Categories: Threat Intelligence
Tags: Magecart

Tags: skimmer

Tags: Kritect

Tags: Magento

Compromised online stores have been injected with skimmers hiding around the Google Tag Manager script. We identified a new one that looked similar at first but is part of a different campaign.



(Read more...)




The post New Kritec Magecart skimmer found on Magento stores appeared first on Malwarebytes Labs.

Threat actors often compete for the same resources, and this couldn't be further from the truth when it comes to website compromises. After all, if a vulnerability exists one can expect that it will be exploited more than once.

In the past, we have seen such occurrences with Magecart threat actors for example in the breach of the Umbro website. Recently, while reading a blog post from security vendor Akamai, we spotted a similar situation. In the listed indicators of compromise, we noticed domains that we had seen used in a distinct skimming campaign which didn't seem to be documented yet.

In fact, we saw instances of compromised stores having both skimmers loaded, which means double trouble for victims as their credit card information is stolen not just once but twice. In this blog post, we show how the newly found Kritec skimmer was found along side one of its competitors.

**Original campaign using WebSockets**

Researchers at Akamai reported on a Magecart skimmer campaign disguised as Google Tag Manager that also made the news with the compromise of one of Canada's largest liquor store (LCBO). While details were not shared at the time, we were able to determine thanks to an archived crawl on urlscan.io that the skimmer was using WebSockets and is the same one as described in Akamai's blog. 

**Kritec campaign**

Akamai notes that they identified multiple compromised websites that had similarities. They also list nebiltech\[.\]shop in their IOCs which is a domain we sometimes saw injected near the Google Tag Manager script, but not within it.

We believe this is a different campaign and threat actor altogether. Here are some reasons why:

*   No WebSocket being used
*   Domains abusing Cloudflare
*   Intermediary loader
*   Completely different skimming code

To complicate things, we observed some stores that had both skimmers at the same time, which is another reason why we believe they are not related:

We started calling this new skimmer 'Kritec' after one of its domain names. It has an interesting way of loading the malicious JavaScript we had not seen before either. The injected code calls out a first domain (seen above encoded in Base64) and generates a Base64 response:

Decoding it reveals a URL pointing to the actual skimming code, which is heavily obfuscated (likely via obfuscator.io):

The data exfiltration is also done differently as seen in the image below. On the left, the stolen credit card data is sent via a WebSocket skimmer while on the right, it is a POST request:

**Google Tag Manager variants**

In the past months there have been several Magecart skimmers abusing Google Tag Manager in one way or another. We mentioned Akamai's blog but it was also documented by Recorded Future. In those instances, the malicious was actually embedded in the Google Tag Manager library itself, which is very clever and difficult to detect.

While the Kritec skimmer hangs around the Google Tag Manager script, we believe it is not related to the other active campaigns. We have been documenting it recently and are reporting the abuse to Cloudflare which it uses to hide its real infrastructure.

Malwarebytes customers are shielded against this campaign via our web protection in Endpoint Protection (EP), Endpoint Detection and Response (EDR) and Malwarebytes Premium.

**Indicators of Compromise**

WebSocket Skimmer:

cloud-cdn\[.\]org

\--

Kritec skimmer:

kritec\[.\]pics

vitalmob\[.\]pics

flowit\[.\]pics

flagmob\[.\]quest

entrydelt\[.\]sbs

sanpatech\[.\]shop

prijetech\[.\]shop

nebiltech\[.\]shop

kruktech\[.\]shop

lavutele\[.\]yachts

tochdigital\[.\]pics

smestech\[.\]shop

klstech\[.\]shop

shotsmob\[.\]sbs

gemdigit\[.\]pics

nevomob\[.\]quest

vuroselec\[.\]quest

apexit\[.\]yachts

sorotele\[.\]yachts

bereelec\[.\]quest

bereelec\[.\]quest/ww\[.\]min\[.\]js

apexit\[.\]yachts/apex\[.\]min\[.\]js

vuroselec\[.\]quest/dych\[.\]min\[.\]js

nevomob\[.\]quest/elan-loader\[.\]js

gemdigit\[.\]pics/wpp-loader\[.\]js

gemdigit\[.\]pics/sun-loader\[.\]js

klstech\[.\]shop/opencart-cache-worker\[.\]min\[.\]js

tochdigital\[.\]pics/digital\[.\]min\[.\]js

vitalmob\[.\]pics/pre-loader\[.\]js

New Kritec Magecart skimmer found on Magento stores

The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware.
According to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler, the findings are illustrative of the group's continuous efforts to refine and retool its tactics to sidestep detection.
"

Cyber Threat Intelligence

The North Korean advanced persistent threat (APT) actor dubbed **ScarCruft** is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware.

According to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler, the findings are illustrative of the group's continuous efforts to refine and retool its tactics to sidestep detection.

"The group is constantly evolving its tools, techniques, and procedures while experimenting with new file formats and methods to bypass security vendors," Zscaler researchers Sudeep Singh and Naveen Selvan said in a new analysis published Tuesday.

ScarCruft, also tracked under the names APT37, Reaper, RedEyes, and Ricochet Chollima, has exhibited an increased operational tempo since the start of the year, targeting various South Korean entities for espionage purposes. It is known to be active since at least 2012.

Last month, ASEC disclosed a campaign that employed HWP files that take advantage of a security flaw in the Hangul word processing software to deploy a backdoor referred to as M2RAT.

But new findings reveal the threat actor is also using other file formats such as CHM, HTA, LNK, XLL, and macro-based Microsoft Office documents in its spear-phishing attacks against South Korean targets.

These infection chains often serve to display a decoy file and deploy an updated version of a PowerShell-based implant known as Chinotto, which is capable of executing commands sent by a server and exfiltrating sensitive data.

Some of the new capabilities of Chinotto include capturing screenshots every five seconds and logging keystrokes. The captured information is saved in a ZIP archive and sent to a remote server.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The insights about ScarCruft's various attack vectors come from a GitHub repository maintained by the adversarial collective to host malicious payloads since October 2020.

"The threat actor was able to maintain a GitHub repository, frequently staging malicious payloads for more than two years without being detected or taken down," Zscaler researchers said.

Outside of malware distribution, ScarCruft has also been observed serving credential phishing webpages targeting multiple email and cloud services such as Naver, iCloud, Kakao, Mail.ru, and 163.com.

It's however not clear how these pages are accessed by the victims, raising the possibility that they may have been embedded inside iframes on websites controlled by the attacker or sent as HTML attachments via email.

Also discovered by SEKOIA.IO is a piece of malware named AblyGo, a backdoor written in Go that utilizes the Ably real-time messaging framework to receive commands.

The use of CHM files to smuggle malware appears to be catching on with other North Korea-affiliated groups as well, with ASEC uncovering a phishing campaign orchestrated by Kimsuky to distribute a backdoor responsible for harvesting clipboard data and recording keystrokes.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

ScarCruft's Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques

On Thursday, Shou Zi Chew will meet a rare united front in the US Congress against the Chinese-owned social media app that has lawmakers in a tizzy.

March has been brutal for TikTok. Last week, the UK joined the US, Canada, and Belgium in banning TikTok on government devices. And FBI director Christopher Wray warned lawmakers that misinformation spread through the app can “divide Americans.” At the start of the month, Senate intelligence chair Mark Warner unveiled a new measure, the Restrict Act, which would enable the US commerce secretary to ban TikTok and any other tech from six “hostile” nations that the US intelligence community deems a national security threat.

The White House supports Warner’s bill, and the multi-agency Committee on Foreign Investment in the United States told TikTok it would be banned unless it’s completely divested from ByteDance. Lawmakers in both parties welcomed that announcement. “It’s a step toward banning them,” says senator Roger Wicker, a Mississippi Republican.

While many lawmakers embraced White House pressure, they aren’t sitting on the sidelines as they did when former president Donald Trump tried to ban TikTok through executive orders, which the courts ultimately shot down.

“I think it's absolutely a good first step. I'm not sure it's going to get us everywhere we want to be,” says senator John Hickenlooper, a Colorado Democrat. “I don't think we want to have a Chinese-owned company to have that kind of access to not just our kids, our culture.”

It’s not just espionage that worries lawmakers, who argue the app has a vulnerable captive audience among young people in the US. TikTok recently unveiled new efforts to limit users’ exposure to the app, including an hour-per-day time limit for children under 18, but it fails to address lawmaker’s concerns. “I'm not sure TikTok is a healthy ingredient to add to our children's psychological diet,” Hickenlooper says.

TikTok did not respond to WIRED's request for comment.

More than half of states prohibit TikTok’s use on government devices, and it’s banned by dozens of public schools, from grade schools to some of the nation’s largest universities. Tennessee attorney general Jonathan Skrmetti is leading an investigation on behalf of 46 states into whether the app is detrimental to children’s mental health. The US Department of Justice, meanwhile, is investigating reports that TikTok staffers spied on US journalists.

In short, Chew faces a daunting assignment given the hostility that awaits him at 10 am ET tomorrow. 

The debate at the Capitol is now over _how_ to punish TikTok, not _whether_ to punish TikTok. After supporting the Senate’s unanimous consent agreement to ban the app on government devices in December, senator Rand Paul, a Kentucky Republican, is one of the few lawmakers opposed to an outright ban. “I’m against banning TikTok. I think it violates the First Amendment. I think it also violates the prohibition on bills of attainder where one company is targeted by government,” Paul says. 

Other lawmakers dismiss claims that a TikTok ban would be unconstitutional. “We're not regulating the speech of the company, we're regulating the way it uses its data and its ownership on how it creates a national security vulnerability,” says Marco Rubio, the Senate Intelligence Committee vice chair and Florida Republican. 

With the Senate in Democrats’ hands and the House controlled by Republicans, TikTok is one of the few areas where the two chambers seem to agree. 

“TikTok in its current construct is unacceptable,” says senator Lindsey Graham, a South Carolina Republican. “I'd like to come up with a construct that people could enjoy the service, like 100 million people do, and not empower communist China. That's my preferred outcome.”  

With broader data privacy measures stalled in Congress and antitrust measures shelved by the new House Republican majority, TikTok has become the Big Tech bogeyman for both parties. And both parties seem fine with that—at least for now. “The reason why this is a good place to start is because we’re all agreed,” Krishnamoorthi says. “You may disagree about which American companies handle our data best, but nobody disagrees that the Chinese Communist Party should not have access to our private data.”

The TikTok CEO’s Face-Off With Congress Is Doomed

An authenticated remote code execution vulnerability exists in the AOS-CX Network Analytics Engine. Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system, leading to a complete compromise of the switch running AOS-CX.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2023-004 CVE: CVE-2023-1168 Publication Date: 2023-Mar-21 Status: Confirmed Severity: High Revision: 1 Title ===== Authenticated Remote Code Execution in Aruba CX Switches Overview ======== Aruba has released updates for wired switch products running AOS-CX that address a security vulnerability in the Network Analytics Engine (NAE). Affected Products ================= Customers using the following switch models and firmware versions are affected by the vulnerability listed in this advisory. Aruba Switch Models: - Aruba CX 10000 Switch Series - Aruba CX 9300 Switch Series - Aruba CX 8400 Switch Series - Aruba CX 8360 Switch Series - Aruba CX 8325 Switch Series - Aruba CX 8320 Switch Series - Aruba CX 6400 Switch Series - Aruba CX 6300 Switch Series - Aruba CX 6200F Switch Series Software Branch Versions: - AOS-CX 10.10.xxxx: 10.10.1020 and below. - AOS-CX 10.09.xxxx: 10.09.1020 and below. - AOS-CX 10.08.xxxx: 10.08.1070 and below. - AOS-CX 10.06.xxxx: 10.06.0230 and below. All other AOS-CX software versions that are not listed under Resolution section are unsupported and considered to be affected. Software branch versions of AOS-CX that are end of life are affected by this vulnerability unless otherwise indicated. Unaffected Products =================== Any other Aruba products not listed above including AOS-S Switches, Aruba Intelligent Edge Switches, and HPE OfficeConnect Switches are not affected by these vulnerabilities. Details ======= Authenticated Remote Code Execution in AOS-CX Network Analytics Engine (NAE) (CVE-2023-1168) --------------------------------------------------------------------- An authenticated remote code execution vulnerability exists in the AOS-CX Network Analytics Engine. Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system, leading to a complete compromise of the switch running AOS-CX. Internal reference: ATLAX-69 Severity: High CVSSv3 Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Resolution ========== In order to address the vulnerability in the affected release branches and switch platforms described above, it is recommended to upgrade the software to one of the following versions (as applicable): - AOS-CX 10.11.xxxx: 10.11.0001 and above. - AOS-CX 10.10.xxxx: 10.10.1030 and above. - AOS-CX 10.06.xxxx: 10.06.0240 and above. Aruba does not evaluate or patch AOS-CX firmware versions that have reached their End of Support (EoS) milestone. Supported versions as of the publication date of this advisory are: - AOS-CX 10.11.xxxx - AOS-CX 10.10.xxxx - AOS-CX 10.06.xxxx For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting this vulnerability, Aruba recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. Contact Aruba TAC for any configuration assistance. Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target this specific vulnerability as of the release date of the advisory. Revision History ================ Revision 1 / 2023-Mar-21 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at: http://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: http://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2023 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmQPgLQXHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtmpRQgAsZp0VTZTe3zkrR3nee3+e5PQ +MLUn451iaRAh3Z7FGzE0OPz3nMuOlRYiZ/tHVx5XnesvlSn5FTd/7iOvYsKcu+W 1qT5nS6gLbo6CwS4OlLbMHNLAREm8OOJzm8VIjretjb2jj5bZvsari6M8u0u1sG7 2F/RhiU1fPficEvY9UaWDvcwCc+16d9egmpTmLUZ9egEagVZZGBiiC4LFWdAmG9Y mMjdNtBvIEXA0uRw0vpUOKDC7CnHKrLujkedQijt0SV0o0HIJlyxLHeF1HdaQQWM 5/XSXiyeuV6h1ffe0+E0Td249McHB+ffT+594pQk8Zb6pfHkFeNpaS/v5SeBmw== =Q26C -----END PGP SIGNATURE-----

CVE-2023-1168

General Bytes Crypto Application Server (CAS) 20230120, as distributed with General Bytes BATM devices, allows remote attackers to execute arbitrary Java code by uploading a Java application to the /batm/app/admin/standalone/deployments directory, aka BATM-4780, as exploited in the wild in March 2023. This is fixed in 20221118.48 and 20230120.44.

CVE-2023-28725: Changelog | GENERAL BYTES

IONIX illuminates exploitable risks across the real attack surface and its digital supply chain providing security teams with critical focus to accelerate risk reduction.

**NEW YORK****,** **March 21, 2023** **/PRNewswire/ --** Cyberpion, the leader in Attack Surface Management, has rebranded as IONIX (pronounced 'eye on x'). IONIX helps customers keep an 'eye on x,' providing visibility into their real attack surface including an organization's internet-facing assets and their mesh of connected dependencies.

A threat actor set on penetrating an organization doesn't care whether they're attacking internet-facing assets directly or exploiting a vulnerability from an exposed third-party digital service. Using Connective Intelligence, IONIX accurately maps an organization's real attack surface and its digital supply chain, discovering more organizational assets than any other provider, and delivers unmatched capabilities for proactively preventing attacks.

2022 was a transformational year for IONIX. The company delivered 250% ARR growth and secured $27 million in Series A funding, led by U.S. Venture Partners and existing investors Team8 Capital and Hyperwise Ventures. In January 2023, IONIX announced that Marc Gaffan had been named CEO. Co-founder Nethanel Gelernter moved from CEO to Chief Technology Officer where he is focusing on accelerating innovation and scaling the company's ASM platform. Additionally, the company announced the appointment of Doron Gill as Vice President of Engineering, and Ido Samson as Chief Revenue Officer. 

"IONIX was built on the premise that the increasingly interwoven nature of the digital supply chain demands a radically different approach to threat protection by identifying the sprawling network of dependencies on the same level as an organization's other assets," said Marc Gaffan, CEO, IONIX. "IONIX's ASM solution helps organizations take control of their real attack surface and its digital supply chain. By working closely with our customers, we have expanded our offering with wider coverage and deeper focus into their biggest attack surface risks. We believe that our new brand and product strategy will provide us with a strong platform to grow and lead in this market."

**IONIX ASM Platform**

IONIX Connective Intelligence technology leverages machine learning to discover and monitor every internet-facing asset and connection, delivering laser focus into the most critical risks to the business. IONIX goes further, enabling action by providing the tools to rapidly remediate exploitable threats and reduce attack surface risk.

IONIX focuses on real risks by surfacing exploitable issues with large blast radius that require immediate attention. With less noise and fewer alerts, security teams can remediate what matters most, faster. To deliver on these market needs, IONIX has significantly expanded its capabilities to include:

Multi-layered prioritization that goes beyond risk severity to validate exploitability and identify blast radius:

*   Determine the blast radius - Rank asset importance based on data sensitivity, business context, brand reputation and inter-connectivity
*   Evaluate exploitability - Identify exploitable misconfigurations, documented exploits and simulated attacks
*   Integrate threat intelligence - Correlate deep dark web findings regarding leaked credentials and compromised machines with customers' asset inventories

*   Smart remediation workflows that reduce noise with clear action items and automatically assign tasks to the right subsidiary or operational owner
*   Integration with customers' cloud environments by combining inside out visibility with an outside in attackers' view to uncover even more exposed assets and shadow IT
*   Risk scores that quantify attack surface risk across multiple categories enabling decision makers to understand their security posture, track progress over time and make strategic, risk-informed decisions.
*   Executive ASM reports, generated with one-click, that provide a comprehensive high-level overview of customers' attack surface with visibility into their assets, risks and action items. 

"The IONIX brand is new, but the team here has been helping organizations secure their extended attack surface since long before there was even a market category," said Rik Turner, senior principal analyst in Omdia's IT security and technology team. "What they are delivering now as IONIX is a combination of broad coverage of the extended attack surface, along with a focus on the threats that matter most to the organization. The addition of the Risk Scores and Executive Reports comes as the C-Suite and Boards of Directors are focused on cybersecurity like never before, due to the attention of lawmakers and regulators, not to mention the extra attention attack surfaces have gained thanks to the pandemic."

**About IONIX**

IONIX is the attack surface management solution that uses Connection Intelligence to shine a spotlight on exploitable risks across your real attack surface – and its digital supply chain. Only IONIX discovers and monitors every internet-facing asset and connection, delivers laser focus into the most important risks to your business, and provides the tools to rapidly remediate exploitable threats and reduce attack surface risk. Global leaders including Infosys, The Telegraph, Warner Music Group and E. ON depend on IONIX's machine learning-powered discovery engine, contextual risk assessment and prioritization, and end-to-end remediation workflows to go on the offensive in managing their complex and ever-changing attack surfaces. For more information visit www.ionix.io or connect with us on LinkedIn.

Cyberpion Rebrands As IONIX

Global study reveals boards still undervalue cyber's role.

**DALLAS****,** **March 21, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today released new research\* revealing that while global organizations plan to increase cybersecurity budgets in 2023, business leaders hold conflicting views on the function.

**To read a full copy of the report,** _Risky Rewards_**, please visit:** https://www.trendmicro.com/explore/risk-reward2023/2031-tl-en-rpt#page=1

Jon Clay**, VP of threat intelligence at Trend Micro:** "If organizations want to make the most of their security investments, business leaders must reframe their view of cybersecurity – to think more broadly about how it can positively impact the enterprise. This research shows it's clearly a critical component of winning new business and talent. At a time when every dollar/penny counts, it's concerning to see stereotyped views of security persist at the very top."

Nearly two-thirds (64%) of business decision-maker (BDM) respondents say they plan to increase security investment in 2023.

However, the research also reveals critical gaps in BDMs' understanding of the relationship between cybersecurity and other parts of the organization.

On the one hand, half (51%) claim cybersecurity is a necessary cost but not a revenue contributor, while a similar share (48%) argue that its value is limited to attack/threat prevention. Nearly a fifth (38%) even see security as a barrier rather than a business enabler.

However, on the other hand, 81% worry that a lack of cybersecurity credentials could impact their ability to win new business – with a fifth (19%) admitting it already has. This comes as nearly three-quarters (71%) of BDMs admit they're being asked about security posture in negotiations with prospects and suppliers. And 78% say these requests for information are increasing in frequency.

This apparent contradiction in attitudes is laid bare by another finding. Despite prospects and suppliers clearly prioritizing security in negotiations, only 57% of BDMs perceive there to be a strong or very strong connection between cyber and client acquisition/satisfaction.

Talent acquisition is another area where there are clear gaps in BDMs' understanding of the interconnectivity between cybersecurity and the rest of the business.

Nearly three-quarters (71%) of respondents claim that the ability to work from anywhere has become vital in the battle for talent. Yet only around two-fifths understand the strong connection between cybersecurity and employee retention (42%) and talent attraction (43%).

That's despite respondents recognizing the impact of cyber on the employee experience:

*   83% say current security policies have affected remote employees' ability to do their jobs (eg. network and information access issues, and slowing the pace of work)
*   43% say current security policies place restrictions on employees' ability to work from anywhere
*   54% say current policies restrict what devices/platforms employees can choose to use

_\* Trend Micro commissioned Sapio Research to poll 2718 business decision-makers in companies with 250+ employees across 26 countries._ 

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.  

SOURCE Trend Micro Incorporated

Research Highlights Cyber Security's Underestimated Role As a Business and Revenue Enabler

**WATERLOO, ON****,** **March 21, 2023** **/PRNewswire/ --** BlackBerry Limited (NYSE: BB; TSX: BB) announced today that it has entered into an agreement to sell substantially all of its non-core patents and patent applications to Malikie Innovations Limited ("Malikie"), a newly-formed subsidiary of Key Patent Innovations Limited ("KPI"), a leading intellectual property monetization company, for a combination of cash at closing and potential future royalties in the aggregate amount of up to $900 million.

The transaction is not subject to any financing conditions. Funding has been secured from a leading US-based investment firm, with in excess of $30 billion of assets under management.

_"We're extremely pleased to have executed this agreement with KPI, whose industry-leading expertise and experience positions them well to realize the patent portfolio's potential and enhance returns for BlackBerry," said_ John Chen_, Executive Chairman & CEO, BlackBerry. "This transaction, once complete, will further strengthen our balance sheet while simplifying our business and enabling increased focus on our core IoT and Cybersecurity opportunities."_

_"We are very excited to have completed this transaction with a partner of BlackBerry's calibre, and we look forward to getting to work to maximize returns from this portfolio," said_ Angela Quinlan_, Managing Director, KPI._

Under the terms of the agreement, BlackBerry will receive $170 million in cash on closing and an additional $30 millionin cash by no later than the third anniversary of closing.  BlackBerry will also be entitled to receive annual cash royalties from the profits generated from the BlackBerry patents, on the following basis:

*   8% of the first $500 million of profits;
*   15% of the next $250 million of profits;
*   30% of the next $250 million of profits; and
*   50% of all subsequent profits.

Royalty payments to BlackBerry will initially be capped at $700 million, subject to an annual cap increase of an amount equal to 4% of the remaining portion of the $700 million that has not been paid to BlackBerry as of the date of the increase.  Malikie's costs will also be capped in the calculation of profits generated.

Approximately 32,000 patents and applications relating primarily to mobile devices, messaging and wireless networking will be sold in the transaction with Malikie.  The transaction excludes patents and applications that are necessary to support BlackBerry's current core business operations. It also excludes approximately 120 monetizable non-core patent families relating to mobile devices (representing approximately 2,000 patents and applications which are primarily standards essential), as well as all existing revenue generating agreements.  BlackBerry will receive a license back to the patents being sold and the transaction will not impact customers' use of any of BlackBerry's products, solutions or services.

Completion of the transaction is conditional upon, among other things, satisfaction of all regulatory conditions under the Hart–Scott–Rodino Antitrust Improvements Act in the United States and the Investment Canada Act. 

Termination of Agreement with Catapult:

On December 20, 2022, BlackBerry provided an update on its previously-announced patent portfolio sale transaction with Catapult IP Innovations, Inc., indicating that Catapult was working with a financing partner and that the parties were negotiating definitive closing documents.  BlackBerry also disclosed that it was then in advanced term sheet discussions with another party that was fully financed, and which had completed its due diligence on the portfolio. 

Catapult was unable to secure financing that would have enabled it to complete the previously-announced transaction on amended terms that were acceptable to BlackBerry, and therefore BlackBerry has terminated its agreement with Catapult and has instead entered into the patent sale agreement with Malikie. 

**About BlackBerry** 

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world. The company secures more than 500M endpoints including over 215M vehicles. Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety, and data privacy solutions, and is a leader in the areas of endpoint security, endpoint management, encryption, and embedded systems.  BlackBerry's vision is clear - to secure a connected future you can trust.

_BlackBerry. Intelligent Security. Everywhere._  

For more information, visit BlackBerry.com and follow @BlackBerry.

BlackBerry Announces New Patent Sale Transaction With Patent Monetization Company for Up to $900M

**NEW YORK****,** **March 21, 2023** **/PRNewswire/ --** BigID, the leading platform for data security, compliance, privacy, and governance,, announced today that native integrations with leading Security Orchestration, Automation, and Response (SOAR) platforms, including Splunk SOAR (formerly Phantom) and Palo Alto Networks Cortex XSOAR (formerly Demisto).

Enterprises have been struggling with responding to the deluge of security events generated by all their security information and event management systems. The volume and complexity of these events increases the need for automated security orchestration and response (SOAR) platforms to help security teams streamline and automate their incident response processes.

BigID's native integrations with SOAR platforms, including Splunk, Palo Alto Networks and Torq , provide customers with access to thousands of pre-built playbooks, enabling them to automate the incident response process from detection to remediation. With these native orchestrations, customers can seamlessly manage and automate their security response workflows, reducing response time and improving overall security posture.

"BigID is committed to helping organizations manage and secure their sensitive data. With these native integrations with leading SOAR platforms, we're able to provide customers with a powerful, integrated solution that enables them to streamline their incident response processes and more effectively manage security risks," said Dimitri Sirota, CEO of BigID.

With this integration, customers can now:

*   Leverage automation to reduce response time and improve accuracy
*   Automate incident response workflows with access to thousands of SOAR playbooks
*   Gain better visibility into incidents and manage responses with ease
*   Increase productivity and reduce the manual effort involved in incident response

The integration with Splunk SOAR, Cortex XSOAR and Torq offers a seamless user experience and significant improvements to security operations.

For more information, please visit www.bigid.com or visit https://home.bigid.com/demo to see it in action.

**About BigID:**

BigID enables organizations to know their enterprise data and take action for data-centric security, privacy, compliance and governance. Customers deploy BigID to proactively discover, manage, protect, and get more value from their regulated, sensitive, and personal data across their data landscape. BigID has been recognized for its data intelligence innovation as a 2019 World Economic Forum Technology Pioneer, named to the 2021 Forbes Cloud 100, the 2021 Inc 5000 as the #19th fastest growing company and #1 in Security, the 2021 and 2022 Deloitte 500, and an RSA Innovation Sandbox winner. Find out more at https://bigid.com.

SOURCE BigID

BigID's Data Security Posture Management Solution Integrates With SOAR Platforms

For companies, training an existing worker is cheaper than hiring, while for employees, training brings job security and more interesting work.

Companies continue to value cybersecurity skills, but many have moved their focus from hiring cybersecurity professionals to training up in-house staff on needed cybersecurity skills.

The monthly number of cybersecurity-related job postings plummeted by nearly a third (31%) in the last month, compared with its peak a year ago, according to employment services firm Indeed.com. Yet cybersecurity is the No. 1 desired skill set that companies would like their employees to learn, with 59% of technology leaders rating cybersecurity as a top-three topic for training, ahead of both data science and cloud skills, according to training firm Pluralsight.

For companies that need to fill gaps in their employee's technical skills, training employees in new skill sets — "upskilling" in the industry parlance — is a relative bargain, compared with the cost of hiring a new employee, says Gary Eimerman, chief product officer at Pluralsight.

"Given the level of risk, cybersecurity hacks are a boardroom conversation across organizations," he says. "Upskilling internally for cybersecurity talent is significantly more cost effective than hiring externally for cybersecurity skills."

Companies would both hire and train cybersecurity professionals, but given the shortage in available skilled workers, training has taken precedence, says Bill Reynolds, research director at Foote Partners, a workforce research firm. The average estimate to hire a technology workers, such as a full-time developer, is about $32,000.

"They are absolutely doing both, but with the significant shortfall in the marketplace for skilled cybersecurity professionals, the sense I'm getting by talking to hundreds of employers ... is that they're focusing more right now on training and developing talent from within," he says. "And it is not just technical skills — they want a whole market basket of soft nontech skills \[as well\]."

**Cybersecurity Skills as Layoff Protection?**

As recession fears continue to roil the technology industry, on March 20 Amazon announced its second tranche of layoffs — this time, planning to cut 9,000 corporate and technology workers, bringing the total number of job affected to 27,000. Cybersecurity vendors have not been spared, shedding thousands of employees in the last three quarters, with some companies cutting more than a quarter of their workforce, according to tracking site Layoffs.fyi.

    

Cybersecurity takes the top spot among skills preferred by employers for training purposes. Source: Pluralsight

Yet, overall, workers with cybersecurity skills have largely been protected from layoffs, due to the relative difficulty in hiring or replacing them. Only 10% of C-level executives intend to lay off cybersecurity staff, much lower than other departments, such as human resources (30%), finance (24%), and even information technology (14%).

As another metric, two-thirds of tech executives have been asked to reduce costs, but 72% still plan to increase investments in the development of technology skills, according to Pluralsight's "2023 State of Upskilling" report. 

"When layoffs are on the table for an organization, where the cuts are made is highly individualized based on business need," Pluralsight's Eimerman says. "Among layoffs that have been done in the tech industry, few have focused on technology-specific roles." 

**Cybersecurity as the Most-Wanted Tech Skill**

Among technology skills, cybersecurity is most often in the top-three skills demanded by technology leaders. Overall, if employees had a weekly sprint for learning, 59% of executives would want them to learn cybersecurity skills, while 44% preferred data-science skills, and 42% selected cloud skill sets, according to Pluralsight's report.

But learning such skills has gained priority for employees, too, who list their top reasons for upskilling as salary growth, personal development, and job security. 

Across the 53 noncertified cybersecurity skills tracked by Foote Partners, the average worker commands a 12.3% base-salary cash premium. Skills such as security auditing, penetration testing, vulnerability scanning and management, DevSecOps, and cyberthreat intelligence all have significant premiums, Reynolds says.

Some combinations of skills are in even greater demand, such as cloud and cybersecurity, he says. With companies focused on shrinking their attack surface area and putting more security capabilities into a very small footprint, for example, workers with cybersecurity, embedded OS, optimizing, and threat detection skills together would garner even greater premiums. 

"From a career perspective, there is so much opportunity for cybersecurity professionals," he says.

While a lack of time and budget has undermined upskilling efforts in the past, workers have new incentives in the tighter employment market: Almost half say that a hiring freeze or pause has resulted in them doing more duties outside their job function. In 2022, 60% of workers cited "I'm too busy" as the top barrier to gaining new technology skills, according to Pluralsight. In 2023, that number dropped to 42%, while 30% cited uncertainty in where to focus their efforts as a top barrier.

Tag

#intel