Week in review: 10 cybersecurity startups to watch, admins urged to remove VMware vSphere plugin

Week in review

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:

Inside the strategy of Salesforce’s new Chief Trust Officer
In this Help Net Security interview, Arkin discusses a collaborative approach to building trust among customers, employees, and stakeholders, focusing on transparency, shared responsibility, and empowering others to integrate trusted and responsible technologies.

How decentralized identity is shaping the future of data protection
In this Help Net Security interview, Patrick Harding, Chief Architect at Ping Identity, discusses the promises and implications of decentralized identity (DCI) in cybersecurity.

CVE Prioritizer: Open-source tool to prioritize vulnerability patching
CVE Prioritizer is an open-source tool designed to assist in prioritizing the patching of vulnerabilities. It integrates data from CVSS, EPSS, and CISA’s KEV catalog to offer insights into the probability of exploitation and the potential effects of vulnerabilities on your systems.

TruffleHog: Open-source solution for scanning secrets
TruffleHog is an open-source scanner that identifies and addresses exposed secrets throughout your entire technology stack.

10 cybersecurity startups to watch in 2024
Help Net Security decided to spotlight companies breaking new ground, attracting top talent, and leading innovation in key areas. We are focusing on those who are not just responding to current trends but are actively setting them.

RCE vulnerabilities fixed in SolarWinds enterprise solutions
SolarWinds has released updates for Access Rights Manager (ARM) and (Orion) Platform that fix vulnerabilities that could allow attackers to execute code on vulnerable installations.

Critical ConnectWise ScreenConnect vulnerabilities fixed, patch ASAP!
ConnectWise has fixed two vulnerabilities in ScreenConnect that could allow attackers to execute remote code or directly impact confidential data or critical systems.

LockBit disrupted by international law enforcement task force
On Monday afternoon, LockBit’s leak site has been taken over by a coalition of law enforcement agencies and is showing a seizure notice that promises more details today, at 11:30 GMT.

LockBit takedown: Infrastructure disrupted, criminals arrested, decryption keys recovered
In the wake of yesterday’s surprise law enforcement takeover of LockBit’s leak site, the UK National Crime Agency (NCA) and Europol have shared more information about the extent of the takedown.

The importance of a good API security strategy
In 2024, API requests accounted for 57% of dynamic internet traffic around the globe, according to the Cloudflare 2024 API Security & Management Report, confirming that APIs are a crucial component of modern software development.

VMware pushes admins to uninstall vulnerable, deprecated vSphere plugin (CVE-2024-22245, CVE-2024-22250)
VMware Enhanced Authentication Plug-in (EAP), a plugin for VMware vSphere, has two vulnerabilities (CVE-2024-22245, CVE-2024-22250) that could be exploited by attackers to mount authentication relay and session hijack attacks.

Attackers exploiting ConnectWise ScreenConnect flaws, fixes available for all users (CVE-2024-1709, CVE-2024-1708)
The two ScreenConnect vulnerabilities ConnectWise has recently urged customers to patch have finally been assigned CVE numbers: CVE-2024-1709 for the authentication bypass, CVE-2024-1708 for the path traversal flaw.

Microsoft begins broadening free cloud logging capabilities
After select US federal agencies tested Microsoft’s expanded cloud logging capabilities for six months, Microsoft is now making them available to all agencies using Microsoft Purview Audit – regardless of license tier.

Balancing “super app” ambitions with privacy
When Elon Musk’s ambitions to transform X into an “everything app” were divulged last year, he joined several companies known to be exploring or actively working on developing super apps, suggesting there’s clearly a niche to be filled.

How to make sense of the new SEC cyber risk disclosure rules
SEC’s new cybersecurity risk management, strategy, governance, and incident disclosure rules, which require increased transparency around cybersecurity incidents, have been in effect since December 18, 2023.

A step-by-step plan for safe use of GenAI models for software development
If you are a large-scale company, the recent AI boom hasn’t escaped your notice. Today AI is assisting in a large array of development-related and digital-related tasks, from content generation to automation and analysis.

Why identity fraud costs organizations millions
In this Help Net Security video, Bojan Simic, CEO of HYPR, offers insights on how these challenges could impact the identity security sector amid shifting threats in the first half of the new year.

A closer look at Israeli cybersecurity funding and M&A activity in 2023
In this Help Net Security video, Merav Ben Avi, Content Manager at YL Ventures, talks about how the Israeli cybersecurity industry, much like the global one, skyrocketed in 2021 with record-breaking capital and an exceptional number of new startups and unicorns.

Wire fraud scams escalate in real estate deals
In this Help Net Security video, Tyler Adams, CEO at CertifID, illustrates how the real estate sector needs to invest significant effort in educating consumers and implementing protective measures to safeguard real estate transactions.

Fraudsters have found creative ways to scam some businesses
70% of businesses report that fraud losses have increased in recent years and over half of consumers feel they’re more of a fraud target than a year ago, according to Experian.

Clean links and sophisticated scams mark new era in email attacks
Analysis of 7 billion emails shows clean links are duping users, malicious EML attachments increased 10-fold in Q4, and social engineering attacks are at all-time highs, according to VIPRE Security.

36% of code generated by GitHub CoPilot contains security flaws
Security debt, defined as flaws that remain unfixed for longer than a year, exists in 42% of applications and 71% of organizations, according to Veracode.

Active Directory outages can cost organizations $100,000 per day
Nearly every organization has core systems services tied to Active Directory that will go down during an outage, according to Cayosoft.

Cybersecurity fears drive a return to on-premise infrastructure from cloud computing
42% of organizations surveyed in the US are considering or already have moved at least half of their cloud-based workloads back to on-premises infrastructures, a phenomenon known as cloud repatriation, according to Citrix.

MSPs undergo transformation in response to persistent cyber threats
Organizations are increasingly turning to Managed Service Providers (MSPs) to alleviate pressure on IT departments, according to SonicWall.

Attack velocity surges with average breakout time down to only 62 minutes
The speed of cyberattacks continues to accelerate at an alarming rate, according to CrowdStrike.

92% of companies eyeing investment in AI-powered software
In 2024, buyers are increasingly focused on cost efficiency, AI functionality, and enhanced security, according to Gartner.

2024 will be a volatile year for cybersecurity as ransomware groups evolve
Hackers have significantly increased demands for ransomware, rising over 20% year-over-year to $600,000, according to Arctic Wolf.

Secure email gateways struggle to keep pace with sophisticated phishing campaigns
In 2023, malicious email threats bypassing secure email gateways (SEGs) increased by more than 100%, according to Cofense.

Avast ordered to pay $16.5 million for misuse of user data
The Federal Trade Commission will require software provider Avast to pay $16.5 million and prohibit the company from selling or licensing any web browsing data for advertising purposes to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking.

New infosec products of the week: February 23, 2024
Here’s a look at the most interesting products from the past week, featuring releases from ManageEngine, Metomic, Pindrop, and Truffle Security.

More about

Don't miss