Wednesday, September 7, 2022

VC investment in cybersecurity cools off in Q2 2022

The cybersecurity startup market has cooled in recent months amid a broader tech slowdown:

  • PitchBook stated that infosec market funding was $3.2b in Q2 2022, down 45% from Q1. Exits fell to 13 in Q2 2022 -- their lowest level since 2018.
  • Separately, DataTribe reported that median valuations for cyber startups fell to $12m in Q2, down 33% from $18m in Q1.

From a broader perspective:

  • The cyber market's long-term prospects remain strong -- the global cybersecurity market is projected to grow at a 13.4% CAGR through 2029.
  • The industry is now inundated with vendors -- most venture-backed, many cash-flow negative. Scores of these new vendors will lay off staff, merge or fail. Some tips for enterprise customers on managing this turmoil:
    • Create a 2x2 with “Criticality to our Ops” vs. “Financial Viability” as the axes -- plot your vendors.
    • Focus on high-risk vendors & ask leadership (not the sales reps): “What’s your monthly cash burn?” and “How much money is in your account?”
    • Start scenario-planning on what you would do if “Vendor X” cuts staff, gets bought or shutters.


Tuesday, September 6, 2022

Nokia's equipment is powering Putin’s surveillance apparatus

  • Despite stopping sales in Russia, Nokia’s equipment continues to power Moscow’s digital surveillance apparatus:
    • For 5+ years, Nokia provided equipment to link the System for Operative Investigative Activities (SORM) to MTS, Russia’s largest telecom provider:
      • FSB -- Russia’s main intelligence service -- uses SORM to listen in on phone conversations & it is being used to crack down on domestic dissent against the invasion of Ukraine.
    • Nokia acknowledged providing the equipment & stated that Russian law required it to make products enabling Russian telecoms to connect with SORM.
    • Nokia executives first pled innocence. When confronted with internal docs, they suggested that if they had not served the FSB, then Huawei would have.


  • The FBI issued a warning to crypto investors about the risks of decentralized finance (DeFi) platforms:
    • Between Jan. & March 2022, cybercriminals stole $1.3 billion in cryptocurrencies -- almost 97% of which came from DeFi platforms.
    • Unlike traditional banks, DeFi platforms aren’t backed by govt insurance policies, meaning investors have little recourse to recover hacked/stolen funds.
  • Fraud, illicit transactions & hacks are pervasive in the crypto market -- hackers now manipulate DeFi platforms’ own governing mechanisms to steal funds:
    • DeFi systems incurred $10.5 billion in criminal losses in 2021.
    • 99% of hacked cryptocurrencies in Q1 2022 were stolen as a result of software exploits.



Tuesday, August 16, 2022

Mailchimp hacked to target crypto customers

Hackers gained access to Mailchimp's internal customer support and account management tools, stole audience data and used it to conduct phishing attacks. They then targeted users of the Trezor hardware cryptocurrency wallets.

Users of such wallets received emails claiming that the wallet company had suffered a data breach and prompting them to reset their hardware wallet PINs by downloading malicious software, which allowed the hackers to steal the cryptocurrency stored in the wallet.

Friday, July 29, 2022

Latest report on cost of breaches

In a recent survey conducted by IBM, based on data from 550 global organizations across 17 sectors that experienced data breaches between March 2021 and March 2022, the average cost of a breach was $4.35 million. By industry sector:

  • Healthcare: $10.1m
  • Financial: $6.0m
  • Pharmaceuticals: $5.0m
  • Technology: $5.0m
  • Energy: $4.7m
  • Industrial: $4.5m
  • Education: $3.9m
  • Transportation: $3.6m
  • Retail: $3.3m
  • Public Sector: $2.1m

The numbers from last year's IBM survey were:

  • Healthcare: $9.2m
  • Finance: $5.7m
  • Pharmaceuticals: $5m
  • Technology: $4.9m
  • Energy: $4.7m
  • Services: $4.7m
  • Industrial: $4.2m
  • Global average: $4.2m
  • Entertainment: $3.8m
  • Education: $3.8m
  • Transportation: $3.8m

Thursday, June 30, 2022

Crypto hacking has become North Korea's key source of income

North Korea’s army of 6,800 hackers has stolen millions in cryptocurrency in recent years -- helping the regime withstand economic sanctions & run its nuclear program.

  • North Korean hackers stole $400m in cryptocurrency in 2021 & close to $1B so far in 2022 (the country earned only $89m in official exports in 2020).

  • In April 2022, the U.S. Treasury Dept. linked North Korea’s Lazarus hacking group to the theft of $620 million in cryptocurrency from the videogame Axie Infinity.

The lack of regulation and compliance rules, as well as the decentralized nature of cryptocurrency platforms, has made it easier for North Korean hackers to move the stolen funds around and eventually cash out.


Friday, April 29, 2022

15.3M rps DDoS attack blocked at Cloudflare

This attack was at the application layer, which is more expensive to launch because the attacker must first complete a TLS handshake for each connection.

The attack was against a crypto launchpad. 

This attack was launched from a botnet of approximately 6,000 unique bots. It originated from 112 countries around the world. Almost 15% of the attack traffic originated from Indonesia, followed by Russia, Brazil, India, Colombia, and the United States.


https://blog.cloudflare.com/15m-rps-ddos-attack/


Thursday, April 7, 2022

Security operations functions

- Threat intelligence: identify the adversary, extract TTPs, create a plan (e.g. will the procedure the adversary uses trigger alerts?). A good source for TTPs: https://www.thedfirreport.com

- Security operations centers

- Threat hunting

- Incident response

- Forensics

- Vulnerability management/Blue team

- Red team (offensive. Stealth engagement)

- Purple team (virtual team)

Below is the procedure for the purple team exercise against a TTP. It is important to measure how quickly an attack can be detected and responded to, to limit the potential damage. 



Another crypto hack via cross-chain bridge

Ronin is a sidechain of Ethereum. It is where the play-to-earn game Axie Infinity runs. 

The reason that the game runs on Ronin instead of directly on Ethereum is simple: Ethereum is slow and expensive.

To let people swap between the tokens of the Axie ecosystem (SLP, AXS, RON, WETH) and mainstream tokens that they manage with popular digital wallets such as MetaMask, Ronin developed a bridge between the Ronin network and Ethereum. A bridge is a pair of smart contracts, one on each side, that lock and release tokens and guarantee payment versus payment (PvP).

The weak point: Ronin's bridge had only nine validator nodes running a proof-of-authority (PoA) protocol. The hacker compromised 5 of those nodes and therefore held the majority needed to sign bogus withdrawal transactions.

The end result: 173,600 ETH and 25.5 million USDC that had been locked in the bridge were drained. At prices as of the hack, this was worth more than $625 million.
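As an added illustration (a constructed model, not Ronin's or Axie Infinity's code) of why the validator count and signing threshold are the bridge's real security parameter: a 5-of-9 quorum check in which HMAC stands in for validator signatures, beside a hardened variant (an assumption of this example, not a Ronin design) that caps how many signatures one operator may contribute, so a single compromised operator cannot fill the quorum alone.

```python
import hmac
import hashlib

# Constructed model of a bridge validator set (not Ronin's code): a withdrawal
# is released only when at least THRESHOLD distinct validators sign it.
N_VALIDATORS = 9
THRESHOLD = 5  # the 5-of-9 majority described above
# Constructed secrets; HMAC-SHA256 stands in for each validator's signing key.
KEYS = {f"validator-{i}": f"constructed-secret-{i}".encode() for i in range(N_VALIDATORS)}

def sign(validator: str, withdrawal: str) -> str:
    """A validator signs a withdrawal message."""
    return hmac.new(KEYS[validator], withdrawal.encode(), hashlib.sha256).hexdigest()

def valid_signers(withdrawal: str, signatures: dict) -> set:
    """Known validators whose signature over this withdrawal verifies."""
    return {v for v, s in signatures.items()
            if v in KEYS and hmac.compare_digest(sign(v, withdrawal), s)}

def release_allowed(withdrawal: str, signatures: dict, threshold: int = THRESHOLD) -> bool:
    """Plain majority rule: any `threshold` valid validator signatures suffice."""
    return len(valid_signers(withdrawal, signatures)) >= threshold

def release_allowed_diverse(withdrawal: str, signatures: dict, operator_of: dict,
                            max_per_operator: int, threshold: int = THRESHOLD) -> bool:
    """Hardened variant (an assumption of this example, not a Ronin design):
    signatures from one operator count only up to max_per_operator, so a single
    compromised operator's keys cannot fill the quorum by themselves."""
    per_operator = {}
    for v in valid_signers(withdrawal, signatures):
        per_operator[operator_of[v]] = per_operator.get(operator_of[v], 0) + 1
    return sum(min(n, max_per_operator) for n in per_operator.values()) >= threshold

def demo() -> tuple:
    """Five keys in one party's hands: quorum met under the plain rule, refused
    when four of those keys trace back to a single operator (cap of 2)."""
    withdrawal = "withdraw 173600 ETH to account 42"  # constructed message
    sigs = {f"validator-{i}": sign(f"validator-{i}", withdrawal) for i in range(5)}
    operator_of = {f"validator-{i}": "op-A" if i < 4 else f"op-{i}"  # constructed map
                   for i in range(N_VALIDATORS)}
    return release_allowed(withdrawal, sigs), release_allowed_diverse(withdrawal, sigs, operator_of, 2)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The same five signatures pass the plain threshold and fail the diversity rule, which is the check a defender would want before trusting a small validator set.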


https://blog.mollywhite.net/axie-hack/

https://rekt.news/


Wednesday, April 6, 2022

Third-party, social engineering, cryptocurrencies

This attack is hitting multiple buzzwords.

MailChimp has confirmed that some of their employees fell for a social engineering attack that led to the theft of their credentials.

"The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised."

These credentials were used to access 319 MailChimp accounts and to export "audience data," likely mailing lists, from 102 customer accounts.

In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, which have now been disabled and can no longer be used.

Using these compromised API keys, a threat actor can create custom email campaigns, such as phishing campaigns, and send them to mailing lists without accessing MailChimp's customer portal.

This attack is reminiscent of recent breaches by the Lapsus$ hacking group, who used social engineering, malware, and credential theft to gain access to numerous well-known companies, including Nvidia, Samsung, Microsoft, and Okta.

The Okta breach was accomplished through a similar method as MailChimp, by social-engineering a contractor who had access to internal customer support and account management systems.


Hydra was shut down

U.S. & German law enforcement announced the shutdown of Hydra -- a Russian “darknet” marketplace that facilitated ransomware, drug deals & other crimes.

  • Hydra accounted for 80% of all darknet-related cryptocurrency transactions in 2021 & cleared $5.2b in crypto since 2015.

German authorities secured Hydra’s servers, closed the service & seized $25 million worth of bitcoin.

In the context of sanctions against Russia, shutting down Hydra became a priority as the U.S. & its allies want to cut off any potential backdoor funding for Putin’s regime.

In this area, the following are recent accomplishments:
  • In Feb. 2022, the DoJ seized $3.6b in bitcoin stolen during a 2016 hack of Bitfinex -- the agency’s largest ever financial recovery.
  • In Nov. 2021, U.S. & EU authorities arrested multiple hackers affiliated with REvil & the DoJ recovered $6.1m tied to REvil ransom profits.
  • In June 2021, U.S. law enforcement recovered $2.3m of the ransom Colonial Pipeline paid when it was hit by ransomware.
Additional actions that should be considered:
  • Shut down support infrastructure: including the hardware/software vendors, malware developers, money launderers & others that enable criminal gangs.
  • Regulate exchanges: Regulate crypto exchanges under the same rules as U.S. brick-and-mortar banks.
  • Sanction offshore exchanges: Deny offshore crypto exchanges access to U.S. markets if they don’t prevent ransomware payouts.
  • Require ransomware disclosures: Breach disclosures by private companies would improve the chances of decrypting data or tracing payments.

Sunday, March 13, 2022

New hacking activities by APT-41 (China)

APT41 spies broke into 6 US state networks via a livestock app. The China-affiliated state-sponsored threat actor used Log4j and zero-day bugs in the USAHerds animal-tracking software to hack into multiple government networks.

In a report published by Mandiant on Tuesday, researchers described a prolonged incursion conducted by APT41. They detected the activity in May 2021 and tracked it through last month, February 2022, observing the spy group pry open vulnerable, internet-facing web apps that were often written in ASP.NET.

APT41 – aka Winnti, Barium, Wicked Panda, or Wicked Spider – is an advanced persistent threat (APT) actor known for nation-state-backed cyber espionage, supply-chain hits, and profit-driven cybercrime.

Back in 2020, the DoJ indicted five Chinese nationals linked to APT-41 for allegedly hacking into more than 100 companies in the U.S. and abroad, including social-media firms, universities & telecoms.

https://www.mandiant.com/resources/apt41-us-state-governments

Tuesday, March 1, 2022

Toyota halted production at all 14 of its Japanese factories due to a cyberattack against Kojima Industries -- an auto parts supplier. Kojima, whose website remains down as of Tuesday, first identified the attack on Saturday & subsequently shut down its entire computer network to prevent the malware from spreading. Japanese factories account for one-third of Toyota’s annual production.

Lessons learned: you are only as secure as your least-secure vendor. Recommendations on managing supply chain risks:

  • Incorporate a higher probability of third-party attacks into threat models & vendor risk management policies.
  • Review third-party MSPs’, cloud providers’ & software vendors’ access levels -- minimize to the extent possible.
  • When existing partners don’t measure up, require them to make improvements.
  • Do not do business with third-parties whose security practices are inadequate.

Friday, February 18, 2022

US DoJ's Virtual Asset Exploitation Unit

Deputy AG Lisa Monaco announced the creation of the Virtual Asset Exploitation Unit -- a team tasked with training FBI agents to trace the flow of illicit cryptocurrency transactions.

The team will work with the DoJ’s newly launched National Cryptocurrency Enforcement Team to investigate & prosecute criminal misuses of cryptocurrency:

“This unit will combine cryptocurrency experts into one nerve center,” Monaco stated. 

Monaco’s announcement follows the DoJ’s largest ever financial recovery last week -- $3.6b in bitcoin stolen during the 2016 hack of Bitfinex.

“My message to cybercriminals is clear: The long arm of the law can and now will stretch much farther into cyberspace than you think,” Monaco stated.

Criminal groups -- often protected by nation states -- use cryptocurrencies because of their anonymity, appreciation & transaction ease:

  • Stealing from exchanges: Hackers stole $14 billion in cryptocurrency in 2021 via theft & fraud -- a 79% increase over 2020.
  • Ransomware payments: Hackers obtained $602m in cryptocurrency via ransomware in 2021.

https://www.nytimes.com/2022/02/17/us/politics/justice-department-cybersecurity.html?


Wednesday, February 16, 2022

Recent hacking activities by APT-27 (China)

The International Committee of the Red Cross (ICRC) put out the press release linked below in mid-February 2022. An APT group had been in their systems for a while. The initial compromise appears to be CVE-2021-40539, a flaw in a web authentication module. APT27 is known to exploit this CVE and to deploy the web shells in question.

https://www.icrc.org/en/document/cyber-attack-icrc-what-we-know

Earlier in 2022, the German government warned that APT-27 hackers were backdooring business networks using the HyperBro remote access trojan (RAT).

https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/


Tuesday, February 15, 2022

A case of Hacktivism

In the wake of the recent Canadian trucker protests, a group of angry anonymous hackers leaked details of 92,000 donations supporting the truckers made through the crowdfunding website GiveSendGo.

The data leak included a video in which the hackers complained that the protests had “held a city hostage.”

The leaked data contained a record for each donation that included the donor’s name, ZIP code, & email address.

https://www.nytimes.com/2022/02/14/world/canada/canada-trucker-protests-donations.html?

Tuesday, February 1, 2022

The Chinese govt is repurposing its COVID health and contact tracing app to elevate its surveillance of citizens, including criminals and dissidents. The government can turn a person's health app red to prevent that person from travelling.

In a recent case, a human-rights lawyer’s health app was suddenly switched to “red” when he attempted to travel to Shanghai to meet a dissident. 

This authoritarian approach has been consistent ever since the Chinese Communist Party took control of the mainland in 1949, only becoming more powerful in the last twenty years or so with the installation of millions of cameras to watch every street corner, and now with these apps to watch and control every citizen's movement.

For people living in China, there is no escape in sight. Perhaps they can get some freedom in the metaverse space? It's not hard to imagine that even that may soon be under surveillance by the CCP.

https://www.nytimes.com/2022/01/30/world/asia/covid-restrictions-china-lockdown.html?