allows for privilege escalation, thanks to an undocumented remote procedure calls (RPC) endpoint unintentionally accessible to low level users. In this case, RomCom used CVE-2024-49039 to escape the browser sandbox and onto a victim's machine at large.

The damage that might've been done with such a powerful exploit chain, and exactly who was affected by it last month, remains unknown. What's clear at this point is that the overwhelming majority of targets were located in North America and Europe — particularly the Czech Republic, France, Germany, Poland, Spain, Italy, and the US — plus scattered victims in New Zealand and French Guiana.

Also, notably, none of the victims tracked by ESET were compromised via Tor. "Tor has some predefined settings that differ from Firefox, so maybe it would not have worked," Damien Schaeffer, senior malware researcher at ESET speculates. He notes, too, that RomCom's primary targets appeared to be corporations, which rarely use Tor.

Related:Israel Defies VC Downturn With More Cybersecurity Investments

Both CVE-2024-9680 and CVE-2024-49039 have since been patched — the former on Oct. 9, just 25 hours after Mozilla was notified of the issue, and the latter on Nov. 12.

"By now, I hope, the problem is more or less done," Schaeffer says. Still, for any given organization, "It'll depend on their policies. If you have good patch management, this would have been fixed in one day or so. But it's up to people to fix their stuff."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'RomCom' APT Mounts Zero-Day, Zero-Click Browser Escapes in Firefox, Tor

New York state regulators punish insurers after cybercriminals illegally access customer info they then used to file scam unemployment claims during the COVID-19 pandemic.

Source: Phanie - Sipa Press via Alamy Stock Photo

Two auto insurance companies will pay a hefty penalty for what the State of New York says was inadequate security that allowed hackers to compromise personal data of more than 12,000 state residents.

New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne A. Harris said the $11.3 million fines against Government Employees Insurance Co. (GEICO) and the Travelers Indemnity Co. follows what the state deemed "poor data security" practices that allowed cybercriminals to steal driver license numbers. Worse, at the height of the COVID-19 crisis, they used that info to file fraudulent unemployment claims. Specifically, the insurers were found to have violated a state regulation to "implement policies, procedures, and controls designed to protect consumer data as well as the financial institutions themselves," their statement said.

GEICO has been ordered to pay $9.75 million, and Travelers will pay $1.55 million.

“GEICO and Travelers offer drivers protection during times of emergencies, but these companies failed to protect consumers' personal information,” James said. “Data breaches can lead to serious fraud, and that is why it is important for all companies to take cybersecurity and data protection seriously.”

GEICO experienced a November 2020 compromise of its auto insurance quoting tool, allowing threat actors to steal driver license numbers from the company's public-facing website, New York regulators said.

"Despite being notified by DFS of an industry-wide cyberattack campaign to obtain driver's license numbers, and suffering, disclosing, and remediating separate cybersecurity incidents, GEICO failed to conduct a comprehensive review of its systems to prevent and detect future cyberattacks," the statement continued.

Following that breach, hackers pivoted to exploit a vulnerability in GEICO's quoting tool for insurance agents on a separate platform.

Both cyberattacks against GEICO exposed the personal information of about 116,000 New York residents, most of those leaked in the second compromise, the statement added.

Travelers too was breached through a similar cyberattack against its auto insurance quoting tool, this time a calculator used by independent agents. Despite receiving multiple alerts that threat actors were conducting these types of campaigns, in April 2021, hackers were able to use compromised credentials to generate reports with license numbers in plain text, exposing the data of 4,000 New Yorkers, the statement said.

Besides the penalties, these insurers have agreed to improve their cybersecurity practices including improving protections for private information, conducting a comprehensive data inventory, requiring authentication to access private data, implementing logging and monitoring, and enhancing threat response planning and procedures.

GEICO also agreed to conduct remedial measures, including comprehensive risk assessment and penetration testing, plus developing an action plan to address any resulting issues. Travelers agreed to review its systems, assess its own access controls, and improve protections against unauthorized access to nonpublic personal information, according to the regulators' statement.

