But valuations have dropped — and investors are paying closer attention to revenues and profitability, industry analysts say.

Cloud security vendor Lacework's recent announcement that it will reduce head count as part of a restructuring plan — just months after it secured $1.3 billion in a record-setting funding round — may have shocked the high-flying cybersecurity sector, but industry analysts say the layoffs do not signal any broad, imminent industry slowdown.

General economic conditions appear to have made investors a bit more cautious, however: Private equity (PE) investments — which accounted for nearly 40% of merger and acquisition activity last year — are down compared with the same period in 2021, as are company valuations overall.

Even so, M&A and venture capital activity in the cybersecurity industry remains robust and shows little sign of a major slowdown. Just in the last few days, for instance, ReliaQuest announced plans to purchase Digital Shadows for $160 million; Netskope acquired WootCloud for an undisclosed sum; and Lookout acquired SaferPass. In late May, Broadcom announced its intent to buy VMware for $61 billion in a deal that, if approved, will bring VMware's Carbon Black security under Broadcom's roof.

**Multiple Drivers**

"There are multiple dynamics at play for M&A" activity in the cybersecurity space, says Fernando Montenegro, an analyst with Omdia. "The established vendor being acquired for their cash flow. The adjacent technology being acquired by a security vendor to enter a market. The technology tuck-in and/or 'acqui-hire' into an existing vendor," he adds. Expect VCs, private equity, and corporate development teams to be a little more cautious, but still active, he notes.

"The industry has had a strong pace of acquisitions and fundings over the years, and we expect that to continue," Montenegro says. "What is changing is that there appears to be much more focus on demonstrating actual capabilities and momentum while being mindful of run rate."

There's also the understanding that too-large funding rounds raise expectations on delivery that may be more difficult to attain in a tightening economic environment, he notes.

Richard Stiennon, chief research analyst at IT-Harvest, says Lacework's decision to downsize and restructure may, in a way, be the result of its own success. The company experienced hypergrowth of some 272% last year and went on a hiring spree. After that, the company might have thought it wise to pause and consolidate while it catches up with expectations on sales growth, Stiennon explains. "There is categorically no broad consolidation in cybersecurity and there will not be until threat actors give up and go home," he says. "We will always need new ways to counter new threats."

That said, the antivirus space for the first time is now truly consolidating, according to Stiennon. Thanks to Microsoft giving away good-enough security with Windows Defender and the availability of stronger endpoint protection capabilities from vendors such as CrowdStrike and SentinelOne, the traditional AV vendors are fading away, he says.

**Fast and Furious Pace**

Data that S&P Global Market Intelligence compiled earlier this year showed there were 42 cybersecurity transactions through March 18, 2022, with a median deal value of some $97 million. Google's $5.4 billion purchase of Mandiant was easily the biggest of those deals and accounted for most of the $6.77 billion in total transaction value of announced deals in the cybersecurity industry through that date. In comparison, there were 36 transactions over the same period in 2021, with a median deal value of $185 million. In all, in the first quarter of 2022 there were 59 deals compared with 49 last year. But total deal value at $9.3 billion was significantly smaller than last year's $17.6 billion, according to S&P Global Market Intelligence.

Rising interest rates, inflation, and concerns over potential economic headwinds appear to have driven down security vendor valuations compared with last year, says Garrett Bekker, an analyst with S&P Global Market Intelligence. Even so, investors appear willing to pay hefty multiples to acquire security firms and the appetite for buying them does not appear to have diminished significantly, he says. That's because most existing drivers remain in place, such as cloud adoption, the move to zero-trust access models, and the proliferation of ransomware and other malware.

One potential red flag is the slowdown in private equity investments so far this year, Bekker says. For the past two decades, there has been a steady increase in PE-funded mergers and acquisitions — from 40 in 2002 to 80 in 2010, and 209 in 2021 — or 37% of all transactions in the space, he says. There has been a near 20% drop-off in PE transactions in 2022 compared with the same period last year, Bekker says. 

"It's a fairly large drop-off," he notes. "We'll be looking to see whether that persists or is an aberration."

