FortiRecon combines machine learning, automation, and human intelligence to continually monitor an organization’s external attack surface.

**SAN FRANCISCO, Calif., – RSAC 2022 - Jun 6, 2022**

**John Maddison, EVP of Products and CMO at Fortinet**

“The sooner in the attack cycle you identify and stop an adversary, the less costly and damaging their actions. Employing a powerful combination of human and artificial intelligence, FortiRecon provides organizations with a view of what adversaries are seeing, doing and planning. FortiRecon’s vendor agnostic SaaS delivery model combined with an intuitive interface and easily digestible reports enable executives across the organization to quickly understand the risks posed to their company, data, and brand reputation, while our team of FortiGuard Labs cybersecurity experts enhance the offering with takedown services, guidance on prioritization of remediation efforts, and targeted threat research and intelligence.”

**News Summary**

Fortinet® (NASDAQ: FTNT), a global leader in broad, integrated, and automated cybersecurity solutions, today announced FortiRecon, a complete Digital Risk Protection Service (DRPS) offering that uses a powerful combination of machine learning, automation capabilities, and FortiGuard Labs cybersecurity experts to manage a company’s risk posture and advise meaningful action to protect their brand reputation, enterprise assets, and data. FortiRecon uniquely delivers a triple offering of outside-in coverage across External Attack Surface Management (EASM), Brand Protection (BP), and Adversary-Centric Intelligence (ACI) to counter attacks at the reconnaissance phase – the first stage of a cyberattack – to significantly reduce the risk, time, and cost of later stage threat mitigation.

**Organizations are Overwhelmed in the Fight to Protect their Network, Data, and Reputation and Mitigate Risk Early**

Before attacking an organization, a cybercriminal’s primary objective is to gather as much intelligence about their target as possible. This phase of early reconnaissance arms the adversary with everything they need to determine if and how they would exploit an organization. They will test a company’s defense and response tactics, look for unpatched systems, use social media to learn more about its employees and their normal behavior, and go as far as researching business partners, recent acquisitions, and any other third-party affiliation that could lead to a successful compromise. As organizations digitally accelerate their businesses and deploy hybrid IT architectures that expand the attack surface, identifying and mitigating these threats has become increasingly more difficult. In response to the velocity of threats, cybersecurity best practices have evolved from point-in-time evaluations to continual monitoring, ongoing reviews, and continuous enhancements to an organization’s security posture.

**Taking a Page Out of the Adversary Playbook to Mitigate Risk**

With the introduction of FortiRecon, Fortinet provides enterprise organizations with a powerful tool to understand how the adversary views an organization from the outside to help inform cybersecurity teams, the C-Level, and risk and compliance management on how to prioritize risk and improve the company's overall security posture. FortiRecon offers companies consistent and comprehensive coverage across three areas:

*   **External Attack Surface Monitoring:** Empowers organizations to understand their risk profile and mitigate risks early. Provides an outside-in view of an organization and its subsidiaries to identify exposed known and unknown enterprise assets and associated vulnerabilities, and prioritize the remediation of critical issues. EASM identifies servers, credentials, public cloud service misconfigurations, and even third-party partner software code vulnerabilities that could be exploited by malicious actors.
*   **Brand Protection:** Enables organizations to protect their brand and identify risks to their customers. Proprietary algorithms detect web-based typo-squatting, defacements, and phishing impersonations, as well as rogue mobile apps, credential leaks, and brand impersonation on social media, all common techniques used by cyber threat actors. The early detection of malicious activity allows teams to quickly take action (such as website or application takedown) to stop and prevent damage.
*   **Adversary-Centric Intelligence:** Increases the security awareness of an organization’s SOC team with industry and geography specific coverage to better understand their attackers and protect assets. FortiGuard Labs cybersecurity experts assess the underground and imminent threat risks posed by active cybercriminals to an individual company by proactively monitoring public and private forums, open-source, dark web, and other cybercriminal domains. By engaging in human intelligence collection, FortiGuard Labs experts assess and curate custom threat intelligence, providing recommendations specific to the company, industry, and geography.

For partners, FortiRecon can be sold on top of the Fortinet Security Fabric or as a stand-alone, vendor-agnostic solution that delivers easily digestible reports and enables their customers to quickly understand the risks posed to their company, data, and brand reputation. FortiRecon also extends the categories of risk for which partners can provide insight to customers and increases the opportunity to land new customers that have only invested in more traditional security solutions.

**Enhancing Fortinet’s Early Detection and Response Portfolio and Industry Leading Security Services**

FortiRecon complements Fortinet’s robust portfolio of early detection and advanced response products, including FortiNDR, FortiXDR, FortiDeceptor, in-line sandboxing, as well as advanced automation with FortiAnalyzer, FortiSIEM and FortiSOAR.

Fortinet is firmly committed to the success of SOC teams and the protection of organziations and offers an extensive portfolio of outsource services ranging from cybersecurity assessments and readiness, playbook development, tabletop training, Incident Response, MDR and SOC-as-a-service. This combined offering, alongside the many enhancements across the Fortinet Security Fabric and extended ecosystem deliver simplification and automation to help SOC teams regain focus, control, and speed by strengthening an organization’s SOC with FortiGuard Labs cybersecurity tools and experts.

**Get a demo of FortiRecon in the Fortinet booth at RSAC 2022**

Fortinet will be a Platinum Sponsor at this year’s RSA Conference and will feature product demos, a live theater, and a Fortinet Expert Bar at booth #5855 in the Moscone Center North Hall. Stop by the booth to get a demo of FortiRecon and other recent product, solution, and services innovations from Fortinet. Learn more about Fortinet at RSA and presentations featuring Fortinet executives in the media alert.

**Additional Resources**

*   Read our blog to learn more about the value security services can bring to any organization and find out more about Fortinet’s robust portfolio of AI-powered Security Services.
*   Learn more about Fortinet’s advanced detection offerings for the SOC: FortiNDR, FortiDeceptor, FortiXDR, and FortiGuard In-line Sandbox Service
*   Learn more about Fortinet SOC-as-a-Service.
*   Learn more about how the Fortinet Security Fabric delivers broad, integrated, and automated protection across an organization’s entire digital infrastructure.
*   Learn more about FortiGuard Labs threat intelligence and research or Fortinet’s AI-powered FortiGuard Security Services portfolio.
*   Learn more about Fortinet’s free cybersecurity training which includes broad cyber awareness and product training. As part of the Fortinet Training Advancement Agenda (TAA), the Fortinet Training Institute also provides training and certification through the Network Security Expert (NSE) Certification, Academic Partner, and Education Outreach programs.
*   Read more about how Fortinet customers are securing their organizations.
*   Engage in the Fortinet User Community (Fuse). Share ideas and feedback, learn more about our products and technology, and connect with peers.
*   Follow Fortinet on Twitter, LinkedIn, Facebook, and Instagram. Subscribe to Fortinet on YouTube.

**About Fortinet**

Fortinet (NASDAQ: FTNT) makes possible a digital world that we can always trust through its mission to protect people, devices, and data everywhere. This is why the world’s largest enterprises, service providers, and government organizations choose Fortinet to securely accelerate their digital journey. The Fortinet Security Fabric platform delivers broad, integrated, and automated protections across the entire digital attack surface, securing critical devices, data, applications, and connections from the data center to the cloud to the home office. Ranking #1 in the most security appliances shipped worldwide, more than 580,000 customers trust Fortinet to protect their businesses. And the Fortinet NSE Training Institute, an initiative of Fortinet’s Training Advancement Agenda (TAA), provides one of the largest and broadest training programs in the industry to make cyber training and new career opportunities available to everyone. Learn more at https://www.fortinet.com, the Fortinet Blog, or FortiGuard Labs.

Fortinet Unveils New Digital Risk Protection Offering

Prometheus ransomware contained a weak random number generator that inspired researchers to try and build a one-size-fits-all decryptor. 
The post RSA 2022: Prometheus ransomware’s flaws inspired researchers to try to build a near-universal decryption tool appeared first on Malwarebytes Labs.

Prometheus—a ransomware build based on Thanos that locked up victims’ computers in the summer of 2021—included a major “vulnerability” that led security researchers at IBM to try and build a one-size-fits-all ransomware decryptor that could work against multiple ransomware variants, including Prometheus, AtomSilo, LockFile, Bandana, Chaos, and PartyTicket.

Though the IBM researchers managed to undo the work of multiple ransomware variants, the panacea dream decryptor never materialized.

IBM global head of threat intelligence Andy Piazza said that the team’s efforts revealed that even though some ransomware families can be reverse-engineered to develop a decryption tool, no company should rely on decryption itself as a response to a ransomware attack.

“Hope is not a strategy,” Piazza said at RSA Conference 2022, held in San Francisco in person for the first time in two years.

IBM security research Aaron Gdanski, who was aided by security researcher Anne Jobman, said his interest in building a Prometheus decryption tool began after one of IBM Security’s clients was hit with the ransomware. He began by trying to understand the ransomware’s behavior: Did it persist in the environment? Did it upload files anywhere? And how, specifically, did it generate the keys that were used to encrypt files?

By using the DS-5 debugger and disassembler, Gdanski found that Prometheus’ encryption algorithm relied on both “a hardcoded initialization vector which did not change between samples” and the uptime of the computer. Gdanski also learned that Prometheus created its seeds by relying on a random number generator that, by default, used Environment.TickCount.

These discoveries revealed a key vulnerability in Prometheus, Gdanski said. If he could find when Prometheus encrypted files on the system, he could then likely generate the same seed that Prometheus used for that decryption.

“If I could obtain the seed at the time of encryption, I could use the same algorithm Prometheus did to regenerate the key it uses,” Gdanski said.

Equipped with the boot time on an affected machine and the recorded timestamp on an encrypted file, Gdanski then had a starting point to narrow down his work. After some additional calculations, Gdanski generated a seed from Prometheus and he tested it on portions of encrypted files.

With some fine-tuning, Gdanski’s work paid off.

Gdanski also learned, though, that the seed changed depending on the time when a file was encrypted. That meant that one single decryption key would not work, but by sorting the encrypted files by the last write time on the machine, he was able to slowly build a series of seeds that could be used for decryption.

The success, Gdanski said, could be applied to other ransomware families that similarly relied on flawed random number generators.

“Any time a non-cryptographically secure random number generator is used, you’re probably able to recreate a key,” Gdanski said.

But Gdanski emphasized that this flaw is rare from what he’s seen. As Piazza reiterated, the best defense to ransomware isn’t hoping that the ransomware involved in an attack has a sloppy implementation—it’s preventing a ransomware attack before it happens.

For the latest on current ransomware activity, read our May ransomware review here. You can also read about some lessons from the real-life ransomware attack on Northshore School District here.

RSA 2022: Prometheus ransomware’s flaws inspired researchers to try to build a near-universal decryption tool

Crackdowns are driving down ransomware profits, and analysts see signs that operators are pivoting to business email compromise attacks, security researcher warned.

RSA CONFERENCE 2022 – San Francisco – Law enforcement crackdowns, tighter cryptocurrency regulations, and ransomware-as-a-service (RaaS) operator shutdowns are driving down the return on investment for ransomware operations across the globe. 

Abnormal Security threat researcher Crane Hassold, in a presentation at the RSA Conference, laid out his latest analysis of the ransomware threat landscape, predicting that there will be a pivot from ransomware toward renewed interest in basic business email compromise (BEC) attacks in the next 6 to 12 months. 

**RaaS Operator Crackdowns**

Ransomware attacks grab headlines and have been supercharged by a few prolific RaaS operators, Hassold explained. But crackdowns on just one group can make an enormous dent. 

"Ransomware is a centralized ecosystem with small numbers of operators responsible for the majority of attacks," Hassold said. 

He pointed to the recent disappearance of Pysa, leaving just two groups, Conti and Lockbit, with more than 50% of the share of the total ransomware attacks in the first half of 2022. BEC groups, on the other hand, are diffuse and scattered, making them much harder to eradicate, Hassold added. 

Although they're not as quick to make the headlines, BEC attacks have cost business more than $43 billion since 2016, according to the FBI, and make up $1 out of every $3 lost to cyberattacks, far outpacing ransomware losses, Hassold said. 

**Cryptocurrency Supercharged Ransomware**

Ransomware has had a moment over the past couple of years, Hassold explained, in part because once threat actors were able to abandon arcane wire transfers to collect ransoms and rely on cryptocurrency, caps on transactions were lifted and it became simple to collect much larger amounts. But new crypto regulations are chilling the ability of these cybercriminals to rely on its infrastructure to do business, adding what Hassold called "friction" to the transactions. 

BEC attacks, by comparison, rely on social engineering to corrupt a business's financial supply chain to get employees to willingly part with the cash, making them exponentially harder to track and stop.  

**Social Engineering Works**

By far, the most-used BEC tactic is the standard gift-card swindle, tricking employees to buy bogus gift cards, meaning the tried-and-true grift is still working. But Hassold said the BEC landscape is shifting from impersonating internal employees to posing as external business contacts. 

Once inside a business email account, attackers will wait and gather intelligence that can help them impersonate a trusted source. Today's BEC attacks are aimed at a company's financial supply chain, and once threat actors are inside, they will look for opportunities to spoof vendor emails to send payments to controlled accounts, change direct deposit information of executives to steal their paychecks, and even order aging reports showing which vendors owe the company. Once they have an aging report, an attacker will simply try to reach out to partners and collect any outstanding balances. 

In short, social engineering works. 

"BEC, in my opinion, is the clear threat to enterprises everywhere," Hassold warned. "These attacks disproportionately impact business." 

He added there is already evidence that ransomware operators and West African BEC attackers have already started comparing notes. 

"They're not collaborating, but interacting," Hassold said. "Those relationships might harden in the future."

Ransomware's ROI Retreat Will Drive More BEC Attacks

A panel of CISOs at the RSA Conference outlined what a successful first 90-day plan looks like, and it boiled down to effective communication and listening.

RSA CONFERENCE – San Francisco – A trio of high-powered CISOs talked about the first 90 days in their roles, and whether the aim was getting board of directors' buy-in or building rank-and-file credibility, they all said how they communicated was what mattered the most. 

The RSAC panel included Allison Miller, Reddit's CISO and VP of Trust; Olivia Rose, Amplitude's CISO and VP of IT; and Caleb Sima, CISO for Robin Hood. Chenxi Wang, founder of the Rain Capital venture capital fund, moderated the discussion.

Practically, Sima opened up by explaining how during his first few days with Robin Hood he gathered simple data points he labeled "top challenges" and "things that scare me."   

But Rose interjected that in many instances blunt statements like that could end up offending and alienating critical engineering and IT teams right out of the gate, which can make a CISO's job much harder. 

**The Internal Comms "Dance"**

"It's a dance," Rose said. "You have to be careful not to offend those who have been handling this before you got there." 

Rose suggests meeting members of other departments where they are. 

"Whether its infrastructure or executive, talk their language," she said. "And be very clear and persistent." 

Sima disagreed, adding with a bit of a chuckle, "If you don't have any haters, you're not doing the right thing."

Regardless of the approach, both of them, as well as Miller, spent time early in their positions trying to sell a security program to internal teams often not in line with their strategies. Miller and Rose said legal and compliance became their most natural partners inside the business.

"You've got to have allies," Rose said. There's often friction with engineering, infrastructure, IT, product, customer service, and others, but the legal and compliance teams have a clearer vision of the consequences of a security incident and can be invaluable in communicating them to the wider enterprise. 

**Communicating With the Board of Directors**

Beyond everyday internal wrangling, these CISOs unpacked their communications approach with their respective companies' boards of directors. Sima explained he relies heavily on narrative to tell the story about where his team is right now and where it's heading. The techie stuff he drops in the appendix in case someone wants more detail. 

When it comes to providing boards with data they can digest and use, Rose said she relies on the CMMI Cybermaturity Model and Sima and Miller said they lean on the NIST CSF framework. 

"It's an easy way to visually show people who don't understand security where you need to be and why," Rose said. 

Moderator Wang sits on a company's board of directors and suggested the boards should requisition a third-party validation assessment so they can be assured that the information the CISO is providing is correct.

"The first board meeting should be about setting expectations," Sima added. 

But for all the competing messages and audiences CISOs regularly juggle, during the first 90 days in the CISO chair, talking as little as possible is the best bet, Rose explained.

"You first 90 days you should just shut up," Rose said. "You have to listen to what's going on."

Communication Is Key to CISO Success

CMS helps minimize the impact a cyberattack has on business operations, finances and reputation.

SAN FRANCISCO, June 6, 2022 /PRNewswire/ -- As organizations grow and evolve, so does the threat of cyberattacks. This creates the need to readily identify and protect critical security assets as part of an effective cyber strategy. To help clients strengthen their resiliency in this area, Optiv — the cyber advisory and solutions leader — today launched its new Cyber Recovery Solution (CRS) at the RSA Conference.

Optiv, the cyber advisory and solutions leader, has launched its Cyber Recovery Solution (CRS). Focused on protection and rapid recovery, CRS enables organizations to be resilient during data loss events and helps them get back to business faster.

Optiv's CRS helps organizations get back to business faster by providing strategic and tactical advisory and technology solutions for cyber readiness while enabling rapid recovery to a secure state. CRS identifies and prioritizes the protection of critical assets through automated workflows that backup business-essential data, systems, and applications and supports the implementation of a vaulted, data-isolated, air-gapped backup solution that reduces the risk of data loss.

**Key Benefits of CRS:**

*   **Business/technology alignment:** Identify, prioritize and build a cohesive connection between business and technology.
*   **Enhanced recovery:** Create custom playbooks, defined in advance of an incident, to enable rapid recovery to a secure state.
*   **Reduced risk of business impact:** Minimize the impact a cyberattack has on business operations, finances and reputation.
*   **Cyber resilience:** Build a framework that anticipates and efficiently responds to cyberattacks for better business continuity.

CRS is part of Optiv's holistic approach to cybersecurity and information technology, where business operations are connected with the technology that enables it. CRS is applicable to Zero Trust initiatives, Managed Extended Detection and Response (MXDR) capabilities, supports cyber insurance requirements and more. The application of CRS runs across all technology domains and security initiatives.

"Cyber resiliency is no longer just an IT problem. It's an opportunity for every organization, starting at the top, to implement tools like CRS to better identify threats while readily protecting its security posture," says David Martin, executive vice president and chief services officer at Optiv.

As part of CRS, Optiv works with clients to identify and classify mission-critical business processes, visualizes and prioritizes supporting systems, data and applications, and then develops step-by-step playbooks to quickly restore technology assets. This allows business operations to continue with minimal disruption when a cyberattack occurs. Organizations utilizing CRS can create a stronger cyber resilience framework.

"What matters most today is being able to reduce risk to your business from any threat, in any form" said Jessica Hetrick, senior manager, cybersecurity and enterprise resilience at Optiv. "CRS helps you proactively identify, prioritize and protect critical assets in your environment. This informs your ability to detect, respond and subsequently recover when a cyberattack happens — culminating in a truly resilient organization that can better withstand the most advanced cyber threats."

**Explore More About CRS:**

*   CRS Field Guide
*   CRS Infographic
*   CRS Service Brief
*   Video: CRS Explained

For the latest news and updates from Optiv, visit https://www.optiv.com/newsroom/. **Follow Optiv**  

https://www.optiv.com/explore-optiv-insights/blog

**Optiv Security:** **Secure greatness.™**

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to more than 7,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

Optiv Launches Cyber Recovery Solution Focused on Protection and Rapid Recovery

New SmallID offering brings cloud-native data privacy and protection to organizations of all sizes.

SAN FRANCISCO, June 6, 2022 /PRNewswire/ -- BigID, the leading data intelligence platform that enables organizations to know their enterprise data and take action for privacy, security, and governance, today announced the availability of SmallID: the first pay-as-you-go cloud data security platform.

Now more than ever, the world runs on data - and it's difficult to have a clear understanding of all data assets across the company.  On top of that, evolving data protection and privacy regulations means that accumulating data without proactively protecting introduces more risk than ever. 

SmallID brings cloud-native data privacy and protection to organizations of all sizes, making it easy to find and mitigate risk across their entire cloud environment. Customers can easily reduce their attack surface, identify high-risk data, and automatically discover dark data across the cloud - without impacting business.  

Customers can now use the first on-demand cloud data security platform to manage their cloud risk posture, by benefitting from years of ML innovation from BigID, packaged up in a lightweight, on-demand platform in SmallID.

With SmallID, customers can:

*   Automatically discover and classify their data by sensitivity, type, regulation, policy, and more
*   Drastically reduce their attack surface
*   Identify shadow data and dark data
*   Improve security posture across the cloud
*   Simplify regulatory compliance with a data-first approach

"Cloud-native organizations leave themselves vulnerable to bad actors and a host of other complex issues when they don't have insight into what kind of data they are collecting," said Tyler Young, Chief Information Security Officer at BigID. "SmallID is a huge step forward for organizations of all sizes to have on-demand cloud protection that reduces the attack surfaces through allowing teams to identify and mitigate risk across their entire cloud environment."

Visit BigID at RSAC 2022 to see SmallID in action, or try it for free today.

**Learn more:**

*   Visit BigID's Data Protection HQ at RSAC2022 - save your spot
*   Visit SmallID-sponsored Cloud Data Security Panels June 7 & 8, with CISO led discussions from Amplitude, Blackstone, Clearsky Cybersecurity, Datadog, Highspot, Optiv, Relativity, Servicenow, ServiceTitan, Wiz, and more
*   Visit Booth #4529 in the North Expo Hall

**About BigID**

BigID's data intelligence platform enables organizations to know their enterprise data and take action for privacy, protection, and perspective. Customers deploy BigID to proactively discover, manage, protect, and get more value from their regulated, sensitive, and personal data across their data landscape. BigID has been recognized for its data intelligence innovation as a 2019 World Economic Forum Technology Pioneer, named to the 2021 Forbes Cloud 100, the 2021 Inc 5000 as the #19th fastest growing company and #1 in Security, a Business Insider 2020 AI Startup to Watch, and an RSA Innovation Sandbox winner. Find out more at https://bigid.com.

BigID Introduces Cloud Data Security On Demand

Clusters using Calico (version 3.22.1 and below), Calico Enterprise (version 3.12.0 and below), may be vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker may be able to set a floating IP annotation to a pod even if the feature is not enabled. This may allow the attacker to intercept and reroute traffic to their compromised pod.

Return to List

Description

Severity

Notes

**Calico Enterprise & Calico OS are vulnerable to pod route hijacking**

Reference: TTA-2022-001

Date published: 2022-June-1

Medium

N/A

**Description**

Customers running Calico Enterprise and Calico OS are vulnerable to route hijacking with the floating IP feature. Due to insufficient validation, a privileged attacker is able to set a floating IP annotation to a pod even if the feature is not enabled. This allows the attacker to intercept and reroute traffic to their compromised pod.

CVE-2022-28224 has been assigned to this vulnerability.

**Severity**

MEDIUM

The validation on using floating IP can be bypassed by annotating the pod directly after pod creation. The routing will be reverted when the annotated pod is destroyed or the annotation is removed. This vulnerability requires the Kubernetes RBAC permission of \[“patch”, “pods”\] to annotate pods.

**Affected Releases**

*   Calico Enterprise v3.12 and below
*   Calico OS v3.22 and below

**Indicators of Impact/Compromise**

Review running pods and identify if floating IP annotations are present.

**Workaround / Remediation**

Review Kubernetes RBAC and review access to \[“patch”, “pods”\].

**Fixed Software**

*   Calico Enterprise
    *   V3.13.0 and above
    *   v3.12.1
    *   v3.11.4
*   Calico OS
    *   V3.22.2 and above
    *   v3.21.5
    *   v.3.20.5

**Acknowledgment**

We would like to acknowledge Aloys Augustin from Cisco for reporting this issue.

Return to List

CVE-2022-28224: Security Bulletins – TTA-2022-001

Randori’s attack-surface management software will be integrated into IBM Security QRadar extended detection and response (XDR) features.

RSA CONFERENCE 2022 – San Francisco – IBM plans to purchase attack-surface management firm Randori in a move that ultimately will expand IBM's extended detection and response (XDR) family of products to incorporate the "attacker's view" of the IT infrastructure.

The buy also will bolster IBM's X-Force with automated red-team functions and add to IBM's threat detection services within its Managed Security Services, the company said.

Randori, which is backed by Accomplice, .406 Ventures, Harmony Partners, and Legion Capital, offers visibility into on-premise and cloud exposure, including risk prioritization features. This is IBM's fourth acquisition of the year.

"Our clients today are faced with managing a complex technology landscape of accelerating cyberattacks targeted at applications running across a variety of hybrid cloud environments – from public clouds, private clouds and on-premises," said Mary O'Brien, general manager at IBM Security, in a statement. "In this environment, it is essential for organizations to arm themselves with attacker’s perspective in order to help find their most critical blind spots and focus their efforts on areas that will minimize business disruption and damages to revenue and reputation."

Financial terms were not disclosed. The deal is expected to close in the coming months, pending closing conditions and regulatory reviews.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

IBM to Buy Attack Surface-Management Firm Randori

As governments crack down on ransomware, cybercriminals may soon shift to business email compromise—already the world's most profitable type of scam.

Ransomware attacks, including those of the massively disruptive and dangerous variety, have proved difficult to combat comprehensively. Hospitals, government agencies, schools, and even critical infrastructure companies continue to face debilitating attacks and large ransom demands from hackers. But as governments around the world and law enforcement in the United States have grown serious about cracking down on ransomware and have started to make some progress, researchers are trying to stay a step ahead of attackers and anticipate where ransomware gangs may turn next if their main hustle becomes impractical.

At the RSA security conference in San Francisco on Monday, longtime digital scams researcher Crane Hassold will present findings that warn it would be logical for ransomware actors to eventually convert their operations to business email compromise (BEC) attacks as ransomware becomes less profitable or carries a higher risk for attackers. In the US, the Federal Bureau of Investigation has repeatedly found that total money stolen in BEC scams far exceeds that pilfered in ransomware attacks—though ransomware attacks can be more visible and cause more disruption and associated losses. 

In business email compromise, attackers infiltrate a legitimate corporate email account and use the access to send phony invoices or initiate contract payments that trick businesses into wiring money to criminals when they think they’re just paying their bills.

“So much attention is being paid to ransomware, and governments all over the world are taking action to disrupt it, so eventually the return on investment is going to be impacted,” says Hassold, who is director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “And ransomware actors are not going to say, ‘Oh, hey, you got me’ and go away. So it’s possible that you would have this new threat where you have the more sophisticated actors behind ransomware campaigns moving over to the BEC space where all the money is being made.”

BEC attacks, many of which originate in West Africa and specifically Nigeria, are historically less technical and rely more on social engineering, the art of creating a compelling narrative that tricks victims into taking actions against their own interests. But Hassold points out that a lot of the malware used in ransomware attacks is built to be flexible, with a modular quality so different types of scammers can assemble the combination of software tools they need for their specific hustle. And the technical ability to establish “initial access,” or a digital foothold, to then deploy other malware would be extremely useful for BEC, where gaining access to strategic email accounts is the first step in most campaigns. Ransomware actors would bring a much higher level of technical sophistication to this aspect of the scams.

Hassold also points out that while the most notorious and aggressive ransomware gangs are typically small teams, BEC actors are usually organized into much looser and more decentralized collectives, making it more difficult for law enforcement to target a central organization or kingpin. Similar to Russia’s unwillingness to cooperate on ransomware investigations, it has taken time for global law enforcement to develop working relationships with the Nigerian government to counter BEC. But even as Nigeria has put more emphasis on BEC enforcement, countering the sheer scale of the scam operations is still a challenge.

“You can’t just cut off the head of the snake,” Hassold says. “If you arrest a dozen or even a few hundred of these actors, you’re still not making much of a dent.”

For ransomware actors, the most difficult aspect of transitioning to BEC scams would likely be the dramatic difference in collecting stolen money. Ransomware gangs almost exclusively collect victim payments in cryptocurrency, while BEC actors primarily use local networks of money mules in the markets where they launch their scams to launder fiat currency. Ransomware actors would need to plug into existing networks or invest in establishing their own in order to monetize BEC scams and have somewhere for the errant payments to go. Hassold points out, though, that as law enforcement becomes increasingly adept at tracing and freezing cryptocurrency payments—and as the value of cryptocurrencies continues to fluctuate wildly—ransomware actors may be motivated to learn new techniques and switch gears.

Crucially, Hassold notes that while he and his colleagues have not seen evidence of active collaboration between Eastern European ransomware gangs and West African BEC actors, he does see evidence on criminal forums and in active engagement with attackers that ransomware actors are interested in BEC and have been learning about it. Whether this exploration is simply for, ahem, professional enrichment, remains to be seen.

“All of these types of attacks are very serious and the stakes are very high, so it got me thinking about what things will look like in the future when ransomware eventually gets disrupted,” Hassold says. “It’s possible that these two threats on opposite sides of the cybercrime spectrum will converge in the future—and we need to be ready for that.”

The Hacker Gold Rush That's Poised to Eclipse Ransomware

Ransomware attacks, including those of the massively disruptive and dangerous variety, have proved difficult to combat comprehensively. Hospitals, government agencies, schools, and even critical infrastructure companies continue to face debilitating attacks and large ransom demands from hackers. But as governments around the world and law enforcement in the United States have grown serious about cracking down on ransomware and have started to make some progress, researchers are trying to stay a step ahead of attackers and anticipate where ransomware gangs may turn next if their main hustle becomes impractical.

At the RSA security conference in San Francisco on Monday, longtime digital scams researcher Crane Hassold will present findings that warn it would be logical for ransomware actors to eventually convert their operations to business email compromise (BEC) attacks as ransomware becomes less profitable or carries a higher risk for attackers. In the US, the Federal Bureau of Investigation has repeatedly found that total money stolen in BEC scams far exceeds that pilfered in ransomware attacks—though ransomware attacks can be more visible and cause more disruption and associated losses. 

In business email compromise, attackers infiltrate a legitimate corporate email account and use the access to send phony invoices or initiate contract payments that trick businesses into wiring money to criminals when they think they’re just paying their bills.

“So much attention is being paid to ransomware, and governments all over the world are taking action to disrupt it, so eventually the return on investment is going to be impacted,” says Hassold, who is director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “And ransomware actors are not going to say, ‘Oh, hey, you got me’ and go away. So it’s possible that you would have this new threat where you have the more sophisticated actors behind ransomware campaigns moving over to the BEC space where all the money is being made.”

BEC attacks, many of which originate in West Africa and specifically Nigeria, are historically less technical and rely more on social engineering, the art of creating a compelling narrative that tricks victims into taking actions against their own interests. But Hassold points out that a lot of the malware used in ransomware attacks is built to be flexible, with a modular quality so different types of scammers can assemble the combination of software tools they need for their specific hustle. And the technical ability to establish “initial access,” or a digital foothold, to then deploy other malware would be extremely useful for BEC, where gaining access to strategic email accounts is the first step in most campaigns. Ransomware actors would bring a much higher level of technical sophistication to this aspect of the scams.

Hassold also points out that while the most notorious and aggressive ransomware gangs are typically small teams, BEC actors are usually organized into much looser and more decentralized groups, making it more difficult for law enforcement to target a central organization or kingpin. Similar to Russia’s unwillingness to cooperate on ransomware investigations, it has taken time for global law enforcement to develop working relationships with the Nigerian government to counter BEC. But even as Nigeria has put more emphasis on BEC enforcement, countering the sheer scale of the scam operations is still a challenge.

“You can’t just cut off the head of the snake,” Hassold says. “If you arrest a dozen or even a few hundred of these actors, you’re still not making much of a dent.”

For ransomware actors, the most difficult aspect of transitioning to BEC scams would likely be the dramatic difference in collecting stolen money. Ransomware gangs almost exclusively collect victim payments in cryptocurrency, while BEC actors primarily use local networks of money mules in the markets where they launch their scams to launder fiat currency. Ransomware actors would need to plug into existing networks or invest in establishing their own in order to monetize BEC scams and have somewhere for the errant payments to go. Hassold points out, though, that as law enforcement becomes increasingly adept at tracing and freezing cryptocurrency payments—and as the value of cryptocurrencies continues to fluctuate wildly—ransomware actors may be motivated to learn new techniques and switch gears.

Crucially, Hassold notes that while he and his colleagues have not seen evidence of active collaboration between Eastern European ransomware gangs and West African BEC actors, he does see evidence on criminal forums and in active engagement with attackers that ransomware actors are interested in BEC and have been learning about it. Whether this exploration is simply for, ahem, professional enrichment, remains to be seen.

“All of these types of attacks are very serious and the stakes are very high, so it got me thinking about what things will look like in the future when ransomware eventually gets disrupted,” Hassold says. “It’s possible that these two threats on opposite sides of the cybercrime spectrum will converge in the future—and we need to be ready for that.”

Tag

#cisco