Geico, Travelers Fined $11.3M for Lax Data Security

The APT, aka Earth Estries, is one of China's most effective threat actors, performing espionage for sometimes years on end against telcos, ISPs, and governments before being detected.

Source: 3D generator via Alamy Stock Photo

The Chinese threat actor known as Salt Typhoon has been spying on some high-value government and telecommunications organizations for several years now, recently debuting fresh backdoor malware, dubbed GhostSpider.

Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) is among the People's Republic's most cutting advanced persistent threats (APT). In a campaign stretching back to 2023, it has compromised more than 20 organizations. Those organizations tend to be of the highest order, from all corners of the globe, and their breaches have in some cases remained undetected for years. Most recently, it's been known for targeting US telcos, including T-Mobile USA, and ISPs in North America.

**Salt Typhoon's Arsenal of Malware**

With access to a targeted network, the APT that Trend Micro calls Earth Estries can deploy any one of its varied and powerful payloads, which it is consistently building out, according to a new analysis from the firm.

There's Masol RAT — a cross-platform tool it's used against Linux servers from Southeast Asian governments — and the modular SnappyBee (aka Deed RAT). The newly discovered GhostSpider, meanwhile, is a highly modular backdoor, adjustable for any particular attack scenario, according to Jon Clay, Trend Micro's vice president of threat intelligence.

Related:Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

"So, I can enact a specific module to do one specific thing, and it only does that one thing, and then if I need something else, I enact another module. And this does make it much more difficult for defenders and researchers to identify what's what," Clay says, because one instance of GhostSpider might look entirely different from another.

Besides its backdoors, the group also possesses a rootkit called Demodex, and Trend Micro has speculated that it might even have used Inc ransomware in some of its operations.

The diversity of Salt Typhoon's malware may be connected to the very nature of how it operates. According to the researchers, it is a structured organization of distinct, specialized teams. Its various backdoors, for example, are managed by different "infrastructure teams." The tactics, techniques, and procedures (TTPs) utilized in different attacks might vary significantly, with unique teams focusing in different geographic regions and industries — another reason why pinning down the Chinese APT has been so difficult over the years. "They are very sophisticated \[at\] gaining access, maintaining access, maintaining persistence, and wiping their tracks when they have done something to make it look like they were never there," Clay says.

Related:News Desk 2024: Can GenAI Write Secure Code?

**How Estries Gains Entry**

Earth Estries had been conducting long-term espionage attacks against governments and other targets since 2020. Around the middle of 2022, though, a switch flipped.

"In the past, they were doing a lot of phishing of employees," Clay recalls. "Now they're targeting Internet-facing devices using n-day vulnerabilities, finding any open ports \[or\] protocols, or applications that are running that they can exploit in order to gain access."

"N-day" refers to recently disclosed bugs that organizations might not have had a chance to patch yet. The group's favorite vulnerabilities have been dangerous (but now well-documented), including: 

*   The SQL injection bug CVE-2024-48788, which affects the Fortinet Enterprise Management Server (EMS)
    
*   CVE-2022-3236, a code injection issue in Sophos Firewalls
    

*   The four Microsoft Exchange vulnerabilities involved in ProxyLogon
    

"And we see this across the board," Clay notes. "Certainly, emails are still a big way to gain access to organizations, but it used to be 80%-plus \[of cases\]. I think now you're looking at a much smaller percentage of these attacks beginning with a phishing campaign."

Related:Israel Defies VC Downturn With More Cybersecurity Investments

**Chinese Island Hopping to Gov't Cyberattack Victims**

Often, Salt Typhoon doesn't exploit vulnerabilities directly in its target's network. Instead, it opts for a more tactful approach.

Since 2023, its victims have spanned no fewer than four continents — from countries as diverse as Afghanistan, India, Eswatini, and the US — with the greatest concentration being in Southeast Asia. These organizations have come from the telecommunications, technology, consulting, chemical, transportation, and nonprofit sectors, with a special emphasis on government agencies.

