Concerns about recessionary trends impacting the cybersecurity sector in 2022 remained largely unfounded in Q4, as investment activity surged after a Q3 slowdown.

Mergers and acquisition (M&A) activity and investments in cybersecurity picked up once again in the fourth quarter after dropping off somewhat sharply in Q3. The activity put the sector on track to close out the year in better shape than many had expected, with overall funding topping 2020's pace (even though it dipped compared to 2021).

"M&A and financing deal count and volume in 2022 are still above 2020 levels despite current economic uncertainty," says Eric McAlpine, managing partner at Momentum Cyber. "Cybersecurity is still a very active market relative to historical levels over the past decade."

McAlpine says Momentum tracked a total of 37 M&A deals in Q4 through November. That compares to 50 total acquisitions in Q4 2021.

"M&A activity in the cybersecurity services market continues to be higher than any other sector in the industry," he says. In fact, M&A volumes in 2021 and 2022 year-to-date in cybersecurity services top total volumes for the previous five years combined, he adds.

To boot, McAlpine predicts that M&A activity in cybersecurity will continue its momentum in 2023 as startups run into challenges with raising more capital, or run out of money, or adjust their valuation expectations downward. He predicts a "sea change in thinking by investors away from growth at all costs to funding profitable growth."

**M&A Activity Regained Momentum After 3Q Slowdown**

Two major cybersecurity acquisitions in October had an outsize impact on overall deal volumes in the last quarter of the year. One was Vista Equity Partners' $4.6 billion acquisition of KnowBe4 on Oct. 12. Like many other private equity (PE) firms, Vista plans to make the publicly traded KnowBe4 a private firm once the acquisition is complete.

The other major fourth-quarter deal was PE giant Thoma Bravo's all-cash purchase of ForgeRock for $2.3 billion on Oct. 11.

But that's not to say there weren't other significant deals during the quarter. As examples, McAlpine points to Palo Alto Networks' $195 million acquisition of Cider Security in November; Proofpoint's purchase of Illusive for an undisclosed sum in December; and 1Password's acquisition of Passage in November, for an unknown sum.

According to numbers that S&P Global Market Intelligence tracked, the first three weeks of October alone saw more M&A money move through the cybersecurity sector than the entire third quarter.

"Between Oct. 1 and Oct. 24, cybersecurity acquirers disclosed an aggregate $6.90 billion in deal values from nine announced transactions," the analyst firm said in a recent market report. In comparison, the aggregate deal values for all M&A transactions with disclosed values during the third quarter was just $3.06 billion — down more than 75% from the $13.77 billion during the same period in 2022, S&P Global Market Intelligence said.

**A Flurry of Funding Activity**

Meanwhile, the last quarter of 2022 also had its fair share of funding activity in the cybersecurity sector. Notable examples include Arctic Wolf's closing of a $401 million convertible notes offering in October; Drata's $200 million Series C funding round in December that valued the firm at $2 billion; and a BlackRock-led $120 million pre-IPO financing round in Versa Networks.

"Keeping in mind that the year is not over yet, there have been 396 funding rounds totaling $16.6 billion in new investments" in 2022, says Richard Stiennon, chief research analyst at IT-Harvest. "While this does not match last year's $24 billion, it exceeds the record funding of 2020 by 60%."

The numbers are not too shabby for a year for which disaster was predicted, Stiennon notes: "And the year is not over. I would not be surprised if we hit $17 billion."

By IT-Harvest's count, there were nearly two dozen cybersecurity funding rounds disclosed in the last three months of 2022. These included a $196.5 million series G funding round at Snyk that valued the firm at a $7.4 billion; NetSPI landing $410 million in growth funding; and Akeyless raising $65 million for its secrets management technology.

Data that Momentum tracked showed that through the end of November, the most active sectors for M&A deals were managed security service providers; risk and compliance; and security consulting and services segments. The most active segments for financing deals during the same period were risk and compliance; identity and access management; application security; and network and infrastructure security.

**The Impact of Industry Activity on Enterprise Security Teams**

Marc van Zadelhoff, CEO at Devo, expects that the cybersecurity market will weather any recession that might materialize, better than other sectors.

"In the second half of 2022, security was the last industry to observe a slowdown in spending, let alone IT spending," he says. "Before midway through 2023, I firmly believe that security will be the first industry to emerge out of the recession, given the explosion of data and threats and the need for a solid security posture."

However, security teams must show their capabilities and provide immediate ROI, van Zadelhoff says. "Now is the time to lay the groundwork for cybersecurity investment and for security decision-makers to learn the language of the CFO and practice their cyber pitch."

At the same time, some say a prolonged recession — or fears of one — could put a damper on security spending and trigger other changes in the industry over the next year and in the short term. They advocate that enterprise security team be aware of the potential implications of these changes and be prepared for them.

Security teams, for instance, need to be prepared to show measurable return on investments and do more with less in situations where their organizations might be looking to cut security spending, says Richard Caralli, senior cybersecurity advisor at Axio.

This is in anticipation of a slowdown in core spending in 2023 on technology acquisition, which could lead to some contraction in certain cybersecurity sectors and more potential consolidation and acquisition activity.

"At that point, you can expect to have to reevaluate any technologies that are caught up in these activities," Caralli says.

The fact that CISOs and people in charge of purchasing decisions are increasingly looking for more integrated platforms could be another driver for funding activity in the cybersecurity sector in 2023.

"The cybersecurity market is approaching bloated status," says Hank Thomas, CEO at Strategic Cyber Ventures. "There are far too many vendors chasing the same dollars with comparable technology. PE firms and other later-stage investors are looking to bring in larger players to serve as anchors for rollups and bolt-on acquisitions. This will create new more comprehensive, cost efficient, and effective security platforms."

New Year's Surprise: Cybersecurity M&A, Funding Activity Snowballs in Q4

ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.

**Published Firmwares in 2022**

**V2.01 : 11.11.2022**

2304

Bug fix

Moxa Real TTY driver update

2397

Security

OpenSSL: fix CVE-2020-1971

2406

Security

PAM: fix 'Empty Password improper authentication' (CWE-287)

2424

Bug fix

DA-820 and DA-820C: fix 'empty slot' command

2438

Bug fix

DA-820C: fix network error messages at bootup

2442

Security

sudo: fix CVE-2021-3156

2455

Security

OpenLDAP: fix multiple CVE

2464

Bug fix

Cellular modems: fix USB disconnect/connect problem

2470

Security

OpenSSL: fix multiple CVE (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841)

2482

Bug fix

Postgres: fix the running state view

2491

Bug fix

Firmware update: improved the management of the postgresql service

2556

Add-on

Virtual: VirtIO NIC driver added for some KVM based hypervisors

2560

Add-on

DA-820C: support for I350-T4 and CP102U cards added

2561

Bug fix

DA-820C: fix comment update on slot 2

2590

Bug fix

Mono: moved "ApplicationData" and "CommonApplicationData" folders to /opt partition

2620

Bug fix

DA-820C: improvement of the firmware update (TPM related)

2743

Add-on

APU2: support for additional serial ports from P3

2812

Bug fix

IG2: fix EtherCAT driver for ARM64.

2857

Security

DA-820C: SysRq commands disabled

2858

Bug fix

Boot process, automatically fix potential mount errors

2873

Bug fix

NTP Server, fix the 'jump backwards in time

2878

Security

rsyslog: fix CVE-2022-24903

2897

Security

Force password change during the first login (CVE-2022-4780)

2940

Security

Virtual, open-vm-tools: fix CVE-2022-31676

2951

Bug fix

OpenLDAP: files integrated into the backup

2970

Bug fix

RADIUS: files integrated into the backup

 

Add-on

IG2: support for digital inputs/outputs

 

Security

RADIUS Integration

 

Security

Firmware Integrity Check integration

 

Security

Manage rate limiting (avoid DoS)

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup 6.05.00 (StreamConfig: version 35 of the parameters)

**V2.00d - 22.04.2022 (only for CX9020)**

2825

Add-on

Staging: images for 2GB and 4GB SD cards.

 

Bug fix

StreamX Setup v6.04.25 of 07.04.2022 (StreamConfig: version 34 of the parameters)

**V2.00c - 24.02.2022 (only for CX9020)**

 

Add-on

earlyoom: memory watchdog to protect EtherLAB from an 'out of memory'.

 

Bug fix

StreamX Setup v6.04.17 of 18.02.2022 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2021**

**V2.00 : 24.02.2021**

1279

Bug fix

Fix StreamView HTML serialization errors

1715

Bug fix

Fix StreamDaemon is no more responding on ARM architectures

1867

Bug fix

Fix general Mono memory leaks

1980

Bug fix

Mono: major upgrade to version 6.10.0.104

2135

Security

Sudo: fix potential vulnerability (CVE-2019-18684)

2157

Security

Fix CVE-2019-14899 : Inferring and hijacking VPN-tunneled TCP connections

2175

Bug fix

EtherCAT: etherlab stack update

2189

Bug fix

CX9020: fix speed of second LAN which was sometimes fixed at 10 Mbit/s

2283

Bug fix

Virtual: open-vm-Tools produces no more messages continuously.

2297

Add-on

Support of stunnel for all hardwares

2298

Add-on

CX9020: support of the LEDs TC, FB1, FB2

2327

Add-on

Backup of Postgresql configuration files

2332

Add-on

Postgresql: log file rotate mechanism

2340

Bug fix

Network: fix manual lan won't goes up at boot

2343

Bug fix

APC910: fix lan1 detection on TS17.04

2362

Security

OpenLDAP: fix CVE-2020-25709 and CVE-2020-25710

2382

Add-on

APC910: support for USB1 to USB4 ports added for model TS17

2429

Bug fix

Cellular modems: fix the enable/disable NMEA feature

 

Add-on

First integration of the hardware Elvexys IG2

 

Add-on

CX9020: bootloader version 5 for kernel compatibility

 

Security

CX9020: StreamBridge is no more executed with root account (least privilege)

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup v6.02.90 of 10.02.2021 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2020**

**V1.99 : 17.06.2020**

1827

Add-on

Cellular: PPP as default gateway is now listed into the network section in StreamConsole

1880

Add-on

Virtual hardware: OVF file compatibility for ESX 5.5

1893

Security

PostgreSQL: fixed multiple vulnerabilities

1897

Add-on

Virtual hardware: changed from generic to Intel network adapter

1906

Security

StrongSwan: upgrades to fix CVE-2018-16151 / CVE-2018-16152

1908

Security

Kernel: upgrades to fix CVE-2018-14634

1931

Bug fix

Cellular: fix for the configuration migration

1939

Bug fix

Cellular: fix USAN management when receiveing a SMS

1940

Bug fix

Fix to no more generate duplicate paths after a firmware migration

1954

Security

OpenSSL: fix multiple vulnerabilities

1984

Bug fix

LEDs: swapped the management of Storage and SNMP Agent

1985

Bug fix

Firmwares files with special chars are now possibles

2002

Bug fix

LEDs: no more turned off after a long period of time

2023

Bug fix

Bonds on B&R APC910 are now working as expected

2060

Add-on

CX9020: compatibility with HW rev. 3

2088

Security

Kernel: upgrades to fix CVE-2019-11477 (SACK Panic)

2095

Add-on

Virtual hardware: drivers for VMXNET3 added

2106

Bug fix

Cellular: fix infinite loop in ppp restart Under certain conditions

2112

Security

SysRq commands over serial ports is now disable for all hardware

2127

Security

Sudo: fix CVE-2019-14287 Potential bypass of Runas user restrictions

2138

Security

Unable to use SCP anymore

2142

Bug fix

APC910: fix the use of lan2 without the additional 4 lans board

2150

Add-on

Firmware update: error codes 24 and 25 added

2151

Bug fix

Default Gateway no more lost after changing the IP on the interface binded to the default gateway

2165

Security

OpenSSL : fix CVE-2019-1551

2167

Bug fix

SSL Certificates for StreamX applications are now backuped

2180

Add-on

Beckhoff CX9020: support of the new HW revision of TOSIBOX 4G modem (based on Quectel EC25 chip)

2199

Add-on

Firewall: extend ports range for StreamX services.

2218

Add-on

Fsck package added (File System Consistency Check)

2269

Bug fix

Moxa DA-820, fix the receive mechanism on serial ports P1 and P2 when used in RS485 2 wires mode.

 

Bug fix

PFC100/PFC200: use Wago BSP v. 2.8.35

 

Add-on

First integration of the hardware B&R APC910

 

Add-on

First integration of the hardware APU4

 

Add-on

First integration of the hardware Moxa DA-820C

 

Add-on

APU2 and APU4: support for the LEDs and the dual power boards

 

Add-on

APU2: support for two dual LAN mPCIe boards

 

Add-on

APU4: support for one dual mPCIe board

 

Add-on

UC-8112: first LEDs management

 

Add-on

Support of PRP for Moxa DA-820 and Moxa DA-820C from StreamConsole

 

Add-on

Support of stunnel for Virtual hardware

 

Add-on

Firewall: added UDP port 123 for NTP server

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup of 08.05.2020 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2018**

**V1.98 : 05.07.2018**

1738

Security

Kernel: upgrades to fix Meltdown and Spectre vulnerabilities

1826

Security

Moxa DA-820, fix the process to disable physical USB ports

 

Add-on

PostgreSQL, migration process updated for future major upgrades

 

Add-on

First integration of virtual hardware (VMWare) with the configinit tool

 

Bug fix

Moxa DA-681A, fix the RS485

 

Bug fix

Moxa DA-720, fix the RS485 2 wires mode on P2

 

Add-on

Moxa UC-8100, new bootloader for Linux kernel 4.1

 

Bug fix

All libraries: update to the latest stable version

 

Security

Improving hardening like using ASLR and Stack Smaching Protection

 

Bug fix

Cellular: fix the use of CTS and DTS signals

 

Bug fix

StreamX Setup of 22.06.2018 (StreamConfig: version 32 of the parameters)

**V1.97 : 05.03.2018 (only for DA-681A, DA-720, UC-81xx and APU2)**

1743

Security

Moxa Nport: the owner of the remote serial ports is now the group streamx\_apps instead of root

1729

Bug fix

WD Cellular: prevent rebooting the system if a firmware upgrade is in progress

1782

Bug fix

WD Cellular: don't block anymore in case of huge system time changes

 

Add-on

WD Cellular: the RSSI and the cellular antenna ID are now published in memory files for other programs

1748

Add-on

DHCP Client: new default settings for interoperability with slow DHCP servers

 

Add-on

First integration of the hardware Moxa DA-720

 

Bug fix

StreamX Setup of 27.02.2018 (StreamConfig: version 32 of the parameters)

CVE-2022-4780: ISOS release notes - Elvexys SA

This is what happens when a CISO gets tired of reacting to attacks and goes on the offensive.

Like a member of any profession, a chief information security officer (CISO) grows into their role. They exhibit a maturity curve that can be roughly split into five attitudes:

1.  **Protection:** When a CISO first steps into their role, they look to perfect the basics and build a fortress for themselves in the form of firewalls, server hardening, and the like.
2.  **Detection:** Once they determine how the framework is built, the CISO moves on to more and more sophisticated monitoring tools, incorporating in-depth monitoring and packet filtering.
3.  **Response:** The journeyman CISO will start crafting detailed response plans to various scenarios, weaving them into the overall BC/DR planning and making sure that the team is ready for anything.
4.  **Automation:** Next they'll focus on making everyone's life easier by incorporating automation, AI/ML learning, and third party intelligence into their already-robust defenses.

You may have seen or experienced this kind of four stage evolution yourself. But there's a much rarer _fifth stage_ that is reached much later in a CISO's career. Upon seeing the multitude of annoyances buzzing around them, probing, trying to gain access to _their_ territory ... they become restless. They get tired of waiting for their enemies to strike.

The fifth and final stage is proactivity. And it’s at this stage that CISOs go on the hunt, using techniques of modern defense.

**Leaving the Comfort Zone**

The demarcation point is traditionally where everything becomes "somebody else's problem." If anything breaks or gets hacked, it isn't on the company's dime.

At least, that's how it used to be. Veteran CISOs know that in the era of the cloud and heavy federation, nothing could be further from the truth. Every hack has ripples. Every DDoS has collateral damage. An attack on your ISP, on a federated partner, on your supply chain, on the company's bank, or on utility providers might as well be an attack on your turf.

Most importantly, social engineering and fraud ignore internal demarcations entirely! They don't respect traditional boundaries. If they need to use your federated partner to get in, they will. If they need to infiltrate your employees' social media to gain leverage, they won't hesitate.

But what can be done? Your tools, your monitoring ... absolutely everything you've built is designed to cover your own territory. How can you have an impact on the other side of the demarcation?

Part of the proactivity that comes with stage five of a CISO's career is the ability to process threats that have the potential to impact your business. This means combining the resources that are available to the entire cybersecurity community and the intelligence gleaned from your own monitoring efforts.

Now you're in what Tom Petty once called "The Great Wide Open." The bad news is that your activities are more exposed out here. The good news? You aren't alone.

**Resources for Fraud Prevention Beyond the Demarcation**

In order to get ahead of the curve, you need to work with others and assess emerging threats. Two traditional resources are still effective here: CERT and OWASP. These two organizations have been tirelessly tracking cybersecurity trends for over a generation.

But there are some newer kids on the block that can help you on your hunt. PortSwigger's BURP suite can help you to perform intelligent Web application and network analysis (just make sure you get permission from your business partners before you go full white-hat on their infrastructure). Some subscription advisory services like Black Duck can be worth their weight in gold.

But those are all solutions on the technical side, and fraud isn't always technical. To hit fraudsters where it hurts, you need to embrace the human element.

**A Global Defense Effort**

One of the advantages of using an antifraud suite such as that made by Human Security is that the breach information it gathers is shared anonymously across Human's entire client base. That means when a new fraud attempt is registered with any customer, updates to combat it are shared with all customers across every impacted system: training, automated scans, spam rejection, firewall rules, and packet filtering, to name a few.

Additionally, internal and external attempts to misuse or compromise corporate resources are compared to events taking place elsewhere on the Human network. If there's a pattern, the cybersecurity team is informed, and additional resources can be dedicated to monitoring the situation. MediaGuard can do the same for impersonation attempts or attacks on brand integrity.

**What Do You Do When You Catch Something?**

All of these resources allow you to hunt well beyond the demarcation point. But what do you do when you actually track something down?

When you find vulnerabilities in your supply chain or within a federated resource, you need to share them with your counterpart at the company in question. Assuming you've done everything above board and with their permission, this isn't a problem. If you accidentally hunted outside your domain without permission, see if the impacted business has an anonymous tip line for fraud or security.

Then, make sure your own detection and filtering process is adapted to deal with the new threat before the fraudsters or hackers can even make the attempt. Report any new technical vulnerabilities to your preferred advisory service, and then start planning your next hunt.

When CISOs Are Ready to Hunt

It's time companies build a multilayered approach to cybersecurity.

As global cyberattacks continue to become more sophisticated, so should corporations' risk mitigation strategies. Of these high-stakes attacks, financial motivation is the most common reason for cybercriminals to target businesses, with the IBM "Cost of a Data Breach" report finding that the average breach in 2022 cost organizations up to $4.35 million in damages. With consequences this detrimental to business, it's critical that companies build a multilayered approach to cybersecurity with a number of experts involved to ensure effective prevention, detection, and response to cyber threats.

To create the most effective cyber-risk prevention and recovery team, companies must leverage financial and technology talent to collaborate on prevention strategies. While cybersecurity professionals focus on the who, what, where, and how of a potential breach, accountants can monitor the potential impacts to a corporation's funds and controls to determine priority functions and vulnerable financial business data that need safeguarding. This is typically done most effectively by forensic accountants who are trained in auditing and investigating risk factors within the finances of individuals or businesses. When these two roles find synergy, they can combat even the most complex of corporate cybercrimes.

Here are some of the ways these professionals can effectively work together to prevent and recover from highly intelligent attacks on financial data.

**Prevention**

Proper prevention of financial cybercrimes takes a diversified skill set, tapping into financial and IT specialties to create the strongest possible defenses against breaches. For cyber professionals, this includes identifying and closing gaps in internal controls and technologies, and implementing the proper safeguards — from two-factor authentication programs to file encryptions and more. Meanwhile, forensic accountants are well-versed on corporate finances and have the ability to detect the misappropriation of funds before losses are incurred.

Cyber professionals are also invaluable assets to financial teams in alerting them to new threats as the digital landscape changes so that proper preventative measures can be implemented. For example, there is a new trend of hackers using Meta business accounts as an entry point to breach financial information. This typically involves the stealing of customer credit card and bank information when they make transactions through the social media platform.

Obviously, suffering from an attack of this kind can lead to a damaged reputation, monetary consequences, and a loss of consumer trust. Establishing open lines of communication between cyber professionals and those in charge of monitoring business transactions can mean that forensic accountants know what threats they need to be wary of and can make business decisions that are in the best interest of their clients and customers. Also, it can ensure quicker detection of odd transactional activity for early intervention.

Instituting safeguards to proactively defend financial information — and consistently reviewing and updating them — can help to keep corporate funds safe in an era where sophisticated cybercriminals can steal financial information at the click of a key.

**Recovery**

Even the best laid plans can fail, especially when the enemy continues to get smarter and stealthier as technology evolves. That's the case when it comes to cybercrime, so planning to fail is just as important as working to avoid failure.

Collaboration between cybersecurity professionals and forensic accountants can ensure that swift, immediate defenses are deployed when an attack is executed and that the damage to a business's financial bottom line is as minimal as possible.

In the event of a breach, these professionals must work together to block the attacker and protect as much data and capital as they can. For example, a seasoned forensic accountant brings experience and knowledge of the many forms of corporate fraud, as well as the necessary steps to employ investigative techniques to spot trends and outliers in large data sets as they develop. Immediately upon noticing suspicious activity, they can alert their company's cyber team to quickly employ a variety of techniques to close the digital path to systems while they investigate.

While losses are not ideal, they are difficult to avoid once a cybercrime is effectively executed, even if it was caught and stopped quickly. Post-incident, it is the task of forensic accountants to calculate potential losses, assess and disclose accounting requirements, and assist the cyber team with evidence collection for insurance claim purposes.

Generally, forensic accountants and cybersecurity professionals have the same goal: to safeguard important information. When they use their unique skill sets to collaborate effectively, a corporation has the best chance of evading the consequences of a devastating cyberattack.

Why Cyber Pros and Forensic Accountants Should Work Together to Mitigate Security Risk

Will the bottom falling out of the cryptocurrency market have a profound impact on cybercriminal tactics and business models? Experts weigh in on what to expect.

With the implosion of the FTX exchange putting a punctuation mark on the cryptocurrency crash of 2022, one of the natural questions for those in the cybersecurity world is, how will this rapid decline of cryptocurrency valuations change the cybercrime economy?

Throughout the most recent crypto boom, and even before then, cybercriminals have used and abused cryptocurrency to build up their empires. The cryptocurrency market provides the extortionary medium for ransomware; it's a hotbed of scams against consumers to steal their wallets and accounts. Traditionally, it's provided a ton of anonymous cover for money laundering on the back end of a range of cybercriminal enterprises.

Even so, according to cybersecurity experts and intelligence analysts, while there certainly have been some shifts in trends and tactics that they believe are loosely tied to the crypto crash, the jury's still out on long-term impacts.

**Shifting Crypto Trends & Tactics in 2022**

Regardless of crypto values, cybercriminals this year have definitely become more sophisticated in how they use cryptocurrencies to monetize their attacks, says Helen Short, cyber-threat intelligence analyst for Accenture, who points to the use by some ransomware groups taking advantage of yield farming within decentralized finance (DeFi), as an example.

"The concept of yield farming is the same as lending money, with a contract in place that clearly shows how much interest will need to be paid," she explains. "The advantage for ransomware groups is that the 'interest' will be legitimate proceeds, so there will be no need to launder or hide it."

Her analysis has shown that threat actors are increasingly turning toward 'stablecoins,' which are usually tied to fiat currencies or gold to stem their volatility. She says that in many ways, the downturn in crypto values has increased the risk appetite of cybercriminals and is spurring them into more investment fraud and cryptocurrency scams.

"Threat actors are also playing on people’s desperation to recoup their losses," she says.

While some consumers who have lost their wallet value may be desperate, others have simply lost their interest and aren't watching their accounts as closely, which is driving another trend, says Brittany Allen, trust and safety architect and fraud researcher at Sift.

"Plummeting crypto prices have led to consumers paying less attention to their crypto wallets than they were early this year and in 2021, and fraudsters noticed," Allen says. "This has led to a 79% rise in crypto account takeover attacks."

By point of example, she explains that her team discovered a new type of crypto cash-out scam this year on Telegram and Dark Web forums, where account takeover fraudsters teamed up to target the crypto market during the crash.

"In this scheme, cybercriminals use stolen wallets, bank accounts, or crypto exchange accounts to move or launder illicitly obtained funds. Fraudster A will advertise their access to stolen funds on Telegram, then find another fraudster who specializes in crypto account takeover and KYC (know your customer identity verification) bypass methods," she says. "Once Fraudster B offers access to stolen wallets or crypto exchanges, Fraudster A sends the stolen funds to Fraudster B’s accounts, where they funnel the money out and split the profits. Each party takes a risk trusting the other, but if successful, they stand to make tens of thousands of dollars each."

This is in line with another shift in cybercriminal tactics in 2022 that Short says she's witnessed. It's not necessarily a response to cryptocurrency devaluation, but it is a business model shift to maximize revenue.

"We're seeing threat actors partnering together to facilitate an attack, rather than paying each other for their specialist services. This reduces the overall cost of the attack as the agreement is a set cut of the proceeds," she says.

**Ransomware Is Here to Stay**

One point that cybersecurity pundits are almost unanimous on is that even with a ton of cryptocurrency volatility, ransomware isn't going anywhere. There was a slight downturn in ransomware activity in 2022, but according to Aamil Karimi, threat intelligence analyst at Optiv, that's more attributable to other variables like the war in Ukraine. 

There was some significant regrouping of ransomware cartels that were more likely to result in the decline of activity than anything else, and he says cryptocurrency will still be a favored extortion demand for a long time.

"It’s likely cryptocurrency will still be the payment of choice demanded in extortionary incidents. As of right now, it’s the safest medium for cybercriminals to conduct transactions," Karimi says. "I don’t estimate any slowdown in cybercriminal or extortionary activity."

Bob Rudis, vice president of data science for GreyNoise Intelligence, agrees. There are simply too many soft ransomware targets ripe for attack for criminals to ignore, Rudis says. And it's not as if they lose any money with lower values of the currency since they are the ones setting the ransom, and they're likely going to convert it into tangible funds before further volatility impacts the total.

"Attackers care not if they receive one or a hundred units of a given cryptocurrency when asking for, say, $100,000 USD," Rudis says. "They have the means, markets, and processes to convert any ill-gotten crypto gains into something more tangible, and will likely always be one step ahead of law enforcement and market regulators." 

In spite of headline stories about authorities using crypto mechanisms to hurt adversaries financially, Rudis says there are "still real law enforcement hurdles to curb that flow," which is why he believes cryptocurrency will still be heavily used for cybercriminal money laundering for some time to come.

Not everyone sees it the same way, though. Short of Accenture points out that law enforcement this year has increasingly taken a real bite out of the crooks' bottom line through claw-back transactions, seizures, and more.

"Law enforcement took aggressive measures in 2022, including fund seizures, sanctions, and high-profile arrests," she says. "It is becoming harder to launder and cash out illicit funds, resulting in the trend of threat actors exchanging ‘dirty cash’ for other services as they cannot get the illicit funds out."

Ryan Kovar, distinguished strategist and leader of Splunk's SURGe research team, also points out that perhaps the cybercrime impact of the crypto crash of 2022 will have less to do with a potential future divestment of cryptocurrency in cybercriminal enterprises than it will with changes in the crypto market's perceived anonymity.

“Ransomware gangs are going to move away from cryptocurrency not because of financial instability, though that’s a factor, but more due to the traceability," Kovar says. "Ultimately, crypto is not really anonymous."

He adds, "If you’re a criminal who lives in a country that supports, sponsors, or doesn’t care about cybercrime, then you’re probably not getting prosecuted easily unless you really tick people off.” 

**Evolution to Expect in 2023**

Experts also believe that increased law enforcement friction will likely influence an evolution in cybercriminal operations around other types of attacks beyond ransomware. Especially proven ones that already don't depend on cryptocurrency, like business email compromise (BEC).

"The FBI's annual IC3 report \[PDF\] shows business email compromise (BEC) to be top of the list when it comes to attackers banking fiat coin. Advanced technology that mimics writing, speech, and even live video of humans is now almost trivial to use and will evolve rapidly in quality," GreyNoise's Rudis says. "Ransomware groups are, first and foremost, businesses, and it would seem logical to assume they'd apply their technical skills to conduct more advanced BEC schemes as well. 

In the meantime, attackers will also be likely to keep advancing technology to stay a step ahead of the authorities with regard to traceability and laundering.

"Attackers will become more sophisticated, breaking the sequence of blockchain transactions to try and obfuscate their illicit funds," Short says. "We will likely see a professionalization in cryptocurrency mixers, such as Tornado cash, with threat actors offering fast and high value 'cash out as-a-service' offerings."

She believes that in 2023, this could drive up the value of personally identifiable information (PII), as it will further push the demand for account takeovers to create mule accounts for cashing out on the back end of various scams.

"It is likely that cybercriminals will continue to convert to stable assets to secure value," she says, "and we will see an increase in threat actors using more privacy focused cryptocurrencies that are harder for law enforcement to trace."

Will the Crypto Crash Impact Cybersecurity in 2023? Maybe.

Digital transformation initiatives are challenging because IT still has to make sure performance doesn't suffer by making applications available from anywhere.

Over the past two years, many businesses have adopted hybrid work environments and begun migrating mission-critical applications to the cloud to allow their hybrid workforce to work from anywhere. However, combining working from anywhere with migrating applications such as Salesforce, SAP, Microsoft 365, and ServiceNow was an IT challenge because the networks needed to be improved.

The challenge was to reduce downtime and increase end user productivity. Even minor outages can impact operations, productivity, and profits, with Gartner suggesting that unplanned downtime costs US$5,600 per minute. To reduce such costs, businesses must quickly identify the root cause of outages and turn to intelligent digital experience monitoring solutions.

    

45 minutes of downtime costs more than a quarter million dollars. (Source: Gartner)

Businesses spent time rethinking the digital transformation journey to ensure they were delivering excellent performance while still securing users, workloads, and device communications over any network. As businesses look forward to 2023, three top digital experience monitoring trends emerge:

**Increase Hybrid Workforce Productivity**

Many businesses have accelerated digital business initiatives over the past couple of years to retain talent and optimize productivity. Companies like Zoom, Facebook, Google, and Apple adjusted their work-from-home policies to allow 100% remote and hybrid formats. Even healthcare businesses have enabled staff to work remotely, offering more telemedicine options and limiting in-person appointments.

Remote work is here to stay for the foreseeable future, as employees have proven that this hybrid model is possible. However, IT teams need to focus on keeping the business operational while ensuring excellent end user productivity. Supporting hybrid workers means having fast and reliable insights as issues arise from various devices, applications, and networks being used. For example, help desk and network operations teams need to know whether the user is having an issue with the local Wi-Fi connection or if there are problems with any of the network hops between the user's machine and where the application is hosted.

As hybrid workers become more adept at working from home, they learn basic connectivity troubleshooting steps, such as rebooting the home Wi-Fi router. In 2023, businesses need to be able to quickly recommend ways to solve end user problems without requiring users to open support tickets. IT teams need a global view of their environment to pinpoint areas of focus, and then to actively look at specific users to understand their challenges. This will reduce IT troubleshooting time while increasing end user productivity.

**Faster Mean Time to Resolution (MTTR) With Smart Technologies**

Service desk and network operations teams must look past traditional castle-and-moat architecture, change their work-from-home policies, and provide users with fast and reliable access from anywhere. To increase productivity, IT teams must diagnose an end user's situation quickly and confidently. They must analyze each device, dedicated network path, and application response times. That's the only way to grasp the end user's dilemma fully. To effectively analyze data from these segments and provide a meaningful response, IT teams will benefit from the help of AI and machine learning (ML).

In 2023, we’ll see continued growth in AI/ML-based technologies as they ingest more data and learn to apply insights across the board. The key will be the amount of data being ingested and analyzed. The intelligence will come from solutions that combine multiple facets of end user experience. For example, providing secure, fast, and reliable connections with the ability to triage issues based on collected data will separate solutions that offer combined capabilities from ordinary point products.

The FIFA World Cup used AI to produce some compelling projections . Imagine if the players knew exactly where to position the ball for a goal—it would be game-changing! Similarly, if service desk and network operations teams could similarly leverage AI, they would be able to quickly triage end user issues In 2023, let's spend less time with traditional operations troubleshooting guides and more with AI-based solutions.

As IT teams look to better understand their environments, they’ll need intelligent systems to provide trends and patterns holistically. In 2023, AI-based solutions should evolve to find trends and systematic issues. For example, imagine a view into your network that classified which ISPs were the most troublesome globally. You could create a plan to move off those ISPs or position them as backups, for instance. You could also use this knowledge to negotiate better terms with the ISP. Armed with AI-based insights, IT teams would have opportunities to optimize their environments and reduce potential outage scenarios.

**Reduce IT Costs With Monitoring Plus Security Solutions**

Macroeconomics will focus on reducing overall costs and increasing flexibility (consolidation). In 2023, businesses will not only look to remove siloed monitoring solutions around devices, networks, and applications; they will also look for solutions that combine monitoring and security. These two services fit together nicely.

With security issues on the rise, IT teams will continue to face pressure from executives on what happened, end user impact, and prevention techniques. The challenge will be trying to reduce costs while gaining this intelligence. Cloud-based solutions make it easier for IT teams to get started small, get comfortable with the solution, and then scale.

For example, when the economy shifts, more businesses look to consolidate through mergers and acquisitions. However, these business initiatives aren’t always predictable, and IT must ensure solutions are in place that can easily handle these shifts. With secure cloud-based solutions, IT teams can quickly focus on security and monitoring, and then scale while controlling costs .

One more way to reduce costs in 2023 will be to focus on using existing IT service management tools. For example, many businesses use ServiceNow—wouldn't it be great if digital experience monitoring could easily integrate into these solutions? IT teams could more easily adopt new digital experience monitoring solutions without changing their entire workflow. Continuing to reduce costs is all about intelligently gaining insights with smarter integrations.

Read more _Partner Perspectives_ from Zscaler.

Securing and Improving User Experience for the Future of Hybrid Work

The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain.

Last week Okta announced a security breach that involved an attacker gaining access to its source code hosted in GitHub. That's just the latest example in a long string of attacks gaining access to company source code in GitHub. Dropbox, Gentoo Linux, and Microsoft have all had their GitHub accounts targeted before.

With 90 million active users, GitHub is the most popular source code management tool for both open source and private enterprise code repositories. It's a major piece of fundamental infrastructure and the keeper of some of the most sensitive assets and data in the world.

It's no wonder that attackers are increasingly going after source code. In some cases, such as Okta, they might be trying to gain access to the source code. More often, the attackers are looking for sensitive information to use in a subsequent attack.

An attacker who can gain access to private source code can examine it for vulnerabilities and then exploit those vulnerabilities in subsequent attacks. Attackers can also harvest hardcoded keys, passwords, and other credentials that might be stored in GitHub to gain access to cloud services and databases hosted in AWS, Azure, or GCP. A single stolen repository can yield intellectual property, valid credentials, and a nice list of vulnerabilities in production software that are ready to be exploited.

Shiny Hunters, an attack group known to specifically target private GitHub repositories, has breached tens of companies using this technique, and sold their data across various Dark Web marketplaces.

**Securing the Organization's GitHub Environment**

There is no question that GitHub is a critical part of the organization's infrastructure, but locking it down is a complex and challenging identity security problem. The beauty of the GitHub model is that it allows for unfettered collaboration, but that also creates one of the biggest headaches in modern IT security.

Just think about it: Anyone remotely technical in 2022 has a GitHub account. And you can use your GitHub account for everything. We can use these accounts for personal side projects, open source contributions, and our work in public and private code repositories that are ultimately owned by our employers. That is a lot of heavy lifting for a single identity!

You can also use the "Sign in with GitHub" feature to use your GitHub identity in other websites and services outside of just GitHub itself. And there's more: GitHub is unique in that you don't just sign in to their website, you also pull, push, and clone code from GitHub's servers down to your local machine via git operations over HTTPS and SSH, which themselves require your GitHub identity.

Clearly GitHub picked up on these security implications when it announced the deprecation of usernames and passwords for git operations last year — a step in the right direction.

**7 Tips for Securing Your GitHub**

While GitHub provides tools to lock down the environment, organizations need to know how to use them. Unfortunately, some of the most important security capabilities require GitHub Enterprise. Nonetheless, here are seven principles for better GitHub security.

1.  **Don't allow personal accounts for work.** We get it, your company has a few public repositories and you can build your credibility by showing off some public contributions in your next job interview. Your personal GitHub account is part of your brand. Unfortunately, this is also one of the biggest holes in organizations using GitHub today: They do not strictly govern the use of personal accounts for work purposes. As tempting as it might be, personal accounts should not be used for work. There's just no way to control who has access to that personal Gmail address that you used to create your personal GitHub account.
2.  **Require authentication via company SSO.** Unfortunately, GitHub shows up prominently on the SSO Wall of Shame. That's right — you need to pay extra for SSO integration. Once you have GitHub Enterprise, you can connect GitHub to your company SSO, such as Okta or Azure AD or Google Workspace, and you can lock down your organization to only allow authentication via SSO.
3.  **Require 2FA on all accounts.** Even if you enforce two-factor authentication (2FA, aka MFA) via your SSO and also require SSO authentication, the safest option is to still enforce 2FA for all GitHub users in your organization. Exemption groups and policy exceptions in your SSO provider can make SSO MFA easy to bypass.
4.  **Use SSH Keys for git operations.** While GitHub has introduced fine-grained permissions control with personal access tokens (PATs), they remain susceptible to phishing as these tokens are often copied around in plaintext. By using SSH keys for authentication for git operations, your organization can use thoughtful PKI to govern how SSH keys are provisioned, and can also tie this to your company's device management and your own certificate authority (CA).
5.  **Restrict repository member privileges using roles.** GitHub offers several different repository roles that can be assigned based on the principle of least privilege. Base permissions can be controlled at the organization level. Always take care to assign the least privileged role that a member needs to be productive. Don't make everyone an admin.
6.  **Don't allow outside collaborators.** Working with contractors is a normal part of managing large software projects. However, the governance surrounding outside collaborators in GitHub is insufficient to keep your organization secure. Instead, force outside collaborators to authenticate via your company SSO, and do not allow repository admins to invite them directly to your organization's repositories.
7.  **Audit, analyze, and audit again.** No organization is perfect; even with the best policies in place, accounts fall through the cracks and mistakes are made. Even before locking down your GitHub organization, take the time to implement a regular audit process to look for dormant accounts that are not using their access and to limit the number of privileged roles in your repositories. Once your environment is locked down, keep an eye out for policy violations, such as a user who is somehow still authenticating outside of your SSO or not using 2FA.

The breach of Okta's GitHub repository is a powerful example of just how hard it is to protect identities within enterprises, but it isn't a unique one. Every day we see what happens when employees and contractors experience account takeover. We see the effects of weak authentication, lax policies for personal email accounts, and the ever-expanding size of the identity attack surface.

Unfortunately, this latest incident is just one part of a growing trend of identity-related breaches to watch for in 2023.

Why Attackers Target GitHub, and How You Can Secure It

BlueNoroff, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web (MotW) protections.
This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today.
"BlueNoroff

Cyber Attack / Windows Security

**BlueNoroff**, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows **Mark of the Web** (MotW) protections.

This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today.

"BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said, adding the new attack procedure was flagged in its telemetry in September 2022.

Some of the bogus domains have been found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of which are located in Japan, signalling a "keen interest" in the region.

Also called by the names APT38, Nickel Gladstone, and Stardust Chollima, BlueNoroff is part of the larger Lazarus threat group that also comprises Andariel (aka Nickel Hyatt or Silent Chollima) and Labyrinth Chollima (aka Nickel Academy).

The threat actor's financial motivations as opposed to espionage has made it an unusual nation-state actor in the threat landscape, allowing for a "wider geographic spread" and enabling it to infiltrate organizations across North and South America, Europe, Africa, and Asia.

It has since been associated with high-profile cyber assaults aimed at the SWIFT banking network between 2015 and 2016, including the audacious Bangladesh Bank heist in February 2016 that led to the theft of $81 million.

Since at least 2018, BlueNoroff appears to have undergone a tactical shift, moving away from striking banks to solely focusing on cryptocurrency entities to generate illicit revenues.

To that end, Kaspersky earlier this year disclosed details of a campaign dubbed SnatchCrypto orchestrated by the adversarial collective to drain digital funds from victims' cryptocurrency wallets.

Another key activity attributed to the group is AppleJeus, in which fake cryptocurrency companies are set up to lure unwitting victims into installing benign-looking applications that eventually receive backdoored updates.

The latest activity identified by the Russian cybersecurity company introduces slight modifications to convey its final payload, swapping Microsoft Word document attachments for ISO files in spear-phishing emails to trigger the infection.

These optical image files, in turn, contain a Microsoft PowerPoint slide show (.PPSX) and a Visual Basic Script (VBScript) that's executed when the target clicks a link in the PowerPoint file.

In an alternate method, a malware-laced Windows batch file is launched by exploiting a living-off-the-land binary (LOLBin) to retrieve a second-stage downloader that's used to fetch and execute a remote payload.

Also uncovered by Kaspersky is a .VHD sample that comes with a decoy job description PDF file that's weaponized to spawn an intermediate downloader that masquerades as antivirus software to fetch the next-stage payload, but not before disabling genuine EDR solutions by removing remove user-mode hooks.

While the exact backdoor delivered is not clear, it's assessed to be similar to a persistence backdoor utilized in the SnatchCrypto attacks.

The use of Japanese file names for one of the lure documents as well as the creation of fraudulent domains disguised as legitimate Japanese venture capital companies suggests that financial firms in the island country are likely a target of BlueNoroff.

Cyber warfare has been a major focus of North Korea in response to economic sanctions imposed by a number of countries and the United Nations over concerns about its nuclear programs. It has also emerged as a major source of income for the cash-strapped country.

Indeed, according to South Korea's National Intelligence Service (NIS), state-sponsored North Korean hackers are estimated to have stolen $1.2 billion in cryptocurrency and other digital assets from targets around the world over the last five years.

"This group has a strong financial motivation and actually succeeds in making profits from their cyberattacks," Park said. "This also suggests that attacks by this group are unlikely to decrease in the near future."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

BlueNoroff APT Hackers Using New Ways to Bypass Windows MotW Protection

Throughout 2022, geopolitics has given rise to a new wave of politically motivated attacks with an undercurrent of state-sponsored meddling.

During its brutal war in Ukraine, Russian troops have burnt cities to the ground, raped and tortured civilians, and committed scores of potential war crimes. On November 23, lawmakers across Europe overwhelmingly labeled Russia a “state sponsor” of terrorism and called for ties with the country to be reduced further. The response to the declaration was instant. The European Parliament’s website was knocked offline by a DDoS attack.

The unsophisticated attack—which involves flooding a website with traffic to make it inaccessible—disrupted the Parliament’s website offline for several hours. Pro-Russian hacktivist group Killnet claimed responsibility for the attack. The hacktivist group has targeted hundreds of organizations around the world this year, having some limited small-scale successes knocking websites offline for short periods of time. It’s been one player in a bigger hacktivism surge. 

Following years of sporadic hacktivist activity, 2022 has seen the re-emergence of hacktivism on a large scale. Russia’s full-scale invasion of Ukraine spawned scores of hacktivist groups on both sides of the conflict, while in Iran and Israel, so-called hacktivist groups are launching increasingly destructive attacks. This new wave of hacktivism, which varies between groups and countries, comes with new tactics and approaches and, increasingly, is blurring lines between hacktivism and government-sponsored attacks.

“I’m not going to say that hacktivism was dying, but it was definitely withering for some time,” says Juan Andres Guerrero-Saade, principal threat researcher at security firm SentinelOne. For the past four or five years, Guerrero-Saade explains, hacktivism has often existed at extremes: low-level disruptions and more sophisticated attacks that could be cover for a nation-state’s hacking. “You have so many more players in the space and a much beefier middle ground between those two extremes,” Guerrero-Saade says of the current situation.

Russia’s invasion of Ukraine in February prompted a surge in hacktivism activity. Legacy hacktivist collective Anonymous was revitalized, but new groups were also formed. Ukraine’s unprecedented IT Army, a volunteer group of hackers from around the world, has continuously launched DDoS attacks against Russian targets that are outlined in its Telegram group. In June, a speech by Vladimir Putin was delayed after a cyberattack. Other hacktivist-linked groups have run huge hack-and-leak operations against Russian entities, resulting in hundreds of gigabytes of data from Russia being published online.

On the other side of the conflict, there are four main pro-Russian hacktivist groups, says Sergey Shykevich, threat intelligence group manager at security firm Check Point. These are: Killnet, NoName 057, From Russia With Love, and XakNet. Killnet is probably the most active of these groups, Shykevich says. “Since April, they have targeted around 650 targets—only about 5 percent of them were Ukraine.” Its targets, like the European Parliament, have largely been countries that oppose Russia. The group, which mostly uses DDoS attacks, is proactive on Telegram, media friendly, and appeals to Russian speakers.

DDoS attacks still have an outsize place within modern hacktivism. An FBI notification, issued in early November, says those behind DDoS attacks have “minimal operational impact” on their victims. “Hacktivists often select targets perceived to have a greater perceived impact rather than an actual disruption of operations,” the FBI said. In other words: The bark is often worse than the bite. 

Erica Lonergan, a research scholar at the Saltzman Institute of War and Peace Studies at Columbia University, says the impact of DDoS attacks is often overstated. Media reports can overemphasize the impact of DDoS, making it sound more severe than it is. “There’s this gap between the hyperbole of the language that’s used to talk about the types of attacks that these groups like Killnet are engaged in, and then the reality of their impact,” Lonergan says. 

But it isn’t all DDoS. In South America, the Guacamaya hacktivist group claims to have hacked mining companies and leaked their internal emails. The politically motivated Belarusian Cyber Partisans, which formed in 2020 following Alexander Lukashenko’s election, has innovated as it disrupts Russian and Belarusian efforts linked to the war. The highly organized group became the first to use ransomware for purely political objectives. It has also claimed to have taken data from Russian government organizations and mapped the data of government officials who have backed Lukashenko’s regime. 

Guerrero-Saade says the Cyber Partisans are part of a new style of hacktivists that use targeted sabotage and disruption. “To us, it looked very much like they’re an authentic group. They’re coordinating locally and trying out new ways to actually slow down or disrupt or inconvenience the local government away from supporting the war,” Guerrero-Saade says.

In Iran, the Predatory Sparrow group of hackers—which claims to be hacktivists—used a cyberattack to start a fire in a steel factory in July. The move was an incredibly rare use of a cyberattack to cause physical damage. In 2021, the Adalat Ali hacktivist group hacked and leaked CCTV footage from the notorious Evin political prison. The incidents were part of a larger series of cyberattacks between Iran and Israel. They show the potential extremes of hacktivism.

Check Point’s Shykevich says much of the hacktivism seen in 2022 can be classified as “state-affiliated” hacking. “In most cases, it’s difficult to tell if this group is guided or sponsored by a specific state organization,” Shykevich says. “But most of those groups, they have very clear pro or anti-regime narrative.”

Working out who is behind a cyberattack of any kind is always complex and difficult for organizations to do—attackers often try to disguise their activity or hide it from view. However, there is evidence some hacktivists are linked to individual countries. Researchers suspect Predatory Sparrow is linked to a government, for instance. Meanwhile, security firm Mandiant believes that the pro-Russian groups XakNet, Infoccentr, and Cyber Army of Russia all coordinate their operations with Russia’s GRU military hackers. The Cyber Army of Russia launched DDoS attacks against US organizations around the November midterm elections, with XakNet and KillNet also trying to influence the elections, Mandiant claims.

“They can be used in witting and unwitting ways by governments for political purposes,” Lonergan says. “Killnet for example, on the Russian side, has been pretty explicit in its Telegram channels of disavowing direct links with Moscow. But at the same time, they follow the implicit rules of the road of Russian cyber proxy groups.” Russian cybercrime groups rarely attack Russian targets, and the Kremlin has largely turned a blind eye to them.

The result is that while hacktivist groups are becoming more sophisticated and testing new tools, there’s increasing uncertainty about their origins. “There will be more hacktivism groups that will be more affiliated with governments,” Shykevich says. “Generally, this year the lines between what is governmental attack, hacktivism, and cybercrime have completely blurred.”

Hacktivism Is Back and Messier Than Ever

The pay-per-install (PPI) malware downloader service known as PrivateLoader is being used to distribute a previously documented information-stealing malware dubbed RisePro.
Flashpoint spotted the newly identified stealer on December 13, 2022, after it discovered "several sets of logs" exfiltrated using the malware on an illicit cybercrime marketplace called Russian Market.
A C++-based malware,

Cyber Crime / Data Security

The pay-per-install (PPI) malware downloader service known as **PrivateLoader** is being used to distribute a previously documented information-stealing malware dubbed **RisePro**.

Flashpoint spotted the newly identified stealer on December 13, 2022, after it discovered "several sets of logs" exfiltrated using the malware on an illicit cybercrime marketplace called Russian Market.

A C++-based malware, RisePro is said to share similarities with another info-stealing malware referred to as Vidar stealer, itself a fork of a stealer codenamed Arkei that emerged in 2018.

"The appearance of the stealer as a payload for a pay-per-install service may indicate a threat actor's confidence in the stealer's abilities," the threat intelligence company noted in a write-up last week.

Cybersecurity firm SEKOIA, which released its own analysis of **RisePro**, further identified partial source code overlaps with PrivateLoader. This encompasses the string scrambling mechanism, HTTP method and port setup, and the HTTP message obfuscation method.

PrivateLoader, as the name indicates, is a download service that enables its subscribers to deliver malicious payloads to target hosts.

It has been used in the past to deliver Vidar Stealer, RedLine Stealer, Amadey, DanaBot, and NetDooka, among others, while masquerading as pirated software hosted on decoy sites or compromised WordPress portals that appear prominently on search results.

RisePro is no different from other stealers in that it's capable of stealing a wide range of data from as many as 36 web browsers, including cookies, passwords, credit cards, crypto wallets, as well as gathering files of interest and loading more payloads.

It's offered for sale on Telegram, with the malware's developer also making available a Telegram channel that enables criminal actors to interact with infected systems by providing a bot ID created by the stealer and sent to a remote server post a successful breach.

Also part of the malware's infrastructure is an administration panel hosted at a domain named my-rise\[.\]cc that allows access to stolen data logs, but only after signing into an account with a valid set of credentials.

It's currently not clear if RisePro is authored by the same set of threat actors behind PrivateLoader, and if it's exclusively bundled alongside the PPI service.

"PrivateLoader is still active and comes with a set of new capabilities," SEKOIA said. "Similarities between the stealer and PrivateLoader cannot be ignored and provides additional insight into the threat actor expansion."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel