More stories


    Cybersecurity M&A volume reaches $77.5 billion in 2021: report

    Mergers and acquisitions in cybersecurity grew to $77.5 billion in 2021, according to research from cybersecurity consultancy Momentum. In a report on 2021, the firm said 83 cybersecurity company capital raises surpassed $100 million. There were fourteen $1 billion mergers and acquisitions, including deals involving McAfee, Auth0, Mimecast, Thycotic, Proofpoint, and Avast.


    Proofpoint was acquired in August 2021 for $12.3 billion in cash, while NortonLifeLock merged with Avast PLC in an $8.4 billion deal. Okta acquired Auth0 for $6.4 billion, and Symphony Technology Group bought McAfee’s enterprise security business for $4 billion. There were more than 1,000 financing deals involving cybersecurity companies and 286 mergers and acquisitions. There were five cybersecurity IPOs in 2021 — KnowBe4, DarkTrace, SentinelOne, Riskified, and ForgeRock — with an average IPO raising $467 million.

    The numbers far surpassed 2020, which saw 728 deals with cybersecurity companies and $19.7 billion in mergers and acquisitions activity.

    The top categories for financing, mergers, and acquisitions include security consulting/MSSP, risk and compliance, cloud security, data security, and threat intel/incident response. The top categories for VC financing ranged from risk and compliance to data security, network security, and infrastructure security. Dave DeWalt, founder of late-stage cybersecurity VC firm NightDragon and a contributor to the report, told ZDNet that the industry is in the midst of a perfect storm of factors that are causing the greatest level of cybersecurity risk that we have ever seen.

    “This includes factors like geopolitical tensions and crises, increasing digitization of technology, work from home, spread of IoT devices, cloud and more. The cybersecurity industry must innovate to match these new trends, and we are seeing a significant increase in funding to fuel that growth,” DeWalt said. “We are entering a new era of cyber ubiquity, where cybersecurity needs to be a piece of every technology and service available, from the cars we drive, to our corporate networks to our mobile devices. I expect we will see cybersecurity investment continue to increase for at least the next decade as we evolve into this new era.”
    Bob Ackerman, founder of VC firm AllegisCyber Capital, added that the venture ecosystem “has a herd mentality” and will tend to over-capitalize sectors they believe have tremendous promise. Investment capital is flooding into the cybersecurity ecosystem, driven largely by explosive demand for cyber defense, according to Ackerman.


    “The level of investment is a pure reflection of both the need and the opportunity. In cyber, the stakes are incredibly high; the consequences of getting it wrong — unacceptable; the landscape complex; and the pace of change hard to fathom. You cannot over-invest in cutting edge innovation in this environment. That said, you can over-invest in commodity capabilities and under-invest in essential next generation innovation,” he explained. “The digitization of the Global Economy has fueled explosive growth in the cyber attack surface. Seeking to exploit this environment, the entire spectrum of bad human behavior at every level is also digitizing. The consequence is that every aspect of our lives — business, education, healthcare, critical infrastructure, government, travel, finance, etc. is at extreme risk. Cyber is truly one of the existential risks of the 21st century. The stakes could not be higher, and that drives the demand for effective cyber defenses, which in turn fuels investment in cyber innovation.”

    The report comes amid news that Microsoft was considering acquiring Mandiant and that Cisco was mulling a $20 billion deal for Splunk.



    Patch now: Adobe releases emergency fix for exploited Commerce, Magento zero-day

    Adobe has released an emergency patch to tackle a critical bug that is being exploited in the wild. 

    On February 13, the tech giant said that the vulnerability impacts Adobe Commerce and Magento Open Source, and according to the firm’s threat data, the security flaw is being weaponized “in very limited attacks targeting Adobe Commerce merchants.” Tracked as CVE-2022-24086, the vulnerability has been issued a CVSS severity score of 9.8 out of 10, the maximum severity rating possible.

    The vulnerability is an improper input validation issue, described by the Common Weakness Enumeration (CWE) category system as a bug that occurs when a “product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.” CVE-2022-24086 does not require any administrator privileges to trigger; Adobe says the critical, pre-auth bug can be exploited to execute arbitrary code.

    Because the vulnerability is severe enough to warrant an emergency patch, the company has not released any technical details, which gives customers time to apply the fixes and reduces the risk of further exploitation.

    The bug impacts Adobe Commerce (2.3.3-p1 through 2.3.7-p2) and Magento Open Source (2.4.0 through 2.4.3-p1), as well as earlier versions.

    Adobe’s patches are available for download and must be applied manually. Earlier this month, Adobe issued security updates for products including Premiere Rush, Illustrator, and Creative Cloud. That patch round tackled vulnerabilities leading to arbitrary code execution, denial-of-service (DoS), and privilege escalation, among other issues.

    Last week, Apple released a fix in iOS 15.3.1 to squash a vulnerability in Apple’s Safari browser that could be exploited for arbitrary code execution. In February’s Patch Tuesday, Microsoft resolved 48 vulnerabilities, including one publicly known zero-day security flaw.


    Pezzullo frames Critical Infrastructure Bills as 'defence' and ransomware plan as 'offence'

    At the end of last year, Australia’s Security Legislation Amendment (Critical Infrastructure) Act 2021 became law to give government “last resort” powers to direct an entity when responding to cyber attacks, which included introducing a cyber-incident reporting regime for critical infrastructure assets. Those laws were originally drafted to be wider in scope, with Home Affairs proposing other obligations for organisations within critical infrastructure sectors. Provisions seeking to enshrine those obligations were eventually set aside, however, with the federal government deciding to follow a recommendation made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) to have those omitted aspects introduced under a second Bill.

    That second Bill, the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, was introduced into Parliament by Home Affairs Minister Karen Andrews last week. In this second Bill, the federal government is seeking to introduce risk management programs for critical infrastructure entities and enhanced cybersecurity obligations for those entities most important to the nation, which include providing reports of system information and risk assessments to the Australian Signals Directorate (ASD). The risk management program obligation, if it were to become law, would apply to entities within the 11 sectors classified as critical infrastructure sectors in the first Bill. The enhanced cybersecurity obligations, meanwhile, would apply to a smaller subset of entities that hold assets classified as systems of national significance.

    Appearing before Senate Estimates on Monday morning, Home Affairs Secretary Mike Pezzullo said the Bill before Parliament would create a standardised critical infrastructure framework that would enable the ASD to approach cyber attacks in a precautionary fashion, thanks to the additional information it would receive.

    “Up until now, we haven’t had common nomenclature, we haven’t had common reporting cadences, we haven’t had common reporting thresholds. Should the second Bill pass, obviously, we’re in the hands of the Parliament, what that will do is provide a standardised framework for both regulating and operating across the 11 designated sectors,” Pezzullo said.

    He also likened the pair of critical infrastructure Bills to Australia’s “defence” against cyber attacks, whereas the national ransomware plan acts as the “offence”.

    “You’ve got to go on the offence, which is where the government ransomware action plan takes you. We’ve also got to play defence, that is to say, you’ve got to mitigate the risk as much as you can because today the attack vector is ransomware. The criminal and state actors who use ransomware will, once [it’s been thwarted], will then find another way,” he said.

    Home Affairs also made a submission to the PJCIS, which commenced a new inquiry to scrutinise the Bill on the same day it was introduced into Parliament. In the submission, Home Affairs said the cost for each entity to run the risk management program would, on average, consist of a one-off AU$9.7 million for setting it up and an ongoing cost of AU$3.7 million a year. Due to the cost and additional regulatory burden that the Bill would place on these critical infrastructure entities, which include universities, Home Affairs said it has been working closely with industry experts and stakeholders from across the designated sectors on how best to handle that regulatory burden. Home Affairs said the program was drafted following over 100 engagements with those experts and stakeholders.

    Later in the day, another Home Affairs representative provided Senate Estimates with more information about its search for a vendor to perform work on the country’s identity-matching services.
    Home Affairs National Resilience and Cybersecurity deputy secretary Marc Ablong said his department’s search is for a vendor to manage the country’s identity-matching services and the underlying infrastructure. “It’s not about moving forward on the identity matching services beyond what we currently have approval for,” Ablong said.

    The country’s identity-matching services currently consist of three components, one being the DVS, a national online service used to check in real time whether a particular evidence-of-identity document is authentic, accurate, and up to date. The other two are a face-matching services hub and a national driver licence facial recognition solution. “[Home Affairs] does not collect the images, nor do we have a database of those images. They are all kept within the state registry,” he added, when explaining the department’s remit for these services.

    Other Home Affairs movements included confirmation that a version of the Digital Passenger Declaration (DPD) would be released tomorrow, which will be the first use case to be built on the Permissions Capability Platform. When the DPD was first announced, the federal government said the DPD would replace the current Australia Travel Declaration (ATD) and the paper-based incoming passenger card. For tomorrow’s launch, however, the DPD will only replace the COVID-19 ATD for the moment, with the replacement of the incoming passenger card to come at a later date. Functionally, the DPD will link with a person’s QR code vaccination certificate and capture essential information up to 72 hours prior to a person boarding a plane.
    While the DPD will be launched tomorrow, travellers will still have to submit their travel declarations using the ATD until the end of this week, with the new form of submission available from February 18 onwards.

    Updated at 6:23pm AEST, 14 February 2022: added information about DPD release.


    Blackbyte ransomware hits San Francisco 49ers ahead of Super Bowl

    Hours before the Super Bowl kicks off, the San Francisco 49ers were added to the list of victims of the BlackByte ransomware group. The San Francisco 49ers were within a few plays of making it to the Super Bowl two weeks ago.

    The team did not respond to requests for comment but confirmed the attack to The Record and Bleeping Computer. The San Francisco 49ers appeared on the group’s leak site late Saturday evening; the team said in a statement that only its corporate IT network was affected by the attack. Law enforcement has been contacted, and the company said it is still in the process of investigating the incident.

    The attack comes just one day after the FBI released a warning about the BlackByte ransomware group. “As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers,” the FBI said. “Some victims reported the actors used a known Microsoft Exchange Server vulnerability as a means of gaining access to their networks. Once in, actors deploy tools to move laterally across the network and escalate privileges before exfiltrating and encrypting files. In some instances, BlackByte ransomware actors have only partially encrypted files.”

    The group emerged last year, but cybersecurity company Trustwave was able to make a BlackByte decryptor available for download on GitHub in October. Research by the company showed that the first version of the BlackByte ransomware downloaded and used the same AES key to encrypt files, rather than a unique key for each session as more sophisticated ransomware operators usually employ. A second, less vulnerable version of the ransomware was released in November, as the FBI noted.

    Emsisoft ransomware expert Brett Callow said BlackByte is a Ransomware-as-a-Service (RaaS) operation, and the individuals who use it to carry out attacks may or may not be based in the same country as the primary team. “Like multiple other types of ransomware, Blackbyte does not encrypt computers which use the languages of Russia and post-Soviet countries,” Callow said.

    A Red Canary analysis of the ransomware found operators gained initial access by exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) present on a customer’s Microsoft Exchange server.


    Deal alert: These 10 e-learning bundles teach ethical hacking, cryptocurrency trading, more

    When you give your partner the gift of learning, you also provide valuable opportunities. And we have 10 amazing e-learning course bundles that are an extra 15% off during our Valentine’s Day Sale. Just use coupon code VDAY2022 at checkout to score your partner the opportunity to learn a new skill.

    This bundle has 18 courses, but you can qualify for a well-paid ethical hacking position after completing the first one. And you don’t need any tech experience whatsoever to take it. Get The All-In-One 2022 Super-Sized Ethical Hacking Bundle for $36.54 (reg. $3,284) with code VDAY2022.

    With this bundle, you can train to become certified to teach English as a foreign language. It also includes lessons on how to develop your coaching and mentoring prowess, among other skills. Get The Complete 2021 TEFL Certification Training Bundle for $33.99 (reg. $250) with code VDAY2022.

    First, this bundle teaches the fundamentals of blockchain technology and how to use it to drive more revenue. You’ll find training material on how to become a Certified Blockchain Solutions Architect (CBSA) or Certified Blockchain Developer (CBDH). Get The Blockchain Bootcamp Certification Training Bundle for $16.99 (reg. $297) with code VDAY2022.

    This course provides an overview of cryptocurrency and explains how to open accounts. Then it covers the most popular methods of generating passive income from cryptocurrency. Get Cryptocurrency Wealth Creation: Staking, Lending & Trading Course for $16.99 (reg. $200) with code VDAY2022.

    This bundle thoroughly covers Bitcoin and cryptocurrency trading. But you will also learn about non-fungible tokens (NFTs), including how to create an NFT of your own. Get The Complete NFT & Cryptocurrency Wealth Building Masterclass Bundle for $25.49 (reg. $1,200) with code VDAY2022.

    The US government created the Risk Management Framework to make cyber supply chain management more secure. This course will teach you the process of qualifying for a range of government cybersecurity positions. Get NIST Cybersecurity & Risk Management Frameworks for $33.15 (reg. $295) with code VDAY2022.

    The 2022 Ultimate Cybersecurity Analyst Preparation Bundle provides training for a wide variety of cybersecurity certifications. Start with one, and each one afterward will advance your career another step up. Get The 2022 Ultimate Cybersecurity Analyst Preparation Bundle for $25.49 (reg. $1,600) with code VDAY2022.

    Python is one of the most popular programming languages and one of the easiest to learn. These 12 courses cover an entire career of Python training, but you can start applying for positions after completing just one. Python skills are excellent for remote work, so you may also want to learn a new language or two if you end up working abroad. Get The 2022 Premium Python Programming PCEP Certification Prep Bundle for $29.74 (reg. $2,400) with code VDAY2022.

    This is the ultimate e-learning bundle. You get more than 1,000 courses covering a wide variety of industries with StackSkills, another 800 tech courses from Stone River, and over 90 specialized courses on cybersecurity from Infosec4TC, which has an impressive rating of 4.8 out of 5 stars on Trustpilot. Get The Ultimate Lifetime Bundle of StackSkills + Infosec4TC + Stone River for $97.75 (reg. $13,994) with code VDAY2022.

    Cybersecurity is more crucial than ever, and these six courses will help you prepare for the IT certifications needed to pursue a career in this field. Each course focuses on CompTIA certifications, ensuring you’ll develop a vendor-neutral understanding of IT and security. Get The 2022 Premium CompTIA CyberSecurity & Security+ Exam Prep Bundle for $25.50 (reg. $1,200) with code VDAY2022.



    Europe's biggest car dealer hit with ransomware attack

    One of Europe’s biggest car dealers, Emil Frey, was hit with a ransomware attack last month, according to a statement from the company. 


    The Swiss company showed up on the list of victims of the Hive ransomware on February 1 and confirmed that it was attacked in January. “We have restored and restarted our commercial activity already days after the incident on January 11, 2022,” a spokesperson said, declining to answer further questions about whether customer information was accessed.

    The company — which has about 3,000 employees — generated $3.29 billion in sales in 2020 thanks to a variety of automobile-related businesses. It was ranked as the number one car dealership in Europe based on revenue and the total number of vehicles for sale.

    The FBI spotlighted the Hive ransomware group in August 2021 after its members attacked dozens of healthcare organizations last year. In 2021, Hive attacked at least 28 healthcare organizations, including Memorial Health System, which was hit with a ransomware attack on August 15. The FBI alert explains how the ransomware corrupts systems and backups before directing victims to a link to the group’s “sales department” that can be accessed through a Tor browser. The link brings victims to a live chat with the people behind the attack, but the FBI noted that some victims have even been called by the attackers demanding ransoms.

    Most victims face a payment deadline ranging between two and six days, but others were able to extend their deadlines through negotiation.

    On Wednesday, the FBI, National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC) released a warning indicating that a growing wave of increasingly sophisticated ransomware attacks poses a threat to critical infrastructure and organizations around the world. “We live at a time when every government, every business, every person must focus on the threat of ransomware and take action to mitigate the risk of becoming a victim,” said CISA Director Jen Easterly.


    Microsoft, Oracle, Apache and Apple vulnerabilities added to CISA catalog

    The US Cybersecurity and Infrastructure Security Agency (CISA) updated its catalog of known exploited vulnerabilities this week, adding 15 vulnerabilities based on evidence that threat actors are actively exploiting them.

    The list includes a Microsoft Windows SAM local privilege escalation vulnerability with a remediation date set for February 24. Vulcan Cyber engineer Mike Parkin said the vulnerability — CVE-2021-36934 — was patched in August 2021 shortly after it was disclosed. “It is a local vulnerability, which reduces the risk of attack and gives more time to deploy the patch. CISA set the due date for Federal organizations who take direction from them, and that date is based on their own risk criteria,” Parkin said. “With Microsoft releasing the fix 5 months ago, and given the relative threat, it is reasonable for them to set late February as the deadline.”

    The rest of the list covers a range of Microsoft, Apache, Apple, and Jenkins vulnerabilities with remediation dates of August 10.

    While some experts questioned CISA’s new additions to the list, Netenrich’s John Bambenek explained that anything that provides a straightforward path to elevated privileges and is being exploited by the kind of threat actors CISA is concerned about needs to be remediated immediately.

    Pravin Madhani, CEO of K2 Cyber Security, noted that more than half of the vulnerabilities are classified as remote code execution (RCE) vulnerabilities.

    “RCE is one of the most dangerous types of vulnerabilities as it gives the attacker the ability to run almost any code on the hacked site. RCE, and other flaws such as XSS (Cross Site Scripting), have long been included on the OWASP Top 10 list, so why aren’t companies better equipped to protect against these attacks?” Madhani asked.

    Viakoo CEO Bud Broomhead said he believes cybercriminals are using older vulnerabilities in exploits against new device targets, specifically IoT devices. As an example, Broomhead mentioned vulnerabilities that enable man-in-the-middle (MitM) attacks.

    “Virtually all IT systems are protected against this threat, but IoT systems often are not, leading threat actors to revisit these older vulnerabilities knowing that network-connected IoT devices can be exploited through them,” Broomhead said. “This would lead to a vulnerability discovered years ago being added recently to the CISA catalogue. With close to 170,000 known vulnerabilities, priority should be given to the ones that are causing real damage right now, not ones that in theory could cause damage.”


    Google says nearly $9 million given out in 2021 vulnerability rewards

    Google announced this week that its Vulnerability Reward Programs doled out $8,700,000 for vulnerability rewards in 2021. Researchers donated $300,000 of their rewards to a charity of their choice, according to a blog from Sarah Jacobus of Google’s Vulnerability Rewards Team.

    For Android vulnerabilities, payouts doubled compared to 2020, with almost $3 million being rewarded to researchers for a variety of bugs. The company also handed out its largest Android payout ever, at $157,000. The company also launched the Android Chipset Security Reward Program, an invite-only program for researchers investigating certain popular Android chipsets. The program paid $296,000 for over 220 unique security reports, specifically shouting out Aman Pandey of the Bugsmirror Team, Yu-Cheng Lin, and researcher gzobqq@gmail.com, who secured the $157,000 award. The company noted that it is also offering $1,500,000 for bugs found in the Titan-M security chip used in its Pixel devices.

    When it comes to Chrome, the company set a new record as well. Google gave out $3.3 million in VRP rewards to 115 researchers who found 333 unique Chrome security bugs. “Of the $3.3 million, $3.1 million was awarded for Chrome Browser security bugs and $250,500 for Chrome OS bugs, including a $45,000 top reward amount for an individual Chrome OS security bug report and $27,000 for an individual Chrome Browser security bug report,” Jacobus said.

    “Of these totals, $58,000 was awarded for security issues discovered by fuzzers contributed by VRP researchers to the Chrome Fuzzing program. Each valid report from an externally provided fuzzer received a $1,000 patch bonus, with one fuzzer report receiving a $16,000 reward.”

    Jacobus also spotlighted Rory McNamara, Leecraso, and Brendon Tiszka for their work on Chrome bugs. Google Play paid out $550,000 in rewards to more than 60 security researchers. The tech giant was also eager for exploit research on their kCTF cluster, raising their reward amounts in November from up to $10,000 to up to $50,337. Several participants brought in $175,685 in rewards.

    The Google Cloud Platform awarded Ezequiel Pereira the top prize for finding an RCE in Google Cloud Deployment Manager, awarding him $133,337. In total, the Google Cloud Platform paid winners of the 2020 competition $313,337.

    Google said they partnered with researchers to find and fix thousands of vulnerabilities throughout 2021 and launched bughunters.google.com to help move the effort along. The platform gives researchers a place to submit bugs for Google, Android, Chrome, Google Play, and more. The platform gamifies the bug hunting process by offering per-country leaderboards, company swag, awards, and more. The company also explained that the Vulnerability Research Grant program awarded $200,000 in grants to more than 120 security researchers around the world.

    “With the launch of the new Bug Hunters portal, we plan to continue improving our platform and listening to you – our researchers – on ways we can improve our platform and Bug Hunter University,” Jacobus said. “Thank you again for making Google, the Internet, and our users safe and secure!”