Not all of these organizations are necessarily the hackers' final destination, though. A nongovernmental organization (NGO), for example, may house interesting data worth stealing, or it might just provide a covert springboard for attacking a more important government agency. In 2023, for instance, researchers observed Salt Typhoon compromising consulting firms and NGOs that work with the US government and military, with the goal of more quickly and effectively breaching the latter.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Salt Typhoon Builds Out Malware Arsenal With GhostSpider

Amazon Web Services' identity and access management platform has added new features that help developers implement secure, scalable, and customizable authentication solutions for their applications.

Source: GK Images via Alamy Stock Photo

Amazon Web Services (AWS) has announced updates to Amazon Cognito, its identity and access management service for Web and mobile applications. The service allows developers to secure machine-to-machine authentication, enable role-based access to AWS resources, and create sign-in and sign-up experiences in applications. 

Cognito now supports passwordless login with managed login, enabling users to integrate passwordless authentication methods, including passkeys, email one-time-passwords, and SMS one-time-passwords. 

The new features include a developer-focused console experience that streamlines onboarding via a wizard and use-case specific recommendations. This allows developers to configure their sign-in options and follow the system-provided instructions to create the application's sign-in and sign-up pages. A new user pool, a user directory for authentication and authorization, is automatically created, according to the blog post announcing the new updates. Amazon Cognito also supports major application frameworks and offers detailed instructions for integrating them using standard OpenID Connect (OIDC) and OAuth open source libraries.

Amazon has updated the pricing structure for Cognito, adding user pool feature tiers: Lite, Essentials, and Plus. New user pools are created at the Essentials tier by default, and users can switch between tiers depending on their needs. 

The Lite tier includes user registration, password-based authentication, and social identity provider integration. The Essentials tier includes expanded authentication and access control features, including managed login and passwordless capabilities and enhanced security features. The Plus tier offers more security features, including threat protection capabilities against suspicious logins and compromised credential detection. 

Pricing is based on monthly active users. The Essentials and Plus tiers are available in all AWS regions where Cognito is available, except AWS GovCloud (US) regions. 

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

AWS Rolls Out Updates to Amazon Cognito

Cyberattackers have been targeting the online NFT marketplace with emails claiming to make an offer to a targeted user; in reality, clicking on a malicious link takes victims to a crypto-draining site.

Source: Mundissima via Alamy Stock Photo

Cyberattackers are targeting users of the OpenSea nonfungible token (NFT) platform with a phishing attack that lures users with the potential sale of items listed on the marketplace. The aim? Draining their cryptocurrency wallets dry.

Researchers at Cofense discovered the campaign, in which adversaries impersonate the OpenSea website and claim a user has a new offer on a listing on the site to try to bait them into clicking on a malicious link.

"The goal of the phishing scheme is to get recipients to connect their crypto wallets to the phishing page, which will drain their wallets," Cole Adkins of the Cofense Phishing Defense Center wrote in a post. "The phish presents itself as an offer on an NFT the recipient has listed on OpenSea, in hopes they will click on it and connect their wallet once redirected."

OpenSea is the largest marketplace for NFTs and thus "the go-to platform for many entry-level NFT enthusiasts looking to enter the crypto collectible market," who are likely unaware of the common tactics of phishers and thus can easily be fooled, he wrote.

The campaign demonstrates the speed with which attackers are targeting new and emerging technologies like NFT — which held little interest for people until OpenSea was launched in 2017 —  with custom campaigns tailored to their particular interests, he said. OpenSea marketplace currently has more than 2 million users with at least one transaction on the site, many of them enterprise users.

Related:Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

**OpenSea Brand Impersonation for the Phishing Lure**

The attack begins when targeted victims receive an email that appears to come from OpenSea. To a savvy user, it would be a clear phish, as the sender address is "administrator\[at\]motordna\[dot\]io," and thus unrelated to the NFT marketplace. However, the branding in the content of the email mimics OpenSea using a look that's similar to the site, and it could fool someone not keeping an eye out for phishing clues, according to Cofense.

