Human-centric security leader will deliver passwordless technology across every major device, browser, and operating system.

**TORONTO, Nov. 3, 2022 /PRNewswire/ —** 1Password, a leader in human-centric security and privacy, today announced the acquisition of Passage, a developer-first passwordless authentication company. 1Password will use Passage's technology to launch a passwordless authentication platform for enterprises – enabling a safer, simpler, and more secure end-user experience across any platform or device.

"1Password is focused on empowering companies and consumers to have safer and simpler digital experiences. As the world evolves, that means helping companies and consumers navigate all the complexities on the path to a passwordless future," said Jeff Shiner, chief executive officer of 1Password. "With today's Passage acquisition, we are committing to giving businesses and end users what they want and deserve: the convenience of passwordless without compromising security."

Together, 1Password and Passage Identity will enable developers, businesses, and consumers to make progress toward a passwordless future by accelerating adoption of passkeys. Passkeys represent the opportunity to replace passwords in favor of more secure and seamless user experiences. With passkeys, the pain of forgotten passwords is a thing of the past, and users minimize exposure to phishing attacks. For businesses, passwordless authentication can improve top- and bottom-line revenue by eliminating forgotten customer passwords and reducing sign-up friction.

"Passwords are ubiquitous, but ever-changing requirements can make them a hassle to use, and that can harm the user experience and cause real ramifications for businesses," said Cole Hecht, co-founder and chief executive officer of Passage. "1Password's market leadership and human-centric mission make them a natural fit to achieve our shared vision of a secure, user-friendly experience that enables businesses to deliver a frictionless and safe experience to users on any device – no QR codes required."

The entire Passage team, including co-founders Cole Hecht (CEO) and Anna Pobletts (CTO), will bring their technical expertise and exclusive focus on passkey authentication to 1Password. The Passage team will continue to focus on developing passkey-first authentication for consumer-facing businesses. This solution will be available in beta in early 2023.

The FIDO Alliance is an open industry association focused on improving authentication standards to minimize password use and improve online security. "Enterprises around the world are rapidly adopting FIDO-based solutions in order to accelerate the journey toward a safer, passwordless future," said Andrew Shikiar, executive director and CMO of the FIDO Alliance. "With the Passage acquisition, 1Password has bolstered their solution offering which stands to help more companies reduce reliance on passwords in favor of user-friendly and unphishable FIDO authentication."

**About 1Password  
**1Password's human-centric security keeps people safe, at work and at home. Our solution is built from the ground up to enable anyone – no matter the level of technical proficiency – to navigate the digital world without fear or friction. The company's award-winning security platform is re-shaping the future of authentication, including passwordless. 1Password is trusted by over 100,000 businesses such as IBM, Slack, Snowflake, Shopify, and Under Armour and protects the most sensitive information of millions of individuals and families across the globe. The company's ultimate goal is to help consumers and businesses get more done in less time – with security and privacy as a given. Learn more at 1Password.com.

1Password Acquires Passage Identity to Power a Passwordless Future

During the 2022 holiday shopping season, US consumers will still be shopping digitally, despite cyberattacks and fraud attempts being top of mind.

**W****ASHINGTON, Nov. 3, 2022 /PRNewswire/ —** Iris® Powered by Generali, provider of a proprietary identity and cyber protection platform, today released the findings of its sixth annual _Holiday Shopping ID Theft_ survey, an annual survey that polls consumers on their holiday shopping habits and the cybersecurity and identity theft concerns they have surrounding their shopping plans. The key findings of this year's survey are listed below:

**Concerns About Data Breaches and Identity Protection Trend Higher**

*   Seven in 10 respondents (71%) express concerns about their personal and financial data being at risk during the holiday shopping season.
    *   Inflation remains the top concern for 69% of respondents, but data privacy remains the number two concern for nearly 40% of Americans.
*   Four in five Americans (82%) say that past data breaches have impacted their willingness to shop with a specific retailer.
    *   Two-thirds of respondents (67%) reported that data breaches would have some impact on their holiday shopping decisions, making them more hesitant to shop with a retailer affected by a data breach.
*   Nearly two-thirds of those surveyed (65%) would feel safer with identity theft protection services baked into a retailer's offering.
    *   Seven in 10 Millennials (72%) are the most likely of any demographic to shop with a retailer that offers identity theft protection services.

**Men and Millennials Most Likely to Spend Big this Holiday Season**

*   30% of men and 39% of Millennial shoppers plan to spend over $1,000 respectively during the holiday season, considerably higher than all other demographics.
*   Two in three shoppers (67%) will spend less than $1,000.
*   Women (73%) are more likely to spend less than $1,000 when compared with men (60%) during this holiday season.

**Online Shopping Remains the Retail King, But Over Half Will Shop at Brick-and-Mortar Stores**

*   Online shopping will account for 85% of consumer buying, remaining consistent with reports from 2021's _Holiday Shopping ID Theft_ survey.
    *   55% of respondents also reported that they plan to shop at brick-and-mortar stores, and in-person shopping numbers rival that of reports from 2017's survey.
*   Nine in 10 Gen Zers (89%), Millennials (91%), and Gen Xers (89%) plan to shop online compared to 79% of Baby Boomers.
    *   Two-thirds of Millennials (68%) and six in 10 Gen Zers/Gen Xers (61%) plan to use a cell phone to shop online, compared with just 31% of Baby Boomers.
*   One in three Americans (33%) trust e-retailers the most with their personal data this holiday shopping season, but nearly as many (29%) consider big box stores the most trustworthy.
    *   Local small businesses (18%) rank third in trustworthiness, followed by department stores (11%).
    *   Only 5% of American consumers trust social media platforms the most with their personal data this holiday shopping season.

**Debit Cards Will be the Primary Method of Payment for Holiday Shopping**

*   Eight in 10 (88%) of respondents reported that they plan to pay with a credit or debit card.
    *   Six in 10 respondents (60%) plan to use debit over credit cards, particularly Gen Z, Millennial, and Gen X shoppers.
    *   Nearly 40% of Millennial and Gen Z shoppers will take advantage of Buy Now, Pay Later apps, while over 40% of Baby Boomers and Gen X shoppers are more likely to use a credit card.

Paige Schaffer, CEO of Iris® Powered by Generali, commented on the findings, "Consumers view protecting their personal and financial data as a top priority this holiday season, and with good reason. Online shopping will still account for the bulk of purchases during the fourth quarter, and recent data breaches of large retailers clearly still weigh heavily on shoppers' minds. Consumers should be taking advantage of the most comprehensive identity theft protection and fraud protection services they can, as a large contingent of respondents (71%) expressed concerns about their personal and financial data being at risk during this holiday shopping season."

**Survey Methodology:**

This survey was conducted via an Online CARAVAN® survey conducted by Big Village among a sample of 1,009 adults ages 18 and older, live from October 10th through the 12th. Respondents were voluntary members of an online panel weighted by five variables – age, gender, geographic region, race, and education – using data from the U.S. Census Bureau to verify the accuracy of the results.

**About Iris® Powered by Generali:**

Iris® Powered by Generali is a B2B2C global identity and cyber protection company owned by the 190-year-old multinational insurance company, Generali, offering always-available identity protection and resolution experts (real people, 24/7/365) and tech-forward solutions that uncomplicate the protection process. Understanding that victimization has no geographical boundaries, we've got a solution no matter your customers' coordinates.

Iris® Powered by Generali Reports Four in Five Americans Less Willing to Shop at Stores With Data Breaches in 2022 Holiday Survey

Investment to advance efforts to detect and mitigate disinformation.

**WASHINGTON and SAN FRANCISCO, Nov. 2, 2022 /PRNewswire/ —** Alethea, a technology company that detects and mitigates disinformation, misinformation, and social media manipulation, raised $10 million Series A, led by Ted Schleinand Kevin Mandia of Ballistic Ventures.

Proceeds will be invested into Alethea's machine learning SaaS platform, Artemis (in closed beta), by growing its engineering and data science teams. Currently in use by household name brands, Artemis conducts multichannel analysis across billions of datapoints to identify disinformation and social media manipulation at its start. As a result, communicators and risk and intelligence teams have the insights they need to protect their brands, bottom lines, and market cap.

"Disinformation is the next iteration of information security, and communicators and risk professionals are on the front lines of protecting their organizations from the information that exists outside their systems," said Lisa Kaplan, Founder and CEO of Alethea. "We've earned our record of alerting customers to the unknown unknowns to help avoid crises. Our incident response capabilities during high-stress periods, such as short-seller attacks, protects our customers. To provide this protection at scale, we created the system that didn't exist – Artemis – to provide tailored insights into the disinformation, misinformation, and social media manipulation ecosystem."

"We have found the right partners with Ted, Kevin, and the Ballistic network to deliver this capability at scale. With the ability to operate in free economies and democracies at stake, we look forward to rapidly scaling our support to customers as they navigate the new digital reality," continued Kaplan.

"Alethea is on the cutting edge of the fight against misinformation, one of the biggest threats to our modern society," said Ted Schlein, Chairman and General Partner of Ballistic Ventures. "We invested in the company because we believe Alethea's proven technology is critical to helping corporations promote access to accurate information and a more secure world."

Alethea was represented by outside counsel, WilmerHale, in the transaction.

**About Ballistic Ventures**

Ballistic Ventures is a venture capital firm solely dedicated to early-stage cybersecurity and cyber-related companies. The founding partners, Kevin Mandia, Barmak Meftah, Ted Schlein, Jake Seid, and Roger Thornton, have spent their entire careers defending against every cyber threat conceivable. Collectively, they have founded, funded, and operated over 90 successful cybersecurity firms, led over 10,000 security professionals globally, and have 40+ years of experience in venture capital. Learn more at ballisticventures.com.

**About Alethea**

Alethea is a technology company helping the Fortune 500, private companies and nonprofits protect themselves from harms stemming from disinformation. Leveraging its multi-channel machine learning platform, Artemis, Alethea detects disinformation narratives across the internet, enabling customers to proactively defend against this pervasive threat. With Artemis-powered early detection, Alethea customers can protect their reputations, key assets, physical safety and market value. The company was founded in 2019 and is woman-owned. Learn more at www.aletheagroup.com.

Alethea Closes $10M Series A Financing Led by Ballistic Ventures

Award-winning email security leader expands best-in-class offerings with gateway-less deployment solution that streamlines security, increases visibility, and enhances efficacy for IT teams.

**LEXINGTON, Mass., November 1, 2022 —** Mimecast Limited (Mimecast), an advanced email and collaboration security company, today announced the launch and general availability of its Email Security, Cloud Integrated solution that will help enable organizations to Work Protected™. This gateway-less solution is designed to optimize protection for Microsoft 365 environments with scalable, best-in-class email and collaboration security. Typically deployed in less than 5 minutes, this solution is ideal for IT teams that need email security delivered the fastest way possible.

Mimecast’s Email Security, Cloud Integrated solution is designed to empower organizations of all sizes to address critical security challenges such as increasingly sophisticated attacks, an expanded hybrid attack surface, a growing skills gap and more. This new gateway-less deployment solution is engineered for organizations that want to secure their M365 environment without adding complexity or burdening overstretched teams.

“Backed by nearly two decades of email security expertise and a rich history of innovation, Mimecast is uniquely positioned to offer a flexible, gateway-less solution that helps organizations proactively enhance their security posture,” said David Raissipour, Mimecast Chief Technology & Product Officer. “With the evolving nature of today’s threat landscape, there isn’t a ‘one-size-fits-all’ email security solution designed to address the unique needs of every enterprise. Scalability is key. Mimecast’s Email Security, Cloud Integrated deployment solution enables us to scale our services so more organizations can Work Protected by securing their business communications, people, and data.”

“Microsoft 365 cloud-delivered email has become core to more than two-thirds of the world’s email communications infrastructure,” said Dave Gruber, Principal ESG Analyst with the Enterprise Strategy Group. “Despite native security and resilience capabilities included within M365, additional layered controls from companies like Mimecast are helping IT and security teams deliver increased levels of security and resiliency needed to support their business operation. This new Mimecast offering carries forward the comprehensive security solution that Mimecast is well known for, now available in a gateway-less deployment model, offering a fast-path to higher levels of security and resiliency.”

A free 30-day trial of Email Security, Cloud Integrated can typically be activated in under 5 minutes and is currently available to new customers located in the United States and the United Kingdom, with availability in additional countries continuing through 2023. To learn more about Email Security, Cloud Integrated and enroll in the free trial, visit https://www.mimecast.com/free-trial/.

**Mimecast: Work Protected™**

Since 2003, Mimecast has stopped bad things from happening to good organizations by enabling them to Work Protected. We empower more than 40,000 customers to help mitigate risk and manage complexities across a threat landscape driven by malicious cyberattacks, human error, and technology fallibility. Our advanced solutions provide the proactive threat detection, brand protection, awareness training, and data retention capabilities that evolving workplaces need today. Mimecast solutions are designed to transform email and collaboration security into the eyes and ears of organizations worldwide.

Mimecast Unveils Email Security, Cloud Integrated for Optimized Flexibility and Speed

**FOSTER CITY, Calif., Nov. 2, 2022 /PRNewswire/ —** Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, today announced financial results for the third quarter ended September 30, 2022. For the quarter, the Company reported revenues of $125.6 million, net income under United States Generally Accepted Accounting Principles ("U.S. GAAP") of $27.7 million, non-GAAP net income of $36.8 million, Adjusted EBITDA of $54.9 million, GAAP net income per diluted share of $0.71, and non-GAAP net income per diluted share of $0.94.

"In Q3, we delivered another quarter of strong revenue growth and cash flow generation," said Sumedh Thakar, president and CEO. "We believe our extendable cloud-based platform is core to building a durable growth business over the long term. The launch of TotalCloud flexes the power of our platform by enabling cloud-native VMDR with accurate, comprehensive and unrestricted scanning options to uniquely secure cloud and container environments from build to run-time. We believe the Blue Hexagon acquisition allows us to further extend the Qualys Cloud Platform by transforming our massive data lake into a powerful, predictive analytics engine to perform real-time zero-day threat detection while advancing our value proposition and competitive differentiation in the market."

**Third Quarter 2022 Financial Highlights**

Revenues: Revenues for the third quarter of 2022 increased by 20% to $125.6 million compared to $104.9 million for the same quarter in 2021.

Gross Profit: GAAP gross profit for the third quarter of 2022 increased by 21% to $99.6 million compared to $82.5 million for the same quarter in 2021. GAAP gross margin was 79% for both the third quarter of 2022 and the third quarter of 2021. Non-GAAP gross profit for the third quarter of 2022 increased by 20% to $102.2 million compared to $85.1 million for the same quarter in 2021. Non-GAAP gross margin was 81% for both the third quarter of 2022 and the third quarter of 2021.

Operating Income: GAAP operating income for the third quarter of 2022 was $33.3 million compared to $32.0 million for the same quarter in 2021. As a percentage of revenues, GAAP operating income was 27% for the third quarter of 2022 compared to 30% for the same quarter in 2021. Non-GAAP operating income for the third quarter of 2022 increased by 11% to $48.0 million compared to $43.1 million for the same quarter in 2021. As a percentage of revenues, non-GAAP operating income was 38% for the third quarter of 2022 compared to 41% for the same quarter in 2021.

Net Income: GAAP net income for the third quarter of 2022 was $27.7 million, or $0.71 per diluted share, compared to $27.8 million, or $0.70 per diluted share, for the same quarter in 2021. As a percentage of revenues, GAAP net income was 22% for the third quarter of 2022 compared to 26% for the same quarter in 2021. Non-GAAP net income for the third quarter of 2022 was $36.8 million, or $0.94 per diluted share, compared to $34.2 million, or $0.86 per diluted share, for the same quarter in 2021. As a percentage of revenues, non-GAAP net income was 29% for the third quarter of 2022 compared to 33% for the same quarter in 2021.

Adjusted EBITDA: Adjusted EBITDA (a non-GAAP financial measure) for the third quarter of 2022 increased by 9% to $54.9 million compared to $50.3 million for the same quarter in 2021. As a percentage of revenues, Adjusted EBITDA was 44% for the third quarter of 2022 compared to 48% for the same quarter in 2021.

Operating Cash Flow: Operating cash flow for the third quarter of 2022 decreased by 13% to $42.2 million compared to $48.5 million for the same quarter in 2021. As a percentage of revenues, operating cash flow was 34% for the third quarter of 2022 compared to 46% for the same quarter in 2021.

**Third Quarter 2022 Business Highlights**

*   VMDR received industry recognition as it was named the Best Vulnerability Management solution in the industry-leading SC Awards  
    2022. 
*   Qualys upgrades CyberSecurity Asset Management, adding External Attack Surface Management (EASM) to enable continuous discovery of unknown internet-facing assets and the automatic assessment of an organization's risk posture.
*   In collaboration with IBM, Qualys has made the power of the Qualys Cloud Platform available for IBM zSystems - delivering our award-winning VMDR, policy compliance and asset management capabilities to help protect IBM zSystems environments.
*   At Black Hat 2022, Qualys was once again front and center showing attendees how the powerful Qualys Cloud Platform offers everything they need to tackle threats with automated workflows for rapid response and a clear picture of what it takes to reduce risk in their organizations.

**Financial Performance Outlook**  

Based on information as of today, November 2, 2022, Qualys is issuing the following financial guidance for the fourth quarter and full year fiscal 2022. The Company emphasizes that the guidance is subject to various important cautionary factors referenced in the sections entitled "Legal Notice Regarding Forward-Looking Statements" and "Non-GAAP Financial Measures" below.

Fourth Quarter 2022 Guidance: Management expects revenues for the fourth quarter of 2022 to be in the range of $129.7 million to $130.7 million, representing 18% to 19% growth over the same quarter in 2021. GAAP net income per diluted share is expected to be in the range of $0.52 to $0.54, which assumes an effective income tax rate of 26%. Non-GAAP net income per diluted share is expected to be in the range of $0.89 to $0.91, which assumes a non-GAAP effective income tax rate of 24%. Fourth quarter 2022 net income per diluted share estimates are  
based on approximately 39.0 million weighted average diluted shares outstanding for the quarter.

Full Year 2022 Guidance: Management now expects revenues for the full year of 2022 to be in the range of $488.6 million to $489.6 million, representing 19% growth over 2021, up from the previous guidance range of $488.0 million to $489.5 million. GAAP net income per diluted share is expected to be in the range of $2.52 to $2.54, up from the previous guidance range of $2.39 to $2.44. This assumes an effective income tax rate of 22%. Non-GAAP net income per diluted share is expected to be in the range of $3.60 to $3.62, up from the previous guidance range of $3.50 to $3.55. This assumes a non-GAAP effective income tax rate of 24%. Full year 2022 net income per diluted share estimates are based on approximately 39.5 million weighted average diluted shares outstanding.

**Investor Conference Call**

Qualys will host a conference call and live webcast to discuss its third quarter financial results at 5:00 p.m. Eastern Time (2:00 p.m. Pacific Time) on Wednesday, November 2, 2022. To access the conference call by phone, please register here and you will be provided with dial in details. A live webcast of the earnings conference call, investor presentation and prepared remarks can be accessed at https://investor.qualys.com/events-presentations. A replay of the conference call will be available through the same webcast link following the end of the call.

Qualys Announces Third Quarter 2022 Financial Results

With Microsoft’s announcement on Nov. 2 of its support for Azure AD Certificate-based authentication (CBA) for both iOS and Android devices, Yubico is excited to share that the YubiKey is currently the only external device that supports CBA on Android and iOS. Plus, the YubiKey is the only FIPS certified phishing-resistant solution available for Azure AD on mobile.

Yubico worked closely with Microsoft to ensure CBA on mobile became a reality.

Microsoft’s new support provides users with the same convenient smart card authentication method on mobile devices that they have on their desktops. CBA has been a staple of governments and high security environments for decades, long before the invention of FIDO U2F and FIDO2, mostly due to its reliability and effectiveness in physical environments. With Executive Order 14028 on Improving the Nation's Cybersecurity, the adoption of CBA and other phishing-resistant multi-factor authentication methods are mandated for civilian federal agencies in the US.

CBA is widely deployed across many industries, and remains a favorite amongst security experts. For some organizations, it is the logical choice from the available Azure offerings. With this announcement, customers can now use CBA on their mobile devices using native Azure AD CBA. When using native Azure AD CBA, organizations can reduce their existing infrastructure and move it into the cloud. Azure AD CBA capabilities can also be combined with Conditional Access policies so admins can enforce phishing-resistant sign-in methods.

CBA is currently the only form of phishing-resistant authentication within Azure that is supported on mobile devices, which is an important factor for an organization when deciding which scheme to adopt.

“Yubico has been a driving force in working with our teams to build this solution that allows Microsoft customers to securely log into their Microsoft accounts on their iPhone or Android mobile device. This is a big win for us, Yubico, and most importantly our federal government customers,” said Sue Bohn, Vice President of Product Management for Microsoft’s Identity and Network Access (IDNA) group.

Setting up CBA on Azure requires some basic configuration steps within Azure AD and installation of the Microsoft Authenticator app on Android or iOS/iPadOS. The Yubico Authenticator app is also needed on iOS/iPadOS. The PIV credential must be set up independently from the Azure solution. Your existing YubiKey PIV/smart card issuance process does not need to change.

Also, with the new Conditional Access authentication strength policies, you can enforce CBA as the required sign-in mechanism.

Yubico and Microsoft are globally recognized leaders in cybersecurity assisting public and private organizations on their journey to Zero Trust. Both Yubico and Microsoft are FIDO Alliance members and committed to providing phishing-resistant authentication solutions based on FIDO2 and certificate-based authentication standards.

**Learn more**

Microsoft's mobile certificate-based solution coupled with the YubiKey is a simple, convenient, FIPS certified phishing-resistant MFA methods for organizations, and we’re excited to share additional details and best practices during our upcoming webinar, _New solutions to prevent phishing with Azure AD and YubiKeys_ on November 3rd at 9 am PT, register here to attend.

Certificate-Based Authentication With YubiKeys for Microsoft, Third-Party, and Web Applications Now Available on iOS and Android

"SandStrike," the latest example of espionage-aimed Android malware, relies on elaborate social media efforts and back-end infrastructure.

Adware and other unwanted and potentially risky applications continue to represent the biggest threat that users of mobile devices currently face. But that doesn't mean attackers aren't constantly trying to deploy other sophisticated mobile malware as well.

The latest example is "SandStrike," a booby-trapped VPN application for loading spyware on Android devices. The malware is designed to find and steal call logs, contact lists, and other sensitive data from infected devices; it can also track and monitor targeted users, Kaspersky said in a report this week.

The security vendor said its researchers had observed the operators of SandStrike attempting to deploy the sophisticated spyware on devices belonging to members of Iran's Baha'i community, a persecuted, Persian-speaking minority group. But the vendor did not disclose how many devices the threat actor might have targeted or succeeded in infecting. Kaspersky could not be immediately reached for comment.

**Elaborate Social Media Lures**

To lure users into downloading the weaponized app, the threat actors have established multiple Facebook and Instagram accounts, all of which purport to have more than 1,000 followers. The social media accounts are loaded with what Kaspersky described as attractive, religious-themed graphics designed to grab the attention of members of the targeted faith group. The accounts often also contain a link to a Telegram channel that offers a free VPN app for users wishing to access sites containing banned religious materials.

According to Kaspersky, the threat actors have even set up their own VPN infrastructure to make the app fully functional. But when a user downloads and uses SandStrike, it quietly collects and exfiltrates sensitive data associated with the owner of the infected device.

The campaign is just the latest in a growing list of espionage efforts involving advanced infrastructure and mobile spyware — an arena that includes well-known threats like NSO Group's notorious Pegasus spyware along with emerging problems like Hermit.

**Mobile Malware on the Rise**

The booby-trapped SandStrike VPN app is an example of the growing range of malware tools being deployed on mobile devices. Research that Proofpoint released earlier this year highlighted a 500% increase in mobile malware delivery attempts in Europe in the first quarter of this year. The increase followed a sharp decline in attack volumes toward the end of 2021.

The email security vendor found that many of the new malware tools are capable of a lot more than just credential stealing: "Recent detections have involved malware capable of recording telephone and non-telephone audio and video, tracking location and destroying or wiping content and data."

Google and Apple's official mobile app stores continue to be a popular mobile malware delivery vector. But threat actors are also increasingly using SMS-based phishing campaigns and social engineering scams of the sort seen in the SandStrike campaign to get users to install malware on their mobile devices.

Proofpoint also found that attackers are targeting Android devices far more heavily than iOS devices. One big reason is that iOS doesn't allow users to install an app via an unofficial third-party app store or to download it directly to the device, like Android does, Proofpoint said.

**Different Types of Mobile Malware in Circulation**

Proofpoint identified the most significant mobile malware threats as FluBot, TeaBot, TangleBot, MoqHao, and BRATA. The different capabilities integrated into these malware tools include data and credential theft, stealing funds from online accounts, and general spying and surveillance. One of these threats — FluBot — has been largely quiet since the disruption of its infrastructure in a coordinated law enforcement action in June.

Proofpoint found that mobile malware is not confined to a specific region or language. "Instead, threat actors adapt their campaigns to a variety of languages, regions and devices," the company warned.

Meanwhile, Kaspersky said it blocked some 5.5 million malware, adware, and riskware attacks targeted at mobile devices in Q2 2022. More than 25% of these attacks involved adware, making it the most common mobile threat at the moment. But other notable threats included mobile banking Trojans, mobile ransomware tools, spyware link SandStrike, and malware downloaders. Kaspersky found that creators of some malicious mobile apps have increasingly targeted users from multiple countries at once.

The mobile malware trend poses a growing threat to enterprise organizations, especially those that allow unmanaged and personally owned devices in the workplace. Last year, the US Cybersecurity and Infrastructure Security Agency (CISA) released a checklist of actions that organizations can take to address these threats. Its recommendations include the need for organizations to implement security-focused mobile device management; to ensure that only trusted devices are allowed access to applications and data; to use strong authentication; to disable access to third-party app stores; and to ensure that users use only curated app stores.

Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware

An attack campaign using phishing attacks gives threat actors access to internal Dropbox code repositories, the latest in a series of attacks targeting developers through their GitHub accounts.

A massive phishing campaign targeting GitHub users convinced at least one developer at Dropbox to enter in their credentials and a two-factor authentication code, leading to the theft of at least 130 software code repositories.

According to a Dropbox advisory on Nov. 1, the mid-October attack consisted of emails that appeared to be from CircleCI, a popular DevOps platform, and directed Dropbox employees to go to a fake login page, enter in their GitHub credentials, and then enter in the one-time password created by a hardware key. 

The attacker eventually succeeded with at least one target, gaining access to and copying 130 code repositories, which included customized versions of third-party libraries, prototypes of internal software projects, and a collection of tools and configuration files maintained by the Dropbox security team.

The attackers did not gain access to the company's core software or the files used to configure and operate its infrastructure, Dropbox said in its advisory.

"Our security teams took immediate action to coordinate the rotation of all exposed developer credentials, and determine what customer data — if any — was accessed or stolen," the company stated. "We also reviewed our logs, and found no evidence of successful abuse."

**GitHub Developers: In the Cyber-Crosshairs**

Dropbox programmers were not the only developers targeted by the attackers. In September, GitHub warned that a threat group had begun targeting the service's users with the same tactic: phishing emails that purported to be from CircleCI, with the goal of harvesting user credentials and the one-time passwords used by developers as a second factor of authentication.

The stakes are high: An attacker who successfully steals a developer's credentials can then download code from any private repository to which the compromised account has access and use a variety of techniques — such as creating personal access tokens, adding SSH keys, and authorizing applications using OAuth — to maintain persistence of access, GitHub stated in a September advisory.

"While GitHub itself was not affected, the campaign has impacted many victim organizations," the advisory stated.

**Cyber-Risks to Dropbox Customers "Minimal"**

The attack on the Dropbox developer allowed the attackers to nab a "few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors," Dropbox noted, adding that it has more than 700 million registered users. Despite this, the privacy risks to customers, partners and employees are "minimal," Dropbox maintained.

"At no point did this threat actor have access to the contents of anyone's Dropbox account, their password, or their payment information," Dropbox said in its statement. "To date, our investigation has found that the code accessed by this threat actor contained some credentials — primarily, API keys — used by Dropbox developers."

Developers have become an increasingly popular target of attackers. Stolen Slack credentials, for example, have allowed the compromise of developer accounts at software and game makers, including Take-Two Interactive's Rockstar Games.

Like most security experts, Dropbox stressed that humans — even the most technical and knowledgeable users — are fallible, and for that reason, technical controls continue to be important.

"Even the most skeptical, vigilant professional can fall prey to a carefully crafted message delivered in the right way at the right time," the company said. "This is precisely why phishing remains so effective — and why technical controls remain the best protection against these kinds of attacks."

**How to Adopt Phishing-Resistant Infrastructure**

Multifactor authentication (MFA) makes phishing for credentials much more difficult, but not impossible. Attackers have found ways around time-based one-time passwords (TOTPs), Javvad Malik, an evangelist at security awareness and training provider KnowBe4, said in a statement sent to Dark Reading.

"As MFA adoption increases in popularity, we see criminals adapt their methods to bypass MFA controls by tricking the users in increasingly sophisticated ways," he said. "This is why phishing-resistant MFA is strongly advised so that social engineering attacks have less likelihood of succeeding."

In its advisory, GitHub stressed that companies should move instead to hardware security keys, the codes for which a user cannot inadvertently hand over to an attacker, or WebAuthn, a standards-based way to use hardware keys for two-factor authentication.

Dropbox has already embarked on the latter path, the company said.

"Prior to this incident, we were already in the process of adopting this more phishing-resistant form of multi-factor authentication," Dropbox stated in its advisory. "Soon, our whole environment will be secured by WebAuthn with hardware tokens or biometric factors."

Dropbox Code Repositories Stolen in Cyberattack on GitHub-Based Developers

Vulnerable people are lured by Facebook ads promising high-paying jobs, but instead they're held captive and put to work in Cambodia running cyber scams.

Up to 100,000 people from across Asia have been lured to Cambodia by Chinese crime syndicates with the promise of good jobs. When they arrive, their passports are seized and they are put to work in modern-day sweatshops, running cybercrime campaigns. 

The Los Angeles Times reported that Cambodia, which was hit hard economically by the pandemic, has allowed Chinese mobsters to set up enormous cybercrime operations using human trafficked labor without consequence, because of the revenue it generates for the country. The campaigns they carry out run the gamut from romance scams to fake sports betting.

Although the Cambodian government acknowledges that as many as 100,000 workers are involved in these activities, it denies anyone is being held against their will. However, the stories from traumatized victims rescued from cybercrime mills include tales of beatings and torture for failing to meet quotas, and of being sold and passed around from gang to gang.

"Instead of getting fired for poor performance, you get physical punishments — forced push-ups and squats, tased, beaten, deprived of food, locked up in dark rooms or worse," Jacob Sims, country director for International Justice Mission Cambodia, a rights group that has rescued many of these victims, told the LA Times. “On the other hand, those who consistently meet or surpass their targets are rewarded with more freedoms, food, money, and control over other victims.”

International scrutiny has ramped up in the last few months on the operations, with the US recently downgrading Cambodia to the lowest tier on its human trafficking index.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Chinese Mob Has 100K Slaves Working in Cambodian Cybercrime Mills

The renowned security researcher, ethical hacker, and cybersecurity phenom was found Wednesday by the US Coast Guard.

Vitali Kremez, chairman and CEO of AdvIntel, has been found dead after going missing on Oct. 30. He was 36 years old.

The US Coast Guard announced on Wednesday that the body of the longtime security researcher and ethical hacker had been recovered from the sea, after days of searching along the Florida coast. He was last seen "wearing a black wetsuit and scuba tank while diving near Hollywood Beach, Fla.," according to the Coast Guard.

According to local reports, he went into the water around 9 a.m. EDT on Sunday, and did not return.

Peers, supporters, and admirers began offering condolences on Wednesday. "This is an incredibly heart-breaking loss for the world," tweeted Danny Aga, vice president at managed security provider Solis Security. "VK was a superhero and will be missed by many."

    

Vitali Kremez. Source: LinkedIn.

Kremez's career has been a storied one, with wunderkind overtones. After graduating _summa cum laude_ from John Jay College of Criminal Justice at the City University of New York (CUNY), he enjoyed a successful career as a cybercrime investigative analyst for the New York County District Attorney’s Office. There, he partnered with federal and international law enforcement on a range of cybercrime busts, including prosecuting intrusions at American Express, Goldman Sachs, Saks Fifth Avenue, and StubHub.

He then quickly catapulted into a range of top-tier industry positions, including as head of SentinelLabs at SentinelOne, and director of advanced research at Flashpoint. In 2020, Kremez took the helm at Advanced Intelligence (AdvIntel), where he led an elite threat intelligence team and guided technology development to support proactive cyber-threat disruptions. Throughout it all, he has devoted himself to ethical hacking efforts, information-sharing, and malware research.

Kremez was also a prolific blogger and industry columnist (contributing articles to Dark Reading, BusinessReview, and Infosecurity Magazine, among others), and a go-to industry commentator on cybercrime, hacking incidents, and policy. He also delivered keynote presentations at NATO's 2018 summit and to the United Nations, and spoke regularly at cybersecurity industry events.

"My heart is broken for his family and for the great future he had," tweeted Gate 15 risk management analyst and podcaster Andy Jabbour. "He \[was\] such an incredibly smart and amazing person."

Source

DARKReading