Experts say CVE-2022-42899 is a serious vulnerability, but widespread exploitation is unlikely because of the specific conditions that need to exist for it to happen.

Researchers who have analyzed the recently disclosed vulnerability in Apache Commons Text — referred to by some as Text4Shell — described it this week as serious but unlikely to be as disruptive as last year's Log4j bug.

The flaw (CVE-2022-42889) is present in versions 1.5 through 1.9 of Apache Commons Text and gives attackers a way to run malicious code remotely on vulnerable systems. The Apache Software Foundation (ASF) disclosed the flaw last week in a brief advisory and recommended that organizations upgrade to Apache Commons Text 1.10.0, a version that the ASF released on Sept. 24 or more than two weeks before bug disclosure.

CVE-2022-42889 stems from insecure defaults when Apache Commons Text performs a function called variable interpolation, which involves the process of looking up and evaluating code strings that contain placeholders. According to the ASF, the set of Lookup instances in versions 1.5 through 1.9 of Apache Commons Text included interpolators that could trigger arbitrary code execution or contact with remote servers. Since the vulnerability was disclosed, several researchers have released proof-of-concept code showing how it can be exploited and scanners for finding potential targets to attack.

Shachar Menashe, senior director of security research at JFrog, says Apache Commons Text (ACT) is an extremely common Java library focused on algorithms that work on strings. "ACT provides an API to perform variable interpolation — or substitution — allowing properties to be dynamically evaluated and expanded," Menashe says. "Some functions of this library were found to lead to remote code execution if attacker-controlled data is passed to these functions."

There are three potential substitution sources that could have a security impact if an attacker has control of the string being interpolated: script, dns, and url, he explains. Attackers could use the script source to execute arbitrary JavaScript code; they could use the dns source to proxy dns requests, and the url source as a server-side request forgery vector, Menashe says.

However, "the vulnerability can only be exploited in cases where some Java code exists that uses \[Apache Commons Text\] and passes attacker-controlled data to specific functions," he says. "We believe exploitation won't be as widespread as Log4Shell since these functions seem to be less likely to receive external user input." 

An attacker would have to research the target Java application and find an input that is passed to the vulnerable functions, which the attacker can control, Menashe says. At the same time, it's unwise to rule out that possibility.

"It's still possible this will blow up if researchers start finding other popular third-party services that use this library and pass external input to these vulnerable functions by default," Menashe notes. "But as of now, no such third-party services have been found."

ASF describes the Commons Text library as providing additions to the standard Java Development Kit's (JDK) text handling. Sonatype's Maven Central Java repository lists 2,588 projects that currently use the library. Among them are Apache Hadoop Common, Apache Velocity, Spark Project Core, and Apache Commons Configuration,

**Widespread Exploitation Seems Unlikely**

Erick Galinkin, principal researcher at Rapid7, says the fact that CVE-2022-42889 is a library vulnerability makes it hard to say for certain what its impact will be. A lot depends on how the vulnerable object is used in a particular application. "Overall, our assessment is that the vulnerability is potentially serious," he says. "It is certainly important to patch affected applications as those patches become available, but not worth panicking over."

The severity is really a function of how the vulnerable object — the Commons Text StringSubstitutor interpolator — is used. "If there's an application out there that is using the interpolator on arbitrary untrusted input, a user of that application is going to have a bad time," he says. 

But based on initial research, the vulnerable object isn't very common, and it is implausible for an unprivileged attacker to actually gain control of the relevant strings. "That said, there may still be some application using this in a way that is risky, and in that case, the potential for code execution is very high," Galinkin said.

He adds that the ability for an attacker to discover vulnerable targets depends on how an organization might have implemented the vulnerable component. "Many of the proofs-of-concept for the vulnerability, including ours, just involve passing a crafted string to the interpolator — so in that sense, it is extremely easy to exploit," he says. In many other implementations an attacker would need to already have some level of access, making it difficult to exploit.

Menashe notes that JFrog has written an open source tool to detect Java binaries that are vulnerable to this issue. The tool can help organizations determine whether the version of commons-text is vulnerable.

He adds: "The tool also locates the calls to the vulnerable functions in compiled \[.jar files\] and reports the findings as class name and method names in which each vulnerable call appears."

Apache Commons Vulnerability: Patch but Don't Panic

We need more than the incomplete snapshot SBOMs provide to have real impact.

With Executive Order 14028, a large regulatory push toward mandating the production of a software bill of materials (SBOM) began. As this new buzzword spreads, you'd think it was a miracle cure for securing the software supply chain. Conceptually, it makes sense — knowing what is in a product is a reasonable expectation. However, it is important to understand what exactly an SBOM is and whether or not it can objectively be useful as a security tool.

**Understanding SBOMs**

SBOMs are meant to be something like a nutrition label on the back of a grocery store item listing all of the ingredients that went into making the product. While there currently is no official SBOM standard, a few guideline formats have emerged as top candidates. By far, the most popular is the Software Data Package Exchange (SPDX), sponsored by the Linux Foundation.