"By branding the email as OpenSea and employing the same email format used for an actual notification from the OpenSea NFT marketplace, the threat actor hopes to ease the recipient’s suspicion so they will click the button in the email body," Adkins wrote.

Recipients are prompted to hit an "Access Now" button to direct to a purported offer that's come on one of their items on the marketplace, demonstrating the use of social engineering that adds urgency and aims to instill excitement at the potential of a sale, he wrote.

Users that click on the button are directed to a fake OpenSea webpage that's also been designed by attackers to appear legitimate. The page shows that an offer has been made on an NFT owned by the victim and they must accept it quickly by connecting to their crypto wallet via a "Connect Wallet" button, or else lose their chance at a sale. Clicking presents the user with multiple ways to access the wallet, such as via a QR code or signing in with credentials. Once this step is complete, an attacker can control the wallet and any credentials associated with it.

Related:News Desk 2024: Can GenAI Write Secure Code?

**NFT in the Crosshairs**

The campaign is not the first time OpenSea has been targeted by a potential threat actor. A couple of years ago, an employee of one of the marketplace's email vendors, Customer.io, accessed and downloaded the company's email list, ostensibly for future phishing attacks. The cybercriminal group Marko Polo also has impersonated OpenSea as a way to target its users for fraud.

While NFT hasn't quite gone mainstream yet, attackers are increasingly targeting those interested in the novel technology to expand their attack surface. These attacks will likely ramp up as the technology gains popularity, according to Cofense. "This … highlights why recipients must stay vigilant and up to date with common phishing threats in order to protect their assets," Adkins wrote.

Related:Israel Defies VC Downturn With More Cybersecurity Investments

Cofense recommends that users of OpenSea and other NFT marketplaces use the same online hygiene as any other e-commerce user when navigating access to their accounts. Best practices for protecting assets include avoiding clicking on links in emails from addresses or users they don't recognize, and learning to recognize common phishing and social-engineering tactics. The company also recommends that OpenSea users should check the sender field of any email that purports to be from the marketplace for suspicious-looking addresses that could alert them to foul play.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

OpenSea Phishers Aim to Drain Crypto Wallets of NFT Enthusiasts

Protection ranged from 0.38% to 50.57% for security effectiveness.

PRESS RELEASE

AUSTIN, Texas, Nov. 26, 2024 /PRNewswire/ -- CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has completed an independent "Mini-Test" of Cloud Service Provider (CSP) Native Firewalls from Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Security effectiveness protection ranged from 0.38% to 50.57%.

In today's cloud-centric environment, businesses often face a critical choice regarding the security of their cloud infrastructure. They can rely on firewalls offered directly by Cloud Service Providers (CSPs) or use independent security vendor firewall offerings typically available through the respective CSP's marketplace. Security effectiveness is a crucial factor in selecting the right firewall solution, as it directly impacts the organization's ability to protect against cyber threats.

The CSP firewalls were tested against 522 exploits using Keysight's CyPerf v5.0 software testing platform, offering an evidence-based look at how well these native solutions withstand real-world security threats. Only known Common Vulnerabilities and Exposures (CVEs) from the last ten years with a severity of medium or higher were used to assess security effectiveness, usability, and protection. The exploit (CVE) types targeted servers and are typically relevant to cloud workload deployments.

"This was designed to be an entry level test," said Vikram Phatak, CEO of CyberRatings.org. "The exploits were straightforward; we didn't apply any evasions which is normally how attackers bypass security products. The number of missed exploits is concerning. Until cloud native firewalls demonstrate they have a higher level of security effectiveness to protect against cyber threats, we strongly recommend that customers consider third-party providers with a proven track record."

This test is part one of a two-part test. Part two will include a higher number of exploits, along with evasions and malware. The second part of the test will also compare cloud service provider native solutions against market leading third-party cloud network firewall providers.

The native firewalls were tested using Keysight's CyPerf v5.0 software testing platform. Enterprises can easily replicate the results with a 2-week free trial from Keysight. Further details of the strike library can be found here: https://www.keysight.com/us/en/products/network-test/cloud-test/cyperf.html

The test report is available for free at cyberratings.org.

About CyberRatings.org 

CyberRatings.org is a 501(c)6 non-profit organization dedicated to providing confidence in cybersecurity products and services through our research and testing programs. We provide enterprises with independent, objective ratings of security product efficacy to make informed decisions. To become a member, visit www.cyberratings.org and follow us on LinkedIn.

SOURCE  CyberRatings.org

CyberRatings.org Announces Test Results for Cloud Service Provider Native Firewalls

Findings reveal growing cybersecurity risks in ecommerce, exposing vulnerabilities in PII handling and lack of basic security protections like HTTPS and WAFs

PRESS RELEASE  
PALO ALTO, Calif., Nov. 26, 2024 – CyCognito today released a special report on the security risks facing ecommerce platforms during the holiday shopping season, highlighting the growing threats to customer data as Black Friday and Cyber Monday drive a surge in online activity. The findings showed that, despite ecommerce sites handling more sensitive data than ever, vulnerabilities continue to persist—especially in web applications and interfaces. 

With the holidays fast approaching, both retailers and shoppers need to be prepared for the risks of the seasonal rush. As they race to meet shopping demands, attackers are ready to exploit vulnerabilities in ecommerce assets, potentially stealing personal information or causing major disruptions,” said Emma Zaballos, Senior Researcher, CyCognito. “It’s crucial for retailers to prioritize ongoing security checks, ensuring their websites are prepared well ahead of peak shopping days. Otherwise, the consequences could be a far worse gift than any shopper expected.”

For this report, CyCognito’s research team aggregated and analyzed ecommerce web application assets across its customer base from November 2023 to October 2024. All findings are anonymized and normalized. These customers span multiple industry verticals and include a mix of small, medium, and large enterprises across the globe, including Fortune 500 companies.

Key findings:

*   Ecommerce Sites Handling Sensitive Data at Risk
    
*   Widespread Lack of HTTPS and WAF Protections
    
*   PII-Exposing Assets Lacking Security Protections
    
*   Certificate Validity and Trust Issues  
    

To view the full report, please visit this link.

About CyCognito

CyCognito is an exposure management platform that reduces risk by discovering, testing and prioritizing security issues. The platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats. For more information, visit https://www.cycognito.com/

CyCognito Report Highlights Rising Cybersecurity Risks in Holiday E-Commerce

Imagine your car gossiping to insurance companies about your lead foot, or data brokers peddling your daily coffee run. Welcome to the world of connected cars, where convenience and privacy are locked in a head-on collision.

Source: santoelia via Alamy Stock Photo

COMMENTARY

If you drive an Internet-connected car, like I do, your real threat isn't a cop with a radar gun: It's your vehicle becoming a giant, metal snitch. Under your hood, through miles of circuitry, lies a dark secret: Data brokers are collecting every detail of your trip, from where you grab your morning coffee to that shortcut you take to avoid rush hour. They say it's for safety and a better driving experience, but regardless, the idea of our cars spying on us can be terrifying. However, before we admonish our all-seeing rides, we must be honest with ourselves — the convenience we opt into isn't the same as a full-blown invasion of privacy. 

I've been in cybersecurity for more than a decade, taking the fight to the worst threat actors and fending off market-shifting phishing attacks. I get the whole "privacy matters" spiel. But let's face it: We crave convenience and yet complete privacy on the road isn't always practical, especially when it comes to safety. 

My garage houses its own fleet of Teslas — three to be exact, including one for my teenage daughter (just to be clear, I'm not an Elon fanboy). I love these cars because they're packed with safety features that allow me to monitor and supervise our driving. This is important to me because teenagers and speeding go together like peanut butter and jelly. Age aside, who among us hasn't rolled through a stop sign in the wee hours? We all have imperfections, and for me and my family, that includes the occasional lapses in driving that I want to know about. 

Some folks might clutch their pearls at the thought of supporting tracking features, and in some cases they'd be right. I can scoff at the US Automobile Association's (USAA) attempt to totally track me with its SafePilot app just for an insurance discount. But Tesla's monitoring feature that lets me see where my daughter ghosts off to after curfew? Totally different.  

It's all about commonsense control. USAA wants to use my data to judge my driving and probably jack up costs down the road. Tesla's features, and others like it, skew toward safety and meaningful oversight (again, not an Elon fanboy).  

**Picking and Choosing Our Privacy Choices**

The point is, we're all picking and choosing when it comes to privacy, whether we know it or not. We crave convenience and control, even if it means sacrificing a bit of anonymity in the digital age. But is this the future we signed up for? Convenience at the expense of complete transparency? We willingly hand over our data to the tech giants — the Apples and Googles of the world — trusting them to be our benevolent data overlords. They assure us our information is anonymized, like a digital cloak of invisibility protecting our identities. And we just have to trust them. Here's the thing: I sleep soundly at night knowing my Internet-connected car's got my back (and my daughter's). 

That isn't to say this is a black-and-white issue. We do need a data reality check. Yes, personalized data collection can be a good thing. Suggesting that scenic rest stop on your road trip through Yosemite is super helpful. But the line gets blurry when that same data allows insurance companies to track your movements or marketers to manipulate you into buying an overpriced Chick-fil-A sandwich along your normal route home. 

In less safe, opted-in hands, our so-called anonymized data becomes a dystopian road map of our lives, influencing everything from insurance rates to targeted ads for the nearest repair shop (because, hey, after that questionable parking job, you must need one!). 

The bigger problem is the lack of transparency and accountability. Just how much anonymized data gets used for less helpful purposes remains unclear. We're quick to click "Accept" on those endless terms-of-service agreements faster than you can say "data breach." Suddenly, your reckless driving habits, gleaned from your helpful Internet-connected car, could torpedo your chances of getting an auto loan, or worse. It's like having a digital stalker whispering the worst, juiciest gossip about you to lenders. 

Even worse, malicious threat actors, particularly nation-state groups, lurk in these gray areas. They're exploiting vulnerabilities in data transmission protocols or storage systems to snag sensitive driver information — everything from real-time location to private conversations. This grants them a frightening level of control over individuals as well as the potential to disrupt critical infrastructure. 

**We Deserve a Say**

So, the next time you scoff at a car's "stalker" features, take a good look at your own smartphone, brimming with data-hungry apps. Maybe a little commonsense privacy hypocrisy is the price we pay for our self-driving, AI-powered future. In the meantime, we still deserve a say in how our data is used. We need stricter regulations and a healthy dose of skepticism toward "anonymous data" claims. Governments can incentivize research and development in secure data storage and anonymization techniques. This way, businesses can offer new services without compromising user privacy. 

Privacy isn't a luxury. It's a fundamental right. Let's not trade it away for the fleeting convenience of a perfectly optimized commute. This is a fight for our data, privacy, and the freedom to exist online without being constantly tracked and judged if we don't want it. Remember Rage Against the Machine? They're still my favorite band. I can't help but feel that one of their lyrics rings true here: "If we don't take action now, we settle for nothing later." If we don't take action now, we'll surrender our privacy bit by bit, until there's nothing left. 

**About the Author**

CEO & Co-Founder, Huntress

Kyle Hanslovan is CEO and co-founder of Huntress, where he protects 150,000 businesses and oversees millions of employees, and isn’t afraid to drop hot takes to disrupt herd mentality. He’s successfully raised nearly $200 million in venture capital and is passionate about entrepreneurship, innovation, radical candor, and social impact. Prior to this, he served 10 years in the US intelligence community and Air Force supporting offensive cyber operations. During this time, he won the World Series of hacking (DEF CON's CTF) and presented at most major cybersecurity conferences.

Source

DARKReading