**Closer Scrutiny**

Speculation about potential recession and recent turmoil with tech equities is causing venture investors to scrutinize funding more carefully, says Joseph Blankenship, an analyst with Forrester Research. Many investors are also advising the firms they've invested in to slow their burn rate and concentrate on building revenue, with an eye toward profitability. "I do predict that the increased scrutiny, reduced risk appetite, and decreased funding will lead to fewer startups entering the cybersecurity market." It will also push existing firms to find faster exits.

"What we’re seeing now is a continuation of the M&A activity," Blankenship says, At the same time, he adds, buyers are looking to consolidate vendors and the technology portfolios from major cybersecurity vendors are more attractive than they've been previously.

Cybersecurity M&A Activity Shows No Signs of Slowdown

The buzz on the show floor during RSA Conference is about aligning the organization's security priorities with the right technology. Will Lin, managing director and founding member at Forgepoint Capital, weighs in on the biggest security priorities for 2022 — and what kind of tech senior-level executives are looking for.

At Forgepoint Capital, I have the unique, ongoing privilege of asking for help from the best and brightest in the cybersecurity space. Aggregating insights from a variety of expert sources provides a clear view of what works, what doesn’t, and where the industry is headed.

Our recent CISO Security Priorities Model report goes a step further and democratizes access to information on cybersecurity priorities and trends. For the report, we surveyed senior-level executives (CISOs, CIOs, CSOs, CTOs, CDOs, etc.) across different sectors and organization sizes.

The survey revealed several interesting patterns on cybersecurity spend, differences between small and midsize (SMB) business and large enterprise priorities, and the strategic direction organizations expect to take over the next several years. The goal of the report is to answer these three questions for 2022:

*   What are CISOs top security priorities?

*   What NIST cybersecurity framework priorities are CISOs focused on?

*   What areas of control are CISOs focused on?

Key insights from the report include:

*   **Large enterprises are focused on digital transformation and incident response, and SMBs are focused on people.** While some overlap exists in security concerns across organizations of all sizes, there are stark differences between priorities for large enterprises and SMBs. For example, CISOs at large enterprises report incident response as a top priority, while that was near the bottom of the list for SMBs. SMBs tend to prioritize human aspects of cybersecurity, such as talent development and security awareness instead.

*   **Cloud and digital transformation is now a CISO priority.** Cloud and digital transformation have traditionally been the domain of CTOs and CIOs. CISOs at large enterprises are now reporting cloud, business, and digital transformation as their top priority, so clearly that paradigm has shifted.

*   **CISOs are spending on areas where they can make a measurable impact.** Security budgets are growing — 76% of CISOs expect to see a security budget increase — and organizations are being very intentional with their spend. Decision-makers are prioritizing areas where they can see ROI and impact. In practice, that means focusing on areas where teams can move quickly, which tends to vary by industry. For example, security hygiene is a key focus for professional services, while healthcare is prioritizing software supply chain security and third-party risk.

*   **New areas of control are growing in popularity.** Traditional security control areas like network, endpoint, identity, and data remain important priorities for many enterprises. However, digital transformation is bringing new areas of control to the forefront. Specifically, DevSecOps (54%) and cloud, infrastructure, and APIs (62%) were leading areas of control organizations plan to prioritize.

*   **Vendors and organizations both aim to address key NIST functions.** According to the cybersecurity leaders we surveyed, the three most popular NIST cybersecurity framework priorities for 2022 are protect, detect, and identify. Interestingly, this overlaps with the focus of security vendors placing an emphasis on visibility in their products. While this overlap may be explained by mutual interest between enterprises and vendors, it could also suggest a lack of products that focus on response and recovery.

Additionally, some of the most interesting insights were the more nuanced tactical challenges facing CISOs. For example, while identity is still a top priority for many organizations, finding talent with the requisite skills across major cloud providers is proving to be a challenge for some. An AWS security engineer may not be familiar with GCP or Azure. Often, those real-world pain points are where innovation in the space can have a significant impact.

That’s just the tip of the iceberg when it comes to what we’ve learned in our survey of cybersecurity leaders. 

Here is Forgepoint Capital's full report.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

The CISO Shortlist: Top Priorities at RSA 2022

A single compromised Slack account can easily be leveraged to deceive other users and gain additional access to other users and multiple Slack channels.

When organizations moved to hybrid work at the beginning of the pandemic, Slack offered a crucial way for teams to collaborate efficiently regardless of physical location. But in most organizations, Slack is a relatively new solution, bringing the typical challenges of adopting new technologies — related to culture, functionality, expected user behavior, and, of course, security. For many organizations, Slack is now the primary communication channel, replacing email and knowledge management repositories. As a result, Slack increasingly contains more sensitive information than those traditional systems.   

Before diving into the challenges, let's be clear: Slack invests substantial resources into securing its infrastructure, platform, and the software itself. Nonetheless, like any other technology platform, Slack can serve as a basis for attacks by taking advantage of built-in features, insecure usage, or misconfigurations. And while established collaboration and communication platforms have an entire ecosystem of security solutions and best practices, Slack has only a small subset of these solutions and practices in place.

Slack offers an open and collaborative culture, so while years of phishing attacks created users suspicious of unusual emails, few suspect a message from a co-worker on Slack. Therefore, compromising a single account in Slack can easily be leveraged to deceive other users and gain additional access — not only to other users but to multiple channels. Most organizations leave many channels public to encourage participation and share knowledge as part of the Slack as a knowledge base approach. However, few consider who has channel access and therefore people share sensitive information — even secrets, such as passwords or API keys in channels. Shared as part of a conversation, very few people think about it being stored forever and accessible to any compromised account.

This open culture isn't the only problem. Slack also offers an extensive marketplace of applications and allows you to build additional applications outside of this marketplace. Third-party apps in SaaS platforms are a huge supply-chain risk, creating an attack vector for nearly every SaaS platform, including Slack. Many apps request extensive permissions, but even seemingly innocuous requests to “read from all public channels” allow broad access to a significant amount of data. Additional potential risks include content filtering, lateral movement, third-party communication (Slack Connect), and many more.

**Slack Detection and Response  
**As Slack becomes an increasingly dominant part of your organization's infrastructure, it will become a target for attacks and eventually be breached, just like any other technology that we use. That’s why organizations must be able to identify, contain, and respond to security incidents quickly to minimize the impact. Unfortunately, both the technology and practices required to do so for Slack are still limited. For example, Slack provides access to security logs only to customers using its enterprise tier. Without security logs, both detection and response are almost impossible. Other advanced security features, such as single sign-on, are unavailable in their standard and pro plans, leaving many mid to large organizations exposed.

Furthermore, many don't realize that Slack doesn't keep a history of anything that's been erased. If an attacker deletes messages, they are gone forever. This can turn into an effective ransomware attack, which is hard to respond to without upfront preparations, predominantly backups.  

**Should I Stop Using Slack?**  
No — Slack is a great platform that can help your business work more efficiently. It's important to be aware, though, that any platform we use is susceptible to risk and may be an attack vector. By understanding these risks, we can become more secure and resilient when facing attacks.

Here are five ways to minimize the impact of a potential Slack breach.

**1\. Private/public channels:** Define and enforce a clear policy about public and private channels. As a repository of sensitive data, your users need to think about where and how they share information.

**2\. Limit third-party permissions:** Restrict your third-party apps to the minimum permissions to reduce the impact of a third-party breach.

**3\. Backups****:** Back up your Slack. If Slack serves as a knowledge management repository, it's a critical asset in the organization. Automate Slack's export capabilities or use an outside vendor to create backups.

**4. Enable advanced security features****:** Require multifactor authentication and enable the security features in Slack's enterprise license, including additional encryption, compliance, and security management.

**5\. Collect logs:** Collect and retain Slack logs so you have the information you need to investigate an incident.

The time you spend now considering the potential challenges and security risks of a Slack breach will help you if it happens. The steps outlined above can help you reduce the impact, and the likelihood, of potential Slack breaches.

Are You Ready for a Breach in Your Organization's Slack Workspace?

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

Step up to the plate for your chance to win a $25 Amazon gift card with a homerun caption for The Edge's June contest. We offer four convenient ways for you to send us your ideas for the above caption:

*   Email _\[email protected\]_ with the subject line "The Edge June 2022 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn_._

The contest closes on Wednesday, June 29, 2022.

**Last Month's Winner**All it took was the seed of an idea to get Dark Reading readers' digging deep for cartoon caption contenders. Congratulations go to Allan Campbell, director of information management at AG Credit, for the caption appears below: 

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Hey, Batter Batter!

New studies show less than a third of organizations use software bills of materials (SBoMs), but momentum is building to boost that number.

While the drumbeat grows louder for widespread adoption of software bills of materials (SBoM) in IT environments, the reality remains that relatively few organizations consistently implement SBoMs to track the software components used within their application portfolios.

A recent study by ReversingLabs, conducted by Dimensional Research, found that less than a third of companies today use SBoMs. Among those, half said the process of generating and reviewing SBoMs involve manual steps – an onerous process when there are thousands of pieces of code potentially in the mix.

Still, security experts increasingly believe that SBoMs are a foundational step for understanding and managing software supply chain risks. Modern development practices have pushed most software engineering teams to avoid reinventing the wheel when building common functions into their software and instead use open source libraries and packages that have already been developed by the community. Doing so makes their work faster and more predictable, but if there’s no governance or visibility into which components they use, the risk from vulnerabilities can quickly grow unmanageable. 

SBoMs help development teams understand what code is operating under the hood of their applications and to pinpoint when underlying components are found to be vulnerable.

Given the low prevalence of SBoMs reported by the ReversingLabs survey participants, it should come as no surprise that nearly half of them also admit they’re unprepared to protect their software from supply chain attacks.

Application security advocates in industry groups, open source communities, and government agencies alike are all involved in efforts to increase the prevalence of SBoMs and, in turn, improve the state of software supply chain security. In the past several weeks, these groups have launched three different initiatives aimed at not only boosting the rate at which SBoMs are generated, but also the effectiveness in how organizations use them to protect their software.

**CISA Listening Groups**

Last week the Cybersecurity and Infrastructure Security Agency (CISA) announced a series of public listening sessions scheduled for July aimed at gathering members of the software and security communities to discuss how to improve SBoMs best practices and standards.

“CISA believes that the concept of SBOM and its implementation need further refinement,” the agency wrote in a Federal Register post. “Work to help scale and operationalize SBOM implementation should continue to come from a broad-based community effort, rather than be dictated by any specific entity.”

The listening session topics that CISA will facilitate include cloud and online applications, sharing and exchanging SBoMs, tools and implementation, and on-ramps and adoption.

**OpenSSF Action Plan**

Last month at the Open Source Software Security Summit in Washington, DC, the Linux Foundation and the Open Source Security Foundation (OpenSSF) unveiled a 10-point security mobilization plan for improving the state of open source and commercial software worldwide.

Among the recommended priorities was getting SBoMs in place everywhere by focusing on improving SBoM tooling, training, and advocacy across the industry to normalize SBoM creation and consumption.

“The more ubiquitous SBOMs are, the more valuable they can be to the industry. Generally, we believe that SBOMs should be produced automatically via well-vetted tools every time that software is built or distributed,” the document explained. “To get to the point where SBOMs are ubiquitous in software distributions, we need to remove all friction for adoption."

The Linux Foundation and OpenSSF are planning on targeting $3.2 million in investments in the first year of their work on this SBoM initiative.

**OWASP CycloneDX API Rollout**

In order to create an easily operationalized SBoM, software and security teams need a consistent and standardized way to communicate bill-of-materials information – including everything from licensing and copyright information to security-related metadata such as versioning.

The two major choices of standards on this front are SPDX (a Linux Foundation Project) and CycloneDX, a lightweight SBoM standards project by OWASP. The OpenSSF action plan will continue to refine and move forward the SPDX standard. Meantime, OWASP continues to move the ball forward with OWASP. Most notably, last month OWASP launched the draft version of a new BOM Exchange API that’s designed to standardize how bills of materials are published and retrieved independent of the software ecosystem.

“There are lots of products and tools being released that support the production and consumption of SBOMs in standard data formats, but we haven’t had a standard way to transfer SBOMs between systems,” says Patrick Dwyer, co-leader of the CycloneDX standard. “With the release of this API specification, products and tools can start transferring this data in a standard way, enabling greater out-of-the-box integration across the SBOM product and tool ecosystem.”

Gathering Momentum: 3 Steps Forward to Expand SBoM Use

A critical security bug could lead to remote device control, altered lab results, and more, putting patients in danger, agency warns.

Healthcare providers and lab workers using Illumina genetic sequencing instruments are advised to immediately patch the device software against a new vulnerability that the Food and Drug Administration says could put patients in danger. 

Affected devices include Illumina NextSeq 550Dx, MiSeqDx, NextSeq 500, NextSeq 550, MiSeq, iSeq, and MiniSeq next-generation sequencing instruments, the FDA said. 

The medical devices are used to test for genetic conditions and genetic sequencing, and the FDA said the bug, first detected on May 3, could be exploited by threat actors to take over the Illumina instruments. That would allow them to alter the operating system, access a customer's network, tamper with test results, or even steal data. The flaw affects the Local Run Manager software, the FDA added. 

So far, there are no reports of the bug being exploited, the FDA said in a cybersecurity alert to health care providers; however, the agency asks "users to report any adverse events or suspected adverse events experienced with Illumina’s next-generation sequencing instruments." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

FDA: Patch Illumina DNA Sequencing Instruments, Stat

The latest iteration of CMD-based ransomware is sophisticated and tricky to detect – and integrates token theft and worming capabilities into its feature set.

A new CMD-based ransomware variant is still under development, but researchers warn that its poisonous combination of multiple layers of obfuscation and the sneaky integration of legitimate service links into its attack make it a potentially formidable threat. 

YourCyanide traces its roots back to the GonnaCope ransomware family first discovered in April, a new report from the Trend Micro threat hunting team explains. It doesn't actually encrypt anything yet (researchers say that's likely coming soon), but it does rename all targeted files, steal information, and pilfer access tokens from popular applications like Chrome, Discord, and Microsoft Edge. It also self-propagates.

YourCyanide includes a few new tactics, including using PasteBin, Discord, and Microsoft links to download its payload in stages, and hiding behind Enable Delayed Expansion functionality, the analysts note. 

"While YourCyanide and its other variants are currently not as impactful as other families, it represents an interesting update to ransomware kits by bundling a worm, a ransomware, and an information stealer into a single mid-tier ransomware framework," the the ransomware variant report says. "It is also likely that these ransomware variants are in their development stages, making it a priority to detect and block them before they can evolve further and do even more damage." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

YourCyanide Ransomware Propagates With PasteBin, Discord, Microsoft Links

DataLenz delivers real-time, machine learning-based breach detection with user behavior modeling for IBM zSystems.

NORMAN, Okla., June 3, 2022 /PRNewswire-PRWeb/ -- Iconium Software, the leading provider of geospatial security monitoring for IBM mainframe data, has announced the release of DataLenz 1.3 providing immediate access to indicators of compromise (IOCs) potentially saving IBM zSystems customers millions of dollars per year caused by security breaches. By presenting multiple complex data access points through a simple to use graphical interface, DataLenz quickly brings clarity to potential data threats permitting security personnel to act swiftly. Gone are the days of having to laboriously wade through reports trying to determine if a security breach occurred or not, let alone quickly take action.

Organization's mission-critical IBM mainframe data is constantly at risk from bad actors, often masquerading as insiders from remote geographies. DataLenz provides the CISO, DPO and SOC security professional with real-time awareness of and automatic response to anomalous and out-of-bounds threats against critical mainframe data assets.

"Many large enterprises are under attack from bad actors often from remote locations, as evidenced by increased frequency and severity of breaches," said Rick Jones co-founder and CEO, of Iconium Software. "Our customers are forward-thinking organizations that are looking to provide the most robust security for their IBM mainframe data. Our DataLenz solution, addresses these challenges by giving IBM mainframe professionals, security teams, and compliance-focused professionals the best set of tools available to deal with these new threats."

"As the geopolitical and overall security landscape becomes more fractured, enterprises are reevaluating their security posture. The DataLenz solution is perfectly placed to address the emerging threat vectors facing those enterprises looking to secure vital mainframe-based data. The latest enhancements in V1.3 further strengthen the DataLenz solution and more closely aligns with the most stringent requirements of highly regulated mainframe customers" – Steven Dickens, Senior Analyst, Futurum Research

With DataLenz 1.3, new innovation provides the following:

\-- Real-time alerts, intelligent analytics with customizable thresholds, and management for anomalous threats and out-of-bounds data and resource access, alteration, replication, and movement to, from, and on the IBM Z mainframe platform.

\-- An intuitive advanced dashboard with real-time and historical views, allows users to filter specific types and sources (including graphical paradigms such as geopolitical and satellite maps), and then expand into every relevant form of drill-down and analytical detail needed to recognize, understand, and respond to threats arising from inappropriate data and resource access anywhere in the world.

\-- Advanced methods of notification of any potential breach of access with a wide range of user responses including issuing administrative commands such as terminating and blocking apparent threat actors and issuing RACF® administrative commands (as authorized).

\-- Detailed historical tracking, analysis, and response to anomalous and threatening events, plus exporting and forwarding of custom-specifiable data for processing by the full range of tools from spreadsheets to real-time event management systems (SIEMs).

\-- Advanced and intuitive filters, heat maps, geographical zoom-in, score cards, and highly configurable widgets create a fully immersive environment for maximum awareness and control.

\-- Datalenz strengthens your data protection and in conjunction with RACF,  
ACF2, Top Secret. Today's CISOs and DPOs demand truly comprehensive, reliable, real-time and compelling awareness of and resolution of all potential threats to their mission-critical mainframe data and legal and regulatory compliance.

More than just ensuring compliance with ever-more-exacting audits, immediate responsiveness to potential breaches of critical data must be dealt with using automation and advanced analytical tools for the briefest possible Mean Time to Repair (MTTR). Remote accesses must be properly managed to prevent, alert, terminate and block out-of-bounds interaction with sensitive data and related resources, employing real-time and historical graphical searching, filtering, reporting, drill-down and response to anomalous events.

The advanced monitoring, historical intelligence, proactive alerting and actions and versatile dashboard functionality of DataLenz 1.3 make it the definitive solution for extending the security of your critical mainframe data against threats anywhere in the world. See DataLenz v1.3 in action and discover how quickly DataLenz can bring your mainframe data access into sharp focus. See DataLenz v1.3 in action and discover how quickly DataLenz can bring your mainframe data access into sharp focus.

To learn more about Iconium and today's news, visit the website: https://www.iconiumsoftware.com

**About Iconium Software**

Iconium Software was formed in 2017 to serve customers and offer high-performance quality software products that are customer-driven by design. The Founders, Executive Team, and employees at Iconium Software are committed to providing the highest quality software to achieve the greatest advantage for each of our customers. For more information \[email protected\].

Iconium Software Releases DataLenz v1.3 for IBM zSystems

The attack on Israeli organizations is the latest in a long line of attempts to compromise supply chains, as the APT looks to leverage that access to target a multitude of potential victims.

After detecting a Lebanese hacking group it calls Polonium abusing its OneDrive personal storage service, Microsoft says it was able to disable the group, which could have links to the Iranian government.

In its latest effort, the advanced persistent threat (APT) targeted more than 20 Israeli organizations and one intergovernmental organization. The Microsoft Threat Intelligence Center (MSTIC) says it suspended more than 20 malicious OneDrive applications created by Polonium actors in the campaign.

Among the targeted organizations were those involved in critical manufacturing, transportation systems, financial services, IT, and Israel’s defense industry, the software giant says – all of which offer an avenue to carry out downstream supply chain attacks.

"In at least one case, Polonium’s compromise of an IT company was used to target a downstream aviation company and law firm in a supply-chain attack that relied on service provider credentials to gain access to the targeted networks," according to MSTIC. "Multiple manufacturing companies they targeted also serve Israel’s defense industry, indicating a Polonium tactic that follows an increasing trend by many actors, including among several Iranian groups, of targeting service provider access to gain downstream access."

**Polonium's Infection Routine**

In 80% of the observed cases, the group exploited a flaw in Fortinet VPN appliances (likely via CVE-2018-13379 vulnerability) to gain initial access. Then they installed a custom PowerShell implant called CreepySnail on the target networks, according to Microsoft. From there, the actors deployed a set of tools named CreepyDrive and CreepyBox to abuse legitimate cloud services for command-and-control (C2) across most of their victims. 

MSTIC says with “moderate confidence” that the attacks were likely carried out with help from Iran’s Ministry of Intelligence and Security (MOIS).

"The observed activity was coordinated with other actors affiliated with Iran's \[MOIS\], based primarily on victim overlap and commonality of tools and techniques," the MSTIC assessment states. “The tactic of leveraging IT products and service providers to gain access to downstream customers remains a favorite of Iranian actors and their proxies.”

**Cyber Operations in Support of State Objectives**

Sherrod DeGrippo, Proofpoint’s vice president of threat research and detection, explains that Iran, specifically MOIS, uses a variety of organizations and affiliates to conduct cyber operations in support of Iranian government interests.

“This activity, which spans the spectrum of state responsibility, mirrors Iran’s material support to various organizations,” she says.

From DeGrippo’s perspective, this report demonstrates another example of how Iran and Israel are engaged in cyber conflict and comes amid rising gray zone tensions between Iran and its adversaries.

In March 2021, for example, Proofpoint reported on how the Iran-aligned threat actor TA453 had targeted Israeli and American medical researchers in late 2020. TA453 has historically aligned with Islamic Revolutionary Guard Corps (IRGC) priorities, targeting dissidents, academics, diplomats, and journalists.

“While this campaign may have been a one-off requirement, TA453 targeting Israeli organizations and individuals is consistent with these ever-increasing geopolitical tensions between the two countries,” she noted.

**Defense Should Focus on Authentication Activity**

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation, says that while knowing Polonium’s exact motivation is impossible, given the known animosity between the states involved, it’s a “reasonably safe bet” they are trying to do as much damage to their targets as possible as part of a larger agenda.

“State and state-sponsored threat actors compound the problems presented by common cybercriminal groups,” he explains to Dark Reading. “Where criminals are typically after information for sale, data to hold for ransom, or resources to use for further attacks, state-level actors often have additional, much deeper motivations,” such as cyber-espionage or destructive attacks.

Because of the overlap in techniques and tools, it can be difficult to tell the two apart, which can complicate the matter for targeted organizations, he adds.

**Fending Off State-Sponsored Cyberattacks**

To thwart attacks like these, Microsoft advises that organizations should review all authentication activity throughout their remote access infrastructure and VPNs. A particular focus should be fixed on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.

Parkin points out that access and authentication logs can easily reveal suspicious activity and keep an attempted breach from turning into a newsworthy incident.

“There is an old saying from system administration about the uselessness of keeping logs that are never reviewed,” he says. “With access logs, regular reviews for suspicious activity should be happening regularly. If not, why keep them?”

In addition to patching known vulnerabilities, Proofpoint’s DeGrippo also notes that a basic best practice for defense is ensuring that all remote-access accounts are required to enable multifactor authentication (MFA).

“Those accounts that require only single-factor authentication do not have the protection MFA provides, allowing an attacker to successfully phish or social engineer a user’s password without encountering a secondary authentication,” she adds.

**VPNs: Taking a Page From Fancy Bear**

Phil Neray, vice president of cyber-defense strategy at CardinalOps, a threat coverage optimization company, tells Dark Reading that Russian threat actor Fancy Bear (aka APT28 and Strontium) also targeted VPNs on a large scale in 2018 with the VPNFilter campaign, which similarly targeted critical infrastructure.

MITRE ATT&CK categorizes this approach as T1133 External Remote Services, with recommended mitigations including creating security information and event management (SIEM) detection queries that examine authentication logs for unusual access patterns, windows of activity, and access outside of normal business hours.

“Exploiting vulnerable VPNs as the initial access point, as in this campaign, is also attractive since VPNs are Internet-exposed on one side and provide direct access to the victim network on the other,” Neray says. “We recommend ensuring your SIEM has specific detections for it, such as monitoring for suspicious logins.”

Microsoft Disables Iran-Linked Lebanese Hacking Group Polonium

An remote code execution (RCE) vulnerability in all versions of the popular Confluence collaboration platform can be abused in credential harvesting, cyber espionage, and network backdoor attacks.

UPDATE

A critical security vulnerability in Atlassian Confluence is under active attack, opening servers to full system takeover, security researchers warned.

The bug (CVE-2022-26134) is a command-injection issue that allows unauthenticated remote code execution (RCE), affecting all supported versions of Confluence Server and Confluence Data Center. According to a forensic investigation of two zero-day attacks by Volexity, it can be exploited without needing credentials or user interaction, simply by sending a specially crafted Web request to the Confluence system.

No Atlassian Cloud sites have been impacted.

Confluence is a remote working and corporate workspace suite used for project management and collaboration among teams. As such, it houses sensitive data on projects, specific users, and potentially partners and customers; also, it tends to be integrated with other corporate resources, servers, and systems. A successful exploit would allow attackers to vacuum up data from the platform as well as pivot to burrowing deeper into an organization's network as a prelude to, say, a ransomware attack.

"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks," Volexity researchers noted.

Researchers have advised administrators to remove external access to their Confluence servers immediately until patches have been applied. In the meantime, Atlassian confirmed in its advisory that has rushed a fix, with patches rolling out towards the close of business ET on June 3.

A spokesperson told Dark Reading that the company has "contacted all potentially vulnerable customers directly to notify them of the fix."

**Zero-Day Atlassian Confluence Attacks**

During its investigation, Volexity followed the path of attackers in two instances, which was the same in both. To start, the culprits exploited the vulnerability to create an interactive webshell (by writing a malicious class file in memory), which gave them persistent backdoor access to the server without having to write anything to disk.

After that, the firm observed that the threat actors dropped the Behinder implant on the server, which is an open source tool for creating flexible memory-only webshells. It also allows integration with Meterpreter and Cobalt Strike, two tools that are most often used for lateral movement. Meterpreter allows users to fetch various Metasploit modules (i.e., working exploits for known bugs), while Cobalt Strike is a pen-testing tool that's often used by the bad guys to probe for and compromise new targets on the network.

Once Behinder was in place, Volexity found that the adversaries went on to install two additional webshells to disk: China Chopper and a custom file upload shell. China Chopper is a tool that's been around for a decade, which allows attackers to retain access to an infected Web server using a client-side application. The client contains all the logic required to control the target, which makes it very easy to use.

Once this basic infection setup was in place, the attackers ran several commands, including those aimed at reconnaissance (checking the operating system, looking for password repositories); stealing information and user tables from the local Confluence database; and altering Web access logs to remove evidence of exploitation, Volexity said.

While the firm detected two zero-day attacks, it's likely that the activity is more widespread. "Volexity has reason to believe this exploit is currently in use by multiple threat actors and that the likely country of origin of these attackers is China," researchers said.

**How to Prevent Confluence Compromise**

The best option beyond patching to prevent compromise is simply to disable Confluence Server and Confluence Data Center instances, remove all external access, or use IP address safelisting rules to restrict access to only trusted endpoints, researchers noted. Organizations can also add Java deserialization rules that defend against RCE injection vulnerabilities to their Web application firewalls (WAFs).

It's also important to uncover signs of any compromise, given that an infection can persist beyond patching.

"The presence of a webshell provides an attacker with the ability to maintain access to a compromised system even after a vulnerability like this one has been patched," notes Satnam Narang, senior staff research engineer at Tenable. "We observed the same following exploitation of the ProxyShell vulnerability last year, where attackers implanted webshells onto vulnerable Microsoft Exchange Server instances."

However, "these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities," Volexity pointed out.

Volexity researchers offered the following advice:

*   Ensure Internet-facing Web services have robust monitoring capabilities and log retention policies to assist in the event of an incident
*   Send relevant log files from Internet-facing web servers to a SIEM or Syslog server
*   Monitor child processes of Web application processes for suspicious processes (in this case, the Python shell is a good example of this)

If past is prologue, it's good to be vigilant on this one: Attackers see Confluence as a popular target, as shown by the mass exploitation of another RCE flaw last fall, in volumes that were large enough to trigger a CISA alert.

"While there are currently no exploitation details or proof-of-concept for this vulnerability, we know from history that attackers relish the opportunity to target Atlassian products like Confluence," Narang tells Dark Reading. "We strongly encourage organizations to review their mitigation options until patches are available."

Greg Fitzgerald, co-founder at Sevco Security, also cautions organizations to take proactive steps to generally prevent zero-day attacks.

“Organizations vulnerable to this exploit cannot simply sit back and assume that this will be resolved through their typical patch management process," he tells Dark Reading. "When Atlassian releases a patch, that will be the first step for most organizations. But while patching vulnerabilities works great for the systems that you know about, the vast majority of enterprises simply don’t know the entirety of their attack surface. This is because maintaining an accurate IT asset inventory in a dynamic environment is exceptionally difficult. Threat actors figured that out a long time ago and work around the clock to exploit it. The first step to combating threats like this one is to establish a continuously updated, accurate inventory of all enterprise assets to serve as a foundational control for your security program.”

**_This post was updated at 4:45 ET to reflect that the bug is no longer unpatched._**

Source

DARKReading