A successful multi-orbit cryptography test beamed quantum-agile data up to two different satellites and back down to Earth.

Developers of post-quantum cryptography have successfully created a trial, data-transmission channel from Earth to satellites in multiple orbits that would be resistant to the hacking of the future.

The idea is to protect data routed via satellite clusters from being harvested and decrypted by quantum computers and to protect the operational technology communications that keep the arrays functioning. The challenge lies in maintaining resource-intensive, post-quantum protection along multiple hops as a signal is beamed around a cluster, with a data transmission rate that's acceptable for military and commercial real-time communications (and other applications).

During the test, carried out by QuSecure and Accenture, a data-transmission channel protected by both classical RSA-2048 and post-quantum encryption was opened to a low-Earth orbit (LEO) satellite and switched to a higher-altitude geosynchronous orbit (GEO) satellite, and then beamed back down to Earth.

"As more organizations are increasingly relying on space technology to provide solutions, resiliency, and more relevant information, security of those systems and the data is paramount," said Paul Thomas, space innovation lead for Technology Innovation at Accenture, in a statement.

**A Multi-Orbit Quantum Action Plan**

Once efficient quantum computing becomes a reality, the expectation is that clusters of them will have enough gas in the tank to break RSA-2048 encryption, something that even the most powerful of today's computers are incapable of achieving.

And presumably, when that happens, there will be legions of cybercriminal types pouring out of the woodwork to decrypt the many classified secrets that organizations, governments, and critical infrastructure (including satellite arrays) use to ward off mass operational disruption.

Granted, the timing on that breakthrough remains a moving target, but the satellite test is a step towards prepping for that doomsday scenario. Also, by employing post-quantum encryption now, it can protect against any "steal now, decrypt later" plans on the part of cyberattackers who might be stockpiling encrypted data in anticipation of a literal quantum leap.

"Outer space is getting more crowded and contested every day and providing reliable space-based security is critical in today's global economy," said Tom Patterson, quantum and space security lead at Accenture.

Post-Quantum Satellite Protection Rockets Towards Reality

In a Solar Winds-like attack, compromised, digitally signed versions of 3CX DesktopApp are landing on user systems via the vendor's update mechanism.

Security researchers are sounding the alarm on what may well be another major SolarWinds or Kaseya-like supply chain attack, this time involving Windows and Mac versions of a widely used video conferencing, PBX, and business communication app from 3CX.

On March 30, multiple security vendors said they had observed legitimate, digitally signed versions of the 3CX DesktopApp bundled with malicious installers landing on user desktops via the company's official automatic update process, as well as via manual updates. The end result is a data-stealing malware being implanted as part of a likely cyber-espionage effort by an advanced persistent threat (APT) actor.

The potential impact of the new threat could be huge. 3CX claims some 600,000 installations worldwide with over 12 million daily users. Among its numerous big-name customers are companies like American Express, Avis, Coca Cola, Honda, McDonald's, Pepsi, and Toyota.

CrowdStrike assessed that the threat actor behind the campaign is Labyrinth Chollima, a group that many researchers believe is linked with the cyber-warfare unit of North Korea's intelligence agency, the Reconnaissance General Bureau (RGB). Labyrinth Chollima is one of four groups that CrowdStrike has assessed are part of North Korea's larger Lazarus Group.

The threat is still very much an active one. "Currently, the very latest installers and updates available on the public 3CX website are still the compromised and backdoored applications that are noted as known bad by numerous security firms," says John Hammond, senior security researcher at Huntress.

**Enterprise App Trojanized With Malicious Installers**

The weaponized app arrives on a host system when the 3CX Desktop Application automatically updates, or when a user grabs the latest version proactively. Once pushed to a system, the signed 3CX DesktopApp executes a malicious installer, which then beacons out to an attacker-controlled server, pulls down a second-stage, information-stealing malware from there, and installs it on the user's computer. CrowdStrike, one of the first to report on the threat on March 29, said in a few instances it had also observed malicious hands-on-keyboard activity on systems with the Trojanized 3CX app.

In a message early on March 30, 3CX CEO Nick Galea urged users to immediately uninstall the app, adding that Microsoft Windows Defender would do that automatically for users running the software. Galea urged customers that want the app's functionality to use the Web client version of the technology while the company works on delivering an update.

A security alert from 3CX CISO Pierre Jourdan identified the affected apps as Electron Windows App, shipped in Update 7, version numbers 18.12.407 & 18.12.416 and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407, & 18.12.416. "The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT," Jourdan said.

**Attackers Likely Breached 3CX's Production Environment**

Neither Jourdan nor Galea's messages gave any indication of how the attacker managed to gain the access they needed to trojanize a signed 3CXDekstopApp.exe binary. But at least two security vendors that have analyzed the threat say it could have only happened if the attackers were in 3CX's development or build environment — in the same manner that SolarWinds was compromised.

"Although only 3CX has the complete picture of what happened, so far, from the forensics, we assess with high confidence that the threat actor had access to the production pipeline of 3CX," says Lotem Finkelstein, director of threat intelligence & research at Check Point Software. "The files are signed with 3CX certificates, the same as used for the previous benign versions. The code is built in a way that it keeps working as it normally should but also adds some malware."

Finkelstein says Check Point's investigation confirms that the Trojanized version of the 3CX DesktopApp is being delivered through either manual download or regular updates from the official system.

Dick O'Brien, principal intelligent analyst at Symantec Threat Hunter team, says the threat actor does not appear to have touched the main executable itself. Instead, the APT compromised two dynamic link libraries (DLLs) that were delivered along with the executable in the installer. 

"One DLL was replaced with a completely different file with the same name," O'Brien says. "The second was a Trojanized version of the legitimate DLL \[with\] the attackers essentially appending it with additional encrypted data." The attackers have used a technique, known as DLL sideloading, to trick the legitimate 3CX binary to load and execute the malicious DLL, he says.

O'Brien agrees that the attacker would have needed access to 3CX's production environment to pull off the hack. "How they did that remains unknown. But once they had access to the build environment, all they had to do was drop two DLLs into the build directory."

**Potentially Broad Impact**

Researchers at Huntress tracking the threat said they had so far sent out a total of 2,595 incident reports to customers warning them of hosts running susceptible versions of the 3CX desktop application. In these instances, the software matched the hash or identifier for one of the known bad applications. 

"The final stage of the attack chain as we know it is reaching out to the command-and-control servers, however, this appears to be on a set timer after seven days," says Huntress' Hammond. A Shodan search that Huntress conducted showed 242,519 publicly exposed 3CX systems, though the issue's impact is broader than just that set of targets.

"The updates received by the signed 3CX Desktop Application are coming from the legitimate 3CX update source, so at first blush, this looks normal," he adds. "Many end users did not expect the original and valid 3CX application to suddenly be setting off alarm bells from their antivirus or security products, and in the early timeline where there was not much information uncovered, and there was some confusion over whether the activity was malicious or not, he says.

**Shades of SolarWinds & Kaseya**

Hammond compares this incident to the breaches at SolarWinds and at Kaseya. 

With SolarWinds, attackers — likely linked with Russia's Foreign Intelligence Service — broke into the company's build environment and inserted a few lines of malicious code into updates for its Orion network management software. Some 18,000 customers received the updates, but the threat actor was really targeting only a small handful of them for subsequent compromise. 

The attack on Kaseya's VSA remote management technology resulted in more than 1,000 downstream customers of its managed service provider customers being impacted and subsequently targeted for ransomware delivery. The two attacks are examples of a growing trend of threat actors targeting trusted software providers and entities in the software supply chain to reach a broad set of victims. Concerns over the threat prompted President Biden to issue an executive order in May 2021 that contained specific requirements for bolstering supply chain security.

Automatic Updates Deliver Malicious 3CX 'Upgrades' to Enterprises

Business email compromise scams are moving beyond just stealing cash, with some threat actors fooling companies into sending goods and materials on credit, and then skipping out on payment.

Some cybercriminals are flipping their playbook on business email compromise (BEC) scams and, rather than posing as vendors seeking payment, are now posing as buyers, taking their profits in easily sold commodities.

By adopting the identity of a known company, criminal actors are able to order various goods in bulk, get beneficial terms of credit, and disappear before the manufacturer discovers the fraud, stated the FBI in a recent advisory on the trend. The scheme has become more common in specific sectors, with targets including construction materials, agricultural supplies, computer technology hardware, and solar-energy systems, according to the agency.

This form of fraud also allows attackers to escape the notice of financial institutions, which have become very skilled at tracking currency movement and clawing back funds, says Sourya Biswas, technical director of risk management and governance at NCC Group, a consultancy.

"BEC targeting commodities may have electronic records regarding the ordering, dispatch, and receipt of goods, but not for the last-mile piece where those goods are sold," he says. "Considering the types of commodities targeted — construction materials, computer hardware, etc. — these are typically easy to sell in pieces for cash to multiple buyers without triggering red flags."

This is not the first time that commodity theft has come to light. Last summer, BEC criminal groups targeted food manufacturers, stealing sugar and powdered milk by the truckload. In 2021, fraudsters used similar methods, posing as an electrical contracting company, to have 35 MacBooks worth almost $110,000 delivered to a business address, but switched the destination at the last minute.

**Same Tactics, Different Outcome**

In its advisory, the FBI noted that the tactics used by the criminal groups mimics those of more traditional BEC scams, with threat actors taking control of, or spoofing, legitimate domains of US companies, researching the proper employees to contact at a vendor, and then emailing requests to the vendor that appear to originate with the legitimate company.

However, commodities-fraud operations are harder to uncover than funds-focused BEC fraud. For instance, the criminal groups will often apply for Net-30 or Net-60 terms for payment by providing fake credit references and fraudulent tax forms to vendors, giving them lead time to fence the goods and disappear before suspicion might arise, the FBI stated in the advisory.

"Victimized vendors assume they are conducting legitimate business transactions fulfilling the purchase orders for distribution," the advisory stated. "The repayment terms allow criminal actors to initiate additional purchase orders without providing upfront payment."

**A Significant Evolution for BEC**

Commodities scams are decades old, especially with easy-to-resell electronics, says Roger Grimes, data-driven defense evangelist at KnowBe4, a cybersecurity services firm.

"If you know a little industry vernacular and how supply chains work, it's easier to convince the victims of the scam," he says. "It's also harder to trace the resell of those goods once the fraudster has obtained possession of them. But it also isn't every fraudster's first choice of how to get paid, because it significantly cuts down on profit margin."

The difference now is the interest in the gambit by cybercriminals previously carrying out BEC scams focused on fraudulent money transfers. 

The transition to targeting commodities is being driven by necessity in some cases, because BEC fraud is squarely on organizations' radars these days. In its "Internet Crime Report 2022," the FBI noted that its Recovery Asset Team (RAT) has recovered nearly three-quarters (73%) of all funds stolen by BEC groups since 2018. And financial institutions have become better at detecting fraud and cutting off funds more quickly, which has forced attackers to adapt, says Dmitry Bestuzhev, senior director of cyberthreat intelligence at BlackBerry.

"Financial institutions on both sides — sending or receiving funds — have been working to make it harder for the BEC operators," he says, adding that, for attackers, by "focusing on goods purchasing, it's an easier way to escape the monitoring algorithms ... so even if it's a two-step operation, it's still safer in terms of traceability and anti-fraud, prevention algorithms."

In addition, the simplicity of the scam has made the social-engineering aspects more effective. By asking for payment for goods, impersonating someone in authority, and using the language expected of business transactions, attackers are able to fool non-tech-savvy business people, says the NCC Group's Biswas.

Paying attention to advisories, such as the FBI's public service announcement, and building processes that can withstand social-engineering attacks is important, he says.

For instance, employees should be trained to spot obvious red flags. While compromising a legitimate company's email server provides a more convincing identity with which to conduct fraud, most criminal groups just use variants on the company name, such as changing a "company.com" domain to "co-pany.com" or "company-usa.com" domain, for example.

"Cybercriminals are always evolving, and defenders should evolve as well," Biswas says. "Any organization that pays for vendor services or supplies goods and services — that pretty much includes everyone — should always be on the lookout for ... new cybercrime tactics, techniques, and procedures (TTPs)."

BEC Fraudsters Expand to Snatch Real-World Goods in Commodities Twist

Network protocols can be used to identify operating systems and discern other device information.

Network security and asset management products have to be able to identify what operating systems are currently running in the organization. With this information, IT and security departments gain greater visibility and control over their networks.

Device and operating system information is trivial to collect if the device has a software agent installed. However, agents are not an option for some operating systems, especially those installed on embedded and Internet of Things devices. This is where passive OS fingerprinting comes in handy, since passive methods don't require installing software on devices and work for most operating systems. Passive OS fingerprinting involves matching uniquely identifying patterns in the host's network traffic and classifying the traffic accordingly. Several protocols from different network layers can be used for OS fingerprinting: MAC addresses, TCP/IP parameters, HTTP User-Agent strings, and DHCP requests.

The Open Systems Interconnection (OSI) model contains several protocols for the application, transport, network, and data link layers. As a rule of thumb, protocols at the lower levels of the OSI stack — such as MAC and IP — provide better reliability with lower granularity compared with those on the upper levels of stack, and vice versa. Let's start at the bottom of the stack and move up.

**Start at the MAC Address**

The medium access control (MAC) protocol uses a unique physical identifier hardcoded into the device during manufacturing. The 12-digit hexadecimal number — the MAC address — is commonly written out as six pairs divided by hyphens. The left most six-digit long string represents the manufacturer's unique identifier and the right most six represent the serial number of the device's network interface card. For example, the six left-most digits of a MacBook laptop's MAC address would be 88:66:5a, which is the string affiliated with Apple.

By looking at the manufacturer's unique identifier, network administrators can infer the type of device running in the network and, in some cases, even the operating system.

**TCP/IP Tells Tales**

The TCP/IP stack is a more granular source of information. Most operating systems set unique values in the parameters within the packet headers, making it possible to identify the OS by looking at these values. Some of the most common parameters used in OS fingerprinting are initial time to live (TTL), Windows Size, "Don't Fragment" flag, and TCP options (values and order). For example, if a device has an outgoing packet's IP header with the "Don't fragment" flag set, TTL with the value of 64, Windows size of 65535, and a specific set of TCP options (02, 01, 03, 01, 01, 08, 04, 00), that's enough to identify it as running MacOS.

**HTTP Has a Wealth of Info**

Several protocols in the application layer are also useful for identifying the device's operating system type and the exact version or distribution. In some cases, these fields can be configured by the user and, thus, are less reliable.

The most common application protocol used in OS fingerprinting is HTTP, via the header's User-Agent field. The field, added by the application (such as a Web browser), includes information such as the application, operating system, and underlying device of the client. For example, the HTTP request to the server could contain a User-Agent field that identifies the client as a Firefox browser running on a Windows 7 OS: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0.

The User-Agent field is not the only indicator the HTTP protocol contains. Most operating systems have a built-in connectivity test that automatically runs when the device connects to a public network. For example, Network Connectivity Status Indicator (NCSI), an Internet connection awareness protocol in Microsoft's Windows operating systems, consists of a sequence of specifically crafted DNS and HTTP requests and responses that indicate if the host is located behind a captive portal or a proxy server.

**DHCP Identifies Hosts**

The DHCP protocol, used for IP assignment over the network, provides several indicators that can be used to identify the host. DHCP is composed of 4 steps: discovery, offer, request, and acknowledge (DORA). For example, a Windows host broadcasting DHCP messages over the local network and receiving replies from the DHCP server will be sending a unique vendor class identifier "MSFT 5.0," and the parameter request list would contain a sequence of values common to Windows hosts.

Combined with the order of the DHCP options themselves, the indicators are sufficient to identify the host as a Windows OS.

**Wrapping Up**

While some protocols provide better accuracy than others, there is no "silver bullet" for the task of OS identification, and the different options provide different types of information. Rather than fingerprinting based on a single protocol, you might consider a multiprotocol approach, such as combining the HTTP User-Agent with lower-level TCP options.

How to Solve IoT's Identity Problem

The vulnerability would have allowed an unauthenticated attacker to execute code on a container hosted on one of the platform's nodes.

Microsoft has patched what researchers called a "dangerous" flaw in its Azure Service Fabric component of the company's cloud-hosting infrastructure. If exploited, it would have allowed an unauthenticated, malicious actor to execute code on a container hosted on the platform.

Researchers from Orca Security discovered the cross-site scripting (XSS) flaw — which they dubbed Super FabriXss — in December and reported it to Microsoft, which issued a fix for it in March's round of Patch Tuesday updates, the researchers said in a blog post published March 30, revealing the technical details of the bug.

They also demonstrated how attackers can take advantage of the flaw — which makes Azure Service Fabric Explorer versions 9.1.1436.9590 or earlier vulnerable to exploit — in a presentation at Microsoft's BlueHat IL 2023 in Tel Aviv today. 

Super FabriXss, tracked as CVE-2023-23383 with a CVSS rating of 8.2, is the second XSS flaw so far that Orca researchers discovered in Azure Service Fabric Explorer. Part of Microsoft's Azure cloud computing platform, Azure Service enables packaging, deployment, and management of stateless and stateful microservices and containers on large-scale distributed systems.

The first XSS vulnerability, dubbed FabriXss and detailed by Orca researchers in October, did not pose as severe a risk as its successor, the researchers said. FabriXss, also patched quickly by Microsoft in a Patch Tuesday update, would have allowed an attacker to gain full administrator permissions on the Service Fabric cluster.

**Exploiting Super FabriXss**

With Super FabriXss, a remote unauthenticated attacker can execute code on a container hosted on one of the Service Fabric nodes, which "means that an attacker could potentially gain control of critical systems and cause significant damage," Lidor Ben Shitrit, cloud security researcher at Orca Security, wrote in the post.

Using Super FabriXss, an attacker could craft a malicious URL that, when clicked, initiates a multi-step process eventually leading to the creation and deployment of a harmful container on one of the cluster nodes, Shitrit tells Dark Reading.

Specifically, researchers demonstrated at BlueHat how they could escalate a reflected XSS vulnerability in Azure Service Fabric Explorer to an unauthenticated RCE by abusing the metrics tab and enabling a specific option in the console: the "Cluster Type" toggle, Shitrit wrote in the post.

"To exploit this vulnerability, a victim (an authenticated Service Fabric Explorer user) must first click on the malicious URL and then be guided to click on the Cluster Type under the Events tab," he explains to Dark Reading. "Once exploited, sensitive cluster data could be revealed to the attacker, potentially allowing them to expand the attack to a larger surface."

The vulnerability itself arises from a vulnerable "Node Name" parameter, which can be exploited to embed an iframe in the user's context, Shitrit said in the post. This iframe then retrieves remote files from a server controlled by the attacker, eventually leading to the execution of a malicious PowerShell reverse shell.

"This attack chain can ultimately result in remote code execution on the container \[that\] is deployed to the cluster, potentially allowing an attacker to take control of critical systems," he wrote.

**Mitigation & Implications for Azure Users**

Orca reported the vulnerability to the Microsoft Security Response Center (MSRC) on Dec. 20, and an investigation into the issue begun later that month, on Dec. 31, the researchers said. Orca researchers and MSRC communicated several times regarding the impact of the flaw before Microsoft assigned CVE-2023-23383 to the vulnerability and issued a patch for it on March 14 that automatically fixed the issue for customers.

While no further action is necessary by Azure Service Fabric users, the flaw does, once again, highlight the inherent danger of unpatched flaws in cloud-based architectures that an enterprise deploys, he tells Dark Reading. These vulnerabilities "can pose higher risks compared to on-premises solutions," Shitrit says.

"With cloud-based systems, organizations often depend on third-party providers, leading to a larger attack surface and less control over security measures," he adds. "Additionally, it's important to consider the multi-tenant nature of cloud environments and the significance of maintaining proper isolation between tenants."

To address risks posed by cloud-based flaws like Super FabriXss, he suggests that organizations maintain a regime of cloud security hygiene. This includes regularly applying patches, monitoring security, addressing vulnerabilities, training employees on best practices, applying network segmentation, enforcing least-privilege permissions, collaborating with providers, and creating a robust incident response plan, Shitrit says.

"These combined efforts help ensure a secure and resilient cloud environment," he says.

Microsoft Patches 'Dangerous' RCE Flaw in Azure Cloud Service

Risk reassessment is shaking up the cybersecurity insurance market, leading some organizations to consider their options, including self-insurance.

As the market for cybersecurity insurance evolves and matures, insurance giant Lloyd's of London is preparing to exclude most nation-state attacks from its coverage policies. In the wake of such changes, organizations are reassessing their cyber insurance strategies.

While the Lloyd's announcement does not explicitly exclude all nation-state or nation-inspired cyberattacks, it does solidify some definitions around what is and is not covered.

"This guidance will now be trickling down into cyber insurance policy providers' wordings," explains Chris Denbigh-White, security strategist at Next DLP.

Organizations must figure out what policies offer the best value and coverage, and look into other risk treatment measures, if they wish to understand the risks that cyber insurance cannot address, he says.

Self-insuring may allow companies to tailor their insurance coverage and costs more carefully.

**Opportunities and Risks in Self-Insurance**

"A well-implemented self-insurance strategy has the potential to give an organization granular control of costs and coverage," Denbigh-White says. "In the short term, it may offer a certain degree of cost savings, as its purpose would be to cover remediation of potential cyber incidents as opposed to generating income for a third-party insurer."

However, if a self-insured organization doesn't focus resources on improving security controls and capabilities to reduce the probability of an event that requires an insurance claim, it runs a serious chance of bankrupting at least its self-insurance fund — if not the entire company — through one or two events.

"Self-insurance requires an organization to be responsible for covering all losses," Denbigh-White says. "Whilst this may seem obvious, a self-insured organization can only draw on the money it has invested in its self-insurance to address any future claim."

In contrast, commercial insurance companies not only have access to funds from a multitude of client premiums, but they also may benefit from upstream support. This often includes reinsurance (underwriting) and maybe even backstopping from governments in certain cases.

In addition, the administrative burden of setting up such a self-insurance function within an organization may prove prohibitively complicated and costly. Self-insurance is not something organizations can just "switch to" in the same way they might change an external insurance provider, Denbigh-White notes.

"Implementing such a program requires in many cases a business function to be set up to support management, claims processing, regulatory communications, and day-to-day operations," he says.

**Saving Money Could Be Costly**

For organizations with the administrative and financial capacity, self-insurance could prove a viable approach. But for those without, it could prove an expensive enterprise that serves to cost more and protect less.

Bud Broomhead, CEO at Viakoo, says that self-insurance has the benefit of forcing the organization to focus on running an accurate risk assessment that is specific to its business.

"In the end, an organization can achieve significant cost savings through self-insurance, which is ultimately the main benefit," he says.

The main risk lies in getting it wrong. A self-insured organization that is the victim of an attack cannot offset its losses as it might through insurance. "'Black swan' risk is fully absorbed by the company and, because it was not considered in risk assessment, could be much more expensive," Broomhead adds.

**Improving Security Is an Insurance Strategy**

Bill Bernard, area vice president of Deepwatch, says the best insurance strategy is to avoid needing to use insurance.

"As an analogy, buying a car with automatic crash protection braking lowers the probability I'll have to file an auto insurance claim," he explains. This type of preventative thinking will be critical to successfully self-insure against cybersecurity incidents, he says.

The way to minimize the number of claims events is to have a robust security program, including a well-prepared capability to detect, respond, and recover from events before they become claim-generating events.

"Sadly, these capabilities have often been treated as cost centers by companies, and that thinking will have to change," Bernard says.

**Influence of Federal Regulations**

With new regulation coming to critical sectors — water, rail, aviation, and health have already received such — and an increased focus on third-party security, many organizations are shoring up controls to be able to better compete for government contract work.

"As controls improve, the conversation with the insurance company is worth revisiting to demonstrate those controls to hopefully result in lower cost of coverage," says Mike Hamilton, CISO of Critical Insight. "Further, with the federal government examining becoming a reinsurer along the lines of the TRIP program, insurance companies are being given more breathing room, and this may result in lowered premiums as well."

Adds Next DLP's Denbigh-White: "In relation to the US market specifically, I will be watching closely for further announcements around a potential federal backstop for cyber insurance."

Hamilton points out that self-insurance is alternately called "no insurance."

"If an insufficient amount is set aside, a cyber event could be existential," he says. "On the other hand, rolling those dice for a year and making investments in controls will have the effect of lowering premium costs, as risk has been demonstrably reduced."

**Broader Changes in the Cyber Insurance Market**

Much like car insurance based on a device in your vehicle that reports back to the insurance company how you drive, cyber insurance needs data to price risk through continuous monitoring of a client's cybersecurity practices, Hamilton says,

"Eventually, insurance companies will begin bundling this service as a condition of being insured," he explains.

Denbigh-White predicts greater emphasis will be placed on risk management, with insurers requiring a greater level of "proof" that robust cybersecurity measures are not only in place but effective in their stated purpose.

"Policies may move beyond simple exclusions and become increasingly tailored, allowing customers to choose coverage that addresses their specific needs and risk profile," he says. This may include insurers supporting hybrid arrangements where clients have decided to self-insure a proportion of their risk.

Adds Denbigh-White: "Overall, 2023 will see a definite maturing of the cyber insurance industry and a greater understanding of its place within customers' risk mitigation strategies."

Organizations Reassess Cyber Insurance as Self-Insurance Strategies Emerge

The investment will fund global commercial rollout and R&D efforts to debilitate fraudsters.

**NEW YORK****,** **March 30, 2023** **/PRNewswire/ --** DataDome, a leading provider of AI-powered online fraud and bot management, today announced its Series C funding round of $42 million. This round was led by InfraVia Growth, with participation from existing investors Elephant, ISAI, and others, to support DataDome on its mission to rid the web of bot-driven cyberattacks and fraud.

Malicious bots are growing more advanced by the second to circumvent security measures, and the rise of human-bot combinations and AI-powered bots have facilitated the consistent bypass of usual point-in-time, static barriers like WAFs, traditional CAPTCHAs, and user validation databases. What's more, silos between security and fraud mitigation enable attackers to take advantage of vulnerabilities and launch attacks that cut across the whole customer journey, profiting along the way. Online businesses are bearing the consequences of automated cyberattacks and online fraud, and it's a costly situation to be stuck in. Enterprises need a solution that puts them back in the driver's seat and empowers them to fight fraud.

"Bots have become a common path to fraud. In 2022 alone, DataDome stopped, in real time, over 250 billion online fraud attempts," said Benjamin Fabre, CEO and co-founder of DataDome. "Because of how our product is built and deployed, we have a unique lens into attack vectors and can see across silos to stop attacks in their tracks. This is why enterprises like Rakuten, Reddit, and AngelList trust us to protect their digital properties."

"This cash infusion will fund global commercial rollout and R&D efforts to ensure that our offering continues to raise the bar, and stays well ahead of bot developers and fraudsters," continued Fabre. "In InfraVia, we have an investor who trusts in and shares our vision, and brings years of valuable experience helping companies scale globally. Threat actors don't stand a chance."

DataDome's bot and online fraud solution assesses the intent of a visit in real time, every time, to detect and mitigate attacks on mobile apps, websites, and APIs with unparalleled accuracy and zero compromise. Such performance is made possible by the solution's ability to adapt machine learning algorithms in real time, at the edge. DataDome protects 300+ enterprises from account takeover, scraping, payment fraud, DDoS, credential stuffing, and more. 

"We were genuinely impressed by the sophistication of DataDome's solution, as well as the company's growth trajectory, especially in the US," said Guillaume Santamaria, Partner at InfraVia. "DataDome perfectly embodies our commitment to growth technology companies, and we fully endorse the team's vision of bot management as a foundation for fighting online fraud. We are very much looking forward to the next phase of DataDome's evolution and global scale."

Follow DataDome on Twitter and LinkedIn for regular updates on threat research, customer case studies, and to ensure your bot protection is ready to tackle the most sophisticated attacks.

**About DataDome**

DataDome's bot and online fraud protection detects and mitigates attacks with unparalleled accuracy and zero compromise. Our machine learning solution analyzes 3 trillion data points per day to adapt to new threats in real time. Our 24/7 SOC experts protect hundreds of high-profile brands worldwide, including Reddit, Patreon, and AngelList. A force multiplier for IT security teams, DataDome is fully transparent, easy to deploy, and frictionless for consumers. In 2022, DataDome was named a Strong Performer in the 

 and ranked the top G2 Leader in Bot Detection & Mitigation for Fall 2022 and Winter 2023.

**About InfraVia**

InfraVia is a leading independent private equity firm, specialized in infrastructure and technology investments. InfraVia supports entrepreneurs and industrial players in their growth and digital strategy, accelerating their transformation to sizable platforms. Since 2008, InfraVia has raised EUR 10 billion of capital and invested in 50 companies across 13 European countries.

In 2020, InfraVia launched a new investment strategy dedicated to European B2B high-growth tech companies and raised a EUR 501m fund. The team plans to make 15 single investments of EUR 10 million to EUR 50 million to help some of the best European entrepreneurs realize their ambitions. Since inception, InfraVia Growth has participated in the funding rounds of Jobandtalent, Sightcall, Paysend, Foodles, Botify, Packhelp, Ometria, Paack, Xempus, Stratio and lastly DataDome.

www.infraviacapital.com

SOURCE DataDome

DataDome Closes $42M in Series C Funding to Advance the Fight Against Bot-Driven Cyberattacks and Fraud

SASE reduces security & connectivity costs and improves employee experience.

**LONDON****,** **March 30, 2023****/PRNewswire/ --** Socura, a UK-based cyber security managed services specialist, today announced the launch of its Managed SASE (Secure Access Service Edge) service in partnership with Palo Alto Networks' Prisma. Market industry researchers expect SASE to be a $60bn industry by 2027 fuelled by the rise of flexible working, which was enshrined into UK law in December 2022, whereby millions of UK employees were granted the right to request flexible working hours throughout their employment.SASE it is still an emergent and complex technology that the majority of MSSPs do not offer in 2023. Socura is one of the first UK security companies to offer SASE as a managed service, and it hopes it will give them an edge over legacy MSSPs that specialise solely in securing traditional on-premises environments.

By combining SASE with its Managed SOC (Security Operations Centre) service, Socura expects the new service to appeal primarily to SMEs and public sector organisations. These organisations often lack the in-house security resources needed to manage and monitor a SASE deployment on a 24/7 basis. 

SASE is designed for today's hybrid workforce and functions like a network security wrapper around an entire company, no matter where its endpoints are located. It's Zero Trust Network Access model enables organisations to create role-based access controls, granting their users access only to selected applications and services based on their identity, location, privileges, and device type and posture. SASE also converges security and networking functions onto the same platform. This enables organisations to control their perimeter, secure remote devices, lower costs, and eliminate latency and traffic issues.

"The moment that UK workforces went remote en masse in 2020, every business had a tricky twofold security problem; decentralised access to company data and loss of control over environments from which the data was being accessed," said Socura CEO, Andy Kays. "Legacy solutions were designed for occasional remote working and were a useful stopgap when the first lockdowns were announced. Three years later, many organisations have failed to update their security strategies despite embracing hybrid work. SASE offers a solution; fast deployment and reduced costs, whilst enabling organisations to adopt a 'never trust, always verify' approach to employee access — a perfect fit for the era of flexible working."     

**Notes for Editors** 

The Socura SASE service is available to customers immediately, see below for key benefits:

*   **Flexibility:** With a cloud-based infrastructure, Socura can deliver security services such as threat prevention, cloud web gateway, sandboxing, CASB, IoT security, DNS security, credential theft prevention, data loss prevention, and more.
*   **Cost savings:** Instead of buying and managing multiple point products, using a single service will dramatically reduce costs, and IT resource requirements.
*   **Increased performance:** With massively scalable cloud infrastructure and over 100 global points of presence, Socura connects customers to wherever their resources are located with minimal latency.
*   **Zero Trust:** Socura's approach removes trust assumptions when users, devices, and applications interconnect. Its SASE service provides complete session protection, regardless of whether a user is on or off the corporate network.

*   **Threat prevention:** In addition to the inherent advanced network threat prevention capabilities of the SASE/SSE platform, customers can opt to combine the Managed SASE service with Socura's award-winning Managed Detection and Response (MDR) service to provide enhanced coverage that includes endpoints, identity, and more.
*   **Data protection:** Data protection policies, defined within the SASE service, will help to prevent unauthorised access and abuse of sensitive data, helping customers meet necessary regulatory and compliance measures.
*   **Powered by an industry leader:** Socura's Managed SASE service is built upon the award-winning Prisma® SASE, from industry leader Palo Alto Networks.

**About Socura**

Socura offers a 24/7 Threat Detection and Response managed service via its nationally distributed, UK-based SOC team. The service acts as a trusted extension of clients' in-house capabilities, delivering swift detection and containment of cyber threats.

Socura helps make the digital world a safer place for its clients and changes the way organisations think about cyber security. It blends technical expertise and industry experience with a people-centric approach to security. Socura has innovation in its DNA, and is pushing the boundaries to deliver high-value cyber security services for clients.

Socura Launches Managed SASE (MSASE) Service

Don't count on securing end users for system security. Instead, focus on better securing the systems — make them closed by default and build with a security-first approach.

It's common among cybersecurity professionals to point to the end user as a top area of risk in securing the organization. This is understandable. Systems and software are under our control, but users are unpredictable, that unruly variable that expands our threat surface to each geographically dispersed user, personal device, and all-too-human foibles and flaws.

Certainly, threat actors target our users quite successfully — I'm not here to dismiss this obvious truth. But what is equally certain is this: _W__e cannot train our way out of this problem._ Enterprises pour significant investments into user security-awareness training, and still, they suffer embarrassing, costly breaches. So, focusing primarily on securing the end user isn't a sound strategy.

**Secure Systems With New Strategy in Mind**

Fact: your users are a major risk factor. According to Verizon's "2022 Data Breach and Investigations Report," 35% of ransomware infections began with a phishing email. Fact: This is despite escalating investments in security-awareness training over many years. The cybersecurity awareness training market is projected to grow from $1,854.9 million in 2022 to $12,140 million by 2027. Fact: Even with all these investments, ransomware (just as one attack type) is also expected to grow aggressively, despite many organizational efforts, including training.

Sad, unavoidable fact: Our users are still going to make mistakes — we're all human, after all. A survey conducted to prove the need for more security training, in my view, proved its inability to stop the cyber crisis: Four out of five surveyed had received security awareness training; between 26% and 44% (based on age demographic) continued to click on links and attachments from unknown senders anyway.

**Don't Just Count on Securing the User**

We should conclude that organizational security must not rely heavily on securing the user, that they will be compromised, and then begin securing systems with this assumption in mind. Thus, even if an end user is breached, the amount of systemic damage that's done by that compromise shouldn't be large if proper security measures are employed and orchestrated correctly.

Should we be training our end users? Absolutely, emphatically, yes. Strong security requires a layered approach, and that means buttressing your security by securing every doorway to your systems. But we must start removing end-user risk from the equation. This requires some difficult choices and significant leadership buy-in to these choices.

**How Can We Disarm Users as a Top Risk?**

Organizations must better block access and orchestrate security controls. Systems are too open by default; we must make them closed by default, evaluate each for risk, and then open access by exception and with full intentionality. Users can't click or open what they can't access, and in the organizations we assess or remediate post-breach, we see employees and systems having far greater access than necessary in the course of work. Companies should layer on stronger security orchestration across their people, process, and technology so that, should a threat actor gain access through an improper click anyway, there are controls designed to stop their lateral movement and harvesting/escalation of credentials.

Organizations can take proactive measures to reduce user risk, including: blocking access to personal email accounts; filtering HTTPS traffic with deep-packet inspection; blocking Internet access to nonuser subnets/VLANs by default; requiring all user traffic to be inspected and filtered all the time — no matter the endpoint; disallowing all but IT-approved file-sharing systems and password vaults; and enabling security features in tools such as firewalls and endpoint detection and response (EDR).

**Why Isn't This Being Done Already? The Barriers**

Blocking access to personal sites and platforms and slower systems access incurred by filtering/inspection can cause a degree of user and leader dissatisfaction. Some of the tools needed are also costly.

IT needs a stronger voice, expressing problems, solutions, risks, and results of failure in terms leaders can both hear and understand, so that proper controls and associated costs can be allocated. Users can then be educated from the top down on why these controls are necessary; thus, security awareness education can shift from "don't click and here's why" to include "We block most things by default, and here's why." Leaders that still choose not to make more aggressive investments have skin in the game on the level of risk they're choosing to accept for the organization.

Often, IT teams are also short on staff or expertise: they can't mitigate risks they can't see; educate on threats they don't know; or enable tools on which they are untrained. Teams without this visibility should consider in-depth assessments of controls, configurations, and orchestration from qualified experts.

One thing is certain: No matter how much training we provide, users will always be fallible. It's essential to minimize users' options to click in the first place, and then ensure that, when they do, there are controls in place to disrupt the progression of the attack.

Stop Blaming the End User for Security Risk

ISPM is a combination of identity attack surface management, and risk reduction, as well as identity threat prevention, detection, and response.

Identity security startup Spera came out of stealth with $10 million in seed funding and a platform to protect enterprises from identity-driven threats.

Spera is carving out a segment of the already crowded identity and access market with what it calls identity security posture management — a combination of identity attack surface management, risk reduction, and identity threat prevention, detection, and response. Spera's platform creates a real-time, continuously updated, risk and context-based inventory of identities and access across cloud and on-premises environments, the company said in a release announcing the company's launch. The resulting inventory is then analyzed, assessed, and normalized so that security teams can use the granular insights for remediating identity-driven attacks. This allows security professionals to identify or mitigate partially offboarded users, overprovisioned employees, unused and risky privileges, compromised credentials, and other identity risks.

According to IBM's Cost of a Data Breach report, identity-based attacks involving compromised credentials and phishing were the two most common and costly attack vectors of 2022. Spera has helped solve more than 75% of critical issues within the first weeks of deployment, the company said.

"As far as identity security is concerned, security teams can't see who accesses what resource, using what identity," said Richard Reinders, VP of Information Security at Gravity Payments, said in the announcement.

YL Ventures, which led the funding round, has been "bullish on the identity space" for some time, John Brennan, senior partner at YL Ventures, said in the announcement. "\[Despite\] a massive allocation of budget to IAM solutions, existing IAM tools failed to deliver on their promise," Brennan said.

Spera's founders are Dor Fledel, CEO, and Ariel Kadyshevitch, CTO.

Source

DARKReading