ESXiArgs Ransomware Hits Over 3,800 Servers as Hackers Continue Improving Malware


There have been several new developments in the case of the ESXiArgs ransomware attacks, including findings related to the encryption method used by the malware, the victims, and the vulnerability exploited by the hackers.

After the US Cybersecurity and Infrastructure Security Agency (CISA) announced the availability of an open source tool designed to help some victims of the ESXiArgs ransomware recover their files without paying a ransom, the FBI and CISA released a document providing recovery guidance.

The FBI and CISA are aware of more than 3,800 servers that were compromised around the world in ESXiArgs ransomware attacks. 

Currently, the Shodan and Censys search engines show 1,600-1,800 hacked servers, but there are indications that many impacted organizations have started responding to the attack and cleaning up their systems.

Reuters has conducted an analysis and determined that the victims include Florida’s Supreme Court and universities in the United States and Europe.

An analysis of the file-encrypting malware deployed in the ESXiArgs attacks showed that it targets files associated with virtual machines (VMs). However, experts noticed that the ransomware mainly targeted VM configuration files and did not encrypt the flat files that store the VM data, allowing some users to recover their data.

The tool released by the US government reconstructs the encrypted configuration files based on the unencrypted flat files. 

However, Bleeping Computer reported on Wednesday that some victims have been targeted with a new version of the ESXiArgs malware, one with a different encryption process that involves encrypting more data, which prevents the recovery of files. 

Until now, the ransomware left the majority of the data in large files unencrypted, but the new version encrypts a far more significant share of that data. So far, researchers have not found any flaws in the actual encryption, making it impossible to restore files encrypted by the new version.

It has been assumed that the ESXiArgs attacks leverage CVE-2021-21974 for initial access. This is a high-severity remote code execution vulnerability in VMware ESXi that VMware patched in February 2021. The issue is related to OpenSLP.

VMware has not confirmed exploitation of CVE-2021-21974, but it did say that there is no evidence of a zero-day vulnerability being leveraged in the attacks.

However, threat intelligence company GreyNoise is not convinced that there is enough evidence that CVE-2021-21974 is being exploited. GreyNoise pointed out that several OpenSLP-related vulnerabilities have been found in ESXi in recent years, and any of them could have been exploited in the ESXiArgs attacks, including CVE-2020-3992 and CVE-2019-5544.

Data collected by cloud security company Wiz showed that, as of February 7, 12% of ESXi servers were unpatched against CVE-2021-21974 and vulnerable to attacks. 

The attacks have yet to be attributed to a known threat actor, but the evidence collected so far suggests that the file-encrypting malware is based on Babuk source code that was leaked in 2021. 

“Due to the relatively low ransom demand (2 BTC) and widespread, opportunistic targeting, we assess with moderate confidence this campaign is not tied to ransomware groups known for ‘Big Game Hunting’,” said SOC-as-a-service provider Arctic Wolf. “More established ransomware groups typically conduct OSINT on potential victims before conducting an intrusion and set the ransom payment based on perceived value.”

Related: VMware Patches VM Escape Flaw Exploited at Geekpwn Event

Related: VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities

The post ESXiArgs Ransomware Hits Over 3,800 Servers as Hackers Continue Improving Malware appeared first on SecurityWeek.

UN Experts: North Korean Hackers Stole Record Virtual Assets


North Korean hackers working for the government stole record-breaking virtual assets last year estimated to be worth between $630 million and more than $1 billion, U.N. experts said in a new report.

The panel of experts said in the wide-ranging report seen Tuesday by The Associated Press that the hackers used increasingly sophisticated techniques to gain access to digital networks involved in cyberfinance, and to steal information that could be useful in North Korea’s nuclear and ballistic missile programs from governments, individuals and companies.

With growing tensions on the Korean Peninsula, the report said North Korea continued to violate U.N. sanctions, producing weapons-grade nuclear material, and improving its ballistic missile program, which “continued to accelerate dramatically.”

In 2022, the Democratic People’s Republic of Korea – the North’s official name – launched at least 73 ballistic missiles and missiles combining ballistic and guidance technologies including eight intercontinental ballistic missiles, the panel said. And 42 launches, including the test of a reportedly new type of ICBM and a new solid-fueled ICBM engine, were conducted in the last four months of the year.

North Korea’s leader Kim Jong Un ordered an “exponential increase of the country’s nuclear arsenal” in January, and the panel said “a new law discussed an increased focus on tactical nuclear capability, a new first-use doctrine, and the ‘irreversible nature’ of the DPRK’s nuclear status.”

“The ability to carry out an unexpected nuclear strike on any regional or international target, described in DPRK’s new law on nuclear doctrine and progressively in public statements since 2021, is consistent with the observed production, testing, and deployment of its tactical and strategic delivery systems,” the experts said in the report to the U.N. Security Council.

Read: North Korean APT Expands Its Attack Repertoire

The panel said that South Korean authorities quoted in media reports “estimated that state sponsored DPRK cyber threat actors had stolen virtual assets worth around $1.2 billion globally since 2017, including about $630 million in 2022 alone.”

The experts monitoring sanctions against North Korea said an unnamed cybersecurity firm “assessed that in 2022, DPRK cybercrime yielded cyber currencies worth over $1 billion at the time of the threat, which is more than double the total proceeds in 2021.”

The variation in the U.S. dollar value of cryptocurrency in recent months is likely to have affected these estimates, the panel said, “but both show that 2022 was a record-breaking year for DPRK virtual asset theft.”

The panel said three groups that are part of the Reconnaissance General Bureau, North Korea’s primary foreign intelligence organization, “continued illicitly to target victims to generate revenue and solicit information of value to the DPRK including its weapons programs” – Kimsuky, Lazarus Group and Andariel.

Between February and July 2022, the panel said, the Lazarus Group “reportedly targeted energy providers in multiple member states using a vulnerability” to install malware and gain long-term access. It said this “aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies … to siphon off proprietary intellectual property.”

Lazarus Group focuses primarily on specific industries, namely aerospace and defense, conventional finance and cryptocurrencies, with the objective of accessing the internal knowledge bases of the compromised companies, the experts said. They quoted the cybersecurity section of an internet technology company as saying Lazarus has been targeting engineers and technical support employees “using malicious versions of open source applications.”

In December 2022, the panel said, South Korea’s national police agency announced that Kimsuky had targeted 892 foreign policy related experts “in an effort to steal personal data and email lists.”

The police reported that the hackers didn’t manage to steal sensitive information, but they “laundered IP addresses of the victims and employed 326 detour servers and 26 member states to make tracing difficult,” the experts said. The police noted it was the first time they detected Kimsuky using ransomware, saying 19 servers and 13 businesses were affected, of which two paid 2.5 million South Korean won ($1,980) in Bitcoin to the hackers.

On military-related issues, the experts said they investigated the “apparent export” of military communications equipment from a North Korean company under U.N. sanctions to Ethiopia’s defense ministry in June 2022.

The panel said it has not yet received a reply from Ethiopia’s government about a photo published by the Ethiopian media in November allegedly showing a piece of equipment from the Global Communications Co., known as Glocom, being used by a top military official. Eritrea also hasn’t responded to questions about its alleged procurement of Glocom equipment, the experts said.

North Korea may also have illegally traded arms and related material with a number of countries, including sending artillery shells, infantry rockets and missiles to Russia – claims Pyongyang and Moscow have consistently denied, the panel said. And the experts said they are investigating the reported sale of weapons from a North Korean company on the U.N. sanctions list to the Myanmar military through a Myanmar company.


SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022


MSSPs took the lead in cybersecurity M&A in 2022 with twice as many deals as in 2021

An analysis conducted by SecurityWeek shows that more than 450 cybersecurity-related mergers and acquisitions were announced in 2022.

In 2022, we tracked a total of 455 deals, compared to 435 in 2021. The US and UK continue to lead in terms of the number of deals, but Israel and Australia were overtaken last year by Canada and Germany. 

The number of deals involving companies from the United States increased from 341 to 358, and the UK dropped from 70 to 61 deals. 

As for regional data, North America and Europe continue to lead with roughly the same number of M&As as in the previous year. The number of deals involving companies in Asia and Oceania dropped compared to 2021, but M&A activity more than doubled in Latin America. 

Financial details of the transactions were disclosed in 62 cases in 2022, significantly fewer than the 88 deals that had financial terms disclosed in 2021.

In 2022, we saw transactions totaling more than $63 billion in disclosed deal value. Ten companies were acquired for more than $1 billion, roughly the same as in 2021. The most significant deal for the cybersecurity industry was Google’s acquisition of Mandiant.

Thoma Bravo acquired SailPoint, Ping Identity, and ForgeRock for more than $1 billion, and reportedly sold Barracuda Networks for $4 billion. Vista Equity Partners acquired two companies for over $1 billion: KnowBe4 and Citrix (Citrix was acquired together with Evergreen Coast Capital).

Other major deals include Kaseya’s acquisition of Datto, Carlyle Group’s acquisition of ManTech International, and AMD’s acquisition of Pensando.  

Roughly the same number of companies as in 2021 were acquired for millions of dollars, but the number of deals worth tens and hundreds of millions dropped from 64 to 38.

As for the types of companies involved in 2022’s cybersecurity M&A deals, managed security services providers (MSSPs) lead by far, with over 150 deals, more than double compared to 2021. Many MSSPs are looking to buy other managed services providers as part of their expansion efforts.

In addition, a recent survey showed that many MSPs are focusing on growing their cybersecurity practices, with many planning to invest in threat intelligence, detection and response, real-time attack visibility, and forensics and incident response. 

SecurityWeek is tracking MSSP deals separately. While it’s important to keep track of these transactions, as they play a significant role in the cybersecurity industry, keeping them apart gives a better view of the other categories.

Deals in the governance, risk and compliance (GRC) category come in second place, with 58 mergers and acquisitions announced in 2022 involving these types of companies. It’s worth noting that GRC exceeded MSSP in 2021, when nearly 80 transactions were announced. 

Companies providing network security and identity-related services were, just like in 2021, the third and fourth most common in cybersecurity deals, but the number of deals related to data protection nearly doubled, moving from the tenth position on the chart to the fifth.

Even in the first half of 2022 it was clear that data protection would be in the M&A spotlight, with the number of deals announced in H1 reaching the same level as in the entire 2021. 

The number of deals involving government contractors dropped slightly in 2022 compared to 2021, from 43 to 36, but it remained one of the top types of transactions. This includes Carlyle Group’s acquisition of ManTech International for $4.2 billion.

The US government continues to invest in improving its cyber capabilities. As a result, IT and cybersecurity contractors are scrambling to extend and enhance their capabilities through strategic acquisitions that can pay off down the line.

The data collected by SecurityWeek shows that private equity (PE) companies continue to bet big on cybersecurity, with 18 of the mergers and acquisitions announced in 2022 involving PE firms, approximately the same as in the previous year. 

PE firms have acquired companies specializing in cloud security, data protection, threat intelligence, risk management, application security, identity, network security, security operations center (SOC), mobile security, secure access, and managed services.

Three of the 2022 cybersecurity M&A deals involved a special purpose acquisition company (SPAC). 

There were more than 10 deals for each of the following types of companies: cloud (32), application (24), specialized (22), consulting (21), incident response (20), training (20), threat intelligence (17), and web and email (16). 

The ‘specialized’ category includes companies that provide highly focused security services. The list includes — but is not limited to — blockchain, quantum, payment, PR, healthcare, hardware, education, certification, design and automotive. 

We are seeing a similar start in terms of the number of M&A deals in 2023. On one hand, the global economic slowdown may lead to a drop in the number of deals in 2023 as companies may be more cautious and delay expansions fueled by acquisitions. On the other hand, we predict that some firms will be keeping a close eye on the market in hopes of buying startups with promising technologies at a discount. 

Monthly summaries of 2022 cybersecurity M&A deals: January, February, March, April, May, June, July, August, September, October, November, December.

Methodology: The data was collected from news distribution services, Google and pitches from PR companies. The data includes companies that issued press releases announcing or mentioning acquisitions, as well as deals that have been privately reported to SecurityWeek. All deals that had a cybersecurity component have been taken into account for this study. Mergers and acquisitions that did not have an English-language announcement may not be included. The data could also include deals that may have not been completed after they were announced. 

The GRC category includes governance, compliance, risk management, audit, assessment, vulnerability management, penetration testing, attack surface management, and cyber insurance. Network security includes endpoint security, MDR, XDR, NDR, and SASE. Identity includes IAM, PAM, secure access, authentication, authorization and fraud. Incident response includes SOAR, SIEM, SOC, and forensics. ‘Other (specialized)’ includes hardware, blockchain, quantum, payment, healthcare, PR, education, certification, design, and automotive. Data protection includes encryption/cryptography, VPN, privacy and backup. MSSP includes cybersecurity solution distributors and companies that provide security services but do not develop their own products or solutions. 

Related: Dozens of Cybersecurity Companies Announced Layoffs in Past Year

Related: Cybersecurity M&A Activity to Continue; Growth Funding to be More Conservative

Related: Cybersecurity Investment Remains Strong, M&A Activity Heads Toward New Annual Record


Many VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability


Unpatched and unprotected VMware ESXi servers around the world have been targeted over the past few days in a large-scale ransomware attack exploiting a vulnerability patched in 2021.

The attacks, dubbed ESXiArgs, are still being analyzed by the cybersecurity community, but based on the information available to date, it appears that threat actors are exploiting CVE-2021-21974, a high-severity ESXi OpenSLP heap-overflow vulnerability that VMware patched in February 2021. 

“A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution,” VMware said in its advisory at the time.

Proof-of-concept (PoC) code and technical details on CVE-2021-21974 were made public a couple of months after the patches were announced, but there do not appear to be any previous reports of the vulnerability being exploited in the wild. 

In the ransomware attacks that surged over the weekend, threat actors exploited the flaw to hack ESXi servers and deploy a piece of malware that encrypts files associated with virtual machines, including files with the .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, .vmem extensions, according to an analysis by French cloud company OVH.

The attacks seem to target vulnerable ESXi servers that are exposed to the internet on port 427. 

OVH noted that the malware shuts down VM processes before initiating its encryption routine, but the function does not seem to work properly. In some cases, files are only partially encrypted, allowing victims to recover them without paying a ransom. There is no evidence of data being stolen in the attacks. 
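The partial encryption noted here, and the follow-up report above that the newer variant encrypts a far larger share of each large file, both come down to one forensic question: which byte ranges of a file are actually ciphertext? The block-entropy triage below is an added example, not code from OVH, CISA or the original article; the 4 KiB block size and the 7.5 bits/byte threshold are assumptions, and the input file is constructed inline.

```python
import math
import random
from typing import List, Tuple

# Assumed parameters: 4 KiB blocks, and anything above 7.5 bits/byte is
# treated as ciphertext-like (random or encrypted data sits near 8.0).
BLOCK_SIZE = 4096
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def encrypted_regions(data: bytes, block_size: int = BLOCK_SIZE,
                      threshold: float = ENTROPY_THRESHOLD) -> List[Tuple[int, int]]:
    """Return (start, end) byte ranges whose blocks look encrypted.

    Adjacent high-entropy blocks are merged into one region. Genuinely
    compressed data trips the same threshold, so the output is a triage
    hint about recoverability, not proof of encryption.
    """
    regions: List[Tuple[int, int]] = []
    for offset in range(0, len(data), block_size):
        block = data[offset:offset + block_size]
        if shannon_entropy(block) >= threshold:
            end = offset + len(block)
            if regions and regions[-1][1] == offset:
                regions[-1] = (regions[-1][0], end)  # extend the current run
            else:
                regions.append((offset, end))
    return regions


def encrypted_fraction(data: bytes, block_size: int = BLOCK_SIZE) -> float:
    """Fraction of the file (by bytes) covered by high-entropy regions."""
    if not data:
        return 0.0
    covered = sum(end - start for start, end in encrypted_regions(data, block_size))
    return covered / len(data)


def build_sample(encrypted_blocks: int = 2, total_blocks: int = 8) -> bytes:
    """Constructed input: a deterministic pseudo-random prefix standing in for
    a ciphertext header, followed by low-entropy plaintext for the bulk of
    the file, mirroring the 'only the start of a large file' pattern."""
    rng = random.Random(2023)
    cipher_prefix = bytes(rng.getrandbits(8) for _ in range(encrypted_blocks * BLOCK_SIZE))
    plain_len = (total_blocks - encrypted_blocks) * BLOCK_SIZE
    plain_tail = (b"constructed virtual disk payload " * 1000)[:plain_len]
    return cipher_prefix + plain_tail


if __name__ == "__main__":
    sample = build_sample()
    print(encrypted_regions(sample))             # [(0, 8192)]
    print(round(encrypted_fraction(sample), 3))  # 0.25
```

On a real datastore the same functions would be run over each affected file (the page's .vmdk, .vmx, .vmem and similar extensions); a low encrypted fraction with an intact data tail is what made the earlier variant recoverable.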

Researcher Enes Sonmez has found a way to recover some of the files encrypted by the ransomware.

The attacks were initially incorrectly attributed to ransomware named Nevada and Cheerscrypt (Emperor Dragonfly), but they were later linked to a new ransomware operation named ESXiArgs.

More than two thousand ESXi instances appear to be impacted according to Censys. Shodan shows roughly 800 compromised servers. 

CVE-2021-21974 exploited

At the time of writing, many antivirus engines cannot detect the ESXiArgs malware.

Government agencies in the United States and Europe are looking into these attacks and assessing their impact. 

While the malware does not appear to have file exfiltration capabilities, the ransom note dropped in the ESXiArgs attack informs victims that their data will be sold unless a payment is made. Victims are instructed to pay 2 bitcoins ($48,000) to receive the encryption key needed to recover files. 

Ransomware expert Soufiane Tahiri has been keeping track of the Bitcoin wallet addresses used by the cybercriminals.  

While it has become increasingly common for threat actors to target ESXi servers, the exploitation of ESXi vulnerabilities is rare. 

Related: VMware Patches VM Escape Flaw Exploited at Geekpwn Event

Related: VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities


US Downs Chinese Balloon Off Carolina Coast


President Joe Biden said on Saturday that he ordered U.S. officials to shoot down the suspected Chinese spy balloon earlier this week and that national security leaders decided the best time for the operation was when it got over water.

“They successfully took it down and I want to compliment our aviators who did it,” Biden said after getting off Air Force One en route to Camp David.

Fighter jets shot down the giant white balloon off the Carolina coast after it traversed sensitive military sites across North America and became the latest flashpoint in tensions between Washington and Beijing.

Defense Secretary Lloyd Austin said in a statement that Biden approved the shootdown on Wednesday, saying it should be done “as soon as the mission could be accomplished without undue risk to American lives under the balloon’s path.”

Austin said that due to the size and altitude of the balloon, which was moving at about 60,000 feet in the air, the military had determined that taking it down over land would pose an undue risk to people on the ground.

The balloon was spotted Saturday morning over the Carolinas as it approached the coast. In preparation for the operation, the FAA temporarily closed airspace over the Carolina coastline, including the airports in Charleston and Myrtle Beach, South Carolina, and Wilmington, North Carolina. The FAA rerouted air traffic from the area and warned of delays as a result of the flight restrictions.

An operation was underway in U.S. territorial waters in the Atlantic Ocean to recover debris from the balloon, which had been flying at about 60,000 feet and was estimated to be about the size of three school buses. The balloon was downed by Air Force fighter aircraft, according to two officials who were not authorized to publicly discuss the matter and spoke on condition of anonymity.

President Joe Biden had told reporters earlier Saturday that “we’re going to take care of it,” when asked about the balloon. The Federal Aviation Administration and Coast Guard worked to clear the airspace and water below the balloon as it reached the ocean.

Television footage showed a small explosion, followed by the balloon descending toward the water. U.S. military jets were seen flying in the vicinity and ships were deployed in the water to mount the recovery operation.

Officials were aiming to time the operation so they could recover as much of the debris as possible before it sinks into the ocean. The Pentagon had previously estimated that any debris field would be substantial.

The Coast Guard advised mariners to immediately leave the area because of U.S. military operations “that present a significant hazard.”

Biden had been inclined to down the balloon over land when he was first briefed on it on Tuesday, but Pentagon officials advised against it, warning that the potential risk to people on the ground outweighed the assessment of potential Chinese intelligence gains.

The public disclosure of the balloon this week prompted the cancellation of a visit by U.S. Secretary of State Antony Blinken to Beijing scheduled for Sunday for talks aimed at reducing U.S.-China tensions. The Chinese government on Saturday sought to play down the cancellation.

“In actuality, the U.S. and China have never announced any visit, the U.S. making any such announcement is their own business, and we respect that,” China’s Ministry of Foreign Affairs said in a statement Saturday morning.

China has continued to claim that the balloon was merely a weather research “airship” that had been blown off course. The Pentagon rejected that out of hand — as well as China’s contention that it was not being used for surveillance and had only limited navigational ability.

The balloon was spotted over Montana, which is home to one of America’s three nuclear missile silo fields at Malmstrom Air Force Base.

The Pentagon also acknowledged reports of a second balloon flying over Latin America. “We now assess it is another Chinese surveillance balloon,” Brig. Gen. Pat Ryder, Pentagon press secretary, said in a statement.

China’s Ministry of Foreign Affairs did not immediately respond to a question about the second balloon.

Blinken, who had been due to depart Washington for Beijing late Friday, said he had told senior Chinese diplomat Wang Yi in a phone call that sending the balloon over the U.S. was “an irresponsible act and that (China’s) decision to take this action on the eve of my visit is detrimental to the substantive discussions that we were prepared to have.”

Uncensored reactions on the Chinese internet mirrored the official government stance that the U.S. was hyping the situation. Some used it as a chance to poke fun at U.S. defenses, saying it couldn’t even defend against a balloon, and nationalist influencers leapt to use the news to mock the U.S.

China has denied any claims of spying and said it is a civilian-use balloon intended for meteorology research. The Ministry of Foreign Affairs emphasized that the balloon’s journey was out of its control and urged the U.S. not to “smear” it based on the balloon.


Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op


After the French satirical magazine Charlie Hebdo launched a cartoon contest to mock Iran’s ruling cleric, a state-backed Iranian cyber unit struck back with a hack-and-leak campaign that was designed to provoke fear with the claimed pilfering of a big subscriber database, Microsoft security researchers say.

The FBI blames the same Iranian cyber operators, Emennet Pasargad, for an influence operation that sought to interfere in the 2020 U.S. presidential election, the tech giant said in a blog published Friday. Iran has in recent years stepped up false-flag cyber operations as a tool for discrediting foes.

Calling itself “Holy Souls” and posing as hacktivists, the group claimed in early January to have obtained personal information on 200,000 subscribers and Charlie Hebdo merchandise buyers, according to Microsoft’s Digital Threat Analysis Center.

As proof of the data theft, “Holy Souls” released a 200-record sample with names, phone numbers and home and email addresses of Charlie Hebdo subscribers that “could put the magazine’s subscribers at risk for online or physical targeting” by extremists. The group then advertised the supposed complete data cache on several dark web sites for $340,000.

Microsoft said it did not know whether anyone purchased the cache.

A representative for Charlie Hebdo said Friday that the newspaper would not comment on the Microsoft research. Iran’s mission to the United Nations did not immediately respond to a request for comment Friday.

The Jan. 4 sample release coincided with the publication of Charlie Hebdo’s cartoon contest issue. Entrants were asked to draw offensive caricatures of Iran’s supreme leader, Ayatollah Ali Khamenei.

The French newspaper Le Monde verified multiple victims of the leak from the sample, Microsoft said. The Iranian cyber operators sought to boost news of the hack-and-leak operation — and fuel outrage at the cartoon edition — through fake French “sock-puppet” accounts on social media platforms that included Twitter, Microsoft said.

The operation coincided with verbal attacks by Tehran condemning Charlie Hebdo’s “insult.”

The provocatively irreverent magazine has a long history of publishing vulgar cartoons which critics consider deeply insulting to Muslims. Two French-born al-Qaida extremists attacked the newspaper’s office in 2015, killing 12 cartoonists, and Charlie Hebdo has been the target of other attacks over the years.

The magazine billed the Khamenei caricature contest as a show of support for nationwide antigovernment protests that have convulsed Iran since the mid-September death of Mahsa Amini, a 22-year-old woman detained by Iran’s morality police for allegedly violating the country’s strict Islamic dress code.

After the cartoon issue was published, Iran shut down a decades-old French research institute. Last week, it announced sanctions targeting more than 30 European individuals and entities, including three senior Charlie Hebdo staffers. The sanctions are largely symbolic as they bar travel to Iran and allow its authorities to block bank accounts and confiscate property in Iran.


Cyber Insights 2023: Venture Capital


About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

SecurityWeek Cyber Insights 2023 | Venture Capital – We are in a period of huge turmoil. Cybercrime is increasing and becoming more destructive, driven by better organized criminals and geopolitically active nation states. And many commentators believe there is a strong likelihood of a global recession before the end of 2023.

Here we have one simple question: how will these political/economic conditions affect venture funding for cybersecurity firms during 2023?

Background

The bad news in any economic downturn is that business suffers, profits dip, staff are laid off, and budgets are cut. The better news for cybersecurity vendors is that they are somewhat insulated from these effects. Cybercrime is more likely to increase than decrease during a recession, and businesses must retain a strong cybersecurity posture if they wish to survive. The demand for strong and proven security controls will continue.

At the same time, the availability of capital for investment in new and growing cybersecurity firms remains constant and high, and is largely unaffected by short term economic downturns. This available capital is known in the venture capital industry as ‘dry powder’ (capital that is available and ready for use).

None of this means that all cybersecurity vendors will survive the downturn, nor that all will remain profitable. At the very least, profits are likely to dip as businesses are forced to do more with fewer resources. Dry powder isn’t money to burn, and the venture capital industry will adapt its priorities for new and further investment to the current realities.

One area that will stand proud despite economic headwinds is the cloud. “Cloud software is the deflationary force enabling productivity in a high inflation environment. Cloud-native is not an option, it’s a necessity,” wrote Battery Ventures in its State of the OpenCloud 2022 report published in November 2022.

Dry powder

Dry powder is raised from the VC industry’s limited partners (LPs). These might be pension funds, endowments, family offices, sovereign wealth funds, and corporations. “Most funds operate on a ten-year lifecycle, with funds typically being deployed over the first four or five years of a fund’s life,” explains Sidra Ahmed, investment principal at Munich Re Ventures, which accounts for the continued availability of investment funds despite current economic conditions.

According to Pitchbook data, there was approximately $290 billion of cumulative dry powder committed to venture capital as of the first half of 2022. It is these funds that are called on when venture capitalists invest in companies. It must be said, of course, that VCs’ dry powder isn’t committed solely to cybersecurity firms, although cybersecurity remains a favored investment area.

Different VC organizations tend to specialize in different areas. For example, “YL Ventures raised its $400 million fifth fund at the beginning of 2022, dedicated exclusively to investing in Israeli cybersecurity startups,” explains Yoav Leitersdorf, managing partner at YL Ventures. “This fund has been used to invest in only a small number of companies to date, all of which are still in stealth, in line with our very disciplined strategy of investing strategically in a select number of exceptional startups.”

VC organizations try to use all the funds they get from their LPs – but not at any cost. They still need to demonstrate value to the LPs. Bad investments will lead to difficulties in raising new funds, while not using the funds raised is like a business unit not using its whole annual budget – it might lead to a lower budget next year.

The difficulty for cybersecurity firms in raising investment funds in 2023 will not be because the funds don’t exist, but because the VC firms will be taking more concern over where the funds are invested.

Effect of an economic downturn

“The pace of investing is certainly going to change,” comments Ahmed. “With more uncertainty around budgets and sales cycles, investors will spend more time assessing deals that are able to withstand a time of austerity – companies with critical productions and solutions will be prioritized. There will be a lot more scrutiny of deals, valuations, and co-investors. Investors will also be focused on supporting their own portfolios.”


Jake Heller, partner at KKR and head of tech growth equity Americas, believes the impact is unlikely to be felt evenly. “We have already seen the pullback in public markets affecting fundraising for some growth and early-stage companies,” he said. “In general, we expect the tightening of funding conditions to continue into 2023; however, we believe that capital will continue to be available to entrepreneurs and management teams who are able to effectively manage costs and allocate capital to growth opportunities with high potential for returns.”

Translated to the market, this implies that startups, which do not necessarily have sales targets to miss, can possibly ride out a recession before they need to show sustained profits; mid-growth companies seeking growth funding are likely to suffer from lower-than-expected profits and be less attractive to VCs; and established firms preparing for an IPO will likely need to survive the recession before proceeding.

“Market conditions had a dramatic impact on 2022 funding rounds, and we aren’t out of the woods yet,” says Leitersdorf. “The fallout is trickling from the top down. IPOs dropped this year from thousands to just over 100, the lowest number since 2016. There was a near stall in growth stages and a significant slowdown in Series C and D rounds, a steep decline in Series B rounds and a struggle to raise significant Series A rounds.”

In short, money is still available for attractive startups (seed and possibly A rounds), will require deeper consideration for growth equity (B, C and D rounds), and is much more difficult for pre-IPO companies (E rounds and above). In the last case, venture firms are looking closely at M&As to consolidate and strengthen their existing investments – but in all cases (apart from startups) venture firms will concentrate on further investments in their existing portfolios. 

Outlook for startups

Leitersdorf remains upbeat on the prospects for investment in cybersecurity startups in 2023. “In today’s threat landscape, cybersecurity risks have become business risks. Organizations cannot afford to be lenient with threats to their assets, and executives now understand that security has a direct impact on their company’s reputation, business continuity and revenue,” he explains. 

“Therefore, security will continue to be top-of-mind, as long as attacks continue to grow and evolve, demanding new and equally sophisticated security solutions. We see that investors are still eager to invest in the most promising startups in our industry with the greatest potential to lead their categories in the future. Capital will continue to flow to this necessary sector, as new and more challenging problem spaces continue to emerge.”

DataTribe, which describes itself as a cyber startup foundry (both an incubator and VC firm), is more circumspect. Funding will be harder to obtain, but potentially larger for those that secure it. John Funge, MD, explains, “Looking ahead, 2023 will be a slog for startups raising money. It will take longer for startups to complete next rounds as venture firms are both focusing more attention on their current portfolio as well as being more selective in new investments.”

He believes there will be fewer deals. “There will be a ‘flight to quality’ and the bar for attracting funding will be higher. Top startups that are hitting performance metrics will get funded at valuations not too far off historical. However, startups with a few words that previously would have gotten funded may find it hard to get funded at all — versus getting funded on less attractive terms.”

But he adds, “Historically, some of the most successful technology companies started during downturns. We don’t see it being any different this time around. It will be a tricky period to be a pre-IPO company, but likely an excellent time to be starting a new venture.”

Outlook for growth funding

Growth funding will become more difficult in 2023, and potentially more necessary. “We’ve already seen growth rounds plummeting in 2022, and this trend will most likely continue into 2023,” explains Leitersdorf. “Capital is available, but it will become increasingly expensive, and investors will prefer to use it in order to fuel innovative, early-stage startups that will require less capital at lower valuations.” 

A particular problem for growth companies is in part historical. “The valuations of many growth-stage startups were significantly inflated in 2021 and were not based on sustainable growth metrics, revenue, or performance,” he continued. “Many of these growth-stage startups will be forced to raise funding in 2023 after scaling rapidly and burning through their capital in 2022. We, therefore, foresee an increase in growth rounds next year, most probably with unfavorable terms for founders, employees, and existing investors.”

But, adds Ahmed, “There is still a lot of capital available. Investors will be holding companies to their performance so we might see more down rounds into 2023.”


Bob Ackerman, founder of AllegisCyber and member of the board at DataTribe, agrees with this sentiment. “Undifferentiated and sub-critical mass cyber companies without truly compelling solutions are likely to be challenged as they go to the VC community for capital,” he said. “Investors will be materially more discriminating in the deployment of capital.”

Outlook for M&A consolidation

M&A activity has increased rapidly over the last few years. This trend will continue, driven by a number of different factors: desire among security users to consolidate their existing disparate security controls; a rush to the nearest exit point among startups; declining valuations making attractive targets; and a safe haven for further VC investments.

“The cybersecurity market is approaching bloated status,” comments Hank Thomas, CEO at Strategic Cyber Ventures. “There are too many vendors chasing the same dollars with similar technology. People in charge of purchasing decisions, often CISOs, are looking for more integrated security platforms and less point solution tools. PE firms and other later-stage investors are looking to bring in bigger players to serve as anchors for rollups and bolt on acquisitions.”


Will Lin, venture partner at Forgepoint Capital, agrees. “I believe that we’ll see security M&A significantly pick up in 2023. The main reason being that so many security companies have been created in the past couple of years. When so many of these companies, full of amazing talent, come up to the crossroads of M&A or raising their next round, I believe the market dynamics will re-shuffle in a way where M&A will be considered the best next step.”

Security vendors are seeking to support their users by consolidating point products from different vendors into integrated solutions from single vendors. “The rapid expansion of new security products has led to many organizations purchasing the ‘latest and greatest’ without having a strong integration plan in place,” explains Dave Gerry, CEO at Bugcrowd. “Without a clear deployment and integration plan, even the best security product will go underutilized. For the past few years, the industry has seen an incredible amount of M&A consolidation.”

This process will continue through 2023. “Security organizations are looking internally for ways to leverage existing tool sets or upgrade existing tool sets versus adding to their ever-growing technology stack,” he continued. “This growing need for security vendor consolidation will continue to be driven by both the cost of the security products and the limited internal resources to effectively operate the products.”

Ackerman agrees with this sentiment. “Investors will be materially more discriminating in the deployment of capital with a significant pick up in M&A activity as the market looks to consolidate point products into broader security platforms,” he suggests.

The second driver for M&A activity comes from the transition from early stage to growth requirements. Early stage is still attractive to investors, but growth stage is more difficult. As startups burn through their early financing, they will find it more difficult to secure further growth funding, and may find an early exit an attractive option, which feeds the consolidation driver.

This process may be actively promoted by the VC industry. “A new wave of innovation is needed in the security industry. Things have become stale,” explains Thomas. “VC investment will still drive innovation since larger companies often lose the ability to innovate, especially in security. As a result, we will see large entities acquiring VC backed companies earlier as established PE backed platform companies make tuck in and bolt-on acquisitions to remain relevant.”

Leitersdorf expands on this possibility. “Large security vendors such as Microsoft, SentinelOne, Akamai, CrowdStrike, IBM, CyberArk and Okta are strengthening their corporate development divisions and doubling down on in-house investment funds (CVCs), looking for strong talent and tech,” he said. “These venture arms of large security vendors will most likely become increasingly active in both investments and M&A deals in the coming years and make the option of acquisition more attractive for struggling startups.”

One effect of a downturn in the economy is that company valuations are lowered. This is already happening, and is likely to get worse in 2023. On December 14, 2022, the Federal Reserve raised interest rates by half a point — and US stock markets fell. The intention was to put a curb on high inflation rates, but it simultaneously increases the likelihood of a recession in 2023.

If this happens, company valuations will go lower. This in turn will make companies with good products but reduced valuations an attractive target for larger companies with money — and of course VC firms. VC firms will likely be driven to use their dry powder on their own existing portfolios rather than look for different companies in which to invest.

The current market conditions look set to promote increasing M&A activity through 2023. “The current state of the global economy will also encourage hyperscalers to move toward an M&A cyber strategy,” summarizes Simon Chassar, CRO at Claroty. “Furthermore, start-ups will struggle as we see less investment from PE or VCs, therefore creating an opportunity for some of the larger cash-strong security control companies to gain market share at a relatively low price.” 

What VCs look for…

2023 will be a year when the VC firms have money to invest, but the economic conditions will force them to be careful where they invest it. Cybersecurity will remain an attractive sector, but the security vendors will need to work harder to get new funding. Two questions come to mind: which security sectors are most attractive to the investors, and how do they choose a specific vendor?

Favored cybersecurity sectors

Heller believes that continuing digital transformation will provide new opportunities. “We believe that digital transformation, which has been accelerated by the global pandemic, will continue to create significant opportunities and challenges across industries and geographies,” he said. “These broader trends span new methods of collaboration, workforce transformation, cloud migration, automation and testing, supply-chain disruption, and digital adoption.”

Ahmed says her firm is focusing on data and the threats it faces. “With rapid cloud adoption, companies are struggling to understand where their data sits and how to put sufficient security and controls around it.” Furthermore, she adds, “The penalties regarding sensitive data being breached are increasing at an exponential rate globally, making it even more of a priority for companies to be sufficiently protected.”

And there are new and still evolving threats to data. “As more companies adopt machine learning and analytical models to make data-driven decisions,” she continued, “there is now a need to protect data (and the models we build on the data) from being compromised. There are also questions around the validity of data and how to discern true data and information from coordinated disinformation campaigns and narratives.”

Leitersdorf adds identity to data as an area attractive to investors. “Malicious cyber actors have focused their most egregious attacks on two specific vectors in the past two years – data and identity,” he says. Attackers have leveraged the gaps, misconfigurations and problems surrounding credentials, identity, and access provisions to steal data. This will continue.

“Therefore,” he continued, “we have been focusing our attention on innovative security solutions that strive to tackle these problems and ensure that organizational security postures are strengthened accordingly.”

Favored companies

While different VCs may be attracted to different cybersecurity sectors, they must still choose which individual companies to support. “A large part of the decision is based on the management team and our perception of its ability to execute on the vision effectively, and evolve that vision over time,” said Ahmed. “Other criteria include tech differentiation, product vision, competition, size of market and TAM [total addressable market], and path to exit.”

Leitersdorf takes an almost identical stance. “The technology must be remarkable, deep, and innovative – that’s a given. However, even the most groundbreaking idea and cutting-edge tech won’t develop into a top-tier startup without an exceptional team,” he explained. 

“We invest in strong teams that combine determination, talent, and an unrelenting passion for solving the most acute problem spaces in cybersecurity. The cybersecurity market is saturated with startups solving niche problems, and we’re looking for founders that stand out, go big and break the mold.”

The same goes for Heller. “Once we have found a sector we like, we generally look for companies that are market leaders or have a real competitive advantage. Cultural fit and alignment is also very important to us and in many cases, we have built relationships with the entrepreneurs and management teams we’re investing in over multiple years.”

The basic conclusion is that prospective vendors won’t get consideration without an excellent product in an expanding or vital sector. But where two attractive companies exist, the one with the stronger management team is more likely to succeed.

Summary

Acquiring venture capital in 2023 may be more difficult than it has been in recent years, but it remains viable and available. “In 2023, cyber will be softer but will remain a bright spot for investing,” explains Funge. “Compared to the nearly 24% year-on-year decline in deal activity across all verticals, cyber deal activity across all investment stages is down only 3%.”

What will change most is the decision-making process of the VC firms. They will still wish to invest, and probably at the same overall levels they have been investing. But fears of bad investments in a down economy will make them concentrate on areas that give them the greatest confidence. This may mean more money going to fewer companies. While B, C and D rounds might be left with difficult, declined, or down rounds, seed and Series A rounds might reach new heights. Any money left over will be focused into M&A.

About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

Cyber Insights | 2023

Related: North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains

Related: What’s Going on With Cybersecurity VC Investments?

Related: How VCs Choose Which Startups to Fund in Challenging Times

Related: YL Ventures Closes $400 Million Cybersecurity Investment Fund

The post Cyber Insights 2023: Venture Capital appeared first on SecurityWeek.

Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication

exploitation-of-oracle-e-business-suite-vulnerability-starts-after-poc-publication

Exploitation attempts targeting a critical-severity Oracle E-Business Suite vulnerability have been observed shortly after proof-of-concept (PoC) code was published.

One of the major Oracle product lines, the E-Business Suite is a set of enterprise applications that help organizations automate processes such as supply chain management (SCM), enterprise resource planning (ERP), and customer relationship management (CRM).

Tracked as CVE-2022-21587 (CVSS score of 9.8), the exploited flaw was identified in the Web Applications Desktop Integrator of Oracle’s enterprise product and was addressed as part of Oracle’s October 2022 Critical Patch Update.

According to a NIST advisory, unauthenticated attackers with network access via HTTP can easily exploit the security defect to compromise the Web Applications Desktop Integrator and take it over.

This week, CISA added CVE-2022-21587 to its Known Exploited Vulnerabilities (KEV) catalog, urging Oracle customers to apply the available patches as soon as possible.

The first exploitation attempts, however, were observed on January 21, Shadowserver warned last week.

“Since Jan 21st we are seeing exploitation attempts in our honeypot sensors for Oracle E-Business Suite CVE-2022-21587 (CVSS 9.8 RCE) shortly after a PoC was published,” Shadowserver said.

The PoC came from Vietnam-based cybersecurity firm Viettel Cyber Security, which on January 16 published a detailed analysis of the vulnerability and potential exploitation venues.

According to Shadowserver data, the number of observed exploitation attempts is currently low. However, threat actors are known to target unpatched Oracle products, and the number of attacks may increase shortly.

This week, CISA also warned of observed exploitation of CVE-2023-22952, a high-severity remote code execution flaw in SugarCRM.

Impacting the EmailTemplates module, the vulnerability is described as a missing input validation defect that allows an attacker to inject custom PHP code using crafted requests. Patches for this vulnerability were released on January 11, 2023.

In January, shortly after exploitation began, Censys reported seeing hundreds of SugarCRM servers being hacked using CVE-2023-22952.
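Both CVE-2022-21587 and CVE-2023-22952 were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and the practical question for a defender is which of the CVEs already flagged in their own environment now carry a KEV remediation deadline. The script below is an added example, not code from SecurityWeek, CISA or Oracle: it indexes a feed with the same field layout as CISA’s public KEV JSON and matches a scanner inventory against it. The feed entries, their dates and the host inventory are all constructed samples (the placeholder CVE-0000-0000 is not a real identifier); fetch the live feed for a real check.

```python
"""Check an inventory of CVEs against a CISA KEV-shaped feed.

Added example, not code from the article. The JSON below has the same shape
as CISA's public KEV feed but is a constructed sample with illustrative dates.
"""
import json
import re
from datetime import date, datetime

# Constructed sample in the shape of the KEV feed; only the fields used here are kept.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "dateReleased": "2023-02-02T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2022-21587", "vendorProject": "Oracle",
         "product": "E-Business Suite", "dateAdded": "2023-02-02",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-02-23"},
        {"cveID": "CVE-2023-22952", "vendorProject": "SugarCRM",
         "product": "SugarCRM", "dateAdded": "2023-02-02",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-02-23"},
    ],
})

# Constructed inventory: CVE -> hosts where a scanner flagged it.
# CVE-0000-0000 is a placeholder, not a real identifier.
SAMPLE_INVENTORY = {
    "cve-2022-21587": ["ebs-prod-01"],
    "CVE-2023-22952": ["crm-01", "crm-02"],
    "CVE-0000-0000": ["legacy-app-07"],
}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalize_cve(cve_id: str) -> str:
    """Upper-case and validate a CVE identifier; reject anything malformed."""
    cve_id = cve_id.strip().upper()
    if not CVE_RE.match(cve_id):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return cve_id


def load_kev(feed_text: str) -> dict:
    """Index the KEV feed by normalized CVE ID."""
    feed = json.loads(feed_text)
    return {normalize_cve(v["cveID"]): v for v in feed["vulnerabilities"]}


def check_inventory(inventory: dict, kev: dict, today) -> list:
    """Return KEV hits for the inventory, earliest due date first.

    today may be a datetime.date or an ISO date string (YYYY-MM-DD).
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for raw_id, hosts in inventory.items():
        cve_id = normalize_cve(raw_id)
        entry = kev.get(cve_id)
        if entry is None:
            continue
        due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
        days_left = (due - today).days
        findings.append({
            "cve": cve_id,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "hosts": sorted(hosts),
            "due": due.isoformat(),
            "days_left": days_left,
            "overdue": days_left < 0,
            "action": entry["requiredAction"],
        })
    return sorted(findings, key=lambda f: (f["due"], f["cve"]))


def not_in_kev(inventory: dict, kev: dict) -> list:
    """CVEs in the inventory that the catalog does not (yet) list."""
    return sorted(c for c in map(normalize_cve, inventory) if c not in kev)


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for f in check_inventory(SAMPLE_INVENTORY, catalog, today="2023-03-01"):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f'{f["cve"]} {f["product"]}: {", ".join(f["hosts"])} (due {f["due"]}, {state})')
    print("not in KEV:", not_in_kev(SAMPLE_INVENTORY, catalog))
```

The CVE normalization matters more than it looks: scanner exports and ticket systems mix case and whitespace, and a silent mismatch means a KEV entry with a due date is never surfaced. A CVE absent from the catalog is not a clean bill of health, which is why the example reports those separately rather than dropping them.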

Related: Exploited Control Web Panel Flaw Added to CISA ‘Must-Patch’ List

Related: CISA Says Two Old JasperReports Vulnerabilities Exploited in Attacks

Related: CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks

The post Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication appeared first on SecurityWeek.

GoAnywhere MFT Users Warned of Zero-Day Exploit

goanywhere-mft-users-warned-of-zero-day-exploit

Users of the GoAnywhere secure managed file transfer (MFT) software have been warned about a zero-day exploit that malicious actors can target directly from the internet. 

The GoAnywhere MFT is made by Fortra, known until recently as HelpSystems, and it’s designed to enable organizations to automate and secure the exchange of data with their trading partners.

Cybersecurity blogger Brian Krebs broke the news about the zero-day vulnerability on Thursday, saying that the company had temporarily implemented a service outage in response.

An advisory obtained by Krebs — it can only be accessed by authenticated users — describes it as a zero-day remote code injection exploit and says that “the attack vector of this exploit requires access to the administrative console of the application”. 

According to the vendor, the vulnerable admin console should in most cases only be accessible from within a company’s network, through a VPN, or only by trusted IP addresses. However, the company has admitted that some GoAnywhere users may be exposing the console to the public internet.

Fortra noted that the web client interface, which is typically accessible from the internet, is not affected by the exploit. 

The advisory doesn’t clearly say that the vulnerability has been exploited in the wild, but active exploitation is likely, considering that it has been described as a zero-day. In addition, the vendor provides instructions on how customers can check if their system has been compromised.

The best indicator of compromise (IoC), according to the advisory, is the presence of suspicious administrator accounts that may have been created by malicious actors. 

The advisory does not mention a patch, but it does recommend mitigations that should prevent exploitation. There is also no mention of a CVE identifier for the vulnerability in the advisory obtained by Krebs. 
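Because the advisory points to unexpected administrator accounts as the best indicator of compromise, the useful check is to diff the current admin user list against a known-good baseline and against the date the console might first have been reachable. The script below is an added example, not code from Fortra or from the advisory: the export format (username, created, created_by, roles) is a hypothetical JSON dump and the accounts are constructed; map the field names to whatever your admin-user export or audit log actually provides.

```python
"""Flag suspicious administrator accounts against a baseline.

Added example, not from the article or from Fortra. The export format is a
hypothetical JSON dump; the accounts and baseline below are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample export of administrator accounts (hypothetical format).
SAMPLE_ADMIN_EXPORT = json.dumps([
    {"username": "root", "created": "2021-03-02T10:00:00Z",
     "created_by": None, "roles": ["Product Administrator"]},
    {"username": "j.doe", "created": "2022-06-14T09:12:00Z",
     "created_by": "root", "roles": ["Security Officer"]},
    {"username": "svc_backup1", "created": "2023-01-30T03:41:17Z",
     "created_by": "root", "roles": ["Product Administrator"]},
    {"username": "mft-admin", "created": "2023-01-31T02:05:44Z",
     "created_by": "svc_backup1", "roles": ["Product Administrator"]},
])

# Administrator usernames that are known and approved (constructed baseline).
BASELINE_ADMINS = {"root", "mft-admin", "j.doe"}


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp; accept a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_suspicious_admins(export_text: str, baseline: set, since: str) -> list:
    """Return accounts failing any of three checks, with the reasons.

    since: ISO-8601 UTC timestamp. Anything created after it is flagged even
    if the name is in the baseline, because an attacker may pick a familiar
    name or recreate a deleted one. Creation by a non-baseline account is
    flagged so that a chain of attacker-created accounts is visible.
    """
    since_dt = parse_utc(since)
    findings = []
    for acct in json.loads(export_text):
        reasons = []
        name = acct["username"]
        created = parse_utc(acct["created"])
        creator = acct.get("created_by")
        if name not in baseline:
            reasons.append("not in baseline")
        if created > since_dt:
            reasons.append(f"created {created.date()} after {since_dt.date()}")
        if creator and creator not in baseline:
            reasons.append(f"created by non-baseline account '{creator}'")
        if reasons:
            findings.append({"username": name, "created": created.isoformat(),
                             "roles": acct.get("roles", []), "reasons": reasons})
    return sorted(findings, key=lambda f: f["created"])


if __name__ == "__main__":
    hits = find_suspicious_admins(SAMPLE_ADMIN_EXPORT, BASELINE_ADMINS, "2023-01-28T00:00:00Z")
    for f in hits:
        print(f'{f["username"]} ({", ".join(f["roles"])}): {"; ".join(f["reasons"])}')
```

The cutoff date should be chosen conservatively, for instance the earliest date the console was exposed or the start of the period covered by the advisory; anything the script flags is a lead for the audit log, not a verdict on its own.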

Security researcher Kevin Beaumont has conducted a Shodan search and found roughly 1,000 internet-exposed systems, a majority located in the United States. However, some of the results are clearly labeled as being associated with the web client, which Fortra says is not impacted.


Related: Zero-Day Vulnerability Exploited to Hack Over 1,000 Zimbra Email Servers

Related: US Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day

Related: Accellion Failed to Notify Customers of FTA Zero-Day

The post GoAnywhere MFT Users Warned of Zero-Day Exploit appeared first on SecurityWeek.

Cyber Insights 2023 | Supply Chain Security

cyber-insights-2023-|-supply-chain-security


SecurityWeek Cyber Insights 2023 | Supply Chain Security – The supply chain threat is directly linked to attack surface management (it potentially represents a hidden part of the attack surface) and zero trust (100% effective zero trust would eliminate the threat). But the supply chain must be known and understood before it can be remediated.

In the meantime, and especially throughout 2023, it will be a focus for adversaries. Why attack a single target when successful manipulation of the supply chain can get access to dozens or even hundreds of targets simultaneously?

The danger and effectiveness of such attacks are amply illustrated by the SolarWinds, log4j, Spring4Shell, Kaseya, and OpenSSL incidents.

The missed wake-up calls

Supply chain attacks are not new. The iconic Target breach of late 2013 was a supply chain breach. The attackers got into Target using credentials stolen from its HVAC provider, Fazio Mechanical Services – that is, via Target’s supply chain.

The 2018 breach of Ticketmaster was another supply chain breach. A Ticketmaster software supplier, Inbenta, was breached and Inbenta software was modified and weaponized. This was automatically downloaded to Ticketmaster. 

Island hopping is another form of supply chain attack. In 2017, Operation Cloud Hopper was revealed. This disclosed that an advanced group, probably APT10, was compromising managed service providers to gain access to the MSP’s customers. 

Despite these incidents, it has only been in the last couple of years, fueled by more extensive incidents such as SolarWinds, that industry has become cognizant of the full threat from increasingly sophisticated and wide-ranging supply chain concerns. But we should not forget that the 2017 NotPetya incident also started as a supply chain attack. The update mechanism of M.E.Doc, a Ukrainian accounting software package, was weaponized so that a malicious update was automatically downloaded by the vendor’s customers, before the malware spread around the globe. Both SolarWinds and NotPetya are believed to be the work of nation state actors.

All forms of supply chain attacks will increase in 2023, and beyond. Chad Skipper, global security technologist at VMware, specifically calls out island hopping. “In 2023, cybercriminals will continue to use island hopping, a technique that aims to hijack an organization’s infrastructure to attack its customers,” he warns. “Remote desktop protocol is regularly used by threat actors during an island-hopping campaign to disguise themselves as system administrators. As we head into the new year, it’s a threat that should be top of mind for all organizations.”

Attacks will increase

That supply chain attacks will increase in 2023 and beyond is the single most extensive prediction for 2023. “Supply chain attacks happen when hackers gain access to a company’s inner workings via a third-party partner, a method that provides them with a much greater amount of privileged information from just one breach,” explains Matt Jackson, senior director security operations at Code42. “This type of attack already rose by more than 300% in 2021, and I anticipate this trend will continue in 2023, with these attacks becoming more complicated and intricate.”


Lucia Milică, global resident CISO at Proofpoint, worries that despite all the wake-up calls so far, “We are still a long way from having adequate tools to protect against those kinds of digital supply chain vulnerabilities. We predict these concerns will mount in 2023, with our trust in third-party partners and suppliers becoming one of the primary attack channels.”

The result, she added, is, “We expect more tension in supply chain relationships overall, as organizations try to escalate their vendors’ due diligence processes for better understanding the risks, while suppliers scramble to manage the overwhelming focus on their processes.”

Jackson added, “Because many third-party partners are now privy to more sensitive data than ever before, companies can no longer rely on their own cybersecurity prowess to keep information safe.”

“Supply chain attacks purposefully target the smaller organizations first because they’re less likely to have a robust cybersecurity setup, and they can use those companies to get to the bigger fish,” he continued. “In the next year, companies will become even more diligent when deciding on an outside organization to work with, creating an increase in compliance verifications to vet the cyber tools used by these prospective partners.”

Anand Raghavan, co-founder and CPO at Armorblox, expands on this theme. “This becomes particularly relevant,” he said, “for the Fortune 500 or Global 2000 companies that have a large ecosystem of suppliers, vendors, and distributors whose security stacks are nowhere as mature as those of large organizations. Large organizations might consider requiring all vendors to follow certain security best practices, including modernizing their email security stack if they want to continue being a vendor in good standing.”

Interestingly, despite all the warnings of an escalating threat, Christopher Budd, senior manager of threat research at Sophos, notes, “Unlike two years ago when the SolarWinds attack put supply chain attacks high on people’s radar, supply chain attacks have faded from prominence.” This may be a misleading premise. The discovery of a vulnerability in a widely used piece of software, such as the log4j vulnerability, will be used by individual cybercriminals and nation state actors alike.

However, targeted attacks such as that against SolarWinds require resources and skill. These attributes are more usually found only in the more advanced gangs and nation state actors. Such adversaries have another attribute: patience. “Today’s and undoubtedly tomorrow’s threat actors have shown they can play the long game,” warns Pieter Arntz, senior intelligence reporter at Malwarebytes.

Budd also warns that despite their immediate lack of prominence (at the time of writing, but anything could happen tomorrow), “Supply chain may be something that continues to not gather news, similar to 2022. But it will remain a real threat and one that organizations should be prioritizing across the board, in part because effectively countering this threat requires a comprehensive, careful, methodical approach.”

The software supply chain

The primary growth area in supply chain attacks will likely be the software supply chain. “Over the past few years,” explains Eilon Elhadad, senior director of supply chain security at Aqua, “increasing pressure to deliver software faster has widened attack surfaces and introduced severe vulnerabilities.”

New tools, languages and frameworks that support rapid development at scale are being targeted by malicious actors, who understand the widespread impact that results from attacks to the software supply chain.

“In 2023,” Elhadad continued, “software supply chain threats will continue to be a significant area of concern. These attacks have a larger potential blast radius to allow hackers to impact entire markets and wreak havoc for organizations.”

Eric Byres, founder and CTO at aDolus, agrees. “Software supply chain attacks will continue to increase exponentially in 2023,” he said; “the ROI on these attacks is just too sweet for professional adversaries to resist.” He notes that supply chain attacks have increased by 742% over the last three years.

Much of the software supply chain threat comes from the growing reliance on open source software libraries as part of the ‘increasing pressure to deliver software faster’. Zack Zornstain, head of supply chain security at Checkmarx, believes the software threat will particularly affect the open source supply.

“We believe that this threat of compromising open source packages will increase as malicious code can endanger the safety of our systems, ranging from ransomware attacks to the exposure of sensitive information, and more. We expect to see this as a general attack vector used both by cyber firms and nation-state actors. SBOM adaptation will help clarify which packages we’re using in applications, but we will need to invest in more controls to ensure the safety of those packages,” he said.

“Organizations should be on high alert for supply chain attacks if they use open-source software,” warns Kevin Kirkwood, deputy CISO at LogRhythm. “Bad actors examine the code and its components to obtain a thorough understanding of its flaws and the most effective ways to exploit them.”

If the source code of an open source software library either has – or can be engineered by bad actors to have – a vulnerability, then every company that downloads and uses that code becomes vulnerable.

“In 2023,” continues Kirkwood, “we’ll see bad actors attack vulnerabilities in low-hanging open-source vendors with the intention of compromising the global supply chain that uses third-party code. Attackers will infect the open-source repositories and chromium stores with malicious code and will wait for developers and other end users to come along and pick up the new sources and plugins.”

Venafi’s Matt Barker, president of cloud native solutions, adds, “We’re seeing many instances of vulnerable code brought inside their firewall by developers trying to go fast using unverified code from GitHub, or copypasta from Stack Overflow.”

He continues, “Thankfully, we’ve reached a collective sense of focus on this area and are seeing tremendous developments in how we tackle it. This is only going to increase through 2023 as we see more start-ups popping up and open source tools like cosign and sigstore designed to help it. Biden’s SBOM initiative has helped bring attention to the requirement, and The OpenSSF is leading in this charge.”

Mark Lambert, VP of products at ArmorCode, expands on this. “As the software supply chain continues to get more complicated, it is vital to know what open source you are indirectly using as part of third-party libraries, services (APIs) or tools. This is where SBOM comes in,” he said. “By requiring a disclosure of all embedded technologies from your vendors, you can perform analysis of those libraries to further assess your risk and react appropriately.”

The SBOM

Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028) brought the software bill of materials (SBOM) into federal procurement policy, effectively if not actually mandating that software bought (or supplied) by government agencies be accompanied with a bill of materials. It described the SBOM as “a formal record containing the details and supply chain relationships of various components used in building software,” and analogous to a list of ingredients on food packaging.

While the advantages of the SBOM may appear obvious in helping software developers understand precisely what is included in the open source libraries they use, it must be said that not everyone is immediately enthusiastic. In December 2022, it emerged that a lobbying group representing major tech firms such as Amazon, Microsoft, Apple, Intel, AMD, Lenovo, IBM, Cisco, Samsung, TSMC, Qualcomm, Zoom and Palo Alto Networks was urging the OMB to ‘discourage agencies’ from requiring SBOMs. The group argued that the requirement is premature and of limited value — but it didn’t ask for the concept to be abandoned.

It is the complexity and difficulty in both compiling and using an SBOM that is the problem — and it is these concerns that will drive a lot of activity through 2023. The value of the concept outlined in the executive order remains undiminished. 

“Incidents such as Log4shell [log4j] and the most recent SpookySSL vulnerabilities [CVE-2022-3602 and CVE-2022-3786] will push the adoption of a software bill of materials as a core component of achieving effective incident response, while efforts will continue in maturing the SBOM ecosystem (adoption across sectors, tooling, standardization around sharing and exchanging of SBOMs and more),” explains Yotam Perkal, director of vulnerability research at Rezilion.

“One of the big challenges I see in the year ahead is that this is more data for the development teams to manage as they deliver software,” notes Lambert. “In 2023, organizations are going to need ways to automate generating, publishing and ingesting SBOMs – they will need ways to bring the remediation of the associated vulnerabilities into their current application security programs without having to adopt whole new workflows.”

As part of this process, Michael Assraf, CEO and co-founder at Vicarius, said, “We predict that a new market will evolve called binary software composition analysis, which will look for software files that are different from what was pre-packaged and shipped. Automated techniques can utilize machine learning that will find this discrepancy, which will be vital in knowing where your risk lies and how large your attack surface can potentially be.”
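Assraf’s description of binary software composition analysis boils down to one check: does what is installed still match what was shipped? The following is an added example (not Vicarius’s product and not code from this article) of that check in its simplest form. It builds a hypothetical installed tree in a temporary directory, records a manifest of SHA-256 digests at “ship” time, then tampers with one file, deletes another and drops in an extra one, and reports the drift. File names and contents are constructed placeholders.

```python
"""Detect shipped files that no longer match the vendor's manifest.

Added example; the installed tree, file names and contents are constructed
placeholders, not real binaries.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (relative POSIX path) under root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(shipped, current):
    """Compare the vendor's shipped manifest with what is on disk now."""
    modified = sorted(k for k in shipped if k in current and shipped[k] != current[k])
    missing = sorted(k for k in shipped if k not in current)
    added = sorted(k for k in current if k not in shipped)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Ship a tiny hypothetical package, tamper with it, and return the drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF-placeholder-agent-v1")
        (root / "lib" / "libcrypto.so.3").write_bytes(b"\x7fELF-placeholder-libcrypto")
        (root / "lib" / "libssl.so.3").write_bytes(b"\x7fELF-placeholder-libssl")
        shipped = build_manifest(root)  # what the vendor would publish

        # Simulated post-delivery tampering: one file altered, one removed,
        # one unexpected file added.
        (root / "lib" / "libcrypto.so.3").write_bytes(b"\x7fELF-placeholder-libcrypto-TROJANED")
        (root / "lib" / "libssl.so.3").unlink()
        (root / "lib" / "libhelper.so").write_bytes(b"\x7fELF-unexpected-extra")

        return diff_manifest(shipped, build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest is only as trustworthy as its own provenance: an attacker who can replace the binaries can usually replace an unsigned manifest too, so in practice the shipped manifest (or the SBOM that carries the digests) must be signed by the vendor, which is where tooling such as cosign and sigstore, mentioned above, comes in.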


Thomas Pace, CEO at NetRise, suggests, “SBOM is going to continue to garner mainstream adoption, not just from software/firmware suppliers that are building products they are selling, but also for internal development teams that are building applications and systems for internal use.”

He adds, “The need to be able to rapidly understand the provenance of software components is becoming increasingly critical. Without this visibility, the window for attackers to exploit these vulnerabilities is much too big and puts cyber defenders at a significant disadvantage.” But he also notes, “strong efforts from organizations like Google have moved the ball forward in a positive way. Efforts such as Open Source Insights provide a lot of visibility for end users and vendors alike to scale out the analysis of these components.”

The problems involved with SBOM generation and use have not yet been solved, but enthusiasm remains. We can expect considerable effort into automating these processes to continue throughout 2023.

Nevertheless, Kurt Baumgartner, principal security researcher at Kaspersky, warns, “Open source projects continue to be polluted with malicious code. Awareness of these issues and challenges increases, but the attacks continue to be effective on a large scale. Despite the best efforts of software bill of materials, complex dependency chains help ensure that malicious code is uncontrolled for a time in some projects.”

The physical supply chain

Every company needs to be wary of software supply chain attacks via the code it develops for its own use, but we should not forget that there is a potentially more catastrophic threat to the physical supply chain. The blockage of grain exports from Ukraine during the Russia/Ukraine conflict showed the potential effect on global food supplies. Covid-19 likewise disrupted many global supply chains, causing panic buying and popular distress in its early days.

These were not the result of cyberattacks, but many physical supply chains could be disrupted by cyberattacks. The Colonial Pipeline incident, although a financially motivated ransomware attack, had an immediate effect on the supply of refined fuel to the eastern United States. The longer the Russia/Ukraine conflict continues, and the more east/west tensions rise, the more likely cyber disruption of physical supply chains becomes through 2023, and possibly beyond.

SecurityWeek discussed one such possibility in May 2022: The Vulnerable Maritime Supply Chain – a Threat to the Global Economy.

Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, notes that in the utilities and energy sector, “99% of energy companies say they have been negatively impacted by at least one supply chain breach in the past year, representing the highest rate of overall impact in any other industry. Because it remains one of the most frequently attacked verticals, it is especially crucial that it rises to the challenge of supply chain defense in 2023.”

Taylor Gulley, senior application security consultant at nVisium, comments, “The past few years have shown that both the digital supply chain, as well as the physical world supply chain, are very fragile. This fragility is due to a lack of redundancy and resources due to economic constraints or skill gaps. For 2023, this situation will still stand true. Supply chain security is a weak link that needs to be strengthened.”

Solutions and the way forward


Sam Curry, CSO at Cybereason, believes the SBOM will be an important part of solving the software supply chain problem. “It would be naive in the extreme to think that with thousands of trusted software and service providers to choose from… that the handful of known supply chain compromises were the sum total of them. No. 2023 will show us more, and we will be lucky to learn of them because the attacker can quietly exploit these without tipping their hands.” 

He added, “We need to use 2023 to be innovative and vigilant and to find new answers to the supply chain problem, to build on software bills of material, to innovate with the men and women building our software and to find the solutions to deter, to detect and to remove the vulnerabilities and exposures that enable this most insidious and trust eroding of attacks.”

Sharon Chand, Deloitte US’ cyber risk secure supply chain leader, believes that software supply chain security will require continuous real-time monitoring of third-party risks and vulnerabilities in inbound packaged software and firmware components. “For instance,” she said, “this includes implementing leading practice techniques around ingesting SBOMs and correlating the output to emerging vulnerabilities, identifying risk indicators such as geographical origin of the underlying components, and providing visibility to transitive dependencies.”
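Lambert’s point about knowing what open source you use indirectly, Perkal’s point that incidents such as Log4Shell and SpookySSL drive SBOM adoption for incident response, and Chand’s description of ingesting SBOMs and correlating them with emerging vulnerabilities all describe the same workflow. The following is an added example of that workflow (it is not code from SecurityWeek or from any of the vendors quoted). It ingests a CycloneDX-style SBOM, walks the dependency graph from the application down through transitive dependencies, matches each component against a list of advisories, and reports the path by which a vulnerable component was pulled in. The SBOM is constructed inline for a hypothetical “inventory-service” application so the script runs offline; only the package names and the two affected version ranges (log4j-core below 2.15.0 for CVE-2021-44228, OpenSSL 3.0.0 to 3.0.6 for CVE-2022-3602/CVE-2022-3786) are real.

```python
"""Ingest a CycloneDX-style SBOM and correlate it with advisories.

Added example. The SBOM and advisory list are constructed inline;
'inventory-service', 'shared-logging' and 'http-client' are hypothetical.
"""
import json
from collections import deque

SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "pkg:maven/example/inventory-service@2.3.0",
                             "name": "inventory-service", "version": "2.3.0"}},
  "components": [
    {"bom-ref": "pkg:maven/example/shared-logging@1.1.0", "name": "shared-logging", "version": "1.1.0"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "name": "log4j-core", "version": "2.14.1"},
    {"bom-ref": "pkg:maven/example/http-client@4.0.2", "name": "http-client", "version": "4.0.2"},
    {"bom-ref": "pkg:generic/openssl@3.0.6", "name": "openssl", "version": "3.0.6"},
    {"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4", "name": "jackson-databind", "version": "2.13.4"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/inventory-service@2.3.0",
     "dependsOn": ["pkg:maven/example/shared-logging@1.1.0", "pkg:maven/example/http-client@4.0.2",
                   "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"]},
    {"ref": "pkg:maven/example/shared-logging@1.1.0",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
    {"ref": "pkg:maven/example/http-client@4.0.2", "dependsOn": ["pkg:generic/openssl@3.0.6"]}
  ]
}'''

# (component name, first affected version, first fixed version, advisory)
ADVISORIES = [
    ("log4j-core", "2.0", "2.15.0", "CVE-2021-44228 (Log4Shell)"),
    ("openssl", "3.0.0", "3.0.7", "CVE-2022-3602 / CVE-2022-3786 (SpookySSL)"),
]


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Non-numeric suffixes are
    dropped, which is good enough for dotted releases; a production tool would
    apply the ecosystem's own version ordering rules."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """introduced <= version < fixed, the usual advisory convention."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def load_sbom(text):
    bom = json.loads(text)
    root = bom["metadata"]["component"]["bom-ref"]
    names = {root: bom["metadata"]["component"]["name"]}
    comps = {}
    for c in bom["components"]:
        comps[c["bom-ref"]] = c
        names[c["bom-ref"]] = c["name"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root, comps, names, graph


def dependency_paths(root, graph):
    """Breadth-first walk from the application; {bom-ref: shortest path of refs}."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for child in graph.get(cur, []):
            if child not in paths:
                paths[child] = paths[cur] + [child]
                queue.append(child)
    return paths


def find_affected(sbom_text, advisories):
    """Return one finding per (component, advisory) match, with its import path."""
    root, comps, names, graph = load_sbom(sbom_text)
    paths = dependency_paths(root, graph)
    findings = []
    for ref, comp in comps.items():
        for name, introduced, fixed, advisory in advisories:
            if comp["name"] != name or not version_in_range(comp["version"], introduced, fixed):
                continue
            path = paths.get(ref, [ref])  # listed but unwired components are still reported
            findings.append({
                "component": f'{comp["name"]}@{comp["version"]}',
                "advisory": advisory,
                "transitive": len(path) > 2,  # root -> direct dep -> ... -> component
                "path": [names[r] for r in path],
            })
    return findings


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON, ADVISORIES):
        kind = "transitive" if f["transitive"] else "direct"
        print(f'{f["advisory"]}: {f["component"]} ({kind}) via ' + " -> ".join(f["path"]))
```

Neither vulnerable component is a direct dependency of the application, which is exactly the visibility gap Lambert describes: a manifest listing only what the developers chose would show shared-logging and http-client and nothing else. The same walk also answers the incident-response question Perkal raises, “are we affected, and through what?”, without rebuilding anything.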

Christian Borst, EMEA CTO at Vectra AI, suggests collaboration and cooperation across the software industry will be required. “A holistic approach may help turn the tables on the matter: supply chain means partnership – partnership means collaboration and supporting each other. Only as a ‘mesh’ interconnected structure with consistent resiliency can companies thrive in the digital economy. This includes ensuring that they review the security policies of all those in the chain.”

Sounil Yu, CISO at JupiterOne, makes a fitting summary, referencing a paper written by Richard Danzig in July 2014 (Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America’s Cyber Dependencies). “To borrow Richard Danzig’s analogy,” says Yu, “we are on a diet of poisoned fruit with respect to our software supply chain. This poison is not going to go away, so we will need to learn how to survive and thrive under these conditions. Being aware of the risks, through efforts such as SBOM, and managing the risks through compensating controls such as egress filtering, will be a priority in 2023 and the foreseeable future.”

Related: US Gov Issues Software Supply Chain Security Guidance for Customers

Related: OpenSSF Adopts Microsoft-Built Supply Chain Security Framework

Related: Hundreds Infected With ‘Wasp’ Stealer in Ongoing Supply Chain Attack

Related: US Gov Issues Supply Chain Security Guidance for Software Suppliers

The post Cyber Insights 2023 | Supply Chain Security appeared first on SecurityWeek.