SPDX, as with most other formats, attempts to provide a common way to represent basic information about the ingredients that go into the production of software: names, versions, hashes, ecosystems, ancillary data like known flaws and license information, and relevant external assets. However, software is not as simple as a box of cereal, and there is no equivalent to the Food and Drug Administration enforcing compliance to any recommended guidelines.

**Everything Is Optional, Therefore Nothing Is Required**

One of the biggest and most obvious gaps in SPDX and other standards is that, like the open source ecosystem at large, it is a set of communities built on general guidelines, not verified standards. Open source communities are wide and sprawling, with contributors from across the globe. Often, package managers and hosting environments are designed by separate committees, each operating in isolation. While SBOM mandates represent an early attempt to unify these many silos of information, they suffer from some of the fundamental limitations of applying a standard retroactively.

First and foremost, the cracks begin to show when we consider what SPDX actually provides. As it turns out, nearly every field in the standard is optional. While this optionality of fields is clearly an artifact of how different the many software ecosystems the format attempts to cover really are, an SBOM loses its value as a real source of truth if there is no requirement for cryptographic hashes or other information that would allow us to positively associate the library with the information presented in the SBOM document.

**SBOMs Miss the Mark on Provenance**

In addition to being incomplete, many of the inputs cannot be properly represented in the current formats, especially from places like version control system repositories. While some emerging frameworks like SLSA attempt to apply notions of provenance, no format hits the mark. We must incorporate accurate provenance data into the SBOM format in order to ensure that we get a reasonable view of what is inside the software we are consuming. This should include the following, at minimum:

*   **Author identity information:** Both maintainers and contributors are a critical part of the software supply chain. They hold the proverbial keys to the kingdom, and choose how the software we consume downstream is released. Even if complete data cannot be captured, we can absolutely do better than what is provided today, which is nothing at all.
*   **Development tools:** This includes build tools, CI/CD infrastructure, and tools used during the development of upstream software. What good is securing your internal development infrastructure if a compromise in any library you use could still cause an internal compromise?
*   **Controls and protections:** If one of the goals is third-party risk management, we must ask: What does the security posture of the development team look like? Is branch protection being used? What sort of review processes are applied?
*   **Artifact attestation:** We absolutely must be able to tie an entry within an SBOM document back to an actual artifact. This should include both an actual build artifact, such as a compiled package, as well as continuously developed artifacts such as tagged branches in a version control system.

Realistically, we must build an understanding of each of these elements to comprehend what goes into the software we are utilizing before even considering how an SBOM may be operationalized.

**We Can't Rely On a Simple Snapshot in Time**

Finally, the biggest challenge with broad SBOM adoption is that the static format only provides the truth in that moment. In order to be meaningful, SBOMs must have the ability to be delivered and accessed continuously.

Consider, for instance, that you were to receive a vendor SBOM from your cloud storage provider. Not only would this SBOM be a document containing tens of thousands of individual pieces of software, but it would also contain many multiples of versions of those software packages. Now, consider that by the time you receive that information, it is likely already out of date. This is because large enterprises often ship hundreds or thousands of builds per day. By the time you have processed, consumed, and reasoned about an SBOM for any large vendor, the data is already stale.

Versions will have changed, new packages will have been added, and some packages may have been removed. Modern development best practices mean that builds and delivers are meant to be continuous, which leads to faster iteration and faster release cycles. It also means that the delivery of a single SBOM is all but meaningless. What this really implies is that there is a strong requirement for scalable automation around SBOMs in order for them to provide true value.

The intent behind SBOMs is to pave the way to improved visibility, both internally and externally. However, don't be fooled into thinking they will secure your software supply chain. We need more than an incomplete snapshot in time to have real impact.

SBOMs: An Overhyped Concept That Won't Secure Your Software Supply Chain

New data-protection innovations mitigate security risks by expediting deployment cycles and simplifying operational complexity.

**SAN JO****SE, Oct. 18,** **2022** — Zscaler, Inc. (NASDAQ: ZS), the leader in cloud security, today announced new data protection innovations that build upon a rich heritage of securing data across all cloud apps for data in motion, data at rest, and BYOD assets with unprecedented accuracy and scale. The new advancements accelerate data protection programs from months to hours with zero configuration for data loss prevention (DLP). This mitigates security risks by unifying data protection across all channels, simplifying operations by automating workflows.

In today’s highly mobile and cloud-centric world, data is created and distributed across hundreds of applications and workloads, escalating organizations’ risk of data loss. Enterprises’ inability to protect distributed data is reinforced in the findings of the new 2022 Data Loss Report by the Zscaler ThreatLabz research team. ThreatLabz found that 36% of cloud application data is accessible via the open internet. Analysis of nearly 6 billion data loss policy violations revealed that organizations experience an average of 10,000 potential data loss events daily resulting in losses greater than $4.35 million.¹

Traditional DLP solutions can't secure distributed data and require a massive amount of resources to configure, maintain and manage, which can be costly and result in months to implement, putting organizations at risk. Concurrently, the lack of automated workflows prevents security teams from managing critical risks leading to elongated mitigation timelines and unresolved incidents. To make matters worse, the reliance on separate point products for different channels causes increased risk, reduced visibility and inconsistent policies. Organizations that have not deployed a unified zero trust strategy suffer an additional $1 million loss on average¹, indicating that data protection can not be a standalone endeavor.

“Building on eight years of data protection innovations, Zscaler has employed advanced auto-classification capabilities to accelerate setup and reduce security team overhead and costs,” said Moinul Khan, Vice President & General Manager, Data Protection, Zscaler. “Unlike other data protection solutions, this ensures that Zscaler Data Protection works for the IT administrator, rather than having the IT administrator work for it. In addition, the technology we acquired from the recently announced ShiftRight acquisition allows organizations to manage hundreds of potential risks and incidents in a simple yet very sophisticated way to reduce case resolution time significantly."

The recently introduced security category, security service edge (SSE), reinforces the market’s need for unified data protection as part of a larger, purpose-built security platform. These advancements to the Zero Trust Exchange, aligned to SSE principles, further Zscaler’s position as a leader in data protection by empowering security teams with:

  

*   **_Expedited Deployment Cycles with_** **_Zero Configuration DLP_****:** Utilizing the scale of the world’s largest security cloud that processes 170 million files per day, the new zero configuration DLP capabilities auto classify all organizational data, thereby accelerating the deployment of data protection programs.
*   **_Mitigated Security Risks by Unifying_** **_Data Protection Across all Channels:_** The addition of endpoint, and email data protection capabilities adds to the existing support of web, SaaS, IaaS, PaaS and private apps. This removes the need for point products, decreasing security risks and management complexity by unifying policies across channels.
*   **_Simplified Operations through_** **_Automated Workflows_****:** Advanced closed-loop incident management delivers actionable insights and automates workflows to respond to potential security risks in a timely and effective manner.

“Securing data is always a challenge due to complex workflows and inconsistent protection strategies and coverage across users and devices," said Bashar Abouseido, CISO, Charles Schwab. "With Zscaler, that has all changed, as we now have one unified platform with full visibility and policy control while drastically streamlining our processes.”

"Zscaler is one of the most seamless, straightforward deployments I've seen in a while,” said Thomas Likas, Head of Cyber & Digital Trust Enterprise Architecture, Takeda. “Their comprehensive and unified approach to protecting data across all channels helps us transform and evolve our data protection program, ensuring sensitive data remains secure from accidental loss or malicious exfiltration.”

“The DLP market has long suffered from complexity and efficacy issues due to the need for time-intensive, manual configuration and management,” said John Grady, Senior Analyst, Enterprise Strategy Group (ESG). “Zscaler’s massive data set, garnered from the 250 billion transactions its security cloud processes every day, provides impressive scale and a key differentiation in the market. This scale enables greater visibility and accuracy, which translates into ease of use, better efficiencies, and lower costs for customers.”

1\. Zscaler, 2022 ThreatLabz Data Loss Report, Oct. 18, 2022

**Additional Resources**

For a deeper dive into the new Data Protection features, please visit.

The 2022 ThreatLabz Data Loss Report, in which the Zscaler ThreatLabz research team has analyzed nearly 6 billion data loss policy violations from November 2021 through July 2022, can be downloaded here.

**About Zscaler**

Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SSE-based Zero Trust Exchange is the world’s largest inline cloud security platform.

_Zscaler™ and the other trademarks listed at_ _https://www.zscaler.com/legal/trademarks_ _are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the properties of their respective owners._

Zscaler Advances Enterprise Data Security With Zero-Configuration Data Protection

New version boosts VPN tunnel performance and lets users prioritize secure connection traffic for certain services.

**Woburn, Mass., Oct. 19, 2022** — Today Kaspersky unveiled a new version of Kaspersky VPN Secure Connection, which introduces a dramatic 200% boost in VPN tunnel performance, compared to 2020. A split-tunneling feature grants users the ability to prioritize secure connection traffic for certain services, while a VPN-for-routers capability automatically re-routes any connected device at home.

Global VPN usage is on the rise, with the market set to reach a colossal $77.1 billion by 2026. This comes as no surprise, since installing a VPN provides a quick and easy way to improve security and prevent data from falling into the wrong hands. It does this by routing data through an encrypted tunnel, which hides the IP address and makes it look as though the connection has come from elsewhere.

Alongside the performance increase, the updated Kaspersky VPN Secure Connection’s split-tunnelling feature allows users to select exactly what traffic goes through the VPN. This will help to achieve better performance, letting the user prioritize high-bandwidth traffic, focus on data in sensitive apps, and disable the VPN for other apps that might be reliant on location data.

The geography of servers within Kaspersky VPN Secure Connection has also been greatly increased, now offering 86 locations across 68 regions. This lets users access a wider range of content on the biggest global streaming services, including Netflix, Hulu, Amazon Prime, HBO Max, Disney+ and BBC iPlayer. An intuitive new function of the VPN helps customers to pick the best location for a particular task by recommending the one that provides the best performance level for either streaming or torrenting.

Additionally, the VPN for routers now allows all devices connected to home Wi-Fi to run through the VPN automatically, without having to set up each one individually. This feature is particularly useful for smart TVs, smart locks, and other smart home gadgets, on which a user cannot install a VPN directly, therefore providing uninterrupted privacy and security to these devices.

“As people continue to work from home and spend more time online, an increased importance is placed on keeping their data private as well as securing connected home devices,” said Marina Titova, vice president, consumer product marketing at Kaspersky. “To support consumers with their needs, we’ve invested a lot into improvement of our Kaspersky VPN. As a result, consumers can experience boosted VPN tunnel performance, with a 200% increase compared to 2020. The VPN also sees new features and better UX to ensure speed, privacy and high performance across all home devices.”

The new Kaspersky VPN Secure Connection is available now. To find out more about the product, visit this page.

****About Kaspersky****

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Kaspersky Launches New VPN to Amplify Speed and Convenience

Training service prepares ransomware response teams for successful threat actor engagement to mitigate damage, protect brand reputation, anticipate emerging threats, and more.

**Arlington, Va., Oct. 19, 2022 –** GroupSense, a digital risk protection services company, today announced the launch of a new Ransomware Negotiation Training service offering. During an immersive three-day, in-person training session, participants will learn the proper strategies to combat the negative consequences of an attack from negotiation experts at both GroupSense and Max Negotiating, a negotiation advisory firm that specializes in training lawyers and legal professionals. As a result of the training, participants will be able to help their client organizations identify threat actors, learn key cyber negotiation principles and strategies, protect brand reputation, avoid unnecessary business losses and stay ahead of emerging threats.

According to the Federal Bureau of Investigation’s Internet Crime Complaint Center, ransomware complaints increased 62% from 2020 to 2021. The increase in attacks makes negotiation with threat actors a crucial part of enabling an organization to resume operations, reducing permanent data loss and eliminating regulatory fines and penalties. While response teams, typically led by lawyers, are accustomed to negotiating on their client’s behalf, many have never communicated directly with threat actors or conducted negotiations under the constraints they impose. With GroupSense’s Ransomware Negotiation Training, participants will discover the ins-and-outs of ransomware attacks, the intricacies of threat actor engagement, discern their role in a ransomware negotiation and master a proactive ransomware response strategy.

“The business impact of a ransomware attack can be severe – revenue loss, brand and reputation damage, operational and business disruption, increased cyber insurance premiums and legal consequences,” said Maxwell Bevilacqua, chief negotiating officer of Max Negotiating. “By teaming up with GroupSense, we’re able to pair their expert ransomware negotiators with our negotiation experts to help clients - such as lawyers and law firms with cybersecurity practices - better understand the art and science of negotiation with threat actors so they can minimize damage to their companies.”

As part of the three-day training, GroupSense and Max Negotiating design a case simulation according to the structure of the client’s organization, putting the client’s response team through a fire drill to consolidate their strengths and highlight vulnerabilities, and prepare the team for worst-case scenarios. The agenda for the training is as follows:

*   **Day 1** – Participants begin by learning the anatomy of a ransomware attack, including how they are conducted, the roles involved and the ransomware ecosystem. Next, the GroupSense and Max Negotiating team provides a framework for conducting ransomware negotiations and delves into core principles as they apply to cybercrime and ransomware.
*   **Day 2** – The framework is then put to the test in a complex, dynamic, multi-party simulation of a ransomware attack. The simulation is recorded for future review and coaching on the third day.
*   **Day 3** – The team provides feedback as participants review recordings of the previous day’s negotiation simulation. The team leads participants in exercises to strengthen the vulnerabilities identified in the simulation. The training is then concluded by building out a team response plan.

After the training program, client organizations will have access to the video recordings as well as the Max Negotiating digital toolkit. They will also have the opportunity to engage in additional ransomware negotiation training and coaching opportunities from both GroupSense and Max Negotiating.

“Over the last three years, our ransomware experts have conducted some of the world’s largest ransomware and extortion negotiations, giving them in-depth practical knowledge of the process and the ability to develop a proven negotiation method that has garnered best-case outcomes for our clients,” said Kurtis Minder, co-founder and CEO, GroupSense. “We partnered with Max Negotiating to combine our field experience with their deep knowledge of the negotiation process to help response teams reduce panic and decision fatigue during a ransomware attack, to arm them with the skills to remain in control of the situation, and to provide the tools they need to engage successfully with threat actors and facilitate a positive outcome.”

In addition to the new Ransomware Negotiation Training offering, GroupSense has additional ransomware offerings, including its Ransomware Response Readiness Assessment (R3A) and Ransomware Negotiation Services. Additional services include ransomware incident support, post-incident monitoring and breach notification services. GroupSense also provides a ransomware hotline (1-800-484-9426) for companies to speak to an expert negotiator if they’ve been affected by ransomware.

For more information about GroupSense’s Ransomware Negotiation Training offering, download the data sheet, and to inquire about pricing, please contact \[email protected\].

**About GroupSense**

GroupSense is a digital risk protection services company delivering customer-specific intelligence to dramatically improve enterprise cybersecurity and fraud-management operations. Unlike generic cyber-intelligence vendors, GroupSense uses a combination of automated and human reconnaissance to create finished intelligence mapping each customer’s specific digital business footprint and risk profile. This enables customers to immediately use GroupSense’s intelligence to reduce enterprise risk, without requiring any additional processing or management by overstretched security and fraud-prevention teams. GroupSense is based in Arlington, Va., with a growing customer base that includes large enterprises, state and municipal governments, law enforcement agencies and more.

GroupSense Delivers New Ransomware Negotiation Training Service

Former Zscaler president to lead DigiCert's next stage of growth as the company accelerates its strategy, expands its product offering, and works to become the de facto standard for digital trust.

**LEHI, Utah, Oct. 19, 2022** – DigiCert, Inc., ("DigiCert" or the "Company") a leading global provider of digital trust, has named Amit Sinha as the Company's Chief Executive Officer, and a member of the DigiCert Board of Directors. Sinha joins DigiCert from Zscaler, Inc. ("Zscaler") where he served as President and a member of the Board of Directors. During his 12-year tenure, Zscaler grew from a startup to a NASDAQ-100 company and established itself as a leader in enterprise security. DigiCert is backed by Clearlake Capital Group, L.P. (together with its affiliates, "Clearlake"), Crosspoint Capital Partners ("Crosspoint"), and TA Associates ("TA").

"I'm honored and grateful for the opportunity to lead the DigiCert team," said Amit Sinha. "Digital trust is the cornerstone of our connected world and DigiCert has built a foundation with global enterprises by delivering comprehensive security solutions. As we look ahead, the Company is positioned to accelerate its leadership in digital trust for connected device and user authentication, secure software, documents, digital content and data integrity."

"Amit has a track record of delivering technology innovation, operational excellence, and customer value," said Behdad Eghbali, Co-Founder and Managing Partner, and Prashant Mehrotra, Partner and Managing Director, of Clearlake. "We look forward to partnering with Amit, and the DigiCert leadership team, as the Company embarks on its next phase of accelerated growth and expansion."

"Amit is a seasoned industry leader with deep security domain expertise and business acumen," said Greg Clark, Managing Partner of Crosspoint Capital and Chair of DigiCert's Board of Directors. "With Amit at the helm, we believe we can drive increasing market adoption of our core platform and deliver innovative new products and services to strengthen DigiCert’s position as the dominant provider of digital trust."

"Amit’s years of experience and passion for continuous technological innovation have positioned him well to guide DigiCert through its next strategic growth phase," said Jason Werlin, a Managing Director at TA. "We believe Amit will be a valuable addition to DigiCert’s talented management team and are excited to work closely with him as we aim to further DigiCert’s industry leadership."

Mr. Sinha brings over 20 years of technology, strategy, and operational experience from leading category-creating businesses at Zscaler, Motorola, AirDefense, and Engim. He has a doctorate in electrical engineering and computer science from the Massachusetts Institute of Technology and a Bachelor of Technology in electrical engineering from the Indian Institute of Technology, Delhi, where he graduated summa cum laude and was awarded the President of India Gold Medal. Mr. Sinha has authored over 25 journal/conference papers, contributed to three books, and is the inventor of 39 US patents, granted or pending.

**About DigiCert, Inc.**

DigiCert is a leading global provider of digital trust, enabling individuals and businesses to engage online with the confidence that their footprint in the digital world is secure. DigiCert® ONE, the platform for digital trust, provides organizations with centralized visibility and control over a broad range of public and private trust needs, securing websites, enterprise access and communication, software, identity, content and devices. DigiCert pairs its award-winning software with its industry leadership in standards, support and operations, and is the digital trust provider of choice for leading companies around the world. For more information, visit www.digicert.com or follow @digicert.

**About Clearlake**

Clearlake Capital Group, L.P. is an investment firm founded in 2006 operating integrated businesses across private equity, credit and other related strategies. With a sector-focused approach, the firm seeks to partner with management teams by providing patient, long-term capital to businesses that can benefit from Clearlake’s operational improvement approach, _O.P.S._® The firm’s core target sectors are technology, industrials, and consumer. Clearlake currently has over $70 billion of assets under management, and its senior investment principals have led or co-led over 400 investments. The firm is headquartered in Santa Monica, CA with affiliates in Dallas, TX, London, UK and Dublin. More information is available at www.clearlake.com and on Twitter @Clearlake.

**About Crosspoint Capital**

Crosspoint Capital Partners is a private equity investment firm focused on the cybersecurity, privacy and infrastructure software markets. Crosspoint has assembled a group of highly successful operators, investors and sector experts to partner with foundational technology companies. Crosspoint has offices in Menlo Park, CA, and Boston, MA. For more information visit: www.crosspointcapital.com.

**About TA**

TA Associates ("TA") is a leading global growth private equity firm. Focused on targeted sectors within five industries — technology, healthcare, financial services, consumer and business services — the firm invests in profitable, growing companies with opportunities for sustained growth, and has invested in more than 560 companies around the world. Investing as either a majority or minority investor, TA employs a long-term approach, utilizing its strategic resources to help management teams build lasting value in high quality growth companies. TA has raised $48.6 billion in capital since its founding in 1968. The firm's more than 110 investment professionals are based in Boston, Menlo Park, Austin, London, Mumbai and Hong Kong. More information about TA can be found at www.ta.com.

DigiCert Appoints Industry Veteran Amit Sinha as Chief Executive Officer

New partnership gives security analysts simplicity when sifting through data, thorough readouts of compliance options, and streamlined response to incidents.

**SANTA CLARA, Calif., Oct. 19, 2022** — Revelstoke has partnered with BreachRx to unify automated incident response and compliance capabilities with the Revelstoke next-generation enterprise Security Orchestration, Automation, and Response (SOAR) platform.

BreachRx has created the security industry’s first incident reporting and response automation solution. It is designed to help people find answers to security and regulatory compliance questions in real time and at the height of a crisis. Similarly, Revelstoke has developed a next-level-SOAR solution that allows Security Operations Centers (SOCs) to sift through incoming data and identify the most dangerous cyber threats. The two solutions together give organizations an off-the-shelf solution that holistically addresses problems like no other product currently on the market.

“In the past, security teams relied on trained people and manual processes, but given the scale of today’s threats and growing regulatory landscape, teams can't continue to throw people at the problem,” said Matt Hartley, Chief Product Officer and co-founder of BreachRx. “Our solutions together allow businesses to streamline and automate their response to threats, whether they’re criminals, nation-states, or whatever else could come their way, while ensuring the company meets all legal and contractual incident reporting requirements in tandem.”

Revelstoke’s Unified Data Layer (UDL) — the unique technology that allows different products to communicate seamlessly — will make it easier for analysts working in Security Operations Centers (SOC) to document incident findings. With the power of the UDL, incident response requirements can be managed faster and easier. Additionally, by using automation to help address security and compliance matters, the products can help users get solutions to legal, regulatory, communications, and marketing issues faster than ever before.

“Partnering with BreachRx allows us to help customers in a way we haven’t been able to do before,” said Bob Kruse, Revelstoke’s CEO and co-founder. “We know we make security easier for security analysts, but we also know that more security analysts are concerned about new rules and regulations than ever before. Compliance concerns are rising and there’s no one better at helping organizations sift through the complex maze of new laws like BreachRx. Our two companies approach these problems with a very similar mindset and range of concerns. This partnership makes sense for both the companies and, most importantly, the customers looking for better outcomes.”

**About BreachRx**

BreachRx is the leading automated incident reporting and response platform that security and technical leaders use to overcome one of their biggest challenges — reducing cybersecurity regulatory and incident compliance risks. Our SaaS platform’s automated workspace streamlines collaboration and frees internal bandwidth across the business while ensuring compliance with the most stringent global cybersecurity and privacy frameworks. BreachRx is the only automated approach that creates tailored, effective incident response plans and protects privilege in the market today.

Learn how to turn incident reporting and response into a routine business process today at breachrx.com.

**About Revelstoke**

Revelstoke is the only next-generation Security Orchestration, Automation and Response (SOAR) solution built on a Unified Data Layer that offers no-code automation and low-code customization. Revelstoke empowers CISOs and security analysts to automate analysis, eliminate software development needs, optimize workflows, prevent vendor lock, scale processes, and secure the enterprise.

For more information, contact: \[email protected\]

Revelstoke Teams Up With BreachRx, Offering Users Automated Incident Response and Compliance Solutions

Why — and how — companies should consider shifting day-to-day security responsibilities out to operations teams. The move would elevate the team's level of decision-making and help address the challenge of finding professionals with security-specific credentials.

Security leaders have been raising the alarm for years about the ongoing cybersecurity skills shortage. Even as cyberattacks become increasingly sophisticated, and frequent, corporate defense teams are having more trouble filling open positions. The problem can seem insurmountable, but it shouldn't be.

One solution that few companies have considered is extricating the security team from operations. Consider how much less daunting the skills gap problem would look if corporate security narrowed its focus to governance, oversight, supervision, and auditing, while pushing the implementation and management of security systems out to the operational teams that use them.

Such a change would be dramatic. The corporate security function would shrink substantially, both in staffing and in the number of specific tasks it's responsible for, but it would become more strategic — and more effective.

**Today's Less-Efficient Approach**

The typical security team today involves themselves in all manners of operational activities. For example, when the development group is creating a new application, security staff may get involved in design details, settings for underlying technologies, and determining which users can access development servers.

But the centralized security team may not immediately have the operational knowledge to make those decisions. They may have to dedicate significant time to understanding the business drivers behind the application, the structure, and expertise of individuals on the development team, etc.

The development team managers already have the requisite expertise in operational aspects of putting together their solution. The corporate security team has expertise in the controls needed to prevent specific attacks. Why not let each group specialize in their core competency?

**How It Would Work**

As I envision it, the security team could take responsibility for establishing, at an abstracted level, the controls needed to protect the application, both during development and after launch. But they could hand off responsibility to the development group for building those controls. The development team could decide which security software and configurations they need, set specific security policies, and determine user permissions. Then, the corporate security team could inspect the development environment — and the resulting application — to ensure that the requested controls were implemented and are performing as expected.

This approach would put detailed decision-making in the hands of the people closest to those decisions. The security team would need to know a little bit about the technologies the development group uses, but mostly they would just need to be controls experts who set expectations for the security outcomes the operations groups should achieve.

Consider access control. How should people get authenticated to enter the company's development environment? What credentials are sufficient to prove they are who they say they are? It makes sense for the corporate security group to own the high-level governance of access control, but they would need to learn a great deal about the development environment and development team to effectively answer these questions. Meanwhile, people on the development team already have this knowledge. Letting them make the decisions down in the weeds of their group's access control policies is only logical.

Development processes are one example. The security team I'm envisioning wouldn't be involved in building networks; they would provide control requirements to the networking team, then make sure those requirements were followed. In a cloud setting, the security team might set high-level expectations, then do inspection scanning, looking for anomalies. But that would be the extent of their involvement in cloud security decisions.

**What This Change Would Mean**

Obviously, my vision would require a total restructuring of IT. In some ways, it would move security activities more toward where they were a quarter century ago. Back when security was usually not a separate function, companies taught security best practices to operational subject-matter experts throughout the organization. Expertise was widely distributed, but security was only a small slice of anyone's job responsibilities.

Consolidating security activities into a centralized function has created experts who specialize in the subject. These highly qualified and hard-to-find professionals should focus on setting the overall direction of the company's security strategy, dictating the controls necessary to prevent certain types of attacks, and providing governance and oversight to ensure those controls are effective.

I would like to see the industry re-evaluate whether other, more operational responsibilities — routine firewall maintenance or configuration of SaaS apps, for example — are appropriate for the central security group. I think those tasks are better suited for the individuals who are connecting, architecting, designing, implementing, and configuring the company's systems. They have the expertise to make correct decisions about securing systems and processes with which they are intimately familiar.

An organizational structure that shifts security decisions out to operations groups may shrink some of the day-to-day responsibilities of the security team. However, it would also elevate the team's level of decision-making, free staff time for more strategic activities, and provide a tidy solution to the perpetual challenge of finding professionals with security-specific credentials.

A New Solution to the Cybersecurity Skills Gap: Building Security into Operational Teams

Cybersecurity company RCS Secure announces round of Series A funding and name change as it rebrands to Third Wave Innovations.

**FRISCO, Texas, Oct. 18, 2022 /PRNewswire/** — RCS Secure is thrilled to announce the completion of a Series A funding round. The funding round was led by Socii Capital, LLC., a venture investment firm focused on healthcare IT with investments in MedOne, ScriptCyle, and ProviderScience.

This round of funding will allow us to grow the customer base we serve and invest in new parts of our core products and services.

RCS Secure has always been committed to being a leading provider of Managed Security, Data, and IT Services. As we have looked to expand our offerings and align the company's strategic growth, it has been decided that a rebrand is appropriate. As of October 17th, 2022, RCS Secure will be known as **Third Wave Innovations**.

"I am both grateful and humbled with our success and accomplishments as an organization," says Randal Asay, CEO of Third Wave Innovations. "From the inception, the advancement of this company has been built on the partnerships and relationships developed over the past 30 years. It is with gratitude and appreciation that as we progress to further heights, that we are worthy of such an amazing and accomplished group of professionals, Socii Capital, to help guide and drive our pathway. The quote 'If you want to go fast, go alone, if you want to go far, go with others' describes our past, our present, and our growth in the future!"

"Properly securing your IT environment to protect your data and the data of your patients is paramount in today's healthcare environment. Health care providers throughout the country are struggling to fill critical gaps in IT security needs with limited internal resources." said George Lazenby, a co-Founder and Partner at Socii Capital. "We were introduced to Third Wave Innovations through one of our portfolio companies utilizing their services. We were immediately impressed with their capabilities, management team and future plans for growth. We are excited to introduce Third Wave to health care providers through our network and portfolio companies."

Since day one, RCS Secure has been driven to innovate and provide cutting-edge solutions within its competitive market. The goal has always been to leverage our family of employees, partners, and clients, using technology to create a more secure world, and the company is committed to accelerating its efforts. We're investing in additional people, processes, and technology to deliver a broader and more robust set of services to our clients. Our commitment to this will remain our highest priority.

We look forward to what the future holds for Third Wave Innovations and can't wait to catch this wave with you.

**About Third Wave Innovations**

Third Wave Innovations is a privately owned corporation offering a full spectrum of cybersecurity safeguards, managed IT services, and a comprehensive data platform that empowers organizations to experience their own data in new ways.

**About Socii Capital, LLC**

Socii is a private investment capital firm founded in Fort Worth in 2015 with investments in SAAS technology companies with a primary focus on solving healthcare provider issues. Based on our team's deep experiences in the healthcare IT sector: operational management, product knowledge, and industry relationships, coupled with our hands-on approach, we add significant value to our portfolio companies.

**Contact Info:  
**Third Wave Innovations  
5 Cowboys Way, Suite 300  
Frisco, TX 75034  
844-267-6100  
**\[email protected\]**

**SOURCE:** Third Wave Innovations

RCS Secure Catches Its Next Big Wave

The Winnti APT was spotted dropping several variants of Spyder Loader and other malware as part of the so-called Operation Cuckoobees.

The Winnti cyber-espionage group out of China was discovered deploying the Spyder Loader malware as part of an ongoing campaign to gather intelligence information on government organizations in Hong Kong.

Researchers at Symantec's Threat Hunter Team recently observed malicious activity in which attackers remained active on some targeted networks for more than a year to steal critical data in what they believe is an extension of the group's previously identified Operation Cuckoobees, they said in a blog post published this week.

"While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was intelligence collection," researchers wrote.

Researchers at Cybereason first identified the Cuckoobees campaign in May as a massive cyber-espionage campaign against manufacturing and technology companies in North America and Asia that had been stealing immense stores of intellectual property and other sensitive data for years when it was discovered.

At that time, researchers estimated that Winnti — aka APT41, Wicked Panda, and Barium — so far had stolen hundreds of gigabytes of data, including trade secrets, blueprints, formulas, diagrams, and proprietary manufacturing documents, from more than 30 global organizations. They also harvested details about a target organization's network architecture, user accounts, credentials, customer data, and business units to leverage in future attacks.

The latest activity against Hong Kong organizations appears to be part of that broad campaign, which is likely to continue and ensnare more victims in its cyber-espionage web before it's over, researchers said. "The fact that this campaign has been ongoing for several years … indicates that the actors behind this activity are persistent and focused adversaries, with the ability to carry out stealthy operations on victim networks over a long period of time," they wrote.

**Unpacking a Trojan**

During the activity they observed Symantec researchers got a good look under the hood at Spyder Loader, which Winnti already had been spotted using as the initial payload in previous malicious activity.

Researchers at SonicWall were the first to discuss the malware publicly in March 2021, according to Symantec, which is part of Broadcom Software. At the time researchers identified the malware being used for targeted attacks on information storage systems to collect information about corrupted devices, execute mischievous payloads, coordinate script execution, and communicate with command and control systems, they said in their report.

The malware later was spotted being used in the Cuckoobees campaign and now again against Hong Kong organizations, with various variants being deployed this time around. All of them "displayed largely the same functionality" to load next-stage payloads and perform functions similar to those described by SonicWall, using obfuscation to hide malicious activity, the researchers said.

Winnti is believed to be working on behalf of, or with the support of, the Chinese government since at least 2010. Some security vendors have described Winnti as an umbrella group comprised of multiple threat actors operating under the control of China's state intelligence agencies.

In addition to Cuckoobees, Winnti also has been linked to attacks in 2010 on scores of US firms that included such heavy-hitters as Google and Yahoo. Its activity eventually led the US government to indict five members of the threat group, which in the end did little to stop its malicious activities.

**Technical Details**

Symantec researchers analyzed a sample of Spyder Loader compiled as a 64-bit PE DLL, a modified copy of sqlite3.dll with the addition of a malicious export, sqlite3\_prepare\_v4, which expects a string as its third argument, they said.

"Reportedly, whenever an export is executed by rundll32.exe, the third argument of the called export should contain part of the process command-line," researchers explained. "When this loader is executed, it extracts the file name from its third argument, and the referred file is expected to contain a sequence of records."

The malware executes a created wlbsctrl.dll file that likely acts as a next-stage loader that runs the content of a previously stored blob\_id 2 record — which it encrypts using the AES algorithm in Ciphertext Feedback (CFB) mode with segment\_size of 0x80 bits — from the created FileMapping, researchers explained. The encryption key is based on the name of an affected computer per GetComputerNameW() API, they said.

Spyder Loader also used other obfuscation techniques to prevent its activity from being analyzed, researchers said. In addition to AES encryption, the malware sample also used the ChaCha20 algorithm encryption to obfuscate one of the strings, as well as cleaned up created artifacts by overwriting the content of the dropped wlbsctrl.dll file before deleting it, for example, they said.

There are several similarities between the Spyder Loader activity seen in the Hong Kong campaign and its original functionality as described by Cybereason. They include: use of a modified version of sqlite3.dll; use of the third parameter of its malicious export that's consistent with the rundll32.exe command-line example seen in Cybereason’s research; and use of the CryptoPP C++ library.

In addition to Spyder Loader, credential-stealer Mimikatz and a Trojanized ZLib DLL were among the malware loaded onto victim machines, the researchers said.

The researchers included in their report a list of indicators of compromise for Spyder Loader in the post so enterprises can detect if their systems have been infected. They also encouraged organizations to stay up to date on the latest threats and malware in circulation that may require security updates by referring to Symantec's Protection Bulletins page.

Source

DARKReading