Last week Enterprise Times covered the appointment by Securiti of Jack Berkowitz as its Chief Data Officer. Other news came from Action1, ESET, Gatewatcher, Ground Labs, LiveAction, Malwarebytes, Reco.AI, Secureworks, Tenable, Veeam, Xalient and Zimperium.


Action1 announced its expansion into the European market after significant year-over-year growth in the USA. It has established a datacentre in Frankfurt, Germany.

Mike Walters, President and co-founder of Action1, said, “We are excited to bring our proven expertise in vulnerability remediation to European organizations and assist them in staying ahead of emerging threats. In the future, we plan to strengthen our presence within the EU market by expanding further, hiring additional personnel, and growing our partner network.”

ESET reveals more details of OilRig APT

There were two pieces of research this week from ESET. One looks at the Iranian APT OilRig. The other examines how malicious packages in the official repository for the Python language were downloaded over 10,000 times.


ESET researchers have revealed more details of how the OilRig APT infects its targets. The threat actor is based in Iran, according to ESET. To date, its targets appear to be exclusively Israeli. More importantly, its latest set of downloaders all seem to end up deploying malware onto previous targets. What is not clear is whether this is because earlier attacks were insufficiently cleaned up or because the group relies on mechanisms that have gone undetected.

According to the researchers, “The new lightweight downloaders – SampleCheck5000 (SC5k v1-v3), OilCheck, ODAgent, and OilBooster – are notable for using legitimate cloud storage and cloud-based email services for command and control (C&C) communications and data exfiltration, namely, the Microsoft Graph OneDrive or Outlook Application Programming Interfaces (API), and the Microsoft Office Exchange Web Services API.”

ESET researcher Zuzana Hromcová, who analyzed the malware along with ESET researcher Adam Burgher, said, “On par with the rest of OilRig’s toolset, these downloaders are not particularly sophisticated. However, the continuous development and testing of new variants, experimentation with various cloud services and different programming languages, and the dedication to re-compromise the same targets over and over again, make OilRig a group to watch out for.”


ESET researcher Marc-Étienne Léveillé has discovered 116 Python packages (source distributions and wheels) across 53 projects that contain malware. The malicious Python projects are being distributed through PyPI, the official package repository for the Python programming language. The malware targets users of Windows and Linux machines, allowing for remote command execution, data exfiltration and the taking of screenshots.

According to Léveillé, “Some malicious package names do look similar to other, legitimate packages, but we believe the main way they are installed by potential victims isn’t via typosquatting, but social engineering, where they are walked through running pip to install an ‘interesting’ package for whatever reason.”

In the last year, the affected files have been downloaded more than 10,000 times. Léveillé reports that “from May 2023 onward, the download rate was around 80 per day.” While most packages have now been taken down, others are marked as offline, presumably awaiting removal. It will be interesting to see a full list of affected packages published so that those who may have downloaded them can take action.


Europol reports that there has been an increased use of Bluetooth trackers by organised crime. But, unlike many reports about Apple AirTags and their Android equivalents, this is not about tracking individuals. Instead, Europol reports that criminals are using the trackers to geolocate the goods they are shipping.

According to Europol, “The vast majority of cases reported to Europol relate to cocaine smuggling. These trackers have been discovered most frequently alongside cocaine in container shipment of food products, but have also been found hidden in sea chests within sea vessels.”


Gatewatcher has announced a strategic partnership with Evvo Labs. It is aimed at improving cybersecurity measures across industries in Singapore. It sees Evvo Labs combine its expertise in managed security with Gatewatcher’s NDR solution. The two companies say that it will establish a comprehensive cybersecurity framework. More importantly, it aligns with Gatewatcher’s international expansion.

Cristofer Quek, Regional Sales, APAC, Gatewatcher, said, “Government and private sector enterprises are confronted with the rise of advanced persistent threats, requiring a more circumspect, probing attitude that looks for the early signs of larger, longer-term attacks.

“Our partnership with Evvo Labs is a strategic move to bolster defenses of companies in the APAC region. By helping them integrate and define our NDR solution as a pillar of their cyber strategy, we aim to provide enhanced visibility and a proactive defense approach, crucial for mitigating the impact of cyber-attacks.”

Ground Labs

Ground Labs has announced Enterprise Recon 2.9.1. It comes with a range of new deployment options.

According to the release, this new version supports two ways to install and run Enterprise Recon:

  1. As an appliance running on top of an Oracle Linux 8 operating system (OS).
  2. As an RPM software package to be installed on a server running the Red Hat Enterprise Linux (RHEL) 8.6 / 8.8 (LTS) OS.

Don Kaye, Ground Labs’ chief commercial officer, said, “Enterprise Recon is designed to help organizations discover and secure their sensitive data across a wide range of platforms and environments. By offering more flexibility and choice in how customers deploy Enterprise Recon, we are making it easier for them to protect their data and comply with data privacy regulations.”


LiveAction has appointed Paul Gray as Chief Product Officer. Gray has 20 years’ experience in the IT industry. Prior to joining LiveAction, Paul held executive leadership positions at SolarWinds, Aruba Networks, and AirWave Wireless. As Chief Product Officer, Paul will lead LiveAction’s Product and Engineering strategy and execution globally.

Gray said, “I look forward to building LiveAction’s Product and Engineering strategy, helping a broad range of partners and customers take advantage of LiveAction’s network performance monitoring solutions, to gain visibility into their networks and remediate problems quickly.”


Malwarebytes has announced new offerings for its multi-tenant console, ThreatDown OneView. Aimed at Managed Security Providers (MSPs), it has a new Security Advisor dashboard. Malwarebytes says this will give greater visibility across customers and more robust reporting options.

Brian Thomas, SVP of Global Channels, Malwarebytes, said, “Malwarebytes provides our partners with a powerful and affordable security management platform that puts maximum control, alongside AI- and human-powered guidance, in the hands of security teams.

“This year, our commitment to a channel-first approach has been instrumental in fostering remarkable growth and delivering substantial value to our partners. We have an exciting lineup planned for 2024, aiming to amplify value and strengthen our channel partnerships even further.”

The company also said that its continued channel-first mindset drove double-digit, year-over-year growth in the MSP sector. It achieved 33% growth of its ThreatDown Endpoint Detection and Response (EDR) solution by MSPs, year-over-year, and 54% average growth of its ThreatDown Managed Detection and Response (MDR) service, quarter-over-quarter.


Reco.AI has added an Identity-First approach to its SaaS Security Posture Management (SSPM). Using its API, the AI-based graph technology provides continuous discovery of every application and identity, controls access, and prioritizes actions to reduce the risk of data exposure.

According to Reco.AI, “A proprietary and patented AI algorithm powers the Reco Identities Interaction Graph, which correlates every interaction between people, applications, and data and then assesses potential risk from misconfigurations, over-permissioned users, compromised accounts, risky user behavior, and the use of generative AI applications.”

According to Ofer Klein, CEO and Co-Founder of Reco, “Adding new apps to your technology stack has never been easier, but the challenge is maintaining security while still driving the business forward.

“One major issue resulting from the proliferation of apps is employees adding apps without their company’s knowledge. Take for example a highly-regulated public financial company that had a team member connect an AI app to their Zoom to transcribe calls. This misconfiguration could have been catastrophic if left unaddressed, but by leveraging Reco, it was able to gain visibility into who had access and what actions had been taken by the user to restore security.”

Of interest, since Reco was founded in 2020, the team has analysed millions of identities. It claims to have found that 7% of former employees still had access to core apps. In addition, 108 admins were discovered on Salesforce, and 8,000 unsanctioned apps and services were connected. All of this widened the attack surface.


Secureworks announced a joint go-to-market program with SentinelOne. It sees the two companies combine Secureworks Taegis ManagedXDR and SentinelOne Singularity Complete. The goal is to “simplify risk management and reduce time to value by utilizing cyber expertise, threat intelligence and technology.”

Chris Bell, VP Strategy and Corporate Development, Secureworks, said, “Organizations know that they can’t afford to elevate their cybersecurity posture after a breach. They want to understand their risk and break down silos because overcomplexity is enabling threat actors to lurk unseen.”

The two companies also believe that this simplification will reduce friction and silos within the security environment. They want to “make advanced, market-leading cybersecurity solutions more accessible, integrated and affordable to a broader range of enterprises.”

Among the benefits the joint program offers are enhanced training and access to hundreds of API integrations.


Tenable has seen two of its solutions assessed at PROTECTED level by the Infosec Registered Assessors Program (IRAP). IRAP is run by the Australian Signals Directorate (ASD), and the assessment means that the two products, Tenable Vulnerability Management and Tenable Web App Scanning, can now be used across Australian government entities.

Achieving this compliance benchmark is important for Tenable. It means that as Australian government entities shift to the cloud, Tenable is seen as a solution that can be trusted to protect their data.

Robert Huber, chief security officer and head of research at Tenable, said, “The persistent breaches targeting government systems, critical infrastructure and information networks represent a genuine menace to Australia’s national security.

“The IRAP program stands as a pivotal assurance mechanism, ensuring technology solutions like Tenable’s adhere to the rigorous cyber standards of the Australian government. The successful completion of this assessment solidifies Tenable’s commitment to advancing national security interests while upholding the highest echelons of security and compliance for critical government initiatives.”


Veeam has announced a further expansion of its relationship with Microsoft. Microsoft 365 users can now use Cirrus by Veeam, which delivers Backup-as-a-Service (BaaS) for Microsoft 365. It takes advantage of Veeam Backup for Microsoft 365, adding new capabilities to become a BaaS solution.

Danny Allan, CTO at Veeam, said, “Businesses today need the confidence that their critical business data is protected. We’re delighted to extend the advanced capabilities we use to protect close to 18 million Microsoft 365 users by integrating with Microsoft 365 Backup Storage.

“The recent addition of our BaaS offering for Microsoft 365 underlines our commitment to continuing to deliver new features and capabilities that take advantage of the power and reliability of the Veeam Data Platform which keeps businesses running.”

The announcement comes less than a month after Veeam previewed this new integration with Microsoft 365 Backup Storage at Microsoft Ignite. The live demo highlighted the potential to quickly and efficiently restore large amounts of Microsoft 365 data. It enables organizations to minimize downtime following a ransomware attack or other data loss threat.


Xalient has acquired Grabowsky BV, a digital identity advisory and managed services business based in Benelux. The acquisition comes less than four months after Xalient acquired Integral Partners LLC in the USA.

Sherry Vaswani, CEO and founder of Xalient, emphasises the deal’s strategic importance. “We’re delighted to welcome Grabowsky into the Xalient family. Grabowsky boasts an excellent reputation in the industry with both partners and clients. Importantly, Grabowsky reflects our own company ethos to provide customer-centric solutions, designed and delivered by trusted experts.”

Xalient sees the two acquisitions as key to accelerating its growth in the digital identity space. With Grabowsky, Xalient claims it will “deliver customer-centric identity and zero trust solutions across the security landscape.” This will be built on Grabowsky’s identity capabilities, including identity governance and administration (IGA), privileged access management (PAM), and customer identity access management (CIAM).


Zimperium found that 29 malware families targeted 1,800 banking apps across 61 countries in the last year. The details are contained in its annual Mobile Banking Heists Report (registration required). It demonstrates the evolution and success of mobile banking trojans globally.

Nico Chiaraviglio, Chief Scientist of Zimperium, said, “Mobile banking security is currently in a high-stakes scenario, with numerous threat actors posing substantial risks. This report shows the sophistication, adaptability, and scalability of banking trojans and their widespread impact on mobile applications across the globe.

“We are seeing that they are finding ways to bypass traditional defenses, which is why it is critical that banking and financial organizations employ comprehensive, real-time, on-device mobile security to combat these intelligent adversaries.”

More than twice as many US banking institutions (109) were targeted as in any other country, such as the UK (48) and Italy (44). All in all, 1,103 compromised traditional banking apps were detected. Nineteen malware families from last year have evolved considerably, and 10 new families emerged in 2023. It marks the highest number of apps and potential attacks ever recorded.

Security news from the week beginning 4 December 2023
