In a widespread campaign, threat actors use a compromised Dynamics 365 Customer Voice business account and a link posing as a survey to steal Microsoft 365 credentials.

An elaborate and rather unusual phishing campaign is spoofing eFax notifications and using a compromised Dynamics 365 Customer Voice business account to lure victims into giving up their credentials via microsoft.com pages.  

Threat actors have hit dozens of companies through the broadly disseminated campaign, which is targeting Microsoft 365 users from a diverse range of sectors — including energy, financial services, commercial real estate, food, manufacturing, and even furniture-making, researchers from the Cofense Phishing Defense Center (PDC) revealed in a blog post published Wednesday.

The campaign uses a combination of common and unusual tactics to lure users into clicking on a page that appears to lead them to a customer feedback survey for an eFax service, but instead steals their credentials.

Attackers impersonate not only eFax but also Microsoft by using content hosted on multiple microsoft.com pages in several stages of the multistage effort. The scam is one of a number of phishing campaigns that Cofense has observed since spring that use a similar tactic, says Joseph Gallop, intelligence analysis manager at Cofense.

“In April of this year, we began to see a significant volume of phishing emails using embedded ncv\[.\]microsoft\[.\]com survey links of the sort used in this campaign,” he tells Dark Reading.

**Combination of Tactics**

The phishing emails use a conventional lure, claiming the recipient has received a 10-page corporate eFax that demands his or her attention. But things diverge from the beaten path after that, Cofense PDC's Nathaniel Sagibanda explained in the Wednesday post.

The recipient most likely will open the message expecting it's related to a document that needs a signature. "However, that isn't what we see as you read the message body," he wrote.

Instead, the email includes what seems like an attached, unnamed PDF file that's been delivered from a fax that does include an actual file — an unusual feature of a phishing email, according to Gallop.

"While a lot of credential phishing campaigns use links to hosted files, and some use attachments, it's less common to see an embedded link posing as an attachment," he wrote.

The plot thickens even further down in the message, which contains a footer indicating that it was a survey site — such as those used to provide customer feedback — that generated the message, according to the post.

**Mimicking a Customer Survey**

When users click the link, they are directed to a convincing imitation of an eFax solution page rendered by a Microsoft Dynamics 365 page that's been compromised by attackers, researchers said.

This page includes a link to another page, which appears to lead to a Microsoft Customer Voice survey to provide feedback on the eFax service, but instead takes victims to a Microsoft login page that exfiltrates their credentials.

To further enhance legitimacy on this page, the threat actor went so far as to embed a video of eFax solutions for spoofed service details, instructing the user to contact "@eFaxdynamic365" with any inquiries, researchers said.

The "Submit" button at the bottom of the page also serves as additional confirmation that the threat actor used a real Microsoft Customer Voice feedback form template in the scam, they added.

The attackers then modified the template with "spurious eFax information to entice the recipient into clicking the link," which leads to a faux Microsoft login page that sends their credentials to an external URL hosted by attackers, Sagibanda wrote.

**Fooling a Trained Eye**

While the original campaigns were much simpler — including only minimal information hosted on the Microsoft survey — the eFax spoofing campaign goes further to bolster the campaign’s legitimacy, Gallop says.

Its combination of multistage tactics and dual impersonation may allow messages to slip through secure email gateways as well as fool even the savviest of corporate users who’ve been trained to spot phishing scams, he notes.

"Only the users that continue to check the URL bar at each stage throughout the entire process would be certain to identify this as a phishing attempt," Gallop says.

Indeed, a survey by cybersecurity firm Vade also released Wednesday found that brand impersonation continues to be the top tool that phishers use to dupe victims into clicking on malicious emails.

In fact, attackers took on the persona of Microsoft most often in campaigns observed in the first half of 2022, researchers found, though Facebook remains the most impersonated brand in phishing campaigns observed so far this year.

**Phishing Game Remains Strong**

Researchers at this time have not identified who might be behind the scam, nor attackers' specific motives for stealing credentials, Gallop says.

Phishing overall remains one of the easiest and most oft-used ways for threat actors to compromise victims, not only to steal credentials but also spread malicious software, as email-borne malware is significantly easier to distribute than remote attacks, according to the Vade report.

Indeed, this type of attack saw month-over-month increases through the second quarter of the year and then another boost in June that pushed "emails back to the alarming volumes not seen since January 2022," when Vade saw upwards of 100-plus million phishing emails in distribution.

"The relative ease with which hackers can deliver punishing cyberattacks via email makes email one of the top vectors for attack and a constant menace for businesses and end users," Vade's Natalie Petitto wrote in the report. "Phishing emails impersonate the brands you trust the most, offering a wide net of potential victims and a cloak of legitimacy for the phishers masquerading as brands."

Unusual Microsoft 365 Phishing Campaign Spoofs eFax Via Compromised Dynamics Voice Account

SolarWinds CISO Tim Brown explains how organizations can prepare for eventualities like the nation-state attack on his company’s software.

On Dec. 8, 2020, FireEye announced the discovery of a breach in the SolarWinds Orion software while it investigated a nation-state attack on its Red Team toolkit. Five days later, on Dec. 13, 2020, SolarWinds posted on Twitter, asking "all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability." It was clear: SolarWinds — the Texas-based company that builds software for managing and protecting networks, systems, and IT infrastructure — had been hacked.

More worrisome was the fact that the attackers, which US authorities have now linked to Russian intelligence, had found the backdoor through which they infiltrated the company's system about 14 months before the hack was announced. The SolarWinds hack is now almost 3 years old, but its aftereffects continue to reverberate across the security world.

Let's face it: The enterprise is constantly under threat — either from malicious actors who attack for financial gains or hardened cybercriminals who extract and weaponize data crown jewels in nation-state attacks. However, supply chain attacks are becoming more common today, as threat actors continue to exploit third-party systems and agents to target organizations and break through their security guardrails. Gartner predicts that by 2025, "45% of organizations worldwide will have experienced attacks on their software supply chains," a prediction that has created a ripple across the cybersecurity world and led more companies to start prioritizing digital supply chain risk management.

While this is the right direction for enterprises, the question still lingers: What lessons have organizations learned from a cyberattack that went across the aisle to take out large corporations and key government agencies with far-reaching consequences even in countries beyond the United States?

To better understand what happened with the attack and how organizations can prepare for eventualities like the SolarWinds hack, Dark Reading connected with SolarWinds CISO Tim Brown for a deeper dive into the incident and lessons learned three years on.

    

Tim Brown, CISO at SolarWinds

**1\. Collaboration Is Critical to Cybersecurity**

Brown admits that the very name SolarWinds serves as a reminder for others to do better, fix vulnerabilities, and strengthen their entire security architecture. Knowing that all systems are vulnerable, collaboration is an integral part of the cybersecurity effort.

"If you look at the supply chain conversations that have come up, they're now focusing on the regulations we should be putting in place and how public and private actors can better collaborate to stall adversaries," he says. "Our incident shows the research community could come together because there's so much going on there."

After standing at the frontlines of perhaps the biggest security breach in recent years, Brown understands that collaboration is critical to all cybersecurity efforts.

"A lot of conversations have been ongoing around trust between individuals, government, and others," he says. "Our adversaries share information — and we need to do the same."

**2\. Measure Risk and Invest in Controls**

No organization is 100% secure 100% of the time, as the SolarWinds incident demonstrated. To bolster security and defend their perimeters, Brown advises organizations to adopt a new approach that sees the CISO role move beyond being a business partner to becoming a risk officer. The CISO must measure risk in a way that's "honest, trustworthy, and open" and be able to talk about the risks they face and how they are compensating for them.

Organizations can become more proactive and defeat traps before they are sprung by using artificial intelligence (AI), machine learning (ML), and data mining, Brown explains. However, while organizations can leverage AI to automate detection, Brown warns there's a need to properly contextualize AI.

"Some of the projects out there are failing because they are trying to be too big," he says. "They're trying to go without context and aren't asking the right questions: What are we doing manually and how can we do it better? Rather, they're saying, 'Oh, we could do all of that with the data' — and it's not what you necessarily need."

Leaders must understand the details of the problem, what outcome they are hoping for, and see if they can prove it right, according to Brown.

"We just have to get to that point where we can utilize the models on the right day to get us somewhere we haven't been before," he says.

**3\. Remain Battle-Ready**

IT leaders must stay a step ahead of adversaries. However, it's not all doom and gloom. The SolarWinds hack was a catalyst for so much great work happening across the cybersecurity board, Brown says.

"There are many applications being built in the supply chain right now that can keep a catalog of all your assets so that if a vulnerability occurs in a part of the building block, you will know, enabling you to assess if you were impacted or not," he says.

This awareness, Brown adds, can help in building a system that tends toward perfection, where organizations can identify vulnerabilities faster and deal with them decisively before malicious actors can exploit them. It's also an important metric as enterprises edge closer to the zero-trust maturity model prescribed by the Cybersecurity and Infrastructure Security Agency (CISA).

Brown says he is hopeful these lessons from the SolarWinds hack will aid enterprise leaders in their quest to secure their pipelines and remain battle-ready in the ever-evolving cybersecurity war.

Nearly 3 Years Later, SolarWinds CISO Shares 3 Lessons From the Infamous Attack

Increasing complexity in IT continues to lead to breaches and compromises, highlighting the need for more holistic approaches to cyber protection.

**SCHAFFHAUSEN, Switzerland, Aug. 24, 2022** (GLOBE NEWSWIRE) — Today, Acronis, a global leader in cyber protection, unveiled its midyear cyber threats report, conducted by Acronis' Cyber Protection Operation Centers, to provide an in-depth review of the cyber threat trends the company's experts are tracking. The report details how ransomware continues to be the No. 1 threat to large and midsize businesses, including government organizations, and underlines how overcomplexity in IT and infrastructure leads to increased attacks. Nearly half of all reported breaches during the first half of 2022 involved stolen credentials, which enable phishing and ransomware campaigns. Findings underscore the need for more holistic approaches to cybersecurity.

To extract credentials and other sensitive information, cybercriminals use phishing and malicious emails as their preferred infection vectors. Nearly 1% of all emails contain malicious links or files, and more than one-quarter (26.5%) of all emails were delivered to the user's inbox (not blocked by Microsoft365) and then were removed by Acronis email security.

Moreover, the research reveals how cybercriminals also use malware and target unpatched software vulnerabilities to extract data and hold organizations hostage. Further complicating the cybersecurity threat landscape is the proliferation of attacks on nontraditional entry avenues. Attackers have made cryptocurrencies and decentralized finance systems a priority of late. Successful breaches using these various routes have resulted in the loss of billions of dollars and terabytes of exposed data.

These attacks are able to be launched due to overcomplexity in IT, a common problem throughout businesses as many tech leaders assume more vendors and programs lead to improved security when the inverse is actually true. Increased complexity exposes more surface area and gaps to potential attackers, keeping organizations vulnerable to potentially devastating damage.

"Today's cyber threats are constantly evolving and evading traditional security measures," said Candid Wüest, Acronis VP of Cyber Protection Research. "Organizations of all sizes need a holistic approach to cybersecurity that integrates everything from anti-malware to email-security and vulnerability-assessment capabilities. Cybercriminals are becoming too sophisticated and the results of attacks too dire to leave it to single-layered approaches and point solutions."

**Critical Data Points Reveal Complex Threat Landscape**  
As reliance on the cloud increases, attackers have homed in on different entryways to cloud-based networks. Cybercriminals increased their focus on Linux operating systems and managed service providers (MSPs) and their network of SMB customers. The threat landscape is shifting, and companies must keep pace.

Ransomware is worsening, even more so than we predicted.

Ransomware gangs, like Conti and Lapsus$, are inflicting serious damage.

The Conti gang demanded $10 million in ransom from the Costa Rican government and has published much of the 672 GB of data it stole.

Lapsus$ stole 1 TB of data and leaked credentials of over 70,000 NVIDIA users. The same gang also stole 30 GB worth of T-Mobile's source code.

The U.S. Department of State is concerned, offering up to $15 million for information about the leadership and co-conspirators of Conti.

The use of phishing, malicious emails and websites, and malware continues to grow.

Six hundred malicious email campaigns made their way across the internet in the first half of 2022.

58% of the emails were phishing attempts.

Another 28% of those emails featured malware.

The business world is increasingly distributed, and in Q2 2022, an average of 8.3% of endpoints tried to access malicious URLs.

More cybercriminals are focusing on cryptocurrencies and decentralized finance (DeFi) platforms. By exploiting flaws in smart contracts or stealing recovery phrases and passwords with malware or phishing attempts, hackers have wormed their way into crypto wallets and exchanges alike.

Cyberattacks have contributed to a loss of more than $60 billion in DeFi currency since 2012.

$44 billion of that vanished during the last 12 months.

Unpatched vulnerabilities of exposed services is another common infection vector — just ask Kaseya. To that end, companies like Microsoft, Google, and Adobe have emphasized software patches and transparency around publicly submitted vulnerabilities. These patches likely helped stem the tide of 79 new exploits each month. Unpatched vulnerabilities also tie into how overcomplexity is hurting businesses more than helping, as all these vulnerabilities serve as additional potential points of failure.

**Breaches Leave Financial, SLA Distress in Their Wake**  
Cybercriminals often demand ransoms or outright steal funds from their targets. But companies do not suffer challenges only to their bottom lines. Attacks often cause downtime and other service-level breaches, impacting a company's reputation and customer experience.

In 2021 alone, the FBI attributed a total loss of $2.4 billion to business email compromise (BEC).

Cyberattacks caused more than one-third (36%) of downtime in 2021.

The current cybersecurity threat landscape requires a multilayered solution that combines anti-malware, EDR, DLP, email security, vulnerability assessment, patch management, RMM, and backup capabilities all in one place. The integration of these various components gives companies a better chance of avoiding cyberattacks, mitigating the damage of successful attacks, and retaining data that might have been altered or stolen in the process.

You can download a copy of the full Acronis Midyear Cyberthreats Report 2022 and learn more here.

**About Acronis:**

Acronis unifies data protection and cybersecurity to deliver integrated, automated cyber protection that solves the safety, accessibility, privacy, authenticity, and security (SAPAS) challenges of the modern digital world. With flexible deployment models that fit the demands of service providers and IT professionals, Acronis provides superior cyber protection for data, applications, and systems with innovative next-generation antivirus, backup, disaster recovery, and endpoint protection management solutions powered by AI. With advanced anti-malware powered by cutting-edge machine intelligence and blockchain-based data authentication technologies, Acronis protects any environment — from cloud to hybrid to on-premises — at a low and predictable cost.

Founded in Singapore in 2003 and incorporated in Switzerland in 2008, Acronis now has more than 2,000 employees in 34 locations in 19 countries. Acronis Cyber Protect solution is available in 26 languages in over 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.

Acronis' Midyear Cyberthreats Report Finds Ransomware Is the No. 1 Threat to Organizations, Projects Damages to Exceed $30 Billion by 2023

Avoid the disconnect between seeing the value in threat modeling and actually doing it with coaching, collaboration, and integration. Key to making it "everybody's thing" is communication between security and development teams.

Threat modeling is a highly effective means of securing software and applications, yet very few organizations actually do it. In today's computing and security environment, however, threat modeling is more necessary than ever.

Cloud-based distributed systems and cross-functional, agile software development teams have replaced monolithic systems built and operated by siloed teams. Along the way, software has become much more complex — and so have the threats. Threat actors have changed tactics to get around traditional means of detection. Many attacks no longer deliver malware, for example, instead focusing on credential compromises. And attackers can sit inside company networks for months before acting. IBM's "Cost of a Data Breach Report" found that it takes an average of 287 days for organizations to identify and contain a breach.

Companies do recognize the need. A 2021 Security Compass study found that 79% of the midsize and large enterprises view threat modeling as a priority, but only 25% conduct modeling during the early design phases. And only 10% perform threat modeling on 90% of the applications they develop.

As an industry, we need to make threat modeling a standard practice in software development, introduced in a way that both development and security teams can work with, and implemented in a way that shows positive results and improvement over time. And it all starts with a word you might not hear a lot in IT ops and security circles: empathy.

**A Cultural Change**

There are a number of reasons for the disconnect between seeing the value in threat modeling and actually doing it, including a lack of communication between security and development teams, and a tendency to give up on threat modeling if initial efforts become muddled and don't produce the desired results.

Too often, security teams can look at applying security controls as a one-way street between them and development teams, as simply a matter of telling developers what to do. But that's starting off on the wrong foot. Organizations need to recognize that each team has skills that the other can learn from. After all, if you put a security pro in the developer space, they'd be lost.

Changing this mindset requires a cultural shift, and it starts with viewing empathy as a value proposition. The human side of this needs to come to the forefront, getting more people involved in enriching our knowledge. Security teams need to appreciate the environment developers work in, under pressure to develop and deliver software rapidly. Dev teams can help security teams understand frameworks such as containers and how to control access, knowledge which can be applied to security policies.

When teams get collaboration going back and forth, they're learning from each other. It will take time to get to that point. It might start in meetings or a process integration, perhaps working through a bit of trial-and-error, and eventually move into tool integration. When they get to the level of maturity where everybody has a basic understanding of each other's domains, they can then move to more advanced levels of threat modeling, such as modeling knowledge bases and creating graphs of concepts that map together.

But it needs a stable process, or it gets expensive and chaotic, resulting in messy people issues.

**3 Steps to Better Threat Modeling**

There are three key elements to creating a collaborative atmosphere.

**Coaching****:** This helps developers understand the importance of threat modeling. It can start with onboarding new employees. Regardless of their background and certifications, don't assume they know how security is handled at your company. Make sure they understand the culture.

**Collaboration****:** A culture of cooperation and collaboration begins with a company's leadership, with a CISO having the attitude of wanting to serve the teams. It can take time, but it should be modeled at the leadership level.

**Integration****:** The elements of cooperation come together working on integrations, which is an ongoing process. The goal isn't perfection, but to improve and evolve over time.

A key to making this approach work is applying metrics, specifically by looking at outcomes, such as "reducing vulnerabilities" — as opposed to trying to grade the details of how individuals work. Outcomes are not a developer or security thing, it's everybody's thing.

I've found in my experience that it's useful to have clear 30-, 60-, and 90-day plans, describing the expected outcome at each stage. The plans should demonstrate incremental growth and be done collaboratively. If These outcomes should be measured, or you end up drifting aimlessly.

**Empathy Is the Key**

As a security community, it's our responsibility to help developers embrace threat modeling. It's not us versus them. We need to get them to think about security, and threat modeling, as part of an integrated approach that evolves over time.

Empathy as a management technique can help create that environment. Some people may think empathy means no accountability — that understanding someone's position and thoughts is somehow soft — but it actually produces the opposite result. It develops the collaboration that we so desperately need.

Why Empathy Is the Key to Better Threat Modeling

Three of the world's leading browsers were measured for phishing and malware protection, with time to block and protection over time as key metrics in test scores.

**AUSTIN, Texas – Aug. 16, 2022** — CyberRatings.org, the nonprofit entity dedicated to providing transparency on cybersecurity product efficacy, has published the results of its 2022 Web Browser Security Test. Google Chrome, Microsoft Edge, and Mozilla Firefox were tested for Phishing Protection and Malware Protection running on Windows 10 and 11.

The Malware tests ran for 24 days with 96 discrete test runs. Phishing tests ran for 20 days with 80 discrete test runs. The reports include measurements of protection against fresh new attacks, consistency of protection over time, and how effective the browser protection was overall.

The ability to warn potential victims that they are about to land on a malicious website or click on a suspicious URL puts web browsers in a unique position to protect the user from an attack. Websites that trick users into downloading malware and phishing campaigns often used for criminal activity have short lifespans, so it is essential that the URL is discovered and added to the reputation system as quickly as possible. A good reputation system must be both accurate and fast to achieve high catch rates.

"Phishing attacks pose a significant risk to individuals and organizations by threatening to compromise or acquire sensitive personal and corporate information," said Vikram Phatak, CEO of CyberRatings.org. "Phishing and Ransomware attacks continue to rise year over year. Consumers should not override the warnings offered by their web browser protection but instead take advantage of the free offering."

*   Malware protection:

*   Microsoft Edge – 97.0%
*   Google Chrome – 88.4%
*   Mozilla Firefox – 84.6%

*   Phishing protection:

*   Microsoft Edge – 91.6%
*   Mozilla Firefox – 90.0%
*   Google Chrome – 89.6%

*   Average time to block a URL from malware:

*   Microsoft Edge 0:56:51
*   Google Chrome 4:46:39
*   Mozilla Firefox 5:18:40

*   Average time to block a phishing URL:

*   Microsoft Edge 0:44:07
*   Mozilla Firefox 1:23:37
*   Google Chrome 2:19:13

The Comparative Test Reports provide detailed results for each product. As a service to the community, CyberRatings.org is providing these reports for free.

**The following browsers were tested:**  

*   Google Chrome: Version 101.0.1210.53 - 102.0.5005.115
*   Microsoft Edge: Version 101.0.1210.47 - 102.0.1254.39
*   Mozilla Firefox: Version 100.0.1 - 101.0.1

**Additional Resources**

*   Follow CyberRatings.org on Twitter
*   Follow CyberRatings.org on LinkedIn

**About CyberRatings.org**

CyberRatings.org is a nonprofit 501(c)6 entity dedicated to quantifying cyber-risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CyberRatings.org Announces New Web Browser Test Results for 2022

New research report reveals financial organizations are failing to act despite majority experiencing a firmware-related breach.

**Portland, Ore. – Aug. 23, 2022** – Eclypsium® and Vanson Bourne today released a new report that reveals the financial sector is ill-equipped to effectively tackle the ongoing threat of firmware-related supply chain attacks. In fact, 92% of CISOs in finance believe adversaries are better equipped at weaponizing firmware than their teams are at securing it. Additionally, three out of four acknowledge gaps in awareness concerning the organization's firmware blind spot. Consequently, 88% of those surveyed admit to experiencing a firmware-related cyberattack in the last two years alone.

The Firmware Security in Financial Services Supply Chains report shares insights from 350 IT security decision-makers in the financial sector, specifically those based in the US, Canada, Singapore, Australia, New Zealand, and Malaysia. The findings not only expose the state of firmware security and the lack of preventive controls or remediation tactics, but also shed light on the complacency and lack of awareness regarding current security measures. More alarming is the consensus around little-to-no dedicated investment or resources, and general lack of skills to tackle one of the biggest threats in cybersecurity today. Data shows:

*   Over half (55%) were victims of a firmware-level compromise more than once in the past two years.
*   Almost four in 10 rate data loss (and a GDPR breach) as the leading consequence for an attack; equally ranked is the fear of losing critical security controls.
*   Destruction of critical devices (35%), customer loss (34%) and adversary access to other devices (34%) were all equally noted as a detrimental impact following a firmware-related attack.

"Financial Services organizations are leading targets of cyberattacks. That explains why they are vanguards for adopting new protection technologies, all while under the constant watchful eye of regulators and other industries waiting to follow their lead as they strive to combat ever evolving attack vectors. Yet in the case of securing firmware and the hardware supply chain, we are seeing potential blind spots," said Ramy Houssaini, Global Cyber Resilience Executive. "A shift in priorities is critical if we are going to effectively protect the technology supply chain. Financial organizations must continue to serve as trailblazers and close the firmware security gap."

**Financial Organizations Lack Firmware Risk Insights to Act**

According to the National Institute of Standards and Technology (NIST), firmware level attacks have soared by 500% since 2018, yet 93% of respondents are surprised by the lack of insight into current firmware threats. In the last eight months alone, Eclypsium Research has uncovered major in-the-wild threats, including Intel ME attacks by the Conti ransomware group. Unfortunately, the lack of insight stems from considerable gaps in knowledge of firmware and the supply chain. In fact:

*   Slightly over half (53%) know that their security controls (firewalls, access controls, etc.) rely on firmware, 44% are aware when asked the same question about laptops, leaving 56% uninformed.
*   47% believe they have total awareness of their organization's overall firmware attack surface, 49% are mostly aware. Only 39% say they would be immediately informed if a device had been compromised.

Despite the perceived knowledge, 91% are concerned about the gap in firmware security in their organization's supply chain.

**Misconceptions, Limited Funds and Lack of Skills/Resources are Driving Surge**

Firmware is the most fundamental component of any device and thus, the overall supply chain, yet it remains the most overlooked and dismissed part of the technology stack — creating a perfect catalyst for an attack. Four in five agree that firmware vulnerabilities are on the rise and close to all (93%) state that securing firmware should be an urgent priority. To move the needle, financial organizations nearly unanimously believe an increase in investment and resources is imperative. Positively, respondents anticipate an 8.5% increase in IT security budget dedicated to firmware in the next 1-2 years. In addition to these factors for success, these organizations must also dispel myths around current technologies and methods that are creating a false sense of security, such as:

*   Vulnerability management solutions (81%) and/or their endpoint detection and response (EDR) programs can identify firmware vulnerabilities and assist in remediation (83%).
*   Threat modeling exercises are a reliable source of knowledgeable insight into potential firmware gaps, according to 37% of respondents, 57% state using the process some of the time. Interestingly, 96% report their organization's threat modeling exercises do not match today's threat landscape.
*   12 hours is the average time for IT teams to respond to a firmware-based attack, with respondents attributing lack of knowledge (39%) and limited resources (37%) as the top reasons for the unduly length of time. 71%, though, claim budget is not a factor.

"Based on the onslaught of firmware-related attacks over the recent months, it's evident that adversaries are not having to work hard enough to exploit flaws in the technology supply chain. Unfortunately, our research data represents a regression that is purely driven by lack of awareness and the inaction driven by 'out of sight, out of mind,' " said Yuriy Bulygin, CEO and Co-Founder of Eclypsium. "New government directives and initiatives such as CISA's Known Exploited Vulnerabilities Catalog and its Binding Operational Directive are calls for immediate action to better safeguard the critical firmware layer of the supply chain. Progression might be slow, but we are moving in the right direction."

**ABOUT ECLYPSIUM**

Eclypsium's cloud-based platform identifies, verifies, and fortifies firmware in laptops, servers, network gear, and connected devices. The Eclypsium platform secures your device supply chain by monitoring devices for threats, critical risks, and patching firmware across the entire device fleet. For more information, visit eclypsium.com.

**About Vanson Bourne**

Vanson Bourne is an independent specialist in market research for the technology sector. Their reputation for robust and credible research-based analysis is founded upon rigorous research principles and their ability to seek the opinions of senior decision makers across technical and business functions, in all business sectors and all major markets. For more information, visit www.vansonbourne.com.

Report: Financial Institutions Are Overwhelmed When Facing Growing Firmware Security and Supply Chain Threats

Almost half of teams develop and deploy software using a DevSecOps approach, but security remains the top area of investment, a survey finds.

Software developers and operations teams continue to adopt DevOps and other agile methodologies as well as automation and low-code services, but they still struggle with security, the fallout of the COVID-19 pandemic, and a shortage of skilled security workers, according to a newly published annual survey from GitLab.

DevSecOps results in better code quality, higher developer productivity, and improved operational efficiency, according to the survey of more than 5,000 software developers, operations specialists, and application security professionals. Security still is a problem, however. While more than half (57%) of those surveyed considered security to be a performance metric, nearly the same number said it was "difficult to get devs to actually prioritize fixing code vulnerabilities."

The survey conducted by the toolchain provider underscores that all participants in the development and deployment process still need to improve the communications and relationships between groups, says Johnathan Hunt, vice president of information security and cybersecurity at GitLab.

"Getting developers and security professionals to work better together requires a culture-first approach to software development through the creation of a DevOps culture," Hunt says. "A DevOps platform lends itself well to this approach by granting organizations seamless collaboration across DevSecOps teams, shared ownership of security and compliance, and strategic uses of technologies such as automation and AI/ML."

**Mix and Match**

The survey found that no single dominant approach to software development exists, and most teams use a mix of approaches. While a majority of development teams (47%) used DevOps and DevSecOps, other agile approaches accounted for significant shares as well: 34% of teams used Scrum, 24% used Kanban, and 29% used Lean methodologies. Teams even expanded their use of Waterfall development, with more than a quarter (26%) adopting that approach.

"DevOps teams are not limiting themselves to any one way of working," Hunt says. "They are flexible and willing to adjust their approaches to meet various business and project needs."

The increase in agile approaches to software development and deployment has resulted in faster deployment of software. Seven in 10 survey respondents said their teams deploy at least once every few days or more frequently, a jump of 11 points from 2021. Integrating automated testing, deployment, and security controls into the development pipeline is a key factor in speeding application deployment, with nearly half (47%) of teams asserting that their testing is fully automated today, up from 25% in 2021.

The adoption of low-code and no-code APIs for development has also made teams more efficient. Two-thirds (66%) of survey takers are using at least one low-code or no-code tool in their DevOps practice, a significant increase from the 25% of those surveyed in 2021.

Yet the expanding number of options for development, deployment, and securing of software has resulted in more confusion, leading DevOps teams to look to simplify their pipeline and toolsets, GitLab's study found. While 44% of DevOps teams use two to five tools to manage the software development process, 41% use between six and 10 tools.

"That's a lot of tools, and 69% of survey takers told us they'd like to consolidate their toolchains," GitLab stated in the survey report.

**AI and Machine Learning 'On the Rise'**

Artificial intelligence and machine-learning technologies have seen mixed adoption among developers and application-security specialists. While AI/ML is at the bottom of the list of priorities for developers' future careers, a majority of security pros (54%) said AI/ML will help them most in their future careers. AI/ML particularly suits the security domain. For example, AI/ML systems can be trained to detect and respond to threats, generate alerts, and trigger rule sets.

"But AI/ML is far from falling off of developers' radars. In fact, its use is on the rise," Hunt says, adding: "This is especially helpful when it comes to detecting and defending against attacks and malicious actors, since security professionals cannot watch every packet and connection that transverses a network."

Security continues to take a larger role in the software development pipeline, with 57% of companies shifting security responsibility "left" and making developers more responsible for the vulnerabilities in their code. Yet there is still a ways to go, with a significant number of developers blaming security for delays and the division of responsibility for software security very much in flux.

"While dev and ops are taking on a larger share of security ownership, it's not so straightforward on the sec team," GitLab stated in the report. "In 2020 and 2021, the percentage of security pros who said they were fully responsible for security was roughly the same as those who said everyone was responsible."

DevSecOps Gains Traction — but Security Still Lags

M&A activity in the identity and access management (IAM) space has continued at a steady clip so far this year.

Two recent financial transactions worth billions — both involving private equity firm Thoma Bravo — have highlighted the continued and strong interest among investors and other technology vendors in the identity and access management (IAM) market.

Thoma Bravo last week completed its previously announced purchase of identity security services provider SailPoint Technologies in an all-cash transaction valued at around $6.9 billion. At completion of purchase, the company was delisted from the New York Stock Exchange and stockholders were entitled to receive $65.25 in cash per share of the company's common stock. SailPoint is now a privately held entity.

Earlier this month, Thoma Bravo also announced its intention to acquire federated ID management firm Ping Identity for $2.8 billion. That transaction is expected to close in the fourth quarter. At that time, Ping, too, will go from being a publicly listed company to a private entity under the Thoma Bravo umbrella. Ping's current stockholders will receive $28.50 in cash per share of common stock.

**Substantial Premiums**

Thoma Bravo paid a substantial premium for both firms. The $65.25 per share of common stock that it offered for SailPoint when it first announced plans to acquire the firm in April represented a more than 31% premium on SailPoint's share price at the time. Similarly, Thoma Bravo's offer for Ping Identity represented a premium of more than 63% of the identity vendor's closing share price at the time of the offer in early August.

The premiums reflect the growing value that investors and other technology firms have begun attaching to IAM firms over the past two years. Much of it is being driven by the realization that companies moving to the cloud and supporting more distributed workforces also require new approaches to IAM.

**Cloud Migration Driving IAM Demand**

"Identity is core to digital transformation," says Richard Stiennon, chief research analyst at IT-Harvest. "Enterprises are looking closely at identity because they are moving to a zero-trust approach as they transition to the cloud."

Stiennon says that as enterprises move to the cloud, there is an opportunity for them to consolidate their IAM platforms. New and simpler ways to handle identities and authentication have become available which give enterprise organizations a way to consolidate their identity infrastructures in the cloud, he says.

Accelerated cloud adoption is also giving identity-security vendors a window of opportunity to broaden their footprint in a market that Microsoft has dominated since introducing Active Directory more than two decades ago, Stiennon notes. 

"Thoma Bravo is making opportunistic moves," he says, adding that a recent and general decline in cybersecurity stock valuations has created a great buying opportunity for the company.

"It raised a $22.8 billion fund two years ago, and it is putting that capital to work" through strategic investments like those involving SailPoint and Ping, he says.

**Near Doubling of Market Size in Next Five Years**

MarketsandMarkets has estimated that global demand for IAM technologies will grow from around $13.4 billion in 2022 to some $25.6 billion by 2027. The market research firm has identified several factors as driving this growth including the aforementioned proliferation of cloud-based IAM technologies and services, rapid adoption of hybrid cloud models, and an overall increase in cybersecurity spending post-COVID-19. 

Others, such as Jupiter Research, have estimated similar growth. The analyst firm has predicted that the IAM market will top $26 billion in 2027, driven largely by purchases by small businesses that hitherto have not made big investments in IAM platforms. The growing proliferation of relatively inexpensive software-as-a-service (SaaS) and cloud subscription services for identity management is making it possible for this segment to make these new investments, the research firm said.

Thoma Bravo's latest acquisitions add to the rapid growing portfolio of cybersecurity vendors that the private equity firm now owns. Other major acquisitions in the last few years include Proofpoint, McAfee, LogRhythm, Imperva, Sophos, and Veracode.

However, the company is just one of several that have snapped up IAM vendors just this year alone. Examples of others who have made similar investments include Vectra AI's purchase of identity security and cloud posture management vendor Siriux Security Technologies in January; SentinelOne's March purchase of Attivo Networks for $616 million in cash; and Avast's purchase of SecureKey for an undisclosed sum in April.

Stiennon says there has also been substantial funding activity in the IAM space. So far this year, there has been a total of $1.4 billion invested in 18 identity vendors, he says. 

"Last year saw $2.8 billion in 44 companies, and 2020 saw $2.6 billion in 48 vendors. I expect the pace of investments in IAM to continue at current levels or increase over the next two years," he says. Stiennon estimates there are some 400 vendors in the identity space overall currently. Forty of them have more than 400 employees.

Thoma Bravo Buying Spree Highlights Hot Investor Interest in IAM Market

Lawmakers and cybersecurity insiders are reacting to a bombshell report from former Twitter security head Mudge Zatko, alleging reckless security lapses that could be exploited by foreign adversaries.

Twitter's former head of security has blown the whistle on what he characterizes as sprawling cybersecurity weaknesses, including vulnerabilities that could lay the social media platform open to cyberattacks that could have major national-security implications.

That's the allegation from Peiter "Mudge" Zatko, who sent a 200+-page disclosure to Congress detailing issues that he claims could allow foreign manipulation of users, account hacking and espionage, and disinformation campaigns ahead of the 2022 US midterm elections.

The disclosure, obtained exclusively by CNN and The Washington Post, most explosively alleges that the tech giant has one or more employees that are actually plants working for foreign intelligence, and that top execs have actively engaged in a cover-up of Twitter's serious security holes.

Zatko, who has a decades-long history and reputation in the ethical hacking space, laid out an internal scene where mismanagement and a lack of cohesive security oversight allows over-permissioned access to the company's most sensitive information and control platforms, while bots (disinformation-focused and otherwise) run amok and corporate leadership looks the other way. To boot, Zatko said that Twitter CEO Parag Agrawal told him to make his reports on Twitter's security problems rosier than they deserved to be, and that he was directed to omit damning data in order for the company to appear to be making progress on the security and privacy fronts.

When it comes to privacy, Zatko also alleged that Twitter does not steward user information well, often losing track of it or not deleting data when it's required to do so (such as when a user cancels an account).

The allegations certainly fall in the "bombshell" category, but some in the security community are unsurprised by the claims, especially given the infamous compromise of verified accounts in 2020 by an attacker who was able to access Twitter's internal control platforms.

"From research that I coordinated after the 2020 incident, it was obvious that Twitter did not have appropriate privileged user management controls nor separation of duty policies for developers and administrators of their systems," says Aaron Turner, chief technology officer of SaaS Protect at Vectra. "If Mudge's disclosure is correct, that Twitter has a significant system hygiene problem combined with the user management controls and policies, then Twitter's entire platform is at risk of compromise."

For its part, Twitter denies the allegations and claims Zatko should be discredited given that he was fired in January for "poor performance."

"Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance," a Twitter spokesperson told CNN. "Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

Agrawal weighed in on Tuesday, saying in a corporate memo posted on Twitter that the company is reviewing the claims. "What we've seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context," he wrote.

**Lawmakers, Cybersecurity Community React**

Where the truth lies could come to light sooner rather than later, given that Zatko's report has gotten the attention of lawmakers on both sides of the aisle. Senate Judiciary Chair Sen. Dick Durbin (D-Ill.) said that he will "take further steps as needed to get to the bottom of these alarming allegations. …The claims I've received from a Twitter whistleblower raise serious national security concerns."

Sen. Chuck Grassley (R-Iowa), ranking member of the Judiciary Committee, told CNN that the allegations should raise very loud alarm bells.

"Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure, and infuse it with foreign state actors with an agenda, and you've got a recipe for disaster," he said. "The claims I've received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further.”

Casey Ellis, founder and CTO at Bugcrowd, said the scrutiny will hopefully prompt a larger discussion around how much oversight, scrutiny, and regulation that social media platforms should have.

"I can't speak to the specifics of the disclosures themselves, but I’m definitely pleased to see this prompting a discussion around the critical infrastructure characteristics of social media platforms and the implications this has on security and privacy — especially as the US approaches midterms and sets itself up for the 2024 election. It seems clear that this categorization as critical infrastructure is something Twitter and other social platforms wish to avoid, but it is a conversation we need to have."

Meanwhile, members of the cybersecurity community have rallied around Zatko, pointing to his character and track record for integrity.

"Mudge has a long and rock-solid reputation of putting integrity first. He's also one of those infosec elders who rarely sticks their neck out to make a fuss, but when they do it's almost certainly worth paying attention to," Ellis tells Dark Reading. "This dates back to the L0pht testimony in 1998, which was a warning to Congress about computer insecurity well before its time. Judging by the way the infosec community has closed ranks around Mudge this morning, others clearly feel the same way. Infosec doesn't suffer fools and has a keen eye for sensationalism, and I think the reaction today speaks very strongly to both his character and the claims themselves."

Turner echoes those sentiments.

"I've known Mudge since his days at Cult of the Dead Cow," says Turner. "When I was at Microsoft, he and the @stake team helped us fundamentally improve our security strategy and tactics. As I've worked across government projects over the last 20 years, I would say that his work at DARPA made a significant difference in the way that the US government approached cybersecurity. He has always had the highest level of integrity and also adheres to the highest technical standards of development and operation of systems. If Mudge says that Twitter has cybersecurity problems, Twitter has some big problems."

Twitter did not immediately respond to a request for comment from Dark Reading on the allegations.

Mudge Blows Whistle on Alleged Twitter Security Nightmare

Integrated solution offers enterprises modern regulatory compliance safeguards while simplifying corporate legal protection practices.

**Sunnyvale, Calif., Aug. 23, 2022** — Proofpoint Inc., a leading cybersecurity and compliance company, today announced the launch of its Intelligent Compliance Platform, offering enterprises modern regulatory compliance safeguards while simplifying corporate legal protection practices. The platform leverages Proofpoint's proprietary machine learning engine to provide business leaders with AI-powered collection, classification, detection, prevention, search, eDiscovery, supervision, and next generation predictive analytics while meeting complex compliance and information governance obligations.

Proofpoint's AI and machine learning technology transforms the modern-day compliance world, improving efficacy and efficiency through automation. The platform enables intuitive compliance, insider risk, and data management controls to classify and predict risks across a wide array of digital communications channels, files, email, and endpoint activities. This enables Compliance, IT, Information Management, and Legal teams to gain visibility and access information with superior fidelity and context to growing volumes of enterprise data, while detecting and preventing corporate and regulatory risks in real time.

"We understand today's organizations are overwhelmed with growing volumes of data that are incredibly difficult to manage. For Compliance and Legal staff, that means having to manually search and review petabytes of messages or files from regulatory compliance, supervisory, or investigation review queues," said Kevin Leusing, senior vice president and general manager, Compliance at Proofpoint. "The new Intelligent Compliance Platform vastly improves the detection of non-compliant communications and content while quickly pinpointing supervised insider risks."

The new Intelligent Compliance Platform is powered by several Proofpoint leading solutions:

*   **Proofpoint Capture****:** Modernizes data collection from the most critical and popular communications collaboration platforms.
*   **Proofpoint Patrol****:** Ensures full compliance and reputation protection from employee social media accounts by monitoring, remediating, and reporting on social media policy violations at scale with intelligent classifiers, automated workflows, and intuitive reporting.
*   **Proofpoint Track****:** Provides complete visibility into your capture stream, so you can ensure that collected communications are received by downstream services such as repositories and supervision tools.
*   **Proofpoint Archive****:** Simplifies storage, search, legal discovery, supervisory, and end-user data access through a cloud-first archive that provides a secure and scalable central repository.
*   **Proofpoint Discover****:** Makes e-discovery and case management easy with a built-in, high-performance search, advanced dashboards and visualizations, no-cost export, and legal hold.
*   **Proofpoint Supervision**: Satisfies corporate and regulatory compliance requirements by supervising regulated employees and leveraging hundreds of advanced detection scenarios to detect timely communications risks.
*   **Proofpoint Automate****:** Applies market-leading machine learning to your security and compliance stack to help significantly reduce false positives in your data collection, monitoring, search, discovery, and supervisory activities.

Existing customers can leverage the Proofpoint Intelligent Compliance Platform in two ways. For efficiency, compliance and legal teams can reduce supervised communications content review time by up to 84%. For effectiveness, sentiment analysis of communications data and a variety of machine learning models enable early detection of organizational behavioral misconduct to protect customers from insider risks and regulatory fines.

**Customer benefits include:**

*   **Unified Data Collection and Preservation:** Customers can easily manage content from communication platforms including Microsoft Teams, Zoom, Meta, LinkedIn, Slack, Instagram, and Twitter. API-based content collection is automatically centralized with an extensible platform that consumes all data types, including audio, video, and text. Content tracking provides a full audit trail where data in transport is reconciled and scanned for anomalies from source to destination.
*   **Automated Risk Detection in Real-Time Digital Communication:** Customers can automate detection of communication trends to pinpoint the source of supervised insider risk. Customers can proactively monitor sensitive data and be alerted as compliance violations occur.
*   **Supervisory Flag Deduplication**: Compliance, IT, and Legal teams can significantly reduce the amount of time spent on data review by bypassing pre-flagged content (such as replies and forwards).
*   **AI-Powered Data Discovery with Case Management:** Customers can track communications data history interactively with advanced visualizations, intelligent conversation threading, and review content in native chat view.

For more information about Proofpoint's Intelligent Compliance Platform, please visit:

https://www.proofpoint.com/us/solutions/enable-intelligent-compliance

https://www.proofpoint.com/us/resources/solution-briefs/intelligent-compliance

**About Proofpoint, Inc.**

Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations' greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyberattacks. Leading organizations of all sizes, including 75% of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube

_Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners._

Source

DARKReading