Organizations should brace for mass exploitation of CVE-2023-22515, an uber-critical security bug that opens the door to crippling supply chain attacks on downstream victims.

A China-sponsored advanced persistent threat (APT) tracked as Storm-0062 is responsible for the in-the-wild exploitation of the recently disclosed critical bug in Atlassian Confluence Server and Confluence Data Center, Microsoft has announced. And it turns out that proof-of-concept exploits are now available for it, portending mass exploitation.

The flaw (CVE-2023-22515) was disclosed last week, with Atlassian acknowledging that it had been exploited as a zero-day in the wild prior to that. The vulnerability was at first labeled a privilege escalation problem, but it's remotely exploitable without authentication and should be seen as more akin to a code-execution tool, according to researchers — an assessment borne out by its 10 out of 10 ranking on the CVSS vulnerability-severity scale.

Accordingly, Atlassian subsequently updated its advisory to label the bug a broken access control issue.

Microsoft this week delivered additional details on the zero-day campaign, which it said has been active since Sept. 14. In a series of tweets, it identified four IP addresses that were observed sending related CVE-2023-22515 exploit traffic; also, it noted that "any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application."

In tandem with that attribution, a former computer science student and "security enthusiast" who goes by the handle s1r1us dropped a proof of concept (PoC) on GitHub; researchers at Rapid7 published a detailed analysis of the vulnerability that could offer plenty of breadcrumbs to PoC developers.

**Who Is Beijing-Sponsored Storm-0062?**

The Storm-0062 APT is also known as DarkShadow or Oro0lxy, Microsoft pointed out. Both names are aliases for Chinese state hackers Li Xiaoyu and Dong Jiazhi, who were indicted by the US Department of Justice in 2020 for probing for "vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments."

They remain at large, presumably in China, and have a history of state-sponsored hacking in tandem with various associates that goes back to at least 2009.

Microsoft offered no details on the victimology of the latest attacks but noted in its annual Digital Defense Report issued last week that Chinese state-sponsored campaigns typically reflect the Chinese Communist Party's (CCP) dual pursuit of global influence and intelligence collection, and thus cast a wide net.

"Cyber threat groups \[in China\] continue to carry out sophisticated worldwide campaigns targeting US defense and critical infrastructure, nations bordering the South China Sea, and even China's strategic partners," according to the report. "Some Chinese cyber activity may also indicate possible avenues of response in the event of a future geopolitical crisis."

**Atlassian: Open to Software Supply Chain Attack**

The stakes are high when it comes to the bug. Confluence collaboration environments can house sensitive data on both internal projects as well as its customers and partners — which means that intruders lurking inside its files can gather all the intel they need to mount follow-on attacks on those third parties.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, notes that this kind of zero-day exploit is "purpose-built to pollute the application, thus allowing these Chinese cyber spies to use Confluence as an attack vector into a myriad of organizations."

He adds, "This represents a systemic supply chain attack. A majority of businesses and government agencies use it, and it can be hijacked to facilitate island hopping."

He also warns that businesses should brace for mass exploitation waves, since there are now public road maps for leveraging this particular vulnerability, and Confluence has a history of being popular with cybercrime types.

China's "People's Liberation Army has a vast cyber-spy network, much of which focuses on arming \[the country\] with zero-days," Kellermann says. "Initially, this vulnerability required an APT to exploit, but now with the details being disclosed, a mass compromise could be ensuing."

To protect themselves, "organizations with vulnerable Confluence applications should upgrade as soon as possible to a fixed version: 8.3.3, 8.4.3, or 8.5.2 or later," Microsoft advised. "Organizations should isolate vulnerable Confluence applications from the public Internet until they are able to upgrade them."

Kellerman adds that beyond patching, businesses must increase threat hunting for evidence of this specific APT group, and says that deploying runtime security is "imperative to mitigate exploitation or zero-days."

Microsoft: Chinese APT Behind Atlassian Confluence Attacks; PoCs Appear

Cisco's $28 billion purchase of Splunk was the biggest story, but there were other big security acquisitions and investments during a richer-than-expected quarter.

Cisco's massive $28 billion acquisition of Splunk in September was the financial highlight of a quarter during which several other vendors also made strategic purchases to position themselves for emerging enterprise requirements around cloud, application, and identity security.

The acquisitions added to a better-than-expected quarter ended Sept. 30, 2023, with venture funding also picking up steam after a slowdown earlier this year following the collapse of Silicon Valley Bank. IPO activity showed early signs of a revival for the first time since late 2021 and provided further evidence of the resilience of the sector against economic conditions that have roiled other verticals.

The most active security segments included services; consulting; application governance, risk, and compliance (GRC); security operations; and identity and access management.

**Reasonable Valuations Drive Acquisition Interest**

The third quarter's M&A activity continued a gradual consolidation of the security industry as big players got bigger through acquisitions and smaller players looked for opportunities to make profitable exits.

"It appears to have been quite an active quarter, even without Cisco's $28 billion acquisition of Splunk, and there are some good reasons for this," says Rik Turner, an analyst at Omdia. With IPO activity still not fully revived, some venture capital firms are looking for quicker exits, resulting in a lot of cybersecurity companies being available at reasonable prices. "That’s why there are currently stories circulating about the likes of Dig and Talon being in negotiation to be acquired by Palo Alto \[Networks\], for instance. Even SentinelOne — which is currently public — is also said to be on the hunt for an acquirer," Turner says.

Cisco's purchase of Splunk positioned the company as one of the industry's foremost players in the next-generation SIEM market, a cloud and analytics-driven alternative to traditional security information and event management technologies.

The Splunk acquisition — Cisco's largest ever — was one of more than several the company has made this year to insert itself into multiple hot cybersecurity segments. Others include identity management vendor Oort, AI/ML software vendor Armorblox, network performance monitoring vendor Accedian, and cloud security vendors Lightspin and Valtix.

**A Gradual Reshaping of the Industry**

Cisco was not alone in its attempts this quarter to buy its way into lucrative and emerging security segments. The most prominent among them included CrowdStrike's purchase of application security posture management vendor Bionic for a reported $350 million; Check Point's $490 million deal for secure remote access vendor Perimeter 81; Thales' $3.6 billion acquisition of Imperva in July, and Tenable's $265 million cash and restricted stock purchase of cloud-native application protection platform vendor Ermetic.

"Strategic technology buyers are actively looking to round up their offerings by acquiring innovative solutions and teams with the subject matter expertise that will help them stay relevant and competitive in emerging market segments," says Alberto Yépez, managing director of Forgepoint Capital. "Sponsors are also actively looking for acquisitions that will help them add capabilities to the platform companies they own in order to expand their addressable market and increase their rate of growth."

Yépez identified the managed security services market as a segment that garnered considerable interest from acquirers last quarter — and through the year in general. Much of the activity was in response to growing demand for security services from companies that were either struggling to find professionals or were looking to outsource security functions.

"We expect more activity in this segment in the next four to six quarters. It is primed for consolidation," Yépez says. M&A activity so far this year suggests that cloud security and compliance are sectors with lots of potential for consolidation, given how overcrowded the segments are with emerging companies, he adds.

Momentum Cyber recorded a total of 63 M&A deals in the third quarter with a total value of $34.9 billion. Of those, eight involved transactions of $100 million or more.

"While the majority of 2023 has centered around continued headwinds in a difficult market, strategic activity did see an uptick in deal volume across both M&A and financing toward the back half of the third quarter," Momentum analyst John Gould says. Momentum anticipates the trend will continue into 2024. "Strategic investors are becoming more opportunistic in M&A markets, as evidenced by a number of key deals this past quarter," Gould says.

**Investment Activity Showed Signs of a Rebound**

Increased VC activity in the third quarter also suggested that investors have finally put behind them the disruption caused by Silicon Valley Bank's spectacular collapse in March.

All signs point to total venture funding in cybersecurity hitting $10 billion in 2023, matching the record-setting year of 2020, says Richard Stiennon, chief research analyst at IT-Harvest. That total is less than half of the all-time record of $24 billion in 2021, he says. But "considering the failure of Silicon Valley Bank early in the year and the devastating impact that had on VCs, investments are not too shabby," Stiennon says.

IT-Harvest's data showed there was some $7.5 billion invested through the end of September in the cybersecurity sector, with the GRC segment once again attracting the most investments, at $1.6 billion. At the other end of the spectrum was the API security segment with just four investments totaling just $15.9 million so far this year, and email security with only $12.2 million in investor funding.

Investment activity in the third quarter included some big rounds, such as the $238 million that Cato Networks raised in equity investment in September. The financing round valued Cato at $3 billion and brought to $773 million in total that the secure access service edge technology provider has raised so far. Cato is one of several companies in the third quarter that hinted at going public in the near term, Stiennon says. "There are signs of life on Wall Street with companies like Palo Alto Networks, CrowdStrike, and Zscaler up 63% to 95% from their lows on Jan. 6," he notes.

Other major investments that Momentum tracked in the third-quarter included OneTrust's $150 million in July, SpyCloud's $110 million growth round in August, Resilience's $100 million Series D round, and Nord Security's $100 million in September.

"IPO rumors are also heating up for the first time in a while going into 2024," Gould says. "Later-stage security startups, including Cato Networks and Rubrik, have been rumored to be considering going public next year as the market looks to rebound from a dead period in traditional IPO activity since late 2021," he says.

Cloud Security Demand Drives Better Cyber-Firm Valuations — and Deals

CISA flags use-after-free bug now being exploited in the wild.

The Cybersecurity Infrastructure & Security Agency (CISA) this week added to its catalog of known exploited vulnerabilities an Adobe Acrobat Reader use-after-free bug.

Adobe Acrobat and Reader Document Cloud Versions 22.003.20282 and 22.003.20281 and earlier contain the flaw (CVE-2023-21608), as do Adobe Acrobat and Reader 20.005.30418 and earlier. The use-after-free vuln allows an attacker to remotely execute malicious code on a compromised account, and execute the exploit when a victim opens the rigged PDF file.

CISA recommends applying the latest updates to the affected software, which was patched in January of this year. Researchers who discovered and reported the vuln shared details of their findings in a February 2023 blog post.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Adobe Acrobat Reader Vuln Now Under Attack

The Israeli-Hamas war will most assuredly impact businesses when it comes to ramped-up cyberattacks. Experts say that Israel's considerable collection of cybersecurity vendors be a major asset on the cyber-front.

Following the attacks on Israel by Hamas over the past days, when Prime Minister Benjamin Netanyahu warned Israelis "to brace themselves for a long and difficult war," attention turns to those cybersecurity vendors located in the Israeli tech hub and how they may contribute to the war effort.

Chris Pierson, CEO of BlackCloak, believes Israel's "substantive cybersecurity intelligence and strike capability" will serve it well, including having some of the best commercial cybersecurity companies in the world.

JP Castellanos, director of threat intelligence at Binary Defense, says that, particularly in light of potentially destructive attacks against IT or critical infrastructure, it is likely that Israeli cybersecurity companies will do all they can to help with the current crisis. "That means becoming more visible, not less," Castellanos says.

**Attacks Ramp Up During Wartime**

On the cyber front of the Gaza crisis, hacktivists have already begun preparing targets and offering their wares to the highest bidders, who may be looking to cause politically motivated website disruption on public-facing services. And indeed, there was a wave of notable distributed denial-of-service (DDoS) cyberattacks on Oct. 7 and Oct. 8, including one attack which reached 1.26 billion daily requests, while another other reached 346 million daily requests on Oct. 7, and 332 million daily requests the following day.

"Looking at these DDoS attacks in terms of requests per second, one of the impacted sites experienced a peak of 1.1 million requests per second," says João Tomé, content editor at Cloudflare.

But experts say they expect other kinds of attacks against companies and organizations in Israel to ramp up, carried out by both state-backed and non-state-backed operators with much larger arsenals than a DDoS botnet. Pierson for instance says the targets for attacks could be civilians as well as infrastructure and military targets.

"The most likely targets would be infrastructure as a whole - telecommunications, power, finance, and logistical transportation," he says.

It's already starting: Yossi Appleboum, CEO of Sepio Systems and a former member of the Israel Defense Force's Unit 8200, says cyberattacks against his company had increased by 100% in the last week.

Carlos Perez, research practice lead at TrustedSec, says retaliatory cyberattacks become more common during geopolitical crises, but says that many of these risks have been ongoing for Israeli companies, and they will continue to be vulnerable, as we have seen in the past. However Perez believes some companies will be ready, others will not. "It depends mainly on business buy-in and budgets: they do get targeted with a larger volume of attacks than most organizations, which puts them at a higher risk level."

**Call in the Reservists**

The Israeli military has summoned roughly 360,000 reservists — roughly four percent of Israel's 9.8 million population. Thus, the question for many companies in the region, is whether this will lead to staff leaving their day jobs, and for cybersecurity vendors, whether that will affect cyber defense.

Pierson says he expects those with special cyber intelligence training to be called to augment military teams on the ground, and expects those who have previously served their country to volunteer help and assistance for the war effort — and that could impact some operations. However, he does not foresee a change in marketing or external presence activities for most cybersecurity companies in Israel at the moment. 

Castellanos meanwhile believes with reservists being drafted, this would cause a momentary staff shortage until the conflict resolves. However, he adds that "in the case of cybersecurity vendors, I would imagine that Israel would take a balanced approach to this, because they certainly don't want to weaken the very vendors who will be playing a critical role in protecting Israel's national interests."

For his part, Sepio's Appleboum says some activities and features may be delayed or postponed due to staff shortages, but companies will prioritize what is important, "and this may affect current customers. Future planning can wait a bit."

Gaza Conflict: How Israeli Cybersecurity Will Respond

The best incident-response plans cover contingencies and are fine-tuned in stress tests to ensure collaboration, remediation, and recovery efforts align.

Cyberattacks continue to rise, with a staggering 38% increase in global incidents last year. Attacks on digital identities are skyrocketing, cloud attacks are increasing, and ransomware continues to plague organizations in every industry. As the threat surface expands and the concept of a network "perimeter" becomes less and less defined, the issue is when a business will be attacked, not if it will be. That means businesses need to think not just in terms of prevention, but mitigation — and that starts with a plan.

**Uniting Competing Priorities**

There are a lot of competing priorities during a breach. The CFO will be concerned with the financial impact. The CMO and sales teams will be worried about reputation and customer messaging. The CTO, CIO, and other technology leaders will be focused on remediation, business continuity, and future prevention. Waiting until a breach happens to pressure-test the balance between those priorities isn't ideal. That means it's important to make a plan — several plans, in fact:

*   **Business continuity plan (IT/finance).** This should include specific instructions for recovery from a wide range of potential problems. Is a disaster-recovery process in place? Are there external providers or resources to contact? How can you get in touch with them? Are there backups that can be restored? Where are they, and who owns them? This plan should encompass all the necessary processes to ensure business continuity in the event of an incident.
*   **Crisis communications plan (marketing/PR).** It's critical to have a plan that defines who is in charge of messaging to internal stakeholders, customers, your board, and the public at large. Uncertainty can lead to confusion, which can make communication less effective and cause additional headaches. It's important to include detailed instructions regarding who the key decision makers are and which teams will have input into those decisions.
*   **Incident response plan (security).** This plan should detail the steps that security and technology teams need to take to address a potential incident. That means knowing how to identify, contain, and remediate a threat, but it also means knowing how to recover from an incident and apply its lessons in the future. One of the most important steps is to appoint an incident commander to lead the response efforts. This person supports the above plans and is responsible for decisions and communications to other parts of the organization. The CISO should provide oversight, but consult with other security leaders, including the incident commander, as well as third-party experts.

These plans cannot be made in isolation — they need to be aligned with one another, and leaders need to proactively collaborate. Otherwise, competing plans may wind up forcing people to work at cross purposes, creating unintentional conflict. This means it's important to not just draw up plans, but to stress-test them as well.

**Testing Your Plans: Tabletops**

Tabletop exercises are scenario-based breach simulations. They're usually run internally, though they often involve external consultants who can provide an objective perspective. They may come with a variety of different scenarios, and the exercise is run much like other, traditional tabletop games. An exercise might start with a technology problem and escalate through the PR response to a major breach. It might even get to a point where bankruptcy papers need to be drawn up. It sounds bleak, but knowing what to do in a worst-case scenario is important.

The goal here is to ensure that not only do the individual players know their roles during a security incident, but that they work well together. If there are places where the business recovery plan and incident recovery plan come into conflict, it's important to know that well ahead of time. If there are gaps in coverage where those plans are insufficient, they need to be refined and improved. It's especially important to test the places where communication and collaboration are required. If security controls failed to catch something, it's important to know _why_. Tabletop exercises help businesses assess their current standing while identifying opportunities to reduce risk and optimize their resources.

**People Are as Important as Technology**

Security breaches are stressful. There's often significant risk to the business, as well as people's livelihoods, so tensions can run high. People react to times of stress differently, and that's OK — but it's also why it's important to have a plan in place that takes emotion out of the equation by providing clear, step-by-step guidance. Security technology gets most of the attention, but it's important to remember that technology isn't the only — or even the most important — thing that needs to be tested. A breach affects the whole organization, from IT and security to finance and sales. When an incident occurs, it's important to know that everyone understands the role they play in achieving a positive outcome.

Addressing a Breach Starts With Getting Everyone on the Same Page

The novel technique helps hide the cybercriminal campaign's efforts to steal credit card information from visitors to major websites, and it represents an evolution for Magecart.

The collection of cybercriminal groups behind the infamous Magecart payment-card theft campaigns have come up with a previously unseen technique to hide their credit card skimming code, escaping notice for several weeks and infecting major e-commerce sites, including significant brands in the food and retail industries.

The obfuscation technique hides JavaScript code in a comment in a targeted site's 404 default page, Akamai stated in an advisory on Oct. 9. Other pages on the site have been modified only slightly to include a call to a nonexistent folder ("icons"), which triggers the 404 error, thus fetching the malicious page.

The entire attack code is contained in a comment with a specific placeholder, so the attacker's script can retrieve it, Roman Lvovsky, a security researcher at Akamai, explained in the company's advisory.

"This concealment technique is highly innovative and something we haven't seen in previous Magecart campaigns," he said. "The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion."

**Hiding in 404 Pages: A Tactics Evolution**

Magecart attacks are a category of post-exploitation techniques for skimming credit card information and other user data from websites using obfuscated JavaScript, hijacking of forms, and malicious redirects. The embedded code often escapes notice by hiding in the complexity of modern websites, which rely heavily on third-party components, open source Web frameworks, and code obfuscated to protect intellectual property. Cybercriminals groups can hide their malicious content by either inserting it among the other obfuscated code or by compromising a third-party source of code or content.

Over the summer, for example, a Chinese-speaking threat group compromised Web-facing applications to skim credit card numbers in the Asia-Pacific region, and more recently, North American and Latin America, in a campaign dubbed "Silent Skimmer."

    

The payload hides the original credit-card form, overlaying it with a fake one. Source: Akamai

Similar to techniques hiding code in CSS files and images, adding code to the comments of a default 404 page escapes notice because many of the scanners used to detect attacks today were not designed to search such pages, says Ben Baryo, a cybersecurity researcher with Human Security, a bot- and fraud-protection service.

"While most scanners might report a missing resource, it’s likely that a 404 response won’t be analyzed," he says. "This detection evasion technique is mostly useful against synthetic scanners — which tend to ignore content in requests that aren’t returning 200 OK HTTP code — and manual inspections."

**Magecart Code Obfuscation & Overlays**

The modification to the default 404 pages are part of the Magecart campaign's efforts to deliver a payload — typically, the display of a fake form to collect credit card details — and maintain persistence. The cybercriminals used a fake form overlaying an original page's credit card information form to grab financial details from the targeted user, according to Akamai's advisory.

"When the user submits data into the attacker's fake form, an error is presented, the fake form is hidden, the original payment form is displayed, and the user is prompted to re-enter their payment details," Akamai's Lvovsky said, adding: "Submitting the fake form initiates an image network request to the attacker's C2 \[command-and-control\] server, carrying all the stolen personal and credit card information as a Base64-encoded string in the query parameter."

A 404 page is typically a first-party object — meaning that it resides on the same server as the home page and not a third-party service. This helps the attacker bypass some security measures, such as Content Security Policy (CSP) headers, he said.

Yet while the technique results in hard-to-discover modifications, it is not necessarily stealthy, says Human Security's Baryo. Because the 404 attack is kicked off by a call to the nonexistent "icons" resource, the technique could be considered noisy, which Magecart groups attempt to avoid.

"We haven’t seen this particular technique in the wild," he says. "We do not generally see other groups following this approach as this delivery method attracts unwanted attention as to why a nonexistent resource is being loaded on a particular page and by which script."

**Could PCI DSS Solve Magecart?**

The Payment Card Industry (PCI) Security Standards Council has attempted to solve the problem of Magecart attacks with the latest version of its Data Security Standard (DSS), which bolsters two security requirements to protect payment pages. Requirement 6 ("Develop and Maintain Secure Systems and Software") directs e-commerce sites to use secure development and maintenance to ensure that unauthorized code can't be injected into websites, while Requirement 11 ("Test Security of Systems and Networks Regularly") charges website owners to conduct ongoing monitoring of systems and networks to detect changes.

Online merchants — even ones that outsource all storage, processing, and transmission of account data to payment service providers — will have to abide by the PCI-DSS 4.0 requirements, says Jeff Zitomer, senior director of product management for Human Security.

"Modern websites ... source code at runtime from across the Internet to deliver critical business functionality," he says. "This forever-changing Nth-party code bypasses traditional security controls and enjoys nearly unlimited access in the browser, \[allowing\] attackers \[to\] exploit this attack surface through malicious script attacks."

The standard is currently considered a best practice but will become mandatory in early 2025.

Magecart Campaign Hijacks 404 Pages to Steal Data

An SEO poisoning campaign is spreading the RecordBreaker/Raccoon Stealer and LummaC2 infostealers by attempting to confound software certificate checks.

Attackers are employing a new type of certificate abuse in an attempt to spread info-stealing malware, with the aim of collecting credentials and other sensitive data. In some instances, the goal is to steal cryptocurrency from Windows systems.

The campaign uses search engine optimization (SEO) poisoning to deliver search results featuring malicious pages promoting illegal software cracks and downloads. In the background, the pages deliver remote access Trojans (RATs) known as LummaC2, and RecordBreaker (aka Raccoon Stealer V2) researchers from South Korea-based AhnLab revealed in a blog post on Oct. 10.

Notably, the malware uses abnormal certificates featuring Subject Name and Issuer Name fields that have unusually long strings, which means they require specific tools or infrastructure to inspect the certificates and are not visible in Windows systems.  
Specifically, the signature strings include Arabic, Japanese, and other non-English languages, along with special characters and punctuation marks, diverging from the typical English character string structures, the researchers noted.

The latest sample currently in circulation consists of a string with a URL-encoded malicious script designed to download and execute PowerShell commands from a specific address, although the sample observed by researchers was unsuccessful in both downloading and execution.

"Similar samples of this kind have been consistently distributed with slight structural variations for over two months, suggesting a specific intent behind this action," researcher KDH of the AhnLab Security Emergency Response Center wrote in the post.  
In addition to its delivery through websites promoting illegal cracks and downloads — such as a legitimate .NET installer — the researchers also observed RaccoonStealer V2 being distributed through YouTube and other malware.

**Novel Type of Certificate Abuse**

While the certificates likely would fail any signature verification since they are incorrect, they could confuse and thus slip past some defenses. Indeed, certificate abuse is a common tactic used by threat actors, but they typically go about it in a different way.

"Malware often disguise themselves with normal certificates," KDH wrote. "That is, typically threat actors deliver malware that have legitimately signed certificates that can be verified, thus appearing to be authentic software that is then cleared to be successfully downloaded and executed."

That's the tactic that threat actors responsible for the prolific RedLine and Vidar stealer malwares were recently seen using, distributing ransomware payloads signed with Extended Validation (EV) certifications that allowed them to slip past email security, researchers from TrendMicro revealed in a recent blog post.

Like those stealers, LummaC2 and Raccoon Stealer are both familiar to security researchers and have various malicious functionality, but the primary focus is on stealing data from the systems they infect.  
"Upon infection, they can transmit sensitive user information such as browser-saved account credentials, documents, cryptocurrency wallet files, etc., to the threat actor, potentially resulting in severe secondary damages," according to the post.

"Furthermore, an additional piece of malware designated by the threat actor gets installed, enabling continuous malicious behaviors."  
While it's clear that the long-string certificate technique is being tinkered with and only partially successful thus far, users should be aware of the approach. The AhnLab researchers urged Windows users to take caution when downloading software online, especially from sites known for delivering illegal versions of popular applications. They also provided various indicators of compromise and a list of command-and-control domains associated with the delivery of both LummaC2 and Raccoon Stealer V2.

Data Thieves Test-Drive Unique Certificate Abuse Tactic

Cisco's $28 billion purchase of Splunk was the biggest story, but other security majors made strategic acquisitions as well in a better-than-expected quarter.

Cisco's massive $28 billion acquisition of Splunk in September was the financial highlight of a quarter during which several other vendors also made strategic purchases to position themselves for emerging enterprise requirements around cloud, application and identity security.

The acquisitions added to a better-than-expected quarter ended Sept. 30, 2023, with venture funding too picking up steam after a slowdown earlier this year following the collapse of Silicon Valley Bank. IPO activity showed early signs of a revival for the first since late 2021 as well and provided further evidence of the resilience of the sector against economic conditions that have roiled other verticals.

Security segments that witnessed the most activity included services, security consulting, application GRC, security operations and identity and access management.

**Reasonable Valuations Drive Acquisition Interest**

The third-quarter's M&A activity continued a gradual consolidation of the security industry as big players got bigger through acquisitions and smaller players looked for opportunities to make profitable exits.

"It appears to have been quite an active quarter, even without Cisco’s $28bn acquisition of Splunk, and there are some good reasons for this," says Rik Turner an analyst at Omdia. With IPO activity still not fully revived, some venture capital firms are looking for quicker exits, resulting in a lot of cybersecurity companies being available at reasonable prices. "That’s why there are currently stories circulating about the likes of Dig and Talon being in negotiation to be acquired by Palo Alto, for instance. Even SentinelOne—which is currently public--is also said to be on the hunt for an acquirer," Turner says.

Cisco's purchase of Splunk positioned the company as one of the industry's foremost players in the next generation SIEM market, a cloud and analytics-driven alternative to traditional security information and event management technologies.

The acquisition—Cisco's largest ever—was one of more than half-a-dozen purchases the company has made this year to insert itself into multiple hot cybersecurity segments. Others include identity management vendor Oort, AI/ML software vendor Armorblox, network performance monitoring vendor Acedian and cloud security vendors Lightspin and Valtix.

**A Gradual Reshaping of the Industry**

Cisco was not alone in its attempts to buy its way into lucrative and emerging security segments. Q3, 2023 had several other vendors making similar moves. The most prominent among them were CrowdStrike's purchase of application security posture management vendor Bionic for a report $350 million; Check Point's forking out of some $490 million for secure remote access vendor Perimeter 81; Thales' $3.6 billion acquisition of Imperva in July and Tenable's $265 million cash and restricted stock purchase of cloud native application protection platform vendor Ermetic.

"Strategic technology buyers are actively looking to round up their offerings by acquiring innovative solutions and teams with the subject matter expertise that will help them stay relevant and competitive in emerging market segments," says Alberto Yépez managing director of Forgepoint Capital. "Sponsors are also actively looking for acquisitions that will help them add capabilities to the platform companies they own in order to expand their addressable market and increase their rate of growth."

Yépez identified the managed security services market as a segment that garnered considerable interest from acquisition hunters last quarter—and through the year in general. Much of the activity was in response to growing demand for security services from companies that were either struggling to find professionals or were looking to outsource the security function to others.

"We expect more activity in this segment in the next four to six quarter. It is primed for consolidation," he says. M&A activity so far this year suggests that cloud security and compliance are sectors with lots of potential for consolidation given how overcrowded the segments are with emerging companies, Yépez notes.

Momentum Cyber recorded a total of 63 M&A deals in Q3, 2023 with a total disclosed value of $34.9 billion. Of those, eight involved transactions of $100 million or more. Active M&A sectors in Q3 2023 according to Momentum included security consulting and services, managed security services, security operations, incident response, threat intel and identity and access management.

"While the majority of 2023 has centered around continued headwinds in a difficult market, strategic activity did see an uptick in deal volume across both M&A and financing toward the back half of Q3," says Momentum analyst John Gould. Momentum anticipates the trend will continue into 2024. "Strategic investors are becoming more opportunistic in M&A markets as evidenced by a number of key deals this past quarter," Gould says.

**Investment Activity Showed Signs of a Rebound**

Activity in the third quarter also suggested that investors are finally putting the disruption caused by Silicon Valley Bank's spectacular collapse in March, behind them.

All signs point to total venture funding in cybersecurity hitting $10 billion in 2023, matching the record setting year of 2020 says Richard Stiennon, chief research analyst at IT-Harvest. That total is less than half of the all-time record of $24 billion in 2021, he says. But "considering the failure of Silicon Valley Bank early in the year and the devastating impact that had on VCs, investments are not too shabby," Stiennon says.

IT-Harvest's data showed there was some $7.5 billion invested through the end of September in the cybersecurity sector with the GRC segment—once again—attracting the most investments at $1.6 billion. At the other end of the spectrum was the API security segment with just four investments totaling a paltry $15.9 million so far this year and email security with an even smaller $12.2 million in investor funding.

Investments activity in Q3, 2023 included some big rounds such as the $238 million that Cato Networks raised in equity investment in September. The financing round valued Cato at $3 billion and bought to $773 million in total that the secure access service edge technology provider has raised so far. Cato is one of several companies in the third quarter that hinted at going public in the near term Stiennon says. "There are signs of life on Wall Street with companies like Palo Alto Networks, CrowdStrike, and Zscaler up 63% to 95% from their lows on January 6," he notes.

Other major investments that Momentum tracked in the third-quarter included OneTrust's $150 million later stage venture capital raise in July, SpyCloud's $110 million growth round in August, Resilience's $100 million Series D round and Nord Security's $100 million growth raise in September.

"IPO rumors are also heating up for the first time in a while going into 2024," Gould says. "Later-stage security startups including Cato Networks and Rubrik have been rumored to be considering going public next year as the market looks to rebound from a dead period in traditional IPO activity since late 2021," he says.

Reasonable Valuations Drove Mergers and Acquisition Activity in Q3, 2023

The latest NIST Cybersecurity Framework draft highlights four major themes that organizations should pay attention to for managing risk.

Global cyberattacks have risen sharply over the last few years, increasing by 38% in 2022, according to Check Point. Combine this with the increasing cost of a data breach, averaging $9.44 million in the US and $4.25 million globally in 2022, preventing cyberattacks is at the top of everyone's mind going into 2024.

In early August, the National Institute of Standards and Technology (NIST) shared an update to its Cybersecurity Framework (CSF). The new draft reflects its inclusive and responsive attitude towards risk management for mitigating the cost and frequency of cyberattacks. As the gold standard for building a cybersecurity program and reducing cyber-risk, CSF 2.0 includes feedback from Fortune 500 companies on the front lines of cyberattacks.

To help enterprises keep up with the ever-evolving cyber threat landscape, NIST highlights the following four major themes that have direct business impacts on managing risk. Chief information security officers (CISOs) should keep the following principles in mind as they work to help secure their organizations and reduce cybersecurity risk in 2024.

**Emphasize Continuous and Quantitative Risk Assessment**

Continuous risk assessment is the cornerstone of a robust cybersecurity program. It is crucial for improving risk posture, enabling organizations to understand their most critical IT assets, the threats affecting them, security weaknesses, and the likelihood of these weaknesses getting exploited. Further, the Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations conduct cyber-risk assessments regularly to better understand their security posture. And the benefits of these regular assessments can include improving cyber resiliency and meeting cyber insurance requirements.

For organizations looking to implement near real-time risk assessment, automation and artificial intelligence (AI)-based tools are critical for keeping up with the sheer volume of risks. As bad actors begin to use AI for harm, it is critical to learn how to use it for good. Such tools enable enterprises to discover assets, prioritize vulnerabilities, and define the likelihood and potential impact of risks to organizations even as the attack surface evolves.

This recommendation in the NIST updated framework further refines CISOs' deep understanding of the complexities associated with cybersecurity risk measurement. However, the continuous risk assessment process is not up to the CISO alone; investments and buy-in must span all departments of the organization. The entire organization must view this as a means to better use the data it takes in.

**Prioritize Continuous Improvement**

Creating a culture of continuous improvement is more than just a concept. It emphasizes that cybersecurity isn't _just_ about implementing the next incremental category or subcategory recommended by NIST; it's a journey towards adopting a holistic stance with organization-wide support. For example, the software you patched and secured yesterday may be vulnerable to a new exploit today. So, constant adaptation and improvement are essential to keeping all your surfaces free from attacks that can pop up in a moment's notice.

NIST's updated draft embraces this attitude by introducing a new Improvement category in the Identify function. The draft also includes updates to definitions of the implementation tiers and additional factors, including cybersecurity risk management, governance, and third-party risks. This showcases a more holistic approach to managing risk.

**Strengthen Supply Chain Risk Management**

Attacks on the supply chain have become a focal point for bad actors over the past few years. Look no further than the SolarWinds attack and the Log4j exploitation. And there aren't any signs of a slowdown, as Gartner predicts that 45% of global organizations will be impacted by a supply chain attack by 2025. These attacks prove that most organizations struggle to create a software bill of materials (SBOM) for their in-use applications, which produces a gap in protection.

In the updated draft, NIST addresses supply chain risk management by warning organizations that agility and accuracy matter. The draft includes an example of contractually requiring suppliers to provide and maintain a component inventory, which could also be described as an SBOM. When so much of your organization's operations depend on the supply chain remaining intact, you must bring precision to the forefront of risk management to better stay ahead of any incoming attack.

**Enhance Implementation Examples**

While the first draft of the NIST framework included some suggested implementation examples, there were not enough. By adding additional examples, organizations looking to NIST for cybersecurity guidance have additional resources to apply best practices mentioned in the framework. Having as many practical application examples as possible provides CISOs and other security leaders with clear, actionable steps to implement better security measures.

The additional examples included in the updated draft can empower organizations looking to NIST for guidance on cybersecurity to apply best practices. The inclusion of the additional implementation angles shows that NIST is interested in creating a more functional, real-word, and responsive cybersecurity management process.

With increasing complexity and tools sprawl, the ever-expanding attack surface, and increasing regulatory pressures, automated and AI-powered tools that provide a single pane of glass view will be critical. This updated framework provides actionable steps for CISOs to adapt and better align their organization with the dynamic nature of the cybersecurity landscape for 2024 and beyond.

Reassessing the Impacts of Risk Management With NIST Framework 2.0

Threat intel experts see a reduced focus on desktop malware as threat groups prioritize passwords and tokens that let them access the same systems as remote workers.

Every day more than 8,000 Microsoft threat intelligence experts, researchers, analysts, and threat hunters analyze trillions of daily signals to uncover emerging threats and deliver timely, relevant security insights. 

While a good portion of this work is dedicated to threat actors and the infrastructure that enables them, we also focus on nation-state groups to contextualize their activities within the broader scope of geopolitical trends. This is critical in uncovering the "why" behind criminal activity, as well as preparing and protecting vulnerable audiences who may become the target of future attacks.

Read on to learn more about how Chinese nation-state tactics, techniques and procedures (TTPs) and threat activity have evolved over time.

**Adapting Is the Name of the Game**

As with most global industry sectors, COVID-19 led to a number of changes within the Chinese cyber-espionage landscape. The near-overnight shift in the number of employees working from their offices to their individual homes meant companies had to enable remote access to sensitive systems and resources that were previously restricted to corporate networks. In fact, one study found that telework jumped from 5% to 50% of paid US work hours between April and December 2020. Threat actors took advantage of this change by attempting to blend in with the noise, masquerading as remote workers in order to access these resources.

Additionally, because enterprise access policies had to be deployed so quickly, many organizations didn't have adequate time to research and review best practices. This created a gap for cybercriminals, enabling them to exploit system misconfigurations and vulnerabilities. 

As a consequence of this trend, Microsoft threat intelligence experts are seeing fewer instances of desktop malware. Instead, threat groups appear to be prioritizing passwords and tokens that enable them to access sensitive systems used by remote workers.

For example, Nylon Typhoon (formerly NICKEL) is one of the many threat actors that Microsoft tracks. Originally founded in China, Nylon Typhoon leverages exploits against unpatched systems to compromise remote access services and appliances. Once the nation-state actor achieves a successful intrusion, it uses credential dumpers or stealers to obtain legitimate credentials, access victim accounts, and target higher-value systems. 

Recently, Microsoft observed a threat group believed to be Nylon Typhoon conducting a series of intelligence collection operations against China's Belt and Road Initiative (BRI). As a government-run infrastructure project, this incident activity likely straddled the line between traditional and economic espionage.

**Common TTPs Deployed by Chinese Nation-State Groups**

One significant trend that we've observed coming out of China is the shifting focus from user endpoints and custom malware to concentrated resources that exploit edge devices and maintain persistence. Threat groups successfully using these devices to gain network access can potentially remain undetected for a significant period of time.

Virtual private networks (VPNs) are one significant target. Although organizations have begun to implement more stringent security measures, such as tokens, multifactor authentication, and access policies, cybercriminals are adept at navigating these defenses. VPNs are an attractive target because, when compromised successfully, they eliminate the need for malware. Instead, threat groups can simply grant themselves access and log in as any user.

Another rising trend is the use of Shodan, Fofa, and similar databases that scan the Internet, catalog devices, and identify different patch levels. Nation-state groups will also conduct their own Internet scans to uncover vulnerabilities, exploit devices, and, ultimately, access the network. 

This means organizations have to do more than just device patching. An effective solution involves inventorying your Internet-exposed devices, understanding your network perimeters, and cataloging device patch levels. Once that has been achieved, organizations can focus on establishing a granular logging capability and monitoring for anomalies.

As with all cybersecurity trends, nation-state activity is ever-evolving, and threat groups are growing more sophisticated in their attempts to compromise systems and enact damage. By understanding the attack patterns of these nation-state groups, we can better prepare ourselves to defend against future threats.

_— Read more_ _Partner Perspectives from Microsoft Security__._

Source

DARKReading