SaaS security platform promises to track down shadow IT, map supply chain risk, and "nudge" employees to work securely.

After months of speculation and input from security, compliance, and IT operations professionals, Nudge Security has launched its new software-as-a-service (SaaS) platform with the promise of making the increasingly weighty lift of enterprise IT teams lighter. 

Nudge received $7 million in seed money in April to develop what co-founders Russell Spitler and Jamie Blasco told Dark Reading at the time would be a cloud product developed in coordination with psychologists to help end users at critical decision points and avoid security risks and mistakes. 

Now Nudge — which officially emerged from stealth mode today — is offering a free two-week trial for its tool, which the company says will automatically discover shadow IT assets, map digital supply chain risk, and automate security tasks. 

The tool gives end users automated "nudges" to guide them to make secure decisions. 

"Not only do security nudges reduce the burden on IT, security, and compliance teams, but they also give your employees the opportunity to practice good security habits in practical, real-world scenarios — not just during hypothetical training sessions," the company said in an announcement about the Nudge launch. "Simply connect it, go make a sandwich, and then see what you’ve been missing." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nudge Security Launches Platform With Humans in Mind

Ransomware attacks are on the rise, but organizations also have access to advanced tools and technologies they can use to fight back.

Ransomware is a hot topic. No industry is immune, and the ransomware gangs behind these attacks are making a lot of money with minimal risk of being caught. However, every industry has increasing access to the advanced tools and technologies needed to fight back.

In the past few years, ransomware attacks have evolved to include crippling, networkwide attacks using multiple extortion methods to target both your data and reputation, all enabled by human intelligence. This has led to ransomware operators driving their profits to unprecedented levels, with predictions noting that the total cost of ransomware attacks will reach $265 billion by 2031.

We have seen a major shift from commodity ransomware attacks to human-operated ransomware. These “hands-on-keyboard” attacks target an entire organization rather than a single device or individual, leveraging human attackers’ knowledge of common system and security misconfigurations to get in, navigate the enterprise network, and adapt to the environment and its weaknesses as they go.

Attackers use a three-step approach to carry out successful human-operated ransomware attacks. First, they gain initial access to an environment using primarily identity attacks (via email, browser, password spray, etc.). Once the attackers have gained access to the organization, they then move laterally within the network to steal more credentials to gain elevated privileges and ultimately find an admin account that gives them access to data. Now that the attackers have access to the data, they can steal it, encrypt it, and deploy a ransomware payload to the resources of their choosing. This type of attack results in catastrophic outcomes for business operations that are very difficult to clean up.

**Ways to Prepare**

Given how common these ransomware attacks are and how easy they are to carry out, what can you and your organization do to prepare for future attacks?

First, we strongly recommend implementing a zero-trust approach. Based on the three principles of verify explicitly, use least-privileged access, and assume a breach, a comprehensive zero-trust architecture creates several safeguards within and across identity, endpoints, apps, infrastructure, network, and data. We not only recommend this approach with our customers and partners, but we also embrace it in our own approach to global security and software development here at Microsoft.

Next, integrated threat protection helps secure organizations by using the combination of extended detection and response (XDR) and security information and event management (SIEM) tools to detect attacks _while_ they are happening and stop them. Cloud-native SIEM systems can help eliminate security infrastructure setup and maintenance while scaling to meet organizational security needs and without being restricted by storage or query limits. Likewise, cross-domain threat protection, cloud security posture management (CSPM), and cloud workload protection (CWP) solutions can be deployed to increase efficiency and effectiveness while securing your digital estate.

Lastly, we recommend having a backup and incident response (IR) plan prepared in the event that your organization is compromised. It is crucial to back up all critical systems automatically on a regular basis and ensure all backups are protected against deliberate erasure/encryption. Your backup service should offer a centralized management interface to monitor, govern, and optimize data protection at scale, and you should look for a platform that can secure your backup platform whether data is in transit or at rest.

For incident response, organizations need to ensure rapid detection and remediation of common attacks on endpoint, email, and identity (ransomware operators love these three) by prioritizing common entry points and monitoring for adversaries disabling security. It is important to regularly practice these backup and incident response plans.

Mitigating human-operated ransomware attacks is a top priority for organizations worldwide. By implementing these strategies and tools outlined in our ransomware mitigation plan, organizations can be fearless, armed with the ability to secure everything without limits.

The Playbook for Human-Operated Ransomware

From the basics to advanced techniques, here's what you should know.

Cybersecurity has been compared to a never-ending game of whack-a-mole, with an ever-changing cast of threats and threat actors. While the attacks that make headlines may change from year to year, the basic fact remains: Any network, no matter how obscure the organization it supports, most likely will come under attack at some point. Thus, attaining and maintaining a strong security posture is of critical importance for organizations of any size.

An organization's security posture, however, is constantly changing. Employees join or leave the company; endpoints are added and discarded; and network and security technologies are deployed, decommissioned, configured, and updated. Each change in network elements can represent a potential attack vector for malware and other threats.

That's why security teams should review their security processes periodically and keep aligned with new developments in defensive and offensive testing and modeling. Doing so can help move the needle on security maturity from the most basic to an advanced, much stronger security posture, and from a reactive to a proactive model.

**The Basics: Vulnerability Scanning**

The first step most IT organizations undertake is vulnerability scanning, which seeks out potential weaknesses in the network and endpoints that could be exploited by attackers. There's a wide variety of scanners available as open source or commercial software, as managed services, and on cloud platforms like AWS and Alibaba. Some of the more popular scanners include Nessus, Burp Suite, Nmap, and Qualys, though each has its own area of focus. Several offer automatic patch remediation, as well.

Another consideration is whether to perform an external scan — which can discover potential vulnerabilities that hackers can exploit — or internal scanning that can find potential paths attackers would take once inside the network. Many, if not most, IT teams will do both.

While vulnerability scanning is relatively easy to use, it's not the end-all, be-all of a security strategy. For example, scanning might not detect subtle misconfigurations or the more complicated attack paths that advanced persistent threats (APTs) might take. They're also often prone to false positives and must be updated consistently.

Overall, though, vulnerability scanning is an important baseline step. Once it's running well, the next step is penetration testing.

**Penetration Testing**

Penetration testing typically entails human ethical hackers who attempt to gain access to the network interior, much as an outside hacker would. Here, too, there's a wide variety of tools and services available — many of the aforementioned vulnerability scanners offer tools that can be used in pen testing. Others include Metasploit, Kali Linux, Cobalt.io, and Acunetix.

Run periodically, pen testing can uncover weaknesses that aren't found by vulnerability scanners. Furthermore, human-managed pen testing can explore more complex pathways and technique combinations that hackers increasingly leverage to exploit victims, such as phishing.

Not surprisingly, the biggest trends impacting networking and cybersecurity are essentially the same trends noted in penetration testing this year: rampant ransomware attacks, the newly distributed workforce, and the rise of Web applications and cloud usage to support remote workers. Each of these trends will require thoughtful consideration in choosing tools and designing plans for penetration testing.

While penetration testing can provide a great deal of benefit, it's a good idea to periodically review the wealth of information on best practices available online.

**Red Team/Purple Team**

The third step in the quest for security maturity is usually the establishment of a red team that will manually attempt to attack and penetrate the organization's security defenses. This may be a completely separate team, or it may be closely allied with the blue team (the defenders) in a combination called a purple team. As another option, some vendors offer red-team services on a subscription or one-off basis.

A red team will imitate the tactics, techniques, and procedures (TTPs) that attackers use — which usually turns up more points of vulnerability than penetration testing can reveal. The blue team can then begin to resolve these weaknesses, further hardening the network against attack.

But too often, red and blue teams devolve into an adversarial relationship that's counterproductive. It's also quite expensive to set up a red team, and given the shortage of cybersecurity professionals, it may not be feasible. Therefore, many CISOs are investigating two newer trends: adversary emulation and adversary simulation.

**Using Adversary TTPs for Good**

There are vast, freely available libraries of common tactics, techniques, and procedures used during attacks, such as MITRE's ATT&CK framework. Adversary emulation and simulation leverage these libraries to evaluate security based on intelligence for specific attacks and then simulating the TTPs used.

For example, MITRE developed a sample adversary emulation plan for APT3, an advanced persistent threat that previously targeted mostly US entities. The emulation plan covers three phases from command-and-control setup to initial access; from host compromise through to execution; and data collection through exfiltration. The Center for Threat-Informed Defense has posted other emulation plans.

Adversary emulation lets security teams assess their defenses against real-world attacks. It can also be used to test the security infrastructure's detection and response rates.

**Looking Ahead**

Security vendors are moving beyond simply advocating the concept of MITRE's ATT&CK and MITRE Shield. Many vendors are leveraging one or both to improve their own products and services. For example, some security vendors map anomalies and events to the ATT&CK framework, making it easier for security teams to respond.

MITRE's CALDERA also deserves attention. It provides an intelligent, automated adversary emulation system that can be programmed for a specific attack profile and launched into the network to test its defenses. Caldera can also be used to train blue teams on detecting and remediating specific attacks.

There are also open source projects for adversary behavior simulation in development. A few of them of note include Uber's Metta, Nextron Systems' APT Simulator, Elastic/Endgame's Red Team Automation, CyberMonitor's Invoke-Adversary, and Red Canary's Atomic Red Team.

**Conclusion**

Keeping abreast of developments in key security processes is important for security teams as they strive to defend the network against changing threats. By so doing, they can move the organization closer to a far stronger security posture.

What You Need for a Strong Security Posture

The campaign uses a combination of tactics and a common JavaScript obfuscation technique to fool both end users and email security scanners to steal credentials.

Attackers are spoofing Google Translate in an ongoing phishing campaign that uses a common JavaScript coding technique to bypass email security scanners. Leveraging trust in Google Translate is a never-before-seen approach, researchers said.

Researchers from Avanan, a Check Point Software Company, uncovered the campaign, which uses the coding technique to obfuscate phishing sites to make them appear legitimate to the end user as well as fool security gateways. The phish also uses social engineering tactics to convince users they need to respond quickly to an email or face having an account closed, according to a blog post published today.

The messages direct a user to a link that directs them to a credential-harvesting page that appears to be a legitimate Google Translate page, with a pre-populated email field that requires only that a person enter his or her password to log in.

The campaign is an example of a number of current, increasingly more sophisticated tactics that threat actors are using in contemporary phishing campaigns to fool both more savvy end users who have become familiar with malicious tactics, as well as email scanners that delete suspicious messages before they get through, noted Jeremy Fuchs, an Avanan cybersecurity researcher and analyst.

"This attack has a little bit of everything," he wrote in the post. "It has unique social engineering at the front end. It leverages a legitimate site to help get into the inbox. It uses trickery and obfuscation to confuse security services."

**"Urgent Plea"**

Researchers observed a Spanish-language email being used in the campaign, which begins — as most phishing messages do — with social engineering.

In this case, hackers make an "urgent plea" for a user to confirm access to his or her account by informing them that they are missing out on important emails and have only 48 hours in which to review them before they will be deleted.

"That's a compelling message that might get someone to act," Fuchs noted.

Upon taking the bait, the link directs a victim to a login page that is a "pretty convincing" Google Translate lookalike page, complete with the typical logo on the upper left-hand corner of the page and a drop-down list of languages. Closer inspection shows that the URL has nothing to do with Google Translate, however, the researchers noted.

The code in the background makes it even more apparent that the page is a fake, with the "HTML that goes into turning this site into a Google Translate lookalike_,"_ Fuchs wrote.

One of the JavaScript commands hackers use here is the "unescape function_,"_ which is "a classic command that helps obfuscate the true meaning of the page," he wrote.

Unescape is a function in JavaScript that computes a new string in which hexadecimal escape sequences are replaced with the character that it represents. The function can be used on a webpage to appear to show the page as one thing but then, when decoded, shows a "bunch of gibberish" that can trick email security, according to a video about the phishing campaign posted by Avanan.

"This attack requires vigilance on the part of the end user, and advanced natural language processing on the part of the security service to stop," Fuchs noted in the post.

**Phishers Pivoting for Success**

Indeed, as Internet users already are familiar with common tactics that threat actors use to fool them into giving up credentials to phishing pages, actors increasingly are pivoting to new tactics or combining common ones in different ways to help ensure the success of their cybercriminal activity, the researchers said.

Attackers recently have been seen using everything from voice-themed messages to spoofed PayPal invoices to leveraging the ongoing war in the Ukraine to get unwitting email users to take phishing bait.

Even with the ramp-up in sophistication, however, the usual precautions that all Internet users and security professionals alike should take to avoid giving up their credentials to phishers still apply — not only in the case of the Google Translate campaign but across the board, according to Avanan.

Researchers recommend that people always hover over URLs found in messages before clicking on them to ensure the destination is legitimate, as well as pay closer attention to grammar, spelling, and factual inconsistencies within an email before trusting it.

And as always, users also should put basic common sense into play when dealing with emails from unknown entities, researchers said. If they ever have doubts about where they're coming from or their intentions, they should just ask the original sender to be sure before taking further actions.

Cyberattackers Spoof Google Translate in Unique Phishing Tactic

Despite dozens of tools and external vendors, 2 in 3 organizations believe their data strategy isn't sustainable beyond three years, which could leave businesses vulnerable.

SAN FRANCISCO, Oct. 13, 2022 /PRNewswire/ — Cribl, the leader in enabling open observability, in collaboration with CITE Research, today released the State of Security Data Management 2022. The industry-wide report examines the primary cybersecurity challenges that enterprises are facing in the midst of hybrid work mandates, ongoing digital transformation efforts, and rapidly growing data volumes. Conducted in September 2022, the report surveyed 1,000 senior-level IT and security decision-makers.

**Key findings from the research:**

*   Two in three organizations believe their data management strategy isn't sustainable beyond three years, with one-third of organizations acknowledging that it's sustainable for less than one year, which could impact both threat visibility and attack response time.
*   63% currently use more than 25 tools for data visibility and control, with more than 40% planning to add more tools in the next 12-24 months––as the majority of organizations are now managing more than 30 data sources.

"We all know cybersecurity teams are under incredible pressure, but what these results indicate is that beneath the surface of what the headlines espouse — sophisticated attackers, expanding attack surface, skills shortages — lies a more entrenched problem for cybersecurity teams: data," said Clint Sharp, CEO and co-founder of Cribl. "Practitioners are drowning in a deluge of data while managing dozens of tools and external vendors, limiting organizations' visibility and hindering their ability to swiftly respond to potential threats. But there's a light at the end of the tunnel: We're trending towards greater collaboration between IT and security teams and increased interoperability between tools, which will boost the cybersecurity industry in coming years."

**Additional findings include:**

*   Despite acknowledging that their data management strategies are not sustainable, 92% of organizations state that they are confident in their current strategy.
*   Nine in 10 respondents indicated that IT and security teams are now working closely together, and rely on the same information and tools in their day-to-day operations.
*   Though historically hesitant to outsource cybersecurity operations, nearly 70% of organizations have an internal incident response and an external managed detection and response (MDR) provider.
*   53% of organizations believe greater control over their data would improve response and remediation time, 52% believe it would improve threat visibility, and 50% believe it would improve alert management.

For more insights from The State of Security Data Management 2022, please visit http://cribl.io/state-of-security-data-management.**Methodology**

The survey was conducted in September 2022 in partnership with CITE Research. The 1,000 respondents were based in the US with Director level or above job titles in software development, IT, or C-Suite. Respondents were spread across a variety of industries at organizations with greater than $100 million in revenue.

**About Cribl**

Cribl makes open observability a reality for today's tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises. It's enterprise software that doesn't suck, enables tech professionals to do what they need to do, and gives them the ability to say "Yes." With Cribl, companies have the power to control their data, get more out of existing investments, and shape the observability future. Founded in 2017, Cribl is a remote-first company with an office in San Francisco, CA. For more information, visit www.cribl.io or our LinkedIn, Twitter, or Slack community.

State of Security Data Management 2022 Report Reveals Overconfidence Masks a Pervasive Data Problem

New open source Cloud Hunter tool, developed through Lacework Labs research, helps customers get better visibility to reduce response times for incident investigations.

SAN JOSE, Calif., Oct. 13, 2022 /PRNewswire/ — Lacework®, the data-driven cloud security company, today released the fourth Lacework Labs Cloud Threat Report and subsequently launched a new, open source tool for cloud hunting and security efficacy testing. The new tool, known as Cloud Hunter, will help customers keep pace with ever-improving adversarial tradecraft through advanced environmental analysis and improved incident response time.

Developed in response to new types of sophisticated threat models uncovered through Lacework Labs' research, Cloud Hunter utilizes the Lacework Query Language (LQL) to permit hunting across data within the Lacework platform by way of dynamically-created LQL queries. Customers can quickly and easily find data and develop queries for ongoing monitoring as they scale detections along with their organization's cloud security program. Data is automatically analyzed while Cloud Hunter extracts information, further streamlining the capabilities and response times for incident investigations.

The Lacework Labs Cloud Threat Report examines the cloud security threat landscape over the past three months and unveils the new techniques and avenues cybercriminals are exploiting for profit at the expense of businesses. In this latest edition, the Lacework Labs team found a significantly more sophisticated attacker landscape, with an increase in attacks against core networking and virtualization software, and an unprecedented increase in the speed of attacks following a compromise. Key trends and threats identified include:

*   **Increased speed from exposure to compromise:** Attackers are advancing to keep pace with cloud adoption and response time. Many classes of attacks are now fully automated to capitalize on timing. Additionally, one of the most common targets is credential leakage. In a specific example from the report, a leaked AWS access key was caught and flagged by AWS in record time. Despite the limited exposure, an unknown adversary was able to login and launch tens of GPU EC2 instances, underscoring just how quickly attackers can take advantage of a single simple mistake.
*   **Increased focus on infrastructure, specifically attacks against core networking and virtualization software:** Commonly deployed core networking and related infrastructure consistently remains a key target for adversaries. Core flaws in infrastructure often appear suddenly and are shared openly online, creating opportunities for attackers of all kinds to exploit these potential targets.
*   **Continued Log4j reconnaissance and exploitation**: Nearly a year after the initial exploit, the Lacework Labs team is still commonly observing vulnerable software targeted via OAST requests. Analysis of Project Discovery (interact.sh) activity revealed Cloudflare and DigitalOcean as the top originators.

"Creating an open source tool not only extends our capabilities as a research team and company, but also gives us a way to fully give back to and empower the developer community based on what we're seeing from our threat research," said James Condon, Director of Threat Research at Lacework. "As our research shows an increasingly more sophisticated attack landscape, this tool provides a more detailed analysis of an organization's unique environment based on the new techniques being leveraged by attackers. Cloud Hunter is the first tool from Lacework to generate queries that can be directly converted into custom policies within a customer's environment."

The Lacework Labs team also examined issues around how "rogue accounts" are utilized by attackers for the reconnaissance and probing of S3 buckets as well as the growing popularity of cryptojacking and steganography. A full copy of the report and the executive summary can be found here.

**About Lacework**

Lacework is the data-driven security platform for the cloud. The Lacework Cloud Security Platform, powered by Polygraph, automates cloud security at scale so our customers can innovate with speed and safety. Only Lacework can collect, analyze, and accurately correlate data across an organization's AWS, Azure, GCP, and Kubernetes environments, and narrow it down to the handful of security events that matter. Customers all over the globe depend on Lacework to drive revenue, bring products to market faster and safer and consolidate point security solutions into a single platform. Founded in 2015 and headquartered in San Jose, Calif., Lacework is backed by leading investors like Sutter Hill Ventures, Altimeter Capital, D1 Capital Partners, Tiger Global Management, Counterpoint Global (Morgan Stanley), Franklin Templeton, Durable Capital, General Catalyst, XN, Coatue, Dragoneer, Liberty Global Ventures, and Snowflake Ventures, among others. Get started at www.lacework.com.

Attackers Use Automation to Speed from Exploit to Compromise According to Lacework Labs Cloud Threat Report

Can already beleaguered CISOs now add possible legal charges to their smorgasbord of job considerations? Disclose a breach to comply and face dismissal, or cover it up and face personal punishment.

This is a challenging time to be a CISO. The security community has been eagerly following multiple stories regarding Uber in the past few weeks. From the play-by-play of their recent major hack, to last week's guilty verdict of former Uber security chief Joe Sullivan, CISOs are facing considerable challenges.

The verdict in the Sullivan case found him guilty of obstructing a federal investigation and concealing a felony from the government. According to the New York Times: "Stephanie M. Hinds, the US attorney for the Northern District of California, said in a statement: 'We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.'"

The government is sending a message to CISOs in the US — disclose and potentially lose your job, or cover up and go to jail. If they disclose information to the government, they meet compliance regulations, but their job will be on the line. A breach, especially one in which personally identifiable information (PII) is compromised, will result in a lawsuit and the CISO will likely get fired.

But the punishment for noncompliance, inability to demonstrate full disclosure, or any gray zone in the middle is now personal (unlike other regulations where noncompliance results in fines for the company). Covering up a breach, in the Uber case, and then further hiding details of the hack in the context of a federal investigation, can result in prison time.

This case also brings to light a new challenge for CISOs: "What did you know?" Concealing information is an important part of this case and verdict. Hiding information by saying "I didn't know" isn't an answer for a CISO with a data breach — it reflects negligence at best and is at worst a lie. Security teams need to know — and most likely _do_ know about their security posture, from the many security tools they use — and what they know can't be concealed.

The Sullivan case has enormous gravity for the security industry. What can we expect from CISOs? Are these expectations fair?

**Managing Expectations for CISOs**

According to proposed legislation, the expectations are as follows. From the Form 8-K (6-K) Disclosure About Material Cybersecurity Incidents (PDF) — the following rules will be added:

*   New Item 1.05 of Form 8-K will require SEC-reporting companies to disclose a material cybersecurity incident within four business days of determining that a material incident has occurred.
*   The company must determine the materiality of a cybersecurity incident "as soon as reasonably practicable" after discovery of the incident.
*   The SEC indicated last year in a cybersecurity enforcement action that companies must maintain disclosure controls and procedures designed to ensure that all available relevant information concerning any cybersecurity incident is analyzed for timely disclosure in the company's SEC reports.
*   "Cybersecurity incident" means an unauthorized occurrence on or through company's information systems that jeopardizes the confidentiality, integrity, or availability of a company's information systems "or any information residing therein."

The question is, what should CISOs do? They're already deploying multiple security solutions. On-premises, cloud, endpoint detection, firewalls, ransomware recovery, workload protection … the list goes on and on. Still, hackers get in — as in Uber's case — often by simply nagging an employee to click on a phishing link. Millions of dollars on attack prevention and "user XYZ" takes the system down.

**Ways to Aid CISOs**

I've been working in security for most of my career, building the tools that keep hackers out. I'd like to propose a few ways we can help CISOs out of the complicated situation they're in.

1.  **Get rid of tools that alert on every potential attack or misconfiguration.** A generation of alert-based security tools pinging security teams for every small thing has made the situation worse. There is no way for a security team to keep up with the hundreds of alerts, mostly false alerts, that their security tools provide. They need to be able to see a real-time incoming attack, in the context of their specific assets – one that provides a sequence of events identifying immediate risk to the company's most valuable assets. We need to do better to support security teams with tools that provide value, not just alerts.
2.  **Retool.** Regulators expect CISOs to be able to detect, analyze, and understand impact of real attack events (vs. potential misconfigurations) fast. This requires retooling and rethinking much of the security software "stack" to ensure that we're keeping a step ahead of hackers. Using dated techniques is one area that often results in friction between security best practices and reality.
3.  **Work more closely with government** on the important regulations that are being proposed for legislation. To protect our CISOs from falling into felony territory, we need legislation that protects the public while also protecting CISOs that come forward and report data breaches. CISOs who genuinely plan for every attack scenario (and can show this planning) but find themselves outsmarted by hackers should not be penalized by the companies they serve.
4.  **Align security goals.** Many organizations are moving too fast to focus on security — and it will catch up with them. Development teams are increasingly leveraging agile techniques like CI/CD (continuous integration, delivery, and deployment) to deliver new and innovative features quickly and maintain a competitive advantage. And security is not part of the dev team's or any typical employee's everyday thought process — but it must be. Organizations must have a security strategy that permeates the organization so everyone — developers, marketing, HR, finance, the board, and everyone else share the responsibility with the CISO and security teams. _All_ employees play a role in securing data assets.

What the Uber Breach Verdict Means for CISOs in the US

This marks the third identity and access management (IAM) company acquired by Thoma Bravo in just the past few months.

Private equity firm Thoma Bravo continues its massive multibillion-dollar buying spree in the identity and access management (IAM) space, this time splashing out $2.3 billion in a reportedly all-cash offer for ForgeRock. 

ForgeRock went public just a little over a year ago, Reuters pointed out. The San Francisco-based company provides IAM for end consumers, workforce, and Internet of Things (IoT) devices, the company site says.

ForgeRock shareholders will receive $23.25 per share, which represents a premium of about 53.4% to the stock's last closing price on Tuesday. The deal is expected to close in the first half of 2023.

Thoma Bravo is banking on a swelling market for cloud services to drive IAM demand, according to earlier Dark Reading reporting on investors' keen interest in the cybersecurity software sector. 

Reuters added that the private equity firm has also expressed interest in Darktrace and Nearmap over the past year. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Thoma Bravo to Acquire ForgeRock in $2.3B Deal

Among other things, users who download the app could end up having their WhatsApp account details stolen.

Security researchers have detected a threat actor distributing a data-stealing mobile Trojan via a spoofed version of YoWhatsApp, a relatively widely used, modified version of the WhatsApp messaging application.

Users who download the app are at risk of having their WhatsApp account details stolen and being signed up for paid subscriptions they did not want or were even aware of.

Researchers at Kaspersky detected the threat recently and identified the Trojan as Triada, a malware tool that it observed last year being similarly distributed via another malicious version of YoWhatsApp.

WhatsApp mods are basically unofficial, modified versions of the social media app touting features and functionality — such as additional privacy, custom backgrounds, and bulk messaging — that the official version does not have. Since these modified social media apps are unofficial, they are not available on the official mobile app stores of Google and Apple, so users who want them must download them from unofficial sources — a practice that security experts have long warned as being especially risky. However, users often do it anyway because they see the additional functionality is worth the risk. 

**Malicious Mod Threatens Corporate Users**

In a report this week, Kaspersky said its researchers had observed the malicious WhatsApp mod being advertised in Snaptube, a legitimate mobile app that tens of thousands of people use to download videos from Facebook, YouTube, and Instagram. It's a strategy that Kaspersky assessed as designed to lend credibility to the malicious mod.

"Since YoWhatsApp is being advertised in the Snaptube app used by hundreds of thousands of users around the world, many of them are not even aware that this modification could be dangerous," according to Kaspersky. 

In fact, it's quite likely that Snaptube's own developers are unaware of a threat actor abusing the advertising feature in their app to hawk the malicious YoWhatsApp mod, the security vendor said. 

In addition, the malicious mod is also available for download — as "WhatsApp Plus" — via an unofficial Android app store associated with Vidmate, a mobile app for downloading YouTube videos.

Organizations using WhatsApp for workplace communication should pay attention to threats like this, says Anton Kivva, security researcher at Kaspersky in comments to Dark Reading. An employee using the malicious version of YoWhatsApp could end up leaking sensitive business information or having their account used in phishing scams and for sending spam.

"In theory, judging by the technical capabilities of Triada Trojan, if attackers infect a corporate-owned mobile device, they could even penetrate the corporate network and search and steal sensitive information, including both business development secrets, as well as employees’ personal data," Kivva says.

**Potential Impact on Businesses**

Though WhatsApp is primarily a consumer-focused app, its use in business settings (along with similar encrypted messaging apps, such as Signal and Telegram) has been growing in recent years, especially with the post-COVID shift to remote and hybrid work models. 

The Facebook-owned WhatsApp's release of WhatsApp Business in 2018 has also propelled a lot of its use, especially in business-to-consumer (B2C) settings. For instance, many small and midsize businesses use messaging apps to engage customers and drive brand loyalty.

"Many customers want to have human interaction when it comes to customer service, and messenger apps like this provide an easy avenue to deliver this," says Eugene Kolodenker, staff security intelligence engineer at Lookout.

In many workplaces, employees also rely on the end-to-end encryption to communicate on sensitive topics or business issues.

In all, more than 5 million organizations are reported to be using the business version of the app for customer support, advertising, and other reasons. So, criminals do look to target businesses with malware that is being distributed via the platform.

"Attackers often use the lure of new product features like this WhatsApp messenger mod to socially engineer users into downloading malware," Kolodenker says. "Even if only a few people download this malicious mod on their device, it can still do damage, and organizations that have bring-your-own-device (BYOD) policies need to stay aware of the threat."

It's important therefore for organizations to have visibility into vulnerable app or OS versions on employee devices. "Mobile attacks can come through channels outside of your security team's control — like SMS, social media, and third-party messaging platforms like WhatsApp," Kolodenker says.

Malicious mods always have serious consequences both for individuals and businesses, Kivva adds. "Therefore, it's crucial to be careful when downloading new apps from third-party sites," he says. "The malicious mod YoWhatsApp we discovered was advertised on the safe Snaptube app, but that didn't make it any less dangerous for users and only increased the number of potential victims."

WhatsApp Users Beware: Dangerous Mobile Trojan Being Distributed via Malicious Mod

Vista Equity Partners plans take the publicly traded security-awareness training vendor private.

Vista Equity Partners plans to acquire KnowBe4 for $4.6 billion in cash, taking the publicly traded security vendor private.

KnowBe4 — the popular security awareness training and simulated phishing platform provider, with some 52,000 customer organizations worldwide — is the latest security vendor to be acquired by a private equity firm. PE firm Thoma Bravo has announced a series of identity management vendor acquisitions in recent months: Sailpoint, Ping Identity, and most recently, ForgeRock, a deal that was announced on Tuesday.

Under the Vista deal, KnowBe4's stockholders will get $24.90 per share in cash when the transaction is completed in early 2023, a 44% premium over KnowBe4's closing price on Sept. 16, prior to the acquisition disclosure.

"As a significant investor in KnowBe4, we could not be more excited to take this next step in our journey together," Rod Aliabadi, managing director at Vista, said in a statement. "We have long appreciated the work that KnowBe4 does in strengthening the human layer of cybersecurity through educating employees on how to identify social engineering and related cyber threats."

Vista has been on a tear in cybersecurity investments, with a $1 billion investment in Securonix, a $215 million investment in Critical Start, and sales of SecureLink to Imprivata and Ping Identity. The PE firm also took Citrix private earlier this year.

KnowBe4 was founded by Stu Sjouwerman, chairman and CEO of KnowBe4, and the company's chief hacking officer, Kevin Mitnick, assisted in the design of the company's training.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading