Documents, Code, Business Systems Accessed in Reddit Hack


Reddit on Thursday informed users that its systems were hacked as a result of what the company described as a sophisticated and highly targeted phishing attack aimed at employees.

According to Reddit, the intrusion was detected on February 5. The hackers gained access to some internal documents, source code, internal dashboards and business systems. 

Up until this point in the investigation, Reddit has determined that the exposed information includes limited contact information for hundreds of contacts and current and former employees, as well as some advertiser information. 

“Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online,” Reddit said. 

There is no indication that user passwords or accounts have been compromised. The company also said there is no evidence of a breach of production systems, where the platform runs and where a majority of its data is stored.

The data breach was discovered after an employee informed Reddit’s security team that they had fallen for a phishing attack. The attackers targeted Reddit employees with “plausible-sounding prompts” that led them to a phishing website mimicking its intranet gateway. 

A Reddit representative noted in an AMA (Ask Me Anything) thread that the employee whose credentials were phished did have two-factor authentication (2FA) enabled on their account, as the company requires it for all employees. 

However, it seems that the phishing page targeted not only employee credentials, but also their second-factor tokens. 

Several major tech companies were targeted in sophisticated phishing attacks in the past months. One of them is Zendesk, which revealed recently that some employees handed over their credentials to threat actors in the fall of 2022. 

At around the same time, companies such as Twilio, Cloudflare and at least 130 others were targeted in a phishing campaign dubbed Oktapus, which appeared to be the work of financially motivated threat actors.

Related: Reddit Names Allison Miller as CISO, VP of Trust

Related: Accounts of Reddit Moderators Hijacked in Pro-Trump Hack

Related: Reddit Locks Down Accounts Due to ‘Security Concern’

The post Documents, Code, Business Systems Accessed in Reddit Hack appeared first on SecurityWeek.

ESXiArgs Ransomware Hits Over 3,800 Servers as Hackers Continue Improving Malware


There have been some new developments in the case of the ESXiArgs ransomware attacks, including related to the encryption method used by the malware, victims, and the vulnerability exploited by the hackers.

After the US Cybersecurity and Infrastructure Security Agency (CISA) announced the availability of an open source tool designed to help some victims of the ESXiArgs ransomware recover their files without paying a ransom, the FBI and CISA released a document providing recovery guidance.

The FBI and CISA are aware of more than 3,800 servers that were compromised around the world in ESXiArgs ransomware attacks. 

Currently, the Shodan and Censys search engines show 1,600-1,800 hacked servers, but there are indications that many impacted organizations have started responding to the attack and cleaning up their systems.

Reuters has conducted an analysis and determined that the victims include Florida’s Supreme Court and universities in the United States and Europe.

An analysis of the file-encrypting malware deployed in the ESXiArgs attacks showed that it targets files associated with virtual machines (VMs). However, experts noticed that the ransomware mainly encrypted VM configuration files and left the flat files that store the actual VM data untouched, allowing some users to recover their data.

The tool released by the US government reconstructs the encrypted configuration files based on the unencrypted flat files. 

However, Bleeping Computer reported on Wednesday that some victims have been targeted with a new version of the ESXiArgs malware, one with a different encryption process that involves encrypting more data, which prevents the recovery of files. 

Earlier versions of the ransomware left the majority of the data in large files unencrypted, but the new version encrypts a far more significant portion of each large file. Researchers have so far found no flaws in the encryption itself, so files encrypted by the new version cannot be restored.

It has been assumed that the ESXiArgs attacks leverage CVE-2021-21974 for initial access. This is a high-severity remote code execution vulnerability in VMware ESXi that VMware patched in February 2021. The issue is related to OpenSLP.

VMware has not confirmed exploitation of CVE-2021-21974, but it did say that there is no evidence of a zero-day vulnerability being leveraged in the attacks.

However, threat intelligence company GreyNoise is not convinced that there is enough evidence that CVE-2021-21974 is being exploited. GreyNoise pointed out that several OpenSLP-related vulnerabilities have been found in ESXi in recent years, and any of them could have been exploited in the ESXiArgs attacks, including CVE-2020-3992 and CVE-2019-5544.

Data collected by cloud security company Wiz showed that, as of February 7, 12% of ESXi servers were unpatched against CVE-2021-21974 and vulnerable to attacks. 

The attacks have yet to be attributed to a known threat actor, but the evidence collected so far suggests that the file-encrypting malware is based on Babuk source code that was leaked in 2021. 

“Due to the relatively low ransom demand (2 BTC) and widespread, opportunistic targeting, we assess with moderate confidence this campaign is not tied to ransomware groups known for ‘Big Game Hunting’,” said SOC-as-a-service provider Arctic Wolf. “More established ransomware groups typically conduct OSINT on potential victims before conducting an intrusion and set the ransom payment based on perceived value.”

Related: VMware Patches VM Escape Flaw Exploited at Geekpwn Event

Related: VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities


UN Experts: North Korean Hackers Stole Record Virtual Assets


North Korean hackers working for the government stole record-breaking virtual assets last year estimated to be worth between $630 million and more than $1 billion, U.N. experts said in a new report.

The panel of experts said in the wide-ranging report seen Tuesday by The Associated Press that the hackers used increasingly sophisticated techniques to gain access to digital networks involved in cyberfinance, and to steal information that could be useful in North Korea’s nuclear and ballistic missile programs from governments, individuals and companies.

With growing tensions on the Korean Peninsula, the report said North Korea continued to violate U.N. sanctions, producing weapons-grade nuclear material, and improving its ballistic missile program, which “continued to accelerate dramatically.”

In 2022, the Democratic People’s Republic of Korea – the North’s official name – launched at least 73 ballistic missiles and missiles combining ballistic and guidance technologies including eight intercontinental ballistic missiles, the panel said. And 42 launches, including the test of a reportedly new type of ICBM and a new solid-fueled ICBM engine, were conducted in the last four months of the year.

North Korea’s leader Kim Jong Un ordered an “exponential increase of the country’s nuclear arsenal” in January, and the panel said “a new law discussed an increased focus on tactical nuclear capability, a new first-use doctrine, and the ‘irreversible nature’ of the DPRK’s nuclear status.”

“The ability to carry out an unexpected nuclear strike on any regional or international target, described in DPRK’s new law on nuclear doctrine and progressively in public statements since 2021, is consistent with the observed production, testing, and deployment of its tactical and strategic delivery systems,” the experts said in the report to the U.N. Security Council.


The panel said that South Korean authorities quoted in media reports “estimated that state sponsored DPRK cyber threat actors had stolen virtual assets worth around $1.2 billion globally since 2017, including about $630 million in 2022 alone.”

The experts monitoring sanctions against North Korea said an unnamed cybersecurity firm “assessed that in 2022, DPRK cybercrime yielded cyber currencies worth over $1 billion at the time of the threat, which is more than double the total proceeds in 2021.”

The variation in the U.S. dollar value of cryptocurrency in recent months is likely to have affected these estimates, the panel said, “but both show that 2022 was a record-breaking year for DPRK virtual asset theft.”

The panel said three groups that are part of the Reconnaissance General Bureau, North Korea’s primary foreign intelligence organization, “continued illicitly to target victims to generate revenue and solicit information of value to the DPRK including its weapons programs” – Kimsuky, Lazarus Group and Andariel.

Between February and July 2022, the panel said, the Lazarus Group “reportedly targeted energy providers in multiple member states using a vulnerability” to install malware and gain long-term access. It said this “aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies … to siphon off proprietary intellectual property.”

Lazarus Group’s primary focus is on specific types of industry, aerospace and defense and conventional finance and cryptocurrencies, with the objective of accessing the internal knowledge bases of the compromised companies, the experts said. They quoted the cybersecurity section of an internet technology company as saying Lazarus has been targeting engineers and technical support employees “using malicious versions of open source applications.”

In December 2022, the panel said, South Korea’s national police agency announced that Kimsuky had targeted 892 foreign policy related experts “in an effort to steal personal data and email lists.”

The police reported that the hackers didn’t manage to steal sensitive information, but they “laundered IP addresses of the victims and employed 326 detour servers and 26 member states to make tracing difficult,” the experts said. The police noted it was the first time they detected Kimsuky using ransomware, saying 19 servers and 13 businesses were affected, of which two paid 2.5 million South Korean won ($1,980) in Bitcoin to the hackers.

On military-related issues, the experts said they investigated the “apparent export” of military communications equipment from a North Korean company under U.N. sanctions to Ethiopia’s defense ministry in June 2022.

The panel said it has not yet received a reply from Ethiopia’s government about a photo published by the Ethiopian media in November allegedly showing a piece of equipment from the Global Communications Co., known as Glocom, being used by a top military official. Eritrea also hasn’t responded to questions about its alleged procurement of Glocom equipment, the experts said.

North Korea may also have illegally traded arms and related material with a number of countries, including sending artillery shells, infantry rockets and missiles to Russia – claims Pyongyang and Moscow have consistently denied, the panel said. And the experts said they are investigating the reported sale of weapons from a North Korean company on the U.N. sanctions list to the Myanmar military through a Myanmar company.


SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022


MSSPs took the lead in cybersecurity M&A in 2022 with twice as many deals as in 2021

An analysis conducted by SecurityWeek shows that more than 450 cybersecurity-related mergers and acquisitions were announced in 2022.

In 2022, we tracked a total of 455 deals, compared to 435 in 2021. The US and UK continue to lead in terms of the number of deals, but Israel and Australia were overtaken last year by Canada and Germany. 

The number of deals involving companies from the United States increased from 341 to 358, and the UK dropped from 70 to 61 deals. 

As for regional data, North America and Europe continue to lead with roughly the same number of M&As as in the previous year. The number of deals involving companies in Asia and Oceania dropped compared to 2021, but M&A activity more than doubled in Latin America. 

Financial details of the transaction were disclosed in 62 cases in 2022, significantly less than the 88 deals that had financial terms disclosed in 2021. 

In 2022, we saw transactions totaling more than $63 billion in disclosed deal value. Ten companies were acquired for more than $1 billion, roughly the same as in 2021. The most significant deal for the cybersecurity industry was Google’s acquisition of Mandiant.

Thoma Bravo acquired SailPoint, Ping Identity, and Forgerock for more than $1 billion, and reportedly sold Barracuda Networks for $4 billion. Vista Equity Partners acquired two companies for over $1 billion: KnowBe4 and Citrix (Citrix was acquired with Evergreen Coast Capital).

Other major deals include Kaseya’s acquisition of Datto, Carlyle Group’s acquisition of ManTech International, and AMD’s acquisition of Pensando.  

Roughly the same number of companies as in 2021 was acquired for millions of dollars, but the number of deals for tens and hundreds of millions has dropped from 64 to 38. 

As for the types of companies involved in 2022’s cybersecurity M&A deals, managed security services providers (MSSPs) lead by far, with over 150 deals, more than double compared to 2021. Many MSSPs are looking to buy other managed services providers as part of their expansion efforts.

In addition, a recent survey showed that many MSPs are focusing on growing their cybersecurity practices, with many planning to invest in threat intelligence, detection and response, real-time attack visibility, and forensics and incident response. 

SecurityWeek is tracking MSSP deals separately. These transactions play a significant role in the cybersecurity industry and are worth following, but keeping them apart from the rest gives a clearer view of the other categories.

Deals in the governance, risk and compliance (GRC) category come in second place, with 58 mergers and acquisitions announced in 2022 involving these types of companies. It’s worth noting that GRC exceeded MSSP in 2021, when nearly 80 transactions were announced. 

Companies providing network security and identity-related services were, just like in 2021, the third and fourth most common in cybersecurity deals, but the number of deals related to data protection nearly doubled, moving from the tenth position on the chart to the fifth.

Even in the first half of 2022 it was clear that data protection would be in the M&A spotlight, with the number of deals announced in H1 reaching the same level as in the entire 2021. 

The number of deals involving government contractors dropped slightly in 2022 compared to 2021, from 43 to 36, but it remained one of the top types of transactions. This includes Carlyle Group’s acquisition of ManTech International for $4.2 billion.

The US government continues to invest in improving its cyber capabilities. As a result, IT and cybersecurity contractors are scrambling to extend and enhance their capabilities through strategic acquisitions that can pay off down the line.

The data collected by SecurityWeek shows that private equity (PE) companies continue to bet big on cybersecurity, with 18 of the mergers and acquisitions announced in 2022 involving PE firms, approximately the same as in the previous year. 

PE firms have acquired companies specializing in cloud security, data protection, threat intelligence, risk management, application security, identity, network security, security operations center (SOC), mobile security, secure access, and managed services.

Three of the 2022 cybersecurity M&A deals involved a special purpose acquisition company (SPAC). 

There were more than 10 deals for each of the following types of companies: cloud (32), application (24), specialized (22), consulting (21), incident response (20), training (20), threat intelligence (17), and web and email (16). 

The ‘specialized’ category includes companies that provide highly focused security services. The list includes — but is not limited to — blockchain, quantum, payment, PR, healthcare, hardware, education, certification, design and automotive. 

We are seeing a similar start in terms of the number of M&A deals in 2023. On one hand, the global economic slowdown may lead to a drop in the number of deals in 2023 as companies may be more cautious and delay expansions fueled by acquisitions. On the other hand, we predict that some firms will be keeping a close eye on the market in hopes of buying startups with promising technologies at a discount. 

Monthly summaries of 2022 cybersecurity M&A deals: January, February, March, April, May, June, July, August, September, October, November, December.

Methodology: The data was collected from news distribution services, Google and pitches from PR companies. The data includes companies that issued press releases announcing or mentioning acquisitions, as well as deals that have been privately reported to SecurityWeek. All deals that had a cybersecurity component have been taken into account for this study. Mergers and acquisitions that did not have an English-language announcement may not be included. The data could also include deals that may have not been completed after they were announced. 

The GRC category includes governance, compliance, risk management, audit, assessment, vulnerability management, penetration testing, attack surface management, and cyber insurance. Network security includes endpoint security, MDR, XDR, NDR, and SASE. Identity includes IAM, PAM, secure access, authentication, authorization and fraud. Incident response includes SOAR, SIEM, SOC, and forensics. ‘Other (specialized)’ includes hardware, blockchain, quantum, payment, healthcare, PR, education, certification, design, and automotive. Data protection includes encryption/cryptography, VPN, privacy and backup. MSSP includes cybersecurity solution distributors and companies that provide security services but do not develop their own products or solutions. 

Related: Dozens of Cybersecurity Companies Announced Layoffs in Past Year

Related: Cybersecurity M&A Activity to Continue; Growth Funding to be More Conservative

Related: Cybersecurity Investment Remains Strong, M&A Activity Heads Toward New Annual Record


Many VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability


Unpatched and unprotected VMware ESXi servers around the world have been targeted over the past few days in a large-scale ransomware attack exploiting a vulnerability patched in 2021.

The attacks, dubbed ESXiArgs, are still being analyzed by the cybersecurity community, but based on the information available to date, it appears that threat actors are exploiting CVE-2021-21974, a high-severity ESXi OpenSLP heap-overflow vulnerability that VMware patched in February 2021. 

“A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution,” VMware said in its advisory at the time.

Proof-of-concept (PoC) code and technical details on CVE-2021-21974 were made public a couple of months after the patches were announced, but there do not appear to be any previous reports of the vulnerability being exploited in the wild. 

In the ransomware attacks that surged over the weekend, threat actors exploited the flaw to hack ESXi servers and deploy a piece of malware that encrypts files associated with virtual machines, including files with the .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, .vmem extensions, according to an analysis by French cloud company OVH.

The attacks seem to target vulnerable ESXi servers that are exposed to the internet on port 427. 

OVH noted that the malware shuts down VM processes before initiating its encryption routine, but the function does not seem to work properly. In some cases, files are only partially encrypted, allowing victims to recover them without paying a ransom. There is no evidence of data being stolen in the attacks. 

Researcher Enes Sonmez has found a way to recover some of the files encrypted by the ransomware.

The attacks were initially incorrectly attributed to ransomware named Nevada and Cheerscrypt (Emperor Dragonfly), but they were later linked to a new ransomware operation named ESXiArgs.

More than two thousand ESXi instances appear to be impacted according to Censys. Shodan shows roughly 800 compromised servers. 


At the time of writing, many antivirus engines cannot detect the ESXiArgs malware.

Government agencies in the United States and Europe are looking into these attacks and assessing their impact. 

While the malware does not appear to have file exfiltration capabilities, the ransom note dropped in the ESXiArgs attack informs victims that their data will be sold unless a payment is made. Victims are instructed to pay 2 bitcoins ($48,000) to receive the encryption key needed to recover files. 

Ransomware expert Soufiane Tahiri has been keeping track of the Bitcoin wallet addresses used by the cybercriminals.  

While it has become increasingly common for threat actors to target ESXi servers, the exploitation of ESXi vulnerabilities is rare. 

Related: VMware Patches VM Escape Flaw Exploited at Geekpwn Event

Related: VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities


US Downs Chinese Balloon Off Carolina Coast


President Joe Biden said on Saturday that he ordered U.S. officials to shoot down the suspected Chinese spy balloon earlier this week and that national security leaders decided the best time for the operation was when it got over water.

“They successfully took it down and I want to compliment our aviators who did it,” Biden said after getting off Air Force One en route to Camp David.

Fighter jets shot down the giant white balloon off the Carolina coast after it traversed sensitive military sites across North America and became the latest flashpoint in tensions between Washington and Beijing.

Defense Secretary Lloyd Austin said in a statement that Biden approved the shootdown on Wednesday, saying it should be done “as soon as the mission could be accomplished without undue risk to American lives under the balloon’s path.”

Austin said that due to the size and altitude of the balloon, which was moving at about 60,000 feet in the air, the military had determined that taking it down over land would pose an undue risk to people on the ground.

The balloon was spotted Saturday morning over the Carolinas as it approached the coast. In preparation for the operation, the Federal Aviation Administration (FAA) temporarily closed airspace over the Carolina coastline, including the airports in Charleston and Myrtle Beach, South Carolina, and Wilmington, North Carolina. The FAA rerouted air traffic from the area and warned of delays as a result of the flight restrictions.

An operation was underway in U.S. territorial waters in the Atlantic Ocean to recover debris from the balloon, which had been flying at about 60,000 feet and was estimated to be about the size of three school buses. The balloon was downed by Air Force fighter aircraft, according to two officials who were not authorized to publicly discuss the matter and spoke on condition of anonymity.

President Joe Biden had told reporters earlier Saturday that “we’re going to take care of it,” when asked about the balloon. The Federal Aviation Administration and Coast Guard worked to clear the airspace and water below the balloon as it reached the ocean.

Television footage showed a small explosion, followed by the balloon descending toward the water. U.S. military jets were seen flying in the vicinity and ships were deployed in the water to mount the recovery operation.

Officials were aiming to time the operation so they could recover as much of the debris as possible before it sinks into the ocean. The Pentagon had previously estimated that any debris field would be substantial.


The Coast Guard advised mariners to immediately leave the area because of U.S. military operations “that present a significant hazard.”

Biden had been inclined to down the balloon over land when he was first briefed on it on Tuesday, but Pentagon officials advised against it, warning that the potential risk to people on the ground outweighed the assessment of potential Chinese intelligence gains.

The public disclosure of the balloon this week prompted the cancellation of a visit by U.S. Secretary of State Antony Blinken to Beijing scheduled for Sunday for talks aimed at reducing U.S.-China tensions. The Chinese government on Saturday sought to play down the cancellation.

“In actuality, the U.S. and China have never announced any visit, the U.S. making any such announcement is their own business, and we respect that,” China’s Ministry of Foreign Affairs said in a statement Saturday morning.

China has continued to claim that the balloon was merely a weather research “airship” that had been blown off course. The Pentagon rejected that out of hand — as well as China’s contention that it was not being used for surveillance and had only limited navigational ability.

The balloon was spotted over Montana, which is home to one of America’s three nuclear missile silo fields at Malmstrom Air Force Base.

The Pentagon also acknowledged reports of a second balloon flying over Latin America. “We now assess it is another Chinese surveillance balloon,” Brig. Gen. Pat Ryder, Pentagon press secretary, said in a statement.

China’s Ministry of Foreign Affairs did not immediately respond to a question about the second balloon.

Blinken, who had been due to depart Washington for Beijing late Friday, said he had told senior Chinese diplomat Wang Yi in a phone call that sending the balloon over the U.S. was “an irresponsible act and that (China’s) decision to take this action on the eve of my visit is detrimental to the substantive discussions that we were prepared to have.”

Uncensored reactions on the Chinese internet mirrored the official government stance that the U.S. was hyping the situation. Some used it as a chance to poke fun at U.S. defenses, saying it couldn’t even defend against a balloon, and nationalist influencers leapt to use the news to mock the U.S.

China has denied any claims of spying and said it is a civilian-use balloon intended for meteorology research. The Ministry of Foreign Affairs emphasized that the balloon’s journey was out of its control and urged the U.S. not to “smear” it based on the balloon.


Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op


After the French satirical magazine Charlie Hebdo launched a cartoon contest to mock Iran’s ruling cleric, a state-backed Iranian cyber unit struck back with a hack-and-leak campaign that was designed to provoke fear with the claimed pilfering of a big subscriber database, Microsoft security researchers say.

The FBI blames the same Iranian cyber operators, Emennet Pasargad, for an influence operation that sought to interfere in the 2020 U.S. presidential election, the tech giant said in a blog published Friday. Iran has in recent years stepped up false-flag cyber operations as a tool for discrediting foes.

Calling itself “Holy Souls” and posing as hacktivists, the group claimed in early January to have obtained personal information on 200,000 subscribers and Charlie Hebdo merchandise buyers, according to Microsoft’s Digital Threat Analysis Center.

As proof of the data theft, “Holy Souls” released a 200-record sample with names, phone numbers and home and email addresses of Charlie Hebdo subscribers that “could put the magazine’s subscribers at risk for online or physical targeting” by extremists. The group then advertised the supposed complete data cache on several dark web sites for $340,000.

Microsoft said it did not know whether anyone purchased the cache.

A representative for Charlie Hebdo said Friday that the newspaper would not comment on the Microsoft research. Iran’s mission to the United Nations did not immediately respond to a request for comment Friday.

The Jan. 4 sample release coincided with the publication of Charlie Hebdo’s cartoon contest issue. Entrants were asked to draw offensive caricatures of Iran’s supreme leader, Ayatollah Ali Khamenei.

The French newspaper Le Monde verified multiple victims of the leak from the sample, Microsoft said. The Iranian cyber operators sought to boost news of the hack-and-leak operation — and fuel outrage at the cartoon edition — through fake French “sock-puppet” accounts on social media platforms that included Twitter, Microsoft said.

The operation coincided with verbal attacks by Tehran condemning Charlie Hebdo’s “insult.”

The provocatively irreverent magazine has a long history of publishing vulgar cartoons which critics consider deeply insulting to Muslims. Two French-born al-Qaida extremists attacked the newspaper’s office in 2015, killing 12 cartoonists, and Charlie Hebdo has been the target of other attacks over the years.

The magazine billed the Khamenei caricature contest as a show of support for nationwide antigovernment protests that have convulsed Iran since the mid-September death of Mahsa Amini, a 22-year-old woman detained by Iran’s morality police for allegedly violating the country’s strict Islamic dress code.

After the cartoon issue was published, Iran shut down a decades-old French research institute. Last week, it announced sanctions targeting more than 30 European individuals and entities, including three senior Charlie Hebdo staffers. The sanctions are largely symbolic as they bar travel to Iran and allow its authorities to block bank accounts and confiscate property in Iran.


Cyber Insights 2023: Venture Capital


About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

Cyber Insights | 2023

SecurityWeek Cyber Insights 2023 | Venture Capital – We are in a period of huge turmoil. Cybercrime is increasing and becoming more destructive, driven by better organized criminals and geopolitically active nation states. And many commentators believe there is a strong likelihood of a global recession before the end of 2023.

Here we have one simple question: how will these political/economic conditions affect venture funding for cybersecurity firms during 2023?

Background

The bad news in any economic downturn is that business suffers, profits dip, staff are laid off, and budgets are cut. The better news for cybersecurity vendors is that they are somewhat insulated from these effects. Cybercrime is more likely to increase than decrease during a recession, and businesses must retain a strong cybersecurity posture if they wish to survive. The demand for strong and proven security controls will continue.

At the same time, the availability of capital for investment in new and growing cybersecurity firms remains constant and high, and is largely unaffected by short term economic downturns. This available capital is known in the venture capital industry as ‘dry powder’ (capital that is available and ready for use).

None of this means that all cybersecurity vendors will survive the downturn, nor that all will remain profitable. At the very least, profits are likely to dip as business is forced to do more with fewer resources. Dry powder isn’t money to burn, and the venture capital industry will adapt its priorities for new and further investment to the current realities.

One area that will stand proud despite economic headwinds is the cloud. “Cloud software is the deflationary force enabling productivity in a high inflation environment. Cloud-native is not an option, it’s a necessity,” wrote Battery Ventures in its State of the OpenCloud 2022 report published in November 2022.

Dry powder

Dry powder is raised from the VC industry’s limited partners (LPs). These might be pension funds, endowments, family offices, sovereign wealth funds, and corporations. “Most funds operate on a ten-year lifecycle, with funds typically being deployed over the first four or five years of a fund’s life,” explains Sidra Ahmed, investment principal at Munich Re Ventures – explaining the continued availability of investment funds despite current economic conditions.

According to Pitchbook data, there was approximately $290 billion of cumulative dry powder committed to venture capital as of the first half of 2022. It is these funds that are called on when venture capitalists invest in companies. It must be said, of course, that VCs’ dry powder isn’t committed solely to cybersecurity firms, although cybersecurity remains a favored investment area.

Different VC organizations tend to specialize in different areas. For example, “YL Ventures raised its $400 million fifth fund at the beginning of 2022, dedicated exclusively to investing in Israeli cybersecurity startups,” explains Yoav Leitersdorf, managing partner at YL Ventures. “This fund has been used to invest in only a small number of companies to date, all of which are still in stealth, in line with our very disciplined strategy of investing strategically in a select number of exceptional startups.”

VC organizations try to use all the funds they get from their LPs – but not at any cost. They still need to demonstrate value to the LPs. Bad investments will lead to difficulties in raising new funds, while not using the funds raised is like a business unit not using its whole annual budget – it might lead to a lower budget next year.

The difficulty for cybersecurity firms in raising investment funds in 2023 will not be because the funds don’t exist, but because the VC firms will be taking more concern over where the funds are invested.

Effect of an economic downturn

“The pace of investing is certainly going to change,” comments Ahmed. “With more uncertainty around budgets and sales cycles, investors will spend more time assessing deals that are able to withstand a time of austerity – companies with critical productions and solutions will be prioritized. There will be a lot more scrutiny of deals, valuations, and co-investors. Investors will also be focused on supporting their own portfolios.”

Jake Heller, partner at KKR and head of tech growth equity Americas, believes the impact is unlikely to be felt evenly. “We have already seen the pullback in public markets affecting fundraising for some growth and early-stage companies,” he said. “In general, we expect the tightening of funding conditions to continue into 2023; however, we believe that capital will continue to be available to entrepreneurs and management teams who are able to effectively manage costs and allocate capital to growth opportunities with high potential for returns.”

Translated to the market, this all implies that startups, which don’t yet have sales targets they can miss, may be able to ride out a recession before they need to show sustained profits; mid-growth companies seeking growth funding are likely to suffer lower-than-expected profits and be less attractive to VCs; while established firms preparing for an IPO will likely need to survive the recession before proceeding. 

“Market conditions had a dramatic impact on 2022 funding rounds, and we aren’t out of the woods yet,” says Leitersdorf. “The fallout is trickling from the top down. IPOs dropped this year from thousands to just over 100, the lowest number since 2016. There was a near stall in growth stages and a significant slowdown in Series C and D rounds, a steep decline in Series B rounds and a struggle to raise significant Series A rounds.”

In short, money is still available for attractive startups (seed and possibly A rounds), will require deeper consideration for growth equity (B, C and D rounds), and is much more difficult for pre-IPO companies (E rounds and above). In the last case, venture firms are looking closely at M&As to consolidate and strengthen their existing investments – but in all cases (apart from startups) venture firms will concentrate on further investments in their existing portfolios. 

Outlook for startups

Leitersdorf remains upbeat on the prospects for investment in cybersecurity startups in 2023. “In today’s threat landscape, cybersecurity risks have become business risks. Organizations cannot afford to be lenient with threats to their assets, and executives now understand that security has a direct impact on their company’s reputation, business continuity and revenue,” he explains. 

“Therefore, security will continue to be top-of-mind, as long as attacks continue to grow and evolve, demanding new and equally sophisticated security solutions. We see that investors are still eager to invest in the most promising startups in our industry with the greatest potential to lead their categories in the future. Capital will continue to flow to this necessary sector, as new and more challenging problem spaces continue to emerge.”

DataTribe, which describes itself as a cyber startup foundry (both an incubator and VC firm), is more circumspect. Funding will be harder to obtain, and the bar potentially higher. John Funge, managing director, explains, “Looking ahead, 2023 will be a slog for startups raising money. It will take longer for startups to complete next rounds as venture firms are both focusing more attention on their current portfolio as well as being more selective in new investments.”

He believes there will be fewer deals. “There will be a ‘flight to quality’ and the bar for attracting funding will be higher. Top startups that are hitting performance metrics will get funded at valuations not too far off historical. However, startups with a few words that previously would have gotten funded may find it hard to get funded at all — versus getting funded on less attractive terms.”

But he adds, “Historically, some of the most successful technology companies started during downturns. We don’t see it being any different this time around. It will be a tricky period to be a pre-IPO company, but likely an excellent time to be starting a new venture.”

Outlook for growth funding

Growth funding will become more difficult in 2023, and potentially more necessary. “We’ve already seen growth rounds plummeting in 2022, and this trend will most likely continue into 2023,” explains Leitersdorf. “Capital is available, but it will become increasingly expensive, and investors will prefer to use it in order to fuel innovative, early-stage startups that will require less capital at lower valuations.” 

A particular problem for growth companies is in part historical. “The valuations of many growth-stage startups were significantly inflated in 2021 and were not based on sustainable growth metrics, revenue, or performance,” he continued. “Many of these growth-stage startups will be forced to raise funding in 2023 after scaling rapidly and burning through their capital in 2022. We, therefore, foresee an increase in growth rounds next year, most probably with unfavorable terms for founders, employees, and existing investors.”

But, adds Ahmed, “There is still a lot of capital available. Investors will be holding companies to their performance so we might see more down rounds into 2023.”

Bob Ackerman, founder of AllegisCyber and member of the board at DataTribe, agrees with this sentiment. “Undifferentiated and sub-critical mass cyber companies without truly compelling solutions are likely to be challenged as they go to the VC community for capital,” he said. “Investors will be materially more discriminating in the deployment of capital.”

Outlook for M&A consolidation

M&A activity has increased rapidly over the last few years. This trend will continue, driven by a number of different factors: desire among security users to consolidate their existing disparate security controls; a rush to the nearest exit point among startups; declining valuations making attractive targets; and a safe haven for further VC investments.

“The cybersecurity market is approaching bloated status,” comments Hank Thomas, CEO at Strategic Cyber Ventures. “There are too many vendors chasing the same dollars with similar technology. People in charge of purchasing decisions, often CISOs, are looking for more integrated security platforms and less point solution tools. PE firms and other later-stage investors are looking to bring in bigger players to serve as anchors for rollups and bolt on acquisitions.”

Will Lin, venture partner at Forgepoint Capital, agrees. “I believe that we’ll see security M&A significantly pick up in 2023. The main reason being that so many security companies have been created in the past couple of years. When so many of these companies, full of amazing talent, come up to the crossroads of M&A or raising their next round, I believe the market dynamics will re-shuffle in a way where M&A will be considered the best next step.”

Security vendors are seeking to support their users by consolidating point products from different vendors into integrated solutions from single vendors. “The rapid expansion of new security products has led to many organizations purchasing the ‘latest and greatest’ without having a strong integration plan in place,” explains Dave Gerry, CEO at Bugcrowd. “Without a clear deployment and integration plan, even the best security product will go underutilized. For the past few years, the industry has seen an incredible amount of M&A consolidation.”

This process will continue through 2023. “Security organizations are looking internally for ways to leverage existing tool sets or upgrade existing tool sets versus adding to their ever-growing technology stack,” he continued. “This growing need for security vendor consolidation will continue to be driven by both the cost of the security products and the limited internal resources to effectively operate the products.”

Ackerman agrees with this sentiment. “Investors will be materially more discriminating in the deployment of capital with a significant pick up in M&A activity as the market looks to consolidate point products into broader security platforms,” he suggests.

The second driver for M&A activity comes from the transition from early stage to growth requirements. Early stage is still attractive to investors — growth stage is more difficult. As startups burn through their early financing, they will find it more difficult to secure further growth funding — and may find an early exit an attractive option, bumping into the consolidation driver. 

This process may be actively promoted by the VC industry. “A new wave of innovation is needed in the security industry. Things have become stale,” explains Thomas. “VC investment will still drive innovation since larger companies often lose the ability to innovate, especially in security. As a result, we will see large entities acquiring VC backed companies earlier as established PE backed platform companies make tuck in and bolt-on acquisitions to remain relevant.”

Leitersdorf expands on this possibility. “Large security vendors such as Microsoft, SentinelOne, Akamai, CrowdStrike, IBM, CyberArk and Okta are strengthening their corporate development divisions and doubling down on in-house investment funds (CVCs), looking for strong talent and tech,” he said. “These venture arms of large security vendors will most likely become increasingly active in both investments and M&A deals in the coming years and make the option of acquisition more attractive for struggling startups.”

One effect of a downturn in the economy is that company valuations are lowered. This is already happening, and is likely to get worse in 2023. On December 14, 2022, the Federal Reserve raised interest rates by half a point — and US stock markets fell. The intention was to put a curb on high inflation rates, but it simultaneously increases the likelihood of a recession in 2023.

If this happens, company valuations will go lower. This in turn will make companies with good products but reduced valuations an attractive target for larger companies with money — and of course VC firms. VC firms will likely be driven to use their dry powder on their own existing portfolios rather than look for different companies in which to invest.

The current market conditions look set to promote increasing M&A activity through 2023. “The current state of the global economy will also encourage hyperscalers to move toward an M&A cyber strategy,” summarizes Simon Chassar, CRO at Claroty. “Furthermore, start-ups will struggle as we see less investment from PE or VCs, therefore creating an opportunity for some of the larger cash-strong security control companies to gain market share at a relatively low price.” 

What VCs look for…

2023 will be a year when the VC firms have money to invest, but the economic conditions will force them to be careful where they invest it. Cybersecurity will remain an attractive sector, but the security vendors will need to work harder to get new funding. Two questions come to mind: which security sectors are most attractive to the investors, and how do they choose a specific vendor?

Favored cybersecurity sectors

Heller believes that continuing digital transformation will provide new opportunities. “We believe that digital transformation, which has been accelerated by the global pandemic, will continue to create significant opportunities and challenges across industries and geographies,” he said. “These broader trends span new methods of collaboration, workforce transformation, cloud migration, automation and testing, supply-chain disruption, and digital adoption.”

Ahmed says her firm is focusing on data and the threats it faces. “With rapid cloud adoption, companies are struggling to understand where their data sits and how to put sufficient security and controls around it.” Furthermore, she adds, “The penalties regarding sensitive data being breached are increasing at an exponential rate globally, making it even more of a priority for companies to be sufficiently protected.”

And there are new and still evolving threats to data. “As more companies adopt machine learning and analytical models to make data-driven decisions,” she continued, “there is now a need to protect data (and the models we build on the data) from being compromised. There are also questions around the validity of data and how to discern true data and information from coordinated disinformation campaigns and narratives.”

Leitersdorf adds identity to data as an area attractive to investors. “Malicious cyber actors have focused their most egregious attacks on two specific vectors in the past two years – data and identity,” he says. Attackers have leveraged the gaps, misconfigurations and problems surrounding credentials, identity, and access provisions to steal data. This will continue.

“Therefore,” he continued, “we have been focusing our attention on innovative security solutions that strive to tackle these problems and ensure that organizational security postures are strengthened accordingly.”

Favored companies

While different VCs may be attracted to different cybersecurity sectors, they must still choose which individual companies to support. “A large part of the decision is based on the management team and our perception of its ability to execute on the vision effectively, and evolve that vision over time,” said Ahmed. “Other criteria include tech differentiation, product vision, competition, size of market and TAM [total addressable market], and path to exit.”

Leitersdorf takes an almost identical stance. “The technology must be remarkable, deep, and innovative – that’s a given. However, even the most groundbreaking idea and cutting-edge tech won’t develop into a top-tier startup without an exceptional team,” he explained. 

“We invest in strong teams that combine determination, talent, and an unrelenting passion for solving the most acute problem spaces in cybersecurity. The cybersecurity market is saturated with startups solving niche problems, and we’re looking for founders that stand out, go big and break the mold.”

The same goes for Heller. “Once we have found a sector we like, we generally look for companies that are market leaders or have a real competitive advantage. Cultural fit and alignment is also very important to us and in many cases, we have built relationships with the entrepreneurs and management teams we’re investing in over multiple years.”

The basic conclusion is that prospective vendors won’t get consideration without an excellent product in an expanding or vital sector. But where two attractive companies exist, the one with the stronger management team is more likely to succeed.

Summary

Acquiring venture capital in 2023 may be more difficult than it has been in recent years, but it remains viable and available. “In 2023, cyber will be softer but will remain a bright spot for investing,” explains Funge. “Compared to the nearly 24% year-on-year decline in deal activity across all verticals, cyber deal activity across all investment stages is down only 3%.”

What will change most is the decision-making process of the VC firms. They will still wish to invest, and probably at the same overall levels they have been investing. But fears of bad investments in a down economy will make them concentrate on areas that give them the greatest confidence. This may mean more money going to fewer companies. While B, C and D rounds may be left with difficult, declined, or down rounds, seed and Series A rounds might reach new heights. Any money left over will be focused into M&A.

Related: North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains

Related: What’s Going on With Cybersecurity VC Investments?

Related: How VCs Choose Which Startups to Fund in Challenging Times

Related: YL Ventures Closes $400 Million Cybersecurity Investment Fund

The post Cyber Insights 2023: Venture Capital appeared first on SecurityWeek.

Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication


Exploitation attempts targeting a critical-severity Oracle E-Business Suite vulnerability have been observed shortly after proof-of-concept (PoC) code was published.

One of the major Oracle product lines, the E-Business Suite is a set of enterprise applications that help organizations automate processes such as supply chain management (SCM), enterprise resource planning (ERP), and customer relationship management (CRM).

Tracked as CVE-2022-21587 (CVSS score of 9.8), the exploited flaw was identified in the Web Applications Desktop Integrator of Oracle’s enterprise product and was addressed as part of Oracle’s October 2022 Critical Patch Update.

According to a NIST advisory, unauthenticated attackers with network access via HTTP can easily exploit the security defect to compromise the Web Applications Desktop Integrator and take it over.

This week, CISA added CVE-2022-21587 to its Known Exploited Vulnerabilities (KEV) catalog, urging Oracle customers to apply the available patches as soon as possible.

The first exploitation attempts, however, were observed on January 21, Shadowserver warned last week.

“Since Jan 21st we are seeing exploitation attempts in our honeypot sensors for Oracle E-Business Suite CVE-2022-21587 (CVSS 9.8 RCE) shortly after a PoC was published,” Shadowserver said.

The PoC came from Vietnam-based cybersecurity firm Viettel Cyber Security, which on January 16 published a detailed analysis of the vulnerability and potential exploitation avenues.

According to Shadowserver data, the number of observed exploitation attempts is currently low. However, threat actors are known to target unpatched Oracle products, and the number of attacks may increase shortly.

This week, CISA also warned of observed exploitation of CVE-2023-22952, a high-severity remote code execution flaw in SugarCRM.

Impacting the EmailTemplates module, the vulnerability is described as a missing input validation defect that allows an attacker to inject custom PHP code using crafted requests. Patches for this vulnerability were released on January 11, 2023.

In January, shortly after exploitation began, Censys reported seeing hundreds of SugarCRM servers being hacked using CVE-2023-22952.

Related: Exploited Control Web Panel Flaw Added to CISA ‘Must-Patch’ List

Related: CISA Says Two Old JasperReports Vulnerabilities Exploited in Attacks

Related: CISA Warns Veeam Backup & Replication Vulnerabilities Exploited in Attacks

The post Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication appeared first on SecurityWeek.

GoAnywhere MFT Users Warned of Zero-Day Exploit


Users of the GoAnywhere secure managed file transfer (MFT) software have been warned about a zero-day exploit that malicious actors can target directly from the internet. 

The GoAnywhere MFT is made by Fortra, known until recently as HelpSystems, and it’s designed to enable organizations to automate and secure the exchange of data with their trading partners.

Cybersecurity blogger Brian Krebs broke the news about the zero-day vulnerability on Thursday, saying that the company had temporarily implemented a service outage in response.

An advisory obtained by Krebs — it can only be accessed by authenticated users — describes it as a zero-day remote code injection exploit and says that “the attack vector of this exploit requires access to the administrative console of the application”. 

According to the vendor, the vulnerable admin console should in most cases only be accessible from within a company’s network, through a VPN, or only by trusted IP addresses. However, the company has admitted that some GoAnywhere users may be exposing the console to the public internet.

Fortra noted that the web client interface, which is typically accessible from the internet, is not affected by the exploit. 

The advisory doesn’t clearly say that the vulnerability has been exploited in the wild, but active exploitation is likely, considering that it has been described as a zero-day. In addition, the vendor provides instructions on how customers can check if their system has been compromised.

The best indicator of compromise (IoC), according to the advisory, is the presence of suspicious administrator accounts that may have been created by malicious actors. 
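Since the advisory's main indicator is an administrator account nobody authorized, the check worth automating is a comparison of the accounts that exist against the accounts that should exist, with the accounts created inside the exposure window singled out. The following is an added example, not Fortra's tooling or anything from the advisory. The CSV layout of the admin-user export is a constructed, hypothetical format, as are the account names and the cut-off date; substitute whatever export or database query your instance actually provides.

```python
"""Triage an administrator-account list for the indicator the Fortra
advisory describes: admin accounts that nobody authorized.

Added example, not Fortra's own tooling. The CSV columns below are an
assumed export format; adapt them to your instance."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample export of the admin user table (hypothetical layout).
SAMPLE_EXPORT = """username,created_at,created_by,last_login
admin,2021-03-02T09:15:00Z,installer,2023-01-30T08:01:00Z
j.doe,2022-06-14T13:40:00Z,admin,2023-02-01T17:22:00Z
svc_backup,2022-11-01T07:00:00Z,j.doe,2023-01-28T02:00:00Z
sysadmin2,2023-01-29T03:12:41Z,admin,2023-01-29T03:13:02Z
support,2023-01-29T03:14:10Z,sysadmin2,2023-02-02T11:05:00Z
"""

# Accounts your change records say should exist (constructed list).
APPROVED_ADMINS = {"admin", "j.doe", "svc_backup"}


def _parse_ts(value):
    """Parse the export's UTC timestamps (assumed ISO-8601 with trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Start of the window in which the console may have been reachable (assumed).
WINDOW_START = _parse_ts("2023-01-01T00:00:00Z")


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str


def find_suspicious_admins(export_csv, approved, window_start):
    """Flag accounts that are unapproved, were created inside the exposure
    window, or were created by an account that is itself flagged.

    Rows are processed in creation order so that a rogue account is
    classified before any accounts it went on to create."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    findings = []
    suspect = set()
    for row in sorted(rows, key=lambda r: _parse_ts(r["created_at"])):
        name = row["username"]
        created = _parse_ts(row["created_at"])
        reasons = []
        if name not in approved:
            reasons.append("not in approved admin list")
        if created >= window_start:
            reasons.append(f"created {created.isoformat()} inside exposure window")
        if row["created_by"] in suspect:
            reasons.append(f"created by suspect account {row['created_by']}")
        if reasons:
            suspect.add(name)
            findings.append(Finding(name, "; ".join(reasons)))
    return findings


def audit_sample():
    """Run the check over the constructed export with the constructed baseline."""
    return find_suspicious_admins(SAMPLE_EXPORT, APPROVED_ADMINS, WINDOW_START)


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding.username}: {finding.reason}")
```

On the constructed sample this reports `sysadmin2` (unapproved, created inside the window) and `support` (unapproved, created inside the window, and created by the already-suspect `sysadmin2`), while the three baseline accounts pass. The second rule matters in practice: once one rogue administrator exists, any account it created inherits the suspicion regardless of how plausible its name looks, so the whole chain gets removed rather than just the first account found.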

The advisory does not mention a patch, but it does recommend mitigations that should prevent exploitation. There is also no mention of a CVE identifier for the vulnerability in the advisory obtained by Krebs. 

Security researcher Kevin Beaumont has conducted a Shodan search and found roughly 1,000 internet-exposed systems, the majority located in the United States. However, some of the results are clearly labeled as being associated with the web client, which Fortra says is not impacted. 

Related: Zero-Day Vulnerability Exploited to Hack Over 1,000 Zimbra Email Servers

Related: US Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day

Related: Accellion Failed to Notify Customers of FTA Zero-Day

The post GoAnywhere MFT Users Warned of Zero-Day Exploit appeared first on SecurityWeek.