Malware-laced ads are hauling in tens of millions of dollars in revenue for operators of pirated-content sites — posing a real risk to enterprises from remote employees.

The conventional wisdom about there being no such thing as a free lunch appears to be especially true for those visiting websites offering "free" (read: pirated) movies, TV shows, and other entertainment content.

A joint investigation by the consumer-oriented Digital Citizens Alliance, piracy and brand protection firm White Bullet, and security firm 221B found that most pirate sites generate a substantial portion of their revenues from serving malware-infused ads on the systems of users who visit them.

Many of the advertisers use fear tactics — of a malware infection, for instance — or messages conveying the need for a user to update their antivirus or other software, to try and deceive users into clicking on a malicious ad. The ads are often served as pop-ups or in so-called pop-under fashion behind a browser window. Users who click on the advertisements can often end up downloading ransomware, spyware for tracking their activities, and malware for stealing banking credentials or for bookmarking their compromised system for a future attack.

**Not Just a Consumer-Oriented Threat**

The threat might appear primarily consumer-oriented on the surface, but in an era in which many employees are working from home — often using unmanaged devices and poorly secured networks — what happens on a consumer device can easily spill over into enterprise environments as well. 

"The report's findings show that deceptive ads on piracy sites are driving the spread of malware, including ransomware attacks," says Tom Galvin, executive director of Digital Citizens Alliance. That should be a matter of concern to enterprises that have workers splitting their time between an office and home, he notes.

For such workers, the division between when they are working or playing is increasingly blurred, Galvin says.

"Given that the ads on piracy websites condition visitors to change their device settings to get access to what they want, that poses risks to enterprises," he says. "Workers visiting a piracy website could end up with their device breached, exposing the company to ransomware attacks or risk exposure to confidential information."

The collaborative investigation by Digital Citizens Alliance, White Bullet, and 221B showed that on average, 12% of the ads on websites serving pirated entertainment are malicious ads that generate a minimum of $121 million annually in revenues for the site operator. 

More than half of those revenues, or some $68 million, come from malicious advertisements served to US-based visitors to these sites. The research showed that the top websites that offer pirated and stolen content are raking in $1.08 billion in annual ad revenues.  

**Pirating & Malware: A Willing Alliance**

In many instances, the researchers found ad intermediaries actively facilitating ad placement on pirated sites even though they knew the advertisements were weaponized with different kinds of malware.

The new investigation showed that sites offering pirated content can sometimes profit from legitimate ads on their sites, but instances of ads for reputable companies landing on pirate sites are decreasing because of initiatives that the ad industry has launched in recent years. 

One of the most significant efforts to reduce revenues from legitimate ads for pirate site owners is being spearheaded by a group called the Trustworthy Accountability Group, according to the joint report: "As those efforts have succeeded in reducing revenue from legitimate advertisers, pirate operators appear to be increasingly turning to malvertising facilitated by the bottom feeders of the advertising ecosystem," the report noted.

Pop-under ads, through which malicious activity is hidden under content that a user might expect to see, are particularly lucrative for piracy site operators. These ads accounted for $88 million of the average $121 million in revenues the site operators generate. Click-to-play ads, where users are tricked into clicking on something to stream content, is another favorite tactic and accounts for $21 millions in revenues.

**Cyber-Risks With the New Normal**

The new normal of people working from home has created a target-rich environment for criminals seeking to breach computers, Galvin says. "They may be a consumer one minute and working on behalf of their organization the next," he says. Piracy and specifically many of malicious ads that appear on the sites are crafted to trick users to taking steps that lead to their devices being infected.

"Once that happens, it doesn't matter. Whatever information is on that device is the target of these illicit actors," he warns. "This should be a concern for corporations, nonprofit organizations, and governments that face the growing threat of cyberattack."

Malware on Pirated Content Sites a Major WFH Risk for Enterprises

When an organization fully embraces the cloud, traditional endpoints become disposable. Organizations must adapt their security strategy for this reality.

Traditional endpoint concepts were eroding as a result of mobile device adoption, and cloud sealed the deal. Data is an organization's most valuable asset. When an organization fully embraces the cloud, traditional endpoints become disposable. Modern applications are consumed from any device, anywhere, not just controlled workstations from the confines of a sanctioned data center. Endpoints are more likely to refer to APIs or services, not desktops, laptops, or servers. Organizations must adapt their security strategy for this reality, or they're exposing themselves to risk of incident, breach, or reputational damage.

**Cloud Attack Patterns Are Different**

Attack patterns evolved with cloud adoption and mobilization. Attack patterns that compromise endpoints for persistence are more likely to trigger security monitoring mechanisms and alert security teams. Attackers need not resort to the blunt hammer approach of ransomware infection. They can rely on numerous other methods to compromise credentials, abuse services, and exfiltrate sensitive data that are just as successful and profitable. Examples of attack patterns that never touch an endpoint include:

*   Abusing access credentials for privilege escalation or account takeover (ATO)

*   Compromising digital supply chain elements like application dependencies and repositories

*   Cryptojacking, or maliciously mining cryptocurrency at the organization's expense

*   Exploiting access to liberally permissioned cloud storage services

*   Targeting machine identities rather than user identities

*   Siphoning infrastructure data from cloud provider metadata APIs

Collection and analysis of cloud environment interactions provides context to security teams to enable threat detection and response (TDR) and support digital forensics and incident response (DFIR). Continuous analysis informs baselines for secure configurations and workload behaviors. Deviations from those baselines are environmental drift or potential indicators of compromise. When a series of seemingly interconnected events are part of a complex attack chain, that event must be quickly surfaced so security teams can prioritize an appropriate response. It's a difficult problem to solve in practice because it requires data collection and correlation across heterogeneous environments and technology stacks. Attacks may also traverse on-premises and cloud environments, depending on where targeted data exists or services run.

**Organizations Have Low Success With Traditional Tools**

Organizations implement a number of security technologies to enable SecOps in modern architectures, but they all result in security gaps. Common approaches include:

*   **Network detection and response (NDR):** Network monitoring can work well for traditional environments but not in cloud. Most business traffic flows through cloud services that are external to the organization. You don't own cloud networks fully, so it can't be your source of truth.

*   **Endpoint detection and response (EDR):** Endpoints may not exist at all and workloads only persist for short intervals. Agents, particularly those that are perceived to be heavyweight, aren't technically feasible or create availability concerns. You can't treat a container workload or cloud service like a laptop or Windows workstation.

*   **Extended detection and response (XDR):** A proverbial kitchen sink approach to TDR, XDR was intended to correlate all types of event data. In reality, the XDR tooling shares traditional endpoint roots with focuses on laptops or desktops. It's best to think of EDR as next-generation EDR (NG-EDR).

*   **Security information and event management (SIEM):** The backbone of SecOps, SIEMs unfortunately become a dumping ground for too many logs and event streams. Organizations rely on their SIEM to alert on security events like ransomware or phishing attacks. Storage costs often present an issue, not to mention time wasted by analysts parsing data that may not even be actionable. SOC modernization efforts often emphasize reduction on the number of feeds into SIEM instances to improve signal-to-noise ratio for security events.

**Cloud Detection and Response Addresses Gaps**

Modern application designs, threat evolution, and weaknesses of traditional security approaches have spotlighted the need for different capabilities to support TDR and DFIR. Organizations need augmenting capabilities to succeed in their security strategy. Some in industry have started labeling this new grouping of capabilities cloud detection and response (CDR). Traits of CDR include:

*   Unify visibility across traditional, cloud, and cloud-native environments by ingesting and analyzing host telemetry, workload telemetry, and cloud event sources.

*   Improve mean-time-to-detect (MTTD) security events with automation based on service profiling, flexible and customizable rules, and ML-based detections.

*   Improve mean-time-to-respond (MTTR) with contextualized guidance for the organization's unique environments.

*   Accelerate remediation and repair time with auto-generated "as code" formats like AWS CloudFormation, Terraform, or Kubernetes YAML.

*   Bridge work streams of development, operations, and security teams via API integrations with nonsecurity and SecOps systems.

The current state of SecOps sometimes reminds me of earlier days of application security and infrastructure security, when practitioners first wrestled with digital transformation. DevOps practices put heavy emphasis on automation. We're able to quickly tear down and redeploy secure applications, but SecOps approaches also need to evolve for this reality. CDR capabilities are a path forward for organizations that must maintain security operations in modern architectures.

**About the Author**

    

Michael Isbitski, the Director of Cybersecurity Strategy at Sysdig, has researched and advised on cybersecurity for more than five years. He's versed in cloud security, container security, Kubernetes security, API security, security testing, mobile security, application protection, and secure continuous delivery. He has guided countless organizations globally in their security initiatives and supporting their business. Prior to his research and advisory experience, Mike learned many hard lessons on the front lines of IT with more than 20 years of practitioner and leadership experience focused on application security, vulnerability management, enterprise architecture, and systems engineering.

Will the Cloud End the Endpoint?

Several models of EZVIZ cameras are open to total remote control by cyberattackers, and image exfiltration and decryption.

At least five models of EZVIZ Internet of Things (IoT) cameras are vulnerable to a handful of vulnerabilities that could lead to threat actors accessing, decrypting, and downloading the video from the devices.

EZVIZ is a smart home security brand of cloud-connected hardware used across the globe, offering dozens of IoT security camera models. 

As part of their ongoing research into IoT hardware security, analysts at Bitdefender identified vulnerabilities in at least five EZVIZ camera models, although the team added there could be other affected products as well: 

*   CS-CV248 \[20XXXXX72\] - V5.2.1 build 180403
*   CS-C6N-A0-1C2WFR \[E1XXXXX79\] - V5.3.0 build 201719
*   CS-DB1C-A0-1E2W2FR \[F1XXXXX52\] - V5.3.0 build 211208
*   CS-C6N-B0-1G2WF \[G0XXXXX66\] - v5.3.0 build 210731
*   CS-C3W-A0-3H4WFRL \[F4XXXXX93\] - V5.3.5 build 22012

First, the security researchers identified a stack-based buffer overflow bug that could lead to remote code execution (CVE-2022-2471). In addition, they found an insecure direct object reference vulnerability at several API endpoints that could allow a cyberattacker to take control of the camera, and a third remote bug that lets an attacker steal the encryption key for the video, the researchers added. 

Finally, a local vulnerability, tracked under CVE-2022-2472, lets an attacker take over the device in earnest. 

"When daisy-chained, the discovered vulnerabilities allow an attacker to remotely control the camera, download images and decrypt them," the IoT cybersecurity research team added. "Use of these vulnerabilities can bypass authentication and potentially execute code remotely, further compromising the integrity of the affected cameras." 

EZVIZ started issuing security updates for the cameras affected by the IoT bug starting in June, Bitdefender disclosed.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Popular IoT Cameras Need Patching to Fend Off Catastrophic Attacks

Organizations are thinking about their cyber resilience. Here are five steps security teams should take.

5 Steps to Strengthening Cyber Resilience

Authorities are cracking down on persistent cybercriminal attacks from APTs associated with Iran's Islamic Revolutionary Guard Corps.

Iranian threat actors have been on the radar and in the crosshairs of the US government and security researchers alike this month with what appears to be a ramp-up in and subsequent crackdown on threat activity from advanced persistent threat (APT) groups associated with the Iran's Islamic Revolutionary Guard Corps (IRGC).

The US government on Wednesday simultaneously revealed an elaborate hacking scheme by and indictments against several Iranian nationals thanks to recently unsealed court documents, and warned US organizations of Iranian APT activity to exploit known vulnerabilities — including the widely attacked ProxyShell and Log4Shell flaws — for the purpose of ransomware attacks.

Meanwhile, separate research revealed recently that an Iranian state-sponsored threat actor tracked as APT42 has been linked to more than 30 confirmed cyberespionage attacks since 2015, which targeted individuals and organizations with strategic importance to Iran, with targets in Australia, Europe, the Middle East, and the United States.

The news comes amid growing tensions between the United States and Iran on the heels of sanctions imposed against the Islamic nation for its recent APT activity, including a cyberattack against the Albanian government in July that caused a shutdown of government websites and online public services, and was widely castigated.

Moreover, with political tensions between Iran and the West mounting as the nation aligns itself more closely with China and Russia, Iran's political motivation for its cyber-threat activity is growing, researchers said. Attacks are more likely to become financially driven when faced with sanctions from political enemies, notes Nicole Hoffman, senior cyber-threat intelligence analyst at risk-protection solution provider Digital Shadows.

**Persistent & Advantageous**

Still, while the headlines seems to reflect a surge in recent cyber-threat activity from Iranian APTs, researchers said recent news of attacks and indictments are more a reflection of persistent and ongoing activity by Iran to promote its cybercriminal interests and political agenda across the globe.

"Increased media reporting on Iran's cyber-threat activity does not necessarily correlate to a spike in said activity," Mandiant analyst Emiel Haeghebaert noted in an email to Dark Reading.

"If you zoom out and look at the full scope of nation-state activity, Iran has not slowed their efforts," agrees Aubrey Perin, lead threat intelligence analyst at Qualys. "Just like any organized group their persistence is key to their success, both in the long term and short term."

Still, Iran, like any threat actor, is opportunistic, and the pervasive fear and uncertainty that currently exists due to geopolitical and economic challenges — such as the ongoing war in Ukraine, inflation, and other global tensions — certainly buoys their APT efforts, he says.

**Authorities Take Notice**

The growing confidence and boldness of Iranian APTs has not gone unnoticed by global authorities — including those in the United States, who appear to be getting fed up with the nation's persistent hostile cyber engagements, having endured them for at least the last decade.

An indictment that was unsealed Wednesday by the Department of Justice (DoJ), US Attorney's Office, District of New Jersey shed specific light on ransomware activity that occurred between February 2021 and February 2022 and affected hundreds of victims in several US states, including Illinois, Mississippi, New Jersey, Pennsylvania, and Washington.

The indictment revealed that from October 2020 through the present, three Iranian nationals — Mansour Ahmadi, Ahmad Khatibi Aghda, and Amir Hossein Nickaein Ravari — engaged in ransomware attacks that exploited known vulnerabilities to steal and encrypt data of hundreds of victims in the United States, the United Kingdom, Israel, Iran, and elsewhere.

The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and other agencies subsequently warned that actors associated with the IRGC, an Iranian government agency tasked with defending leadership from perceived internal and external threats, have been exploiting and are likely to continue to exploit Microsoft and Fortinet vulnerabilities — including an Exchange Server flaw known as ProxyShell — in activity that was detected between December 2020 and February 2021.

The attackers, believed to be acting at the behest of an Iranian APT, used the vulnerabilities to gain initial access to entities across multiple US critical infrastructure sectors and organizations in Australia, Canada, and the United Kingdom for ransomware and other cybercriminal operations, the agencies said.

Threat actors shield their malicious activities using two company names: Najee Technology Hooshmand Fater LLC, based in Karaj, Iran; and Afkar System Yazd Company, based in Yazd, Iran, according to the indictments.

**APT42 & Making Sense of the Threats**

If the recent spate of headlines focused on Iranian APTs seems dizzying, it's because it took years of analysis and sleuthing just to identify the activity, and authorities and researchers alike are still trying to wrap their heads around it all, Digital Shadows' Hoffman says.

"Once identified, these attacks also take a reasonable amount of time to investigate," she says. "There are a lot of puzzle pieces to analyze and put together."

Researchers at Mandiant recently put together one puzzle that revealed years of cyberespionage activity that starts as spear-phishing but leads to Android phone monitoring and surveillance by IRGC-linked APT42, believed to be a subset of another Iranian threat group, APT35/Charming Kitten/Phosphorus.

Together, the two groups also are connected to an uncategorized threat cluster tracked as UNC2448, identified by Microsoft and Secureworks as a Phosphorus subgroup carrying out ransomware attacks for financial gain using BitLocker, researchers said.

To thicken the plot even further, this subgroup appears to be operated by a company using two public aliases, Secnerd and Lifeweb, that have links to one of the companies run by the Iranian nationals indicted in the DoJ's case: Najee Technology Hooshmand.

Even as organizations absorb the impact of these revelations, researchers said attacks are far from over and likely will diversify as Iran continues its aim to exert political dominance on its foes, Mandiant's Haeghebaert noted in his email.

"We assess that Iran will continue to use the full spectrum of operations enabled by its cyber capabilities in the long term," he told Dark Reading. "Additionally, we believe that disruptive activity using ransomware, wipers, and other lock-and-leak techniques may become increasingly common if Iran remains isolated in the international stage and tensions with its neighbors in the region and the West continue to worsen."

Unflagging Iranian Threat Activity Spurs Warnings, Indictments From US Government

Solution addresses compliance challenges in complex landscapes

**Ashburn, Va. – September 15, 2022** – Telos Corporation (NASDAQ: TLS), a leading provider of cyber, cloud and enterprise security solutions for the world’s most security-conscious organizations, is pleased to announce a collaboration with IBM Security as part of IBM’s Active Governance Services (AGS) that allows enterprises to operationalize and automate activities and solve challenges in cybersecurity compliance and regulatory risks.

“The number of global, national and local compliance requirements are increasing, which means enterprises now have massive amounts of security controls to implement, test and report on,” said John B. Wood, Telos CEO and chairman. “Telos and IBM Security are excited to address this issue together by leveraging our combined and extensive expertise in IT risk management and compliance to create efficiency out of chaos and offer effective solutions to the audit fatigue issue.”

AGS helps organizations overcome the challenges and costs associated with regulatory compliance, especially audit fatigue. According to a 2020 study, organizations, on average, must comply with 13 different IT security compliance and privacy regulations, which requires a team of 22 dedicated staff members and results in 58 working days per quarter spent responding to audit evidence requests. Beyond audit fatigue, the study also found that 86% of respondents believed compliance is or will be an issue when moving systems, applications, and infrastructures to the cloud.

The AGS solution, available via IBM Security Services, addresses these challenges by combining IBM’s world-class expertise to plan, design, deploy, operationalize, and accelerate cyber compliance and governance programs, and Telos’ Xacta® IT Risk Management platform that automates the most time-consuming aspects of compliance and audit activities like control selection, validation, reporting, and monitoring.

“Every organization must meet compliance, regulatory, contractual, and privacy obligations – no one is exempt. However, individual organizations have different risk appetites, tolerance levels, missions, and goals,” said Dimple Ahluwalia, VP & global managing partner, IBM. “AGS helps take the guesswork out of managing cybersecurity risk and compliance – all with proven technology, techniques, complete visibility, and ongoing expert support. We are thrilled to be working with Telos on this important challenge that faces today’s enterprises.”

The AGS solution, available via IBM Security Services, utilizes strategic planning, responsive compliance reporting, proactive monitoring and automation, all while leveraging existing tools to create a more ordered approach to IT risk management and compliance. The solution is scalable across hybrid, multi-cloud, and on-premises architectures and systems, bringing much-needed peace of mind to those on the front lines of the cybersecurity battle. The power of automation is on full display with AGS, reducing system compliance time up to 90% faster, the time to generate regulatory documentation by up to 70%, as well as the time to research vulnerabilities by up to 90%.

To learn more about AGS, please visit https://www.telos.com/offerings/ibm-active-governance-services-xacta.

**Forward-Looking Statements**

This press release contains forward-looking statements which are made under the safe harbor provisions of the federal securities laws. These statements are based on the Company’s management’s current beliefs, expectations and assumptions about future events, conditions and results and on information currently available to them. By their nature, forward-looking statements involve risks and uncertainties because they relate to events and depend on circumstances that may or may not occur in the future. The Company believes that these risks and uncertainties include, but are not limited to, those described under the captions “Risk Factors” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations” set forth from time to time in the Company’s filings and reports with the U.S. Securities and Exchange Commission (SEC), including its Annual Report on Form 10-K for the year ended December 31, 2021, as well as future filings and reports by the Company, copies of which are available at https://investors.telos.com and on the SEC’s website at www.sec.gov.

Although the Company bases these forward-looking statements on assumptions that the Company’s management believes are reasonable when made, they caution the reader that forward-looking statements are not guarantees of future performance and that the Company’s actual results of operations, financial condition and liquidity, and industry developments, may differ materially from statements made in or suggested by the forward-looking statements contained in this release. Given these risks, uncertainties and other factors, many of which are beyond its control, the Company cautions the reader not to place undue reliance on these forward-looking statements. Any forward-looking statement speaks only as of the date of such statement and, except as required by law, the Company undertakes no obligation to update any forward-looking statement publicly, or to revise any forward-looking statement to reflect events or developments occurring after the date of the statement, even if new information becomes available in the future. Comparisons of results for current and any prior periods are not intended to express any future trends or indications of future performance, unless specifically expressed as such, and should only be viewed as historical data.

**About Telos Corporation**

Telos Corporation (NASDAQ: TLS) empowers and protects the world’s most security-conscious organizations with solutions for continuous security assurance of individuals, systems, and information. Telos’ offerings include cybersecurity solutions for IT risk management and information security; cloud security solutions to protect cloud-based assets and enable continuous compliance with industry and government security standards; and enterprise security solutions for identity and access management, secure mobility, organizational messaging, and network management and defense. The Company serves commercial enterprises, regulated industries and government customers around the world.

Telos Corporation to Help Enterprises Operationalize Cybersecurity Compliance and Regulatory Risks with IBM Security

The entire security team should share in the responsibility to secure sensitive data.

Several recent high-profile instances of data loss serve as cautionary tales for organizations handling sensitive data — including a recent case where the personal data of nearly half a million Japanese citizens was put in a compromising position when the USB drive on which it was stored was mislaid.

Regardless of industry, all businesses handle sensitive data — whether it's storing HR or payroll files that include bank information and Social Security numbers or securely logging payment details. As such, enterprises of all sizes should have a data loss prevention (DLP) strategy in place that encompasses the entire organization. Organizations should update their DLP strategy frequently, to account not only for the evolution of how we store, manage, and move data, but also for advancements in cybercrime.

Some enterprises have added information security professionals to focus exclusively on DLP, but the entire cybersecurity team should share in the responsibility to protect sensitive data. A strong DLP strategy protects customers and maintains the integrity of data operations. Here are some best practices to guide organizations as they work to deploy a new DLP strategy or improve an existing one:

**1\. Know What Data Is Sensitive**

It may be tempting for organizations to apply a universal standard for data security across their business, but putting guardrails up for all information and every process can be an expensive and onerous task. By reviewing the different types of data employees work with and have access to, leaders can determine what data qualifies as sensitive and tailor their organization's strategies to protect the data that matters most. When leaders become familiar with the flow of their organization's data, it allows them to identify the people and departments that need to emphasize cybersecurity measures the most.

**2\. Backup, Backup, Backup**

An ounce of prevention is worth a pound of cure — and when dealing with sensitive data, it may even be worth millions should an organization's data be held for ransom or result in a costly loss of IP. Once businesses have identified the specific types of data deemed sensitive, employees should back it up in multiple places, all under secure protocols. Backups protect against damage from corrupted files and accidental deletion, and they make the company less vulnerable to extortionists who may try to hold data for ransom. Backups on air-gapped storage devices or servers are the most secure as they are physically separated from the Internet and can be properly secured. 

**3\. Empower Your People**

Even the most secure data loss prevention strategy can be foiled by a successful phishing attempt or a password written in plain text. Uninformed employees can fall prey to the latest scam or social engineering, unwittingly exposing their organization's data to bad actors. When leaders empower all levels and people in their organization to be an active part of security efforts, it safeguards against data loss and theft. It's critical to provide consistent training about cybersecurity risks so that employees — from the CIO to the newest intern — are aware of the newest threats to data.

**4\. Consider the Whole Data Journey**

Even when an organization invests to create a highly secure data infrastructure, whenever sensitive data leaves that environment, those protections can unravel. For businesses using a cloud storage solution, sensitive data can be vulnerable as soon as employees use unsecured public Wi-Fi. A robust data security approach should account for all the ways employees share sensitive data, inside and outside of established platforms.

**5\. Have a Rapid Response Plan**

Following data protection best practices can make breaches, hacks, and data loss less likely. However, there's always the possibility that they may happen, so you have to have a plan in place if something does go wrong. By having a plan in place, leaders can act swiftly to mitigate damage. The specifics of each rapid response plan depend on the nature of the data that has been compromised, but a plan may involve starting a data recovery process, remotely revoking access to shared storage solutions, promptly notifying employees or customers of a vulnerability, or alerting the proper authorities or customers that a data breach has occurred. It is important to already have a rapid response team in place to quickly conduct forensics, determine what data may have been compromised, follow laws and regulations about notifications, and also direct the proper resources to ensure the correction of any identified cybersecurity vulnerability.

These best practices provide a strong baseline for how to implement a new DLP plan, and can make existing strategies more resilient and effective. While the specific protocols in a DLP plan should be designed to fit organizations' individual needs, they should always drive toward the same goal: preventing data breaches and maintaining personal and professional privacy.

5 Best Practices for Building Your Data Loss Prevention Strategy

Oversubscribed round validates company's data-first approach to solving cloud security and privacy issues for global businesses thwarting data breaches and ransomwar

**MOUNTAIN VIEW, Calif., Sept. 15, 2022** — Fortanix® Inc., the data-first multicloud security company and the pioneer of Confidential Computing, today announced $90 million in Series C financing bringing the total amount the company has raised to over $122 million. The round was led by the Growth Equity business within Goldman Sachs Asset Management (Goldman Sachs) with participation from GiantLeap Capital as well as the existing investors Foundation Capital, Intel Capital, Neotribe Ventures, and In-Q-Tel. Soumya Rajamani, Vice President at Goldman Sachs, will join Fortanix's board of directors.   

The funding builds upon the significant and sustained growth Fortanix has experienced despite the pandemic and the recent macro-economic conditions. The company has gained customers across multiple verticals including some of the highly regulated industries. Traditional network security led approaches have not been entirely successful in preventing data breaches and ransomware. Regulatory requirements have increased as have penalty amounts. The data-first approach to security advocated by Fortanix tackles this problem head-on by decoupling security from infrastructure, and provides an elegant way to secure data, wherever it is. It further allows organizations to credibly conform to privacy laws and regulatory requirements globally including GDPR, Schrems II, HIPAA, PCI, ITAR and several others.  

"We constantly look for companies with disruptive technologies and have seen the benefits of its data-first approach," said Soumya Rajamani, Vice President at Goldman Sachs. Many businesses can relate to the challenge of data security and privacy, and we are proud to support the Fortanix team in their mission to solve security and privacy.”  

Fortanix's innovative approach, backed by more than 25 patents, has resonated in the market. The company counts dozens of Fortune 500 companies as its customers, as well as several U.S. government agencies. The company experienced more than 500% growth over the past three years, placing it in the top quarter of the annual Inc. 5000 list of the fastest-growing private companies in America for 2022. 

"I am grateful to the new and existing investors for their confidence in the Fortanix team and our technology, and I am thrilled to welcome Soumya Rajamani to our board of directors," said Ambuj Kumar, CEO and co-founder of Fortanix. "Cybersecurity is one of the most important needs of our current era. This fundraise is a strong validation of the massive market opportunity ahead as we execute our bold mission."   

**Strong Company Execution Guides Investor Sentiment**  

This significant round of financing was driven by a number of company momentum factors, including: 

*   A three-year aggregate growth trajectory of 522%, landing on the 2022 Inc. 5000 list of fastest-growing private companies in the U.S. 
*   Employee growth of 70% year-over-year to more than 225 employees 
*   An expanded ecosystem of strategic partnerships that includes over 100 product integrations 
*   More than 125 marquee global customers across major industries, including healthcare, banking, FSI, technology services, cloud providers, and federal agencies 
*   Strong intellectual property base with over 25 patents, underscoring the technical differentiation of Fortanix's data-first approach 
*   Recent expansion of the leadership team, including the additions of the company’s vice president of legal, chief revenue officer and chief marketing officer.  

**Additional Resources:**

*   Learn about the company’s journey inthis conversation with the two founders
*   Explore a new approach to enterprise data security on the Intel Capital blog
*   Read this blog post from Neotribe Ventures
*   Check out this latest blog from Foundation Capital: Fortanix Raises $90M Series C

**About Goldman Sachs Asset Management Growth Equity**  

Bringing together traditional and alternative investments, Goldman Sachs Asset Management provides clients around the world with a dedicated partnership and focus on long-term performance. As the primary investing area within Goldman Sachs (NYSE: GS), we deliver investment and advisory services for the world’s leading institutions, financial advisors and individuals, drawing from our deeply connected global network and tailored expert insights, across every region and market—overseeing more than $2 trillion in assets under supervision worldwide as of June 30, 2022. Driven by a passion for our clients’ performance, we seek to build long-term relationships based on conviction, sustainable outcomes, and shared success over time. Goldman Sachs Asset Management invests in the full spectrum of alternatives, including private equity, growth equity, private credit, real estate, and infrastructure. Since 2003, the Growth Equity business within Goldman Sachs Asset Management comprising more than 75 individuals has invested over $13 billion in companies led by visionary founders and CEOs. We focus exclusively on investments in growth stage and technology-driven companies spanning multiple industries, including enterprise technology, financial technology, consumer, and healthcare.

**About GiantLeap Capital  
**GiantLeap Capital is a next-generation private investment firm focused on investing in technologies that are transforming critical industries at the convergence of physical and digital infrastructure. The firm takes a long-term, thematic approach to provide flexible capital focused on idiosyncratic investment opportunities across growth stages. For more information, please visit https://www.giantleapcapital.com.

**About Fortanix**   
Fortanix secures data, wherever it is. Fortanix’s data-first approach helps businesses of all sizes to modernize their security solutions on-premises, in the cloud and everywhere in-between. Enterprises worldwide, especially in privacy-sensitive industries like healthcare, fintech, financial services, government, and retail, trust Fortanix for data security, privacy and compliance. Fortanix investors include Goldman Sachs, Foundation Capital, Intel Capital, In-Q-Tel, Neotribe Ventures and GiantLeap Capital. Fortanix is headquartered in Mountain View, CA. For more information, visit https://fortanix.com/.

Fortanix Raises $90M in Series C Funding Led by Goldman Sachs Asset Management

Access tokens for other Teams users can be recovered, allowing attackers to move from a single compromise to the ability to impersonate critical employees, but Microsoft isn't planning to patch.

Attackers who gain initial access to a victim's network now have another method of expanding their reach: using access tokens from other Microsoft Teams users to impersonate those employees and exploit their trust.

That's according to security firm Vectra, which stated in an advisory on Sept. 13 that Microsoft Teams stores authentication tokens unencrypted, allowing any user to access the secrets file without the need for special permissions. According to the firm, an attacker with local or remote system access can steal the credentials for any currently online users and impersonate them, even when they are offline, and impersonate the user through any associated feature, such as Skype, and bypass multifactor authentication (MFA).

The weakness gives attackers the ability to move through a company’s network much more easily, says Connor Peoples, security architect at Vectra, a San Jose, Calif.-based cybersecurity firm.

"This enables multiple forms of attacks including data tampering, spear-phishing, identity compromise, and could lead to business interruption with the right social engineering applied to the access," he says, noting that attackers can "tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks."

Vectra discovered the issue when the company's researchers examined Microsoft Teams on behalf of a client, looking for ways to delete users who are inactive, an action that Teams does not typically allow. Instead, the researchers found that a file that stored access tokens in cleartext, which gave them the ability to connect to Skype and Outlook through their APIs. Because Microsoft Teams brings together a variety of services — including those applications, SharePoint and others — that the software requires tokens to gain access, Vectra stated in the advisory.

With the tokens, an attacker can not only gain access to any service as a currently online user, but also bypass MFA because the existence of a valid token typically means the user has provided a second factor.

In the end, the attack does not require special permissions or advanced malware to grant attackers enough access to cause internal difficulties for a targeted company, the advisory stated.

"With enough compromised machines, attackers can orchestrate communications within an organization," the company stated in the advisory. "Assuming full control of critical seats — like a company’s head of engineering, CEO, or CFO — attackers can convince users to perform tasks damaging to the organization. How do you practice phish testing for this?"

**Microsoft: No Patch Necessary**

Microsoft acknowledged the issues but said the fact that the attacker needs to have already compromised a system on the target network reduced the threat posed, and opted not to patch.

"The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network," a Microsoft spokesperson said in a statement sent to Dark Reading. "We appreciate Vectra Protect's partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release."

In 2019, the Open Web Application Security Project (OWASP) released a top 10 list of API security issues. The current issue could be considered either Broken User Authentication or a Security Misconfiguration, the second and seventh ranked issues on the list.

"I view this vulnerability as another means for lateral movement primarily — essentially another avenue for a Mimikatz-type tool," says John Bambenek, principal threat hunter at Netenrich, a security operations and analytics service provider.

A key reason for the existence of the security weakness is that Microsoft Teams is based on the Electron application framework, which allows companies to create software based on JavaScript, HTML, and CSS. As the company moves away from that platform, it will be able to eliminate the vulnerability, Vectra's Peoples says.

"Microsoft is making a strong effort to move toward Progressive Web Apps, which would mitigate many of the concerns currently brought by Electron," he says. "Rather than rearchitect the Electron app, my assumption is they are devoting more resources into the future state."

Vectra recommends the companies use the browser-based version of Microsoft Teams, which has enough security controls to prevent exploitation of the issues. Customers who need to use the desktop application should "watch key application files for access by any processes other than the official Teams application," Vectra stated in the advisory.

Token-Mining Weakness in Microsoft Teams Makes for Perfect Phish

New executive order stops short of mandating NIST's guidelines, but recommends SBOMs for federal agencies across government.

The Biden White House has released a new cybersecurity executive order outlining guidelines for software supply chain security, including the suggestion that federal agency CIOs start requiring documentation of secure development and software bills of materials (SBOMs).

In a memo sent to the heads of executive departments and agencies, the White House Office of Management and Budget outlines supply chain cybersecurity best practices established by the National Institute of Standards and Technology (NIST), which would recommend a full software inventory assessment, collecting statements from each outside software vendor that its products conform to the NIST supply chain security framework, and a requirement for SBOMs when purchasing new software.

"As agencies develop requirements that include the use of new software, they must request confirmation that the software producer utilizes secure software development practices," the OMB memo said. "This could be accomplished through specification of these requirements in the Request for Proposal (RFP) or other solicitation documents, but regardless of how the agency ensures compliance, the agency must ensure that the company implements and attests to the use of secure software development practices consistent with NIST Guidance, throughout the software development lifecycle." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading