Generative AI combined with user awareness training creates a security alliance that can let organizations work protected from ChatGPT.

ChatGPT has taken the world by storm since late November, sparking legitimate concerns about its potential to amplify the severity and complexity of the cyber-threat landscape. The generative AI tool's meteoric rise marks the latest development in an ongoing cybersecurity arms race between good and evil, where attackers and defenders alike are constantly in search of the next breakthrough AI/ML technologies that can provide a competitive edge.

This time around, however, the stakes have been raised. As a result of ChatGPT, social engineering is now officially democratized — expanding the availability of a dangerous tool that enhances a threat actor's ability to bypass stringent detection measures and cast wider nets across the hybrid attack surface.

**Casting Wide Attack Nets**

Here's why: Most social engineering campaigns are reliant upon generalized templates containing common keywords and text strings that security solutions are programmed to identify and then block. These campaigns, whether carried out via email or collaboration channels like Slack and Microsoft Teams, often take a spray-and-pray approach resulting in a low success rate.

But with generative AIs like ChatGPT, threat actors could theoretically leverage the system's Large Language Model (LLM) to stray away from universal formats, instead automating the creation of entirely unique phishing or spoofing emails with perfect grammar and natural speech patterns tailored to the individual target. This heightened level of sophistication makes any average email-borne attack appear far more credible, in turn making it far more difficult to detect and prevent recipients from clicking a hidden malware link.

However, let's be clear that ChatGPT _doesn't_ signify the death sentence for cyber defenders that some have made it out to be. Rather, it's the latest development in a continuous cycle of evolving threat actor tactics, techniques, and procedures (TTPs) that can be analyzed, addressed, and alleviated. After all, this isn't the first time we've seen generative AIs exploited for malicious intent; what separates ChatGPT from the technologies that came before it is its simplicity of use and free access. With OpenAI likely moving to subscription-based models requiring user authentication coupled with enhanced protections, defending against ChatGPT attacks will ultimately come down to one key variable: fighting fire with fire.

**Beating ChatGPT at Its Own Game**

Security operation teams must leverage their own AI-powered large language models (LLMs) to combat ChatGPT social engineering. Consider it the first _and_ last line of defense, empowering human analysts to improve detection efficiency, streamline workflows, and automate response actions. For example, an LLM integrated within the right enterprise security solution can be programmed to detect highly sophisticated social engineering templates generated by ChatGPT. Within seconds of the LLM identifying and categorizing a suspicious pattern, the solution flags it as an anomaly, notifies a human analyst with prescribed corrective actions, and then shares that threat intelligence in real-time across the organization's security ecosystem.

The benefits are the reason why the rate of AI/ML adoption across cybersecurity has accelerated in recent years. In IBM's 2022 "Cost of a Data Breach" report, companies that leveraged an AI-driven security solution alleviated attacks 28 days faster, on average, and reduced financial damages by more than $3 million. Meanwhile, 92% of those polled in Mimecast's 2022 "State of Email Security" report indicated they were already leveraging AI within their security architectures or planned on doing so in the near future. Building on that progress with a stronger commitment to leveraging AI-driven LLMs should be an immediate focus moving forward, as it's the only way to keep pace with the velocity of ChatGPT attacks.

**Iron Sharpens Iron**

The applied use of AI-driven LLMs like ChatGPT can also enhance the efficiency of black-box, gray-box, and white-box penetration testing, which all require a significant amount of time and manpower that strained IT teams lack amidst widespread labor shortages. Considering time is of the essence, LLMs offer an effective methodology for streamlining pen-testing processes — automating the identification of optimal attack vectors and network gaps without relying on previous exploit models that often become outdated as the threat landscape evolves.

For example, within a simulated environment, a "bad" LLM can generate tailored email text to test the organization's social engineering defenses. If that text bypasses detection and reaches its intended target, the data can be repurposed to train another "good" LLM on how to identify similar patterns in real-world environments. This helps to effectively inform both red and blue teams on the intricacies of combating ChatGPT with generative AI, while also providing an accurate assessment of the organization's security posture that allows analysts to bridge vulnerability gaps before adversaries capitalize on them.

**The Human Error Effect**

It's important to remember that only investing in best-of-breed solutions isn't a magic bullet to safeguard organizations from sophisticated social engineering attacks. Amidst the societal adoption of cloud-based hybrid work structures, human risk has emerged as a critical vulnerability of the modern enterprise. More than 95% of security breaches today, a majority of which are the result of social engineering attacks, involve some degree of human error. And with ChatGPT expected to increase the volume and velocity of such attacks, ensuring hybrid employees follow safe practices regardless of where they work should be considered nonnegotiable.

That reality heightens the importance of implementing user awareness training modules as a core component of their security framework — employees who receive consistent user awareness training are five times more likely to identify and avoid malicious links. However, according to a 2022 Forrester report, "Security Awareness and Training Solutions," many security leaders lack extensive understanding of how to build a culture of security awareness and revert to static, one-size-fits-all employee training to measure engagement and influence behavior. This approach is largely ineffective. For training modules to resonate, they must be scalable and personalized with entertaining content and quizzes that align with employees' areas of interest and learning styles.

Combining generative AI with well-executed user awareness training creates a robust security alliance that can enable organizations to work protected from ChatGPT. Don't worry cyber defenders, the sky isn't falling. Hope remains on the horizon.

Why ChatGPT Isn't a Death Sentence for Cyber Defenders

From prevention and detection processes to how you handle policy information, having strong cyber insurance coverage can help mitigate cybersecurity attacks.

Enterprise cybersecurity is a team sport involving multiple players. It encompasses everything from technology vendors to cyber insurance providers and cyber defense platforms. And while many organizations have implemented plans for prevention and detection, they often fail to consider remediation.

Despite the best preparations, cyberattacks may be inevitable. That's why it's important to have specific remediation policies like cyber insurance in place to mitigate the effect of potential future breaches. Keep reading to learn how enabling certain security features can help obtain favorable cyber insurance coverage.

**Determining Your Risk, Right-Sizing Your Coverage**

While all businesses run the inherent risk of cyberattacks, the scale of your operations and type of industry you operate in will impact the type of threat you experience and, consequently, the rate you will pay for cyber insurance. Organizations must understand their risk profiles if they want to ensure they're getting the best cyber insurance rate possible.

Small businesses, for example, are more likely to be hacked by outside actors. In part, this is because threat actors have scaled their operations to identify vulnerable targets. Small businesses are also less likely to enable basic cyber hygiene practices that can protect against 98% of online attacks. Large businesses, on the other hand, are disproportionately at risk from insider attacks simply due to the size of their attack surface. These kinds of threats can take the shape of phishing attacks, email compromises, stolen credentials, and more.

Another tool that companies can use to improve their cyber insurance rates is the insurance underwriting application itself. Companies can use this application as a blueprint to identify which steps they should take to most effectively protect themselves. Similar services exist in the marketplace, including Microsoft’s zero-trust maturity assessment quiz or built-in tools like Microsoft Secure Score.

**Vulnerability Management Has Evolved**

Much like risk profiles, vulnerability management can change based on the size of your company and the space you work in. For small businesses, it's about making yourself a difficult target by conducting regular security scans and enabling basic security hygiene features to ensure a base level of protection. Larger entities also need to worry about external threats, but they have the added responsibility of monitoring internal threats as well. Ultimately, it comes down to understanding your attack surface and spending the time to identify where you are most vulnerable. If you want to optimize your coverage, cyber insurance providers will want to see that you're taking proactive steps to guard against potential threats.

Vulnerability management has also evolved alongside the growth of technology. In the past, cybersecurity was focused on perimeter defense — locking down network ports and devices. Today, the growth of remote work and expansion of attack surfaces has created a much stronger focus on identity management. Employees can take their work identities — and by extension, their network access credentials — with them wherever they go. So it's important companies use tactics like verifying explicitly, employing least-privileged access, and always assuming abreach to guard against modern threat vectors. Following these security hygiene practices can help ensure that you're getting a competitive insurance rate.

Finally, companies should treat all cyber insurance communications and policy documents as highly sensitive information. If threat actors know how much coverage your company has, they're able to use this information to demand the highest possible ransom payment in exchange for restoring services or releasing data. Companies should not only safeguard their policy documents, but they should also protect any email communications or applications that disclose sensitive information about their insurance policies.

While cybersecurity can seem overwhelming, businesses have a wealth of resources that they can turn to when looking for better ways to protect themselves. From prevention and detection processes to ensuring coverage with things like cyber insurance, organizations can better mitigate the effects of a cybersecurity attack. Microsoft Security has information on emerging threats and the latest security features that defenders can enable to help obtain favorable cyber insurance coverage.

How to Optimize Your Cyber Insurance Coverage

Five months after AWS customers were alerted about three vulnerabilities, nearly none had plugged the holes. The reasons why underline a need for change.

It's a familiar story: A feature designed for convenience is used to sidestep security measures. In this presentation from Black Hat USA 2021, a pair of researchers show how they found three separate ways to hop between accounts on AWS. Even though fixes for those vulnerabilities were released quickly, the holes reveal that cloud services do not offer the level of isolation expected. The long-term solution may mean changing how the cybersecurity sector handles CVEs.

For the first two isolation breaches, Wiz.io CTO Ami Luttwak and head of research Shir Tamari altered the path prefixes on AWS CloudTrail and Config to allow a user to write to another user's S3 bucket. The third method used the AWS command line to download files from another user's account via the serverless repository.

Sending the logs from several S3 buckets to one is intended for the convenience of an admin who runs several instances, Luttwak and Tamari said in their presentation, "Breaking the Isolation: Cross-Account AWS Vulnerabilities."

"I learned from this behavior that CloudTrail can write to resources that are owned and managed in other accounts," Tamari added. "And for me, a security researcher, there is a concern."

**Customers Notified, So What Happened?**

While Amazon did not have the power to fix the configurations for customers itself — because the fixes involved setting the source account you want, which only the user can decide — it contacted all affected customers to explain the potential problem and how to fix it. Yet when Wiz.io went back after five months, it found that 90% of accounts had not applied the fixes.

Luttwak pointed out that the security team AWS messaged often didn't get the warnings because of the sheer number of accounts they run.

"How do you know this is an important fix to do?" he asked. "And the more we thought about it, the more we understood, this is a big, big problem."

Right now, the system of CVEs allows organizations to check on the latest vulnerabilities, complete with a numerical system of classifying severity and links to vendors' fixes. That works pretty well in most areas of IT. However, cloud vulnerabilities may not get assigned CVE numbers.

"This is because cloud services, as we currently understand them, are not customer controlled," wrote Cloud Security Alliance IT director Kurt Seifried and research analyst Victor Chin. "As a result, vulnerabilities in cloud services are generally not assigned CVE IDs."

**The Amazon Exception**

CVEs take pains to point out that cloud services vulns can indeed receive a CVE ID, as long as the owner of the software is the CVE numbering authority (CNA) reporting them. Rule 7.4.4 says the CNA "may" assign a CVE number if it owns the product or service, even if it is not customer controlled and the fix requires customers to take action.

But here's the sticky wicket: Rule 7.4.5 states, "CNAs MUST NOT assign a CVE ID to a vulnerability if the affected product(s) or service(s) are not owned by the CNA, and are not customer controlled."

In short, the real reason why these AWS vulnerabilities were not issued CVEs is that Amazon is not a CNA partner. Microsoft can issue CVEs for its own products and services, as can Google. Whether the appropriate fix is changing the rules to allow any CNA to assign IDs to vulns whose fixes are out of customers' hands or to sign up Amazon as a CNA depends on your perspective. In June 2022, Wiz.io took matters into its own hands by establishing a community database of cloud vulnerabilities to fill the gap.

As Luttwak said, "There's hundreds of services in AWS, and many of them are getting more and more cross account capabilities, because cross account is the main strategy today for organizations using AWS. So the attack surface is just growing."

Why Some Cloud Services Vulnerabilities Are So Hard to Fix

Hackers can't steal a credential that doesn't exist.

The rise of the cloud has made business more agile, flexible, and streamlined, which is why over 90% of enterprises has committed to a multicloud strategy. But complexity creates seams where secrets leak out. Recent high-profile breaches at Microsoft and airports have made misconfigured S3 buckets a cybersecurity trope. However, configuration issues aren't the only problem: access creep is just as dangerous, and common, according to recent figures.

Overprivileging happens when a service or account requests or requires all the permissions it might possibly ever use, usually in order to avoid having to go back and request new permissions if the need arises later. This would not be a not great situation even at a single-server level, but as various services and vendors interact, each granted its own high level of permissions, the chance of compromise builds.

In its end-of-year summary for 2022, cloud security company Permiso reported that cloud security posture management (CSPM) vendors use only a fraction of the permissions they are granted: just more than 1/10th, or 11%. This shrinks to 5.3% across all users and roles. That's a lot of unlocked doors that nobody needs to open.

The results of its analysis jibe with the results from a CloudKnox survey from two years ago, which found that 90%-95% of identities on AWS, Azure, Google Cloud Platform, and vSphere use no more than 2%-5% of the permissions granted.

"Most teams assume that these secrets are only being used by the individuals or workloads they have been provisioned to, but in reality, these secrets are often shared, rarely rotated, are long-lived and not single-use, so just like passwords, they become more vulnerable as they age," the Permiso team wrote.

And therein lies the problem. Organizations are usually pretty strict about setting up permissions for human users, but they tend to allow the requested default permissions for machine identities. This leads to a situation in which threat actors need only find a way into one overly broadly permissioned account in order to gain privileged access over much of the corporate cloud. "You may have your database perfectly locked down, but if a service that has access to that database has the permissions for anyone to get in, your database is as good as compromised," Kendall Miller, president of Kubernetes governance service FairWinds, warned in 2021.

And for the year 2022, Permiso flatly declared, "All of the incidents we detected and responded to were a result of a compromised credential," rather than a misconfigured cloud resource.

The key to managing this risk is to audit permissions and institute strong identity access management (IAM) policies for all users, not just humans. That begins with determining what data an application actually needs access to — and what it doesn't. A software org chart might prove helpful in tracing out the routes of access among apps and assigning or restricting permissions.

Cloud Apps Still Demand Way More Privileges Than They Use

A broken access control vulnerability could have led to dangerous follow-on attacks for users of the money-management app.

A finance app called "Money Lover" has been found leaking user transactions and their associated metadata, including wallet names and email addresses.

That’s according to Trustwave, which published its findings in a blog post on Feb. 7.

Money Lover, developed by Vietnam-based Finsify, is a tool for managing personal finances — budgeting, tracking expenses, and so on. It’s available in Google Play for Android, the Microsoft Store for PCs, and the App Store for iOS, where it enjoys a 4.6-star rating from more than 1,000 reviewers, who may or may not have been affected by the vulnerability.

Though the app leaked no actual bank account or credit card details, "the potential danger to their customers’ accounts will surely affect both the financial vendor and customer monetarily," wrote Karl Sigler, a senior security research manager at Trustwave. "And when you have a financial institution that loses a customer's trust, they will likely see a reputation hit."

**The Money Lover Bug**

Troy Driver, a Trustwave security researcher and Money Lover user, became curious about Money Lover's security. So, using its Web interface, he routed its traffic through a proxy server, where he discovered a problem: From the Web sockets tab of his browser’s developer tools window, he could see the email addresses, wallet names, and live transaction data associated with every one of the app's shared wallets (wallets managed by two or more users).

It was a classic case of broken access controls, where he — an otherwise authorized user — was able to view data that should have been kept outside of his permissions.

"Based on the small amount of information in the blog," Stephen Gates, security evangelist at Checkmarx, speculates to Dark Reading, "I would suspect that an API in use has an API1, API2, and/or API3 vulnerability,” aka broken object level authorization, broken user authentication, and excessive data exposure, respectively (all forms of broken access control).

Such vulnerabilities are extremely common. Every few years or so, the Open Web Application Security Project (WASP) releases a Top 10 list, using extensive testing and surveys of industry professionals to track the most common web security vulnerabilities. In its latest 2021 iteration, broken access controls made the No. 1 spot on the list.

Broken access isn’t just prevalent, though — it’s dangerous. "If the app has one or more of the above vulnerabilities," Gates adds, "it’s just a matter of time before attackers craft the perfect request to possibly gain access to even more data."

**The Implications of the Bug**

While the sensitive data in this case isn't all that sensitive (i.e., not payment card details or credentials), users would be advised not to pooh-pooh cases like this, as they can lead to more pointed attacks further down the line. For example, cross-referencing email addresses with past leaks could potentially lead to account takeover or impersonation.

Even the basic metadata leaked by Money Lover could be something to go on, for hackers that like to use every part of the animal, as it were.

"For instance," Sigler explains, "a scenario could occur where an attacker reaches out to one of the users sharing a wallet via email and suggests that funds aren't seen in a specific shared wallet name and transaction ID. The attacker could then recommend the person transfer money to a different account or maybe log in to 'check' the transaction but provide a link to a credential capture webpage."

Sigler puts it bluntly: "There is no reason for any Money Lover user to be able to see the transactions of any other user. Tightening up permission to just authorized users is an important security control."

As of Jan. 27, the Money Lover app patched the vulnerability; users should update their apps to the latest version.

'Money Lover' Finance App Exposes User Data

For the moment, victims can decrypt data without paying a ransom. But Clop is a ransomware variant that has caused havoc on Windows systems, so that's bound to change.

A newly spotted version of the prolific Clop ransomware family holds both good and bad news for security teams.

The good news is the malware is faulty, and victims can relatively easily decrypt any data it encrypts without first having to pay a ransom for a decryption key. The bad news is the new malware also is the first Linux version of Clop, a particularly nasty ransomware variant associated with numerous high-profile attacks that have netted its operators hundreds of millions of dollars.

**Faulty Encryption**

Researchers from SentinelOne's SentinelLabs threat hunting team observed the latest Clop variant targeting Linux systems at a university in Colombia. Samples that the company analyzed showed the Linux code to have a similar logic as its more pernicious Windows relative, with minor differences involving API calls and other features unique to the different operating systems.

SentinelOne's analysis showed Clop's Linux version is still likely only in its initial development stages and missing many of the obfuscation and evasive capabilities that are present in Windows' versions of the malware. The security vendor assessed that the reason for this might have to do with the fact that not one of the 64 virus-detection engines on Virus Total are currently able to detect the Linux Clop variant.

Significantly, SentinelOne's researchers found the encryption logic in the Linux variant to be flawed. "The issue boils down to a couple of key differences between the Windows and Linux variants," says Antonis Terefos, threat intelligence researcher at SentinelOne.

The Linux version includes a hardcoded master key, which, when extracted, allows for decryption, he says. "The flaw allows for the simple extraction or discovery of what the RC4 'master key' is for a given sample," he notes, adding that SentinelOne has released a free decryptor for the variant.

The Windows version, on the other hand, contains a number of validation steps, along with a different key generation process, making it hard to retrieve the master key in similar fashion. Specifically, the Windows version generates an RC4 key for each encrypted file on a compromised system and then encrypts the encryption key itself and stores it on the system. Victims who pay the ransom receive a decryption key for decrypting the RC4 key, which is then used to decrypt the actual data.

**Other Differences Between Windows & Linux Clop Versions**

SentinelOne also discovered other differences between the Windows and Linux variants of Clop. The Windows variant, for instance, includes logic that excludes specific files, folders, and extensions on a system from encryption. With the Linux variant, on the other hand, paths targeted for encryption are hardcoded into the malware, Terefos says: "Therefore, there is no need to 'exclude' unwanted locations."

The new Clop version adds to a growing list of ransomware variants targeting Linux systems; other examples include Hive, Smaug, Snake, and Quilin. Researchers from Trend Micro who have been tracking the trend, reported a 75% increase in ransomware attacks that targeted Linux systems in the first half of 2022 compared with the prior year. In a September report, the security vendor reported observing some 1,960 instances where a threat actor used Linux ransomware in an attack attempt, compared with 1,121 in the same period in 2021.

**Mounting Attacker Interest in Linux Malware**

Since then, the situation has only gotten worse for Linux systems. During 2022 as a whole, Trend Micro identified some 27,602 attacks involving Linux malware, says Jon Clay, vice president of threat intelligence at Trend Micro. That represented a 628% increase over 2021, he notes, adding, "we are seeing many more ransomware groups targeting Linux systems."

The attacks are part of a broader increase in all kinds of malware targeting Linux environments, Clay says. As one example, he points to a 61% increase in cryptominers targeting Linux from 2021 to 2022. Others such as VMware have noted an increase in different kinds of malware tools targeting virtual machines and containers via Linux hosts. In a report last year, the company reported identifying more than 14,000 instances where attackers attempted to deploy the Cobalt Strike post-exploit toolkit on a Linux host.

Attacks targeting Windows systems continue to outnumber those directed at Linux environments by orders of magnitude. Still, the growing attacker interest in Linux is something enterprises cannot ignore. 

"Linux and cloud devices offer a rich pool of potential victims," Terefos says. "In recent years, many organizations have shifted toward cloud computing and virtualized environments, making Linux and cloud systems increasingly attractive targets for ransomware attacks."

The rise in cross-platform programming languages such as Rust and Go are another factor in the mix because they have lowered the barrier of porting malware to other platforms, Terefos notes. "We've seen this with other groups like Hive, Royal, LockBit, Agenda, etc. Successfully targeting cloud environments is an operational necessity for the future success of these groups."

Fresh, Buggy Clop Ransomware Variant Targets Linux Systems

Lazarus Group used a known Zimbra bug to steal data from medical and energy researchers.

A recent round of compromises that exploited unpatched Zimbra devices was an effort sponsored by the North Korean government and intended to steal intelligence from a collection of public and private medical and energy sector researchers.

Analysts with W Labs explained in a new report that due to an overlap in techniques — and thanks to a misstep by one of the threat actors — they were able to attribute "with high confidence" the recent round of cyber incidents against unpatched Zimbra devices as the work of Lazarus Group, a well-known threat group sponsored by the North Korean government. Lazarus operated this campaign and other similar intelligence-gathering efforts through the end of 2022.

The researchers named the campaign "No Pineapple" after an error message generated by the malware during their investigation. The threat actors quietly exfiltrated about 100GB of data, without waging any disruptive cyber operations or destroying information.

"The campaign targeted public and private sector research organizations, the medical research, and energy sector as well as their supply chain," the W Labs report added. "The motivation of the campaign is assessed to be most likely for intelligence benefit."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DPRK Using Unpatched Zimbra Devices to Spy on Researchers

New malware demonstrates how threat actors are pivoting toward payment platform attacks, researchers say.

A new Android banking Trojan called PixPirate is targeting more than 100 million Brazilian Pix instant payment accounts.

The Pix payment platform was created and is operated by the Brazil Central Bank, and it's used to make instant mobile payments across Latin America using a variety of banks.

Researchers with the Cleafy TIR Team — who have been tracking the PixPirate Brazilian banking Trojan since late 2022 — released a report this week detailing PixPirate's intention to steal credentials and deploy its noteworthy automatic transfer system (ATS) used to make automatic fraudulent money transfers. Additionally, by abusing accessibility services, PixPirate also has the flexibility to steal credentials and launch ATS attacks across multiple bank user interfaces using the Pix platform.

The malware also can intercept and delete SMS messages, push malvertising efforts, and contains code protection that attempts to evade detection, the report said.

"PixPirate represents one of the emerging malware that will try and leverage the double edge blade mechanism related to instant payments," the Cleafy team added. "The introduction of ATS capabilities paired with frameworks that will help the development of mobile applications, using flexible and more widespread languages (lowering the learning curve and development time), could lead to more sophisticated malware that, in the future, could be compared with their workstation counterparts."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Banking Trojan Targeting 100M Pix Payment Platform Accounts

**SILICON VALLEY, Calif. & SAN SEBASTIÁN, Spain--(****BUSINESS WIRE****)--** Opscura Inc., an innovator in industrial control system (ICS) cybersecurity, announced today it has received $9.4M in Series A funding as it scales to engage further U.S. partners and customers seeking to protect and connect their critical operations. Founded in Spain as Enigmedia, the new global entity Opscura is also launching a new brand, global management team, and product upgrades in addition to the capital infusion led by Anzu Partners, with investments from Dreamit and Mundi Ventures.

Opscura’s technology adds a unique layer to the industrial cybersecurity ecosystem as manufacturers require greater efficiencies to protect thousands of vulnerable legacy devices they cannot take offline, and as the rapid build-out of new renewable energy critical infrastructure continues. To reduce the pervasive risks of ransomware, unauthorized access, and data theft, Opscura’s patented cloaking technology obscures deeper operational technology (OT) Level 2 network and Layer 2 data without disrupting operations.

“We have been impressed with the power and simplicity of Opscura’s security solution as part of our Schneider Electric Exchange™️ Technology Partner program,” says Francesc Juan, CTO Spain of Schneider. “Opscura addresses multiple ICS use cases, and unlike other offerings, simplifies the processes, people, and technology work involved in protecting critical infrastructure in deeper OT layers.”

Worldwide integrator partners such as Telefonica deploy Opscura to their customer segments that need simplified, yet robust, OT security for Zero Trust environments. Opscura works collaboratively within the ICS security ecosystem, and its technology is complementary to solutions from Claroty, Nozomi, Fortinet, and more. Customers across various industries, including renewable energy, transportation, manufacturing, government, and chemical also rely on Opscura to solve industrial cybersecurity, compliance, and digital transformation challenges.

“Throughout our extensive diligence process, we were impressed with Opscura’s foundational approach to ICS and their ability to deliver a frictionless solution that ensures continuity of operations. We believe it has great potential to efficiently and effectively address the myriad unmet security needs that exist in critical brownfield OT networks,” said John Ho, Partner at Anzu Partners. “We look forward to supporting the Opscura team as they continue to scale the company, validate the technology’s capabilities across multiple ICS use cases, and demonstrate how to fully deliver the zero trust model in an OT context.”

Opscura’s funding reflects a shift in the appetite for diversified cybersecurity innovation from the government and investors. Spain, including the Basque region where Opscura’s R&D team is based, continues to invest in EU-wide cybersecurity growth. Opscura has earned multiple grants to continue its novel research into ultra-low latency encryption and data communications across industrial devices.

"The mission to reduce risk for industrial operators has no geographical boundaries, and we are excited to see Opscura's Spanish and U.S. technical talent collaborate to solve ICS security challenges,” said Rajeev Singh-Molares, Founding & Managing Partner at Mundi Ventures. “Opscura solves the immediate concern of protecting vulnerable industrial assets such as PLCs, and it has novel IP that can prepare companies as quantum progresses and data security compliance needs evolve.”

“Opscura is much needed in the ICS security ecosystem, with its focus on protecting and connecting at deeper levels of the network,” said Mel Shakir, Partner at Dreamit Ventures, Securetech. “Their collaborative approach across OT, IT and automation partners will expedite market traction.”

Opscura co-founders Gerard Vidal and Carlos Tomás will take on the Chief Technology Officer and VP Engineering roles, respectively, as part of a new global management team led by new Chief Executive Officer, David Hatchell. The Opscura executive team also includes Chief Product Officer Michael Garrison Stuber, Chief Customer Officer and Chief Information Security Officer Brian Brammeier, and Strategic Advisor Allison J. Taylor, who formerly served as interim Chief Marketing Officer.

“It’s time to take on the most pressing national cybersecurity problems and move the entire ICS ecosystem forward,” said David Hatchell, CEO at Opscura. “Together with our partners and talented technical teams, Opscura can help customers move beyond device visibility to protect our critical industrial assets and data.”

Opscura team members will be attending DISTRIBUTECH International in San Diego from February 7-9, 2023, and S4x23 in Miami from February 13-16, 2023. If you are interested in scheduling a meeting at either event, please reach out to \[email protected\]. For more information on the executive team and Opscura’s ICS security technology, visit https://www.opscura.io.

**About Opscura:** 

Opscura protects and connects industrial networks with easy-to-use innovations that are safe to use deep within operational infrastructure. Validated by global partners such as Schneider Electric, Opscura reduces operational risks by protecting vulnerable legacy industrial assets and data, eliminating deep-level attacker footholds, and enriching threat visibility data. Brownfield and greenfield global customers rely on Opscura for OT cloaking, isolation, and Zero Trust authentication, together with simplified IT-OT connectivity. Learn more about Opscura’s Spanish Basque region roots and follow us through https://www.opscura.io.

Industrial Cybersecurity Innovator Opscura Receives $9.4M in Series A Funding as Critical Operations Transform

The global assault on vulnerable VMware hypervisors may have been mitigated by updating to the latest version of the product, but patch management is only part of the story.

Organizations using older versions of VMWare ESXi hypervisors are learning a hard lesson about staying up-to-date with vulnerability patching, as a global ransomware attack on what VMware has deemed "End of General Support (EOGS) and/or significantly out-of-date products" continues.

However, the onslaught also points out wider problems in locking down virtual environments, the researchers say.

VMware confirmed in a statement Feb. 6 that a ransomware attack first flagged by the French Computer Emergency Response Team (CERT-FR) on Feb. 3 is not exploiting an unknown or "zero-day" flaw, but rather previously identified vulnerabilities that already have been patched by the vendor.

Indeed, it was already believed that the chief avenue of compromise in an attack propagating a novel ransomware strain dubbed "ESXiArgs" is an exploit for a 2-year-old remote code execution (RCE) security vulnerability (CVE-2021-21974), which affects the hypervisor's Open Service Location Protocol (OpenSLP) service.

"With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities," VMware told customers in the statement.

The company also recommended that customers disable the OpenSLP service in ESXi, something VMware began doing by default in shipped versions of the project starting in 2021 with ESXi 7.0 U2c and ESXi 8.0 GA, to mitigate the issue.

**Unpatched Systems Again in the Crosshairs**

VMware's confirmation means that the attack by as-yet unknown perpetrators that's so far compromised thousands of servers in Canada, France, Finland, Germany, Taiwan, and the US may have been avoided by something that all organizations clearly need to do better — patch vulnerable IT assets — security experts said.

"This just goes to show how long it takes many organizations to get around to patching internal systems and applications, which is just one of many reasons why the criminals keep finding their way in," notes Jan Lovmand, CTO for ransomware protection firm BullWall.

It's a "sad truth" that known vulnerabilities with an exploit available are often left unpatched, concurs Bernard Montel, EMEA technical director and security strategist for security exposure management firm Tenable**.**

"This puts organizations at incredible jeopardy of being successfully penetrated," he tells Dark Reading. "In this case, with the … VMWare vulnerability, the threat is immense given the active exploitation."

However, even given the risks of leaving vulnerable systems unpatched, it remains a complex issue for organizations to balance the need to update systems with the effect the downtime required to do so can have on a business, Montel acknowledges.

"The issue for many organizations is evaluating uptime, versus taking something offline to patch," he says. "In this case, the calculation really couldn’t be more straightforward — a few minutes of inconvenience, or days of disruption."

**Virtualization Is Inherently a Risk**

Other security experts don't believe the ongoing ESXi attack is as straightforward as a patching issue. Though lack of patching may solve the problem for some organizations in this case, it's not as simple as that when it comes to protecting virtualized environments in general, they note.

The fact of the matter is that VMware as a platform and ESXi in particular are complex products to manage from a security perspective, and thus easy targets for cybercriminals, says David Maynor, senior director of threat intelligence at cybersecurity training firm Cybrary. Indeed, multiple ransomware campaigns have targeted ESXi in the past year alone, demonstrating that savvy attackers recognize their potential for success.

Attackers get the added bonus with the virtualized nature of an ESXi environment that if they break into one ESXi hypervisor, which can control/have access to multiple virtual machines (VMs), "it could be hosting a lot of other systems that could also be compromised without any additional work," Maynor says.

Indeed, this virtualization that's at the heart of every cloud-based environment has made the task of threat actors easier in many ways, Montel notes. This is because they only have to target one vulnerability in one instance of a particular hypervisor to gain access to an entire network.

"Threat actors know that targeting this level with one arrow can allow them to elevate their privileges and grant access to everything," he says. "If they are able to gain access, they can push malware to infiltrate the hypervisor level and cause mass infection."

**How to Protect VMware Systems When You Can't Patch**

As the latest ransomware attack persists — with its operators encrypting files and asking for around 2 Bitcoin (or $23,000 at press time) to be delivered within three days of compromise or risk the release of sensitive data — organizations grapple with how to resolve the underlying issue that creates such a rampant attack.

Patching or updating any vulnerable systems immediately may not be entirely realistic, other approaches may need to be implemented, notes Dan Mayer, a threat researcher at Stairwell. "The truth is, there are always going to be unpatched systems, either due to a calculated risk taken by the organizations or due to resource and time constraints," he says.

The risk of having an unpatched system in and of itself may be mitigated then by other security measures, such as continuously monitoring enterprise infrastructure for malicious activity and being prepared to respond quickly and segment areas of attack if a problem arises.

Indeed, organizations need to act on the assumption that preventing ransomware "is all but impossible," and focus on putting tools in place "to lessen the impact, such as disaster recovery plans and context-switched data," notes Barmak Meftah, founding partner at cybersecurity venture capital firm Ballistic Ventures.

However, the ongoing VMware ESXi ransomware attack highlights another issue that contributes to an inherent inability for many organizations to take the necessary preventative measures: the skill and income gaps across the globe in the IT security realm, Mayer says.

"We do not have enough skilled IT professionals in nations where wealthy companies are targets," he tells Dark Reading. "At the same time, there are threat actors across the globe who are able to make a better living leveraging their skills to extort money from others than if they took legitimate cybersecurity work."

Mayer cites a report by the international cybersecurity nonprofit (ICS2) that said to secure assets effectively, the cybersecurity workforce needs 3.4 million cybersecurity workers. Until that happens, "we need to ramp up training these workers, and while the gap still exists, pay those with the skills around the world what they are worth, so they don’t turn to being part of the problem," Mayer says.

Source

DARKReading