The Gately Report: CyberFox Cybersecurity Strategy Leader Focused on Helping MSPs
More threat actors are adopting source code stolen and leaked on a Russian hacking forum.
Channel Futures: How will your previous experience with Perch Security and ConnectWise come into play in this new role?
CyberFox’s Wes Spencer: There’s so many lessons from all of those years on the Perch side of the house. We were a very young startup. It was our very first time building anything, and I like to joke and say that at Perch we mistaked our way to success. But one thing we were really good at was listening to partners, listening to their feedback and building to suit them.
So the lessons I learned out of that were listen to partners, help them in their journey and take their feedback very seriously, and build the product around what they’re asking you to do. When you listen well, you’ll never go wrong. So that was the big lesson learned there.
At ConnectWise, I think the big lesson was taking a company that has become wildly successful and extremely large, but how do we communicate to the partner the value of security and how do we help them solve that journey? MSPs in particular are stuck in security so often because they don’t come from security backgrounds. Threats have come down-market to where SMBs are under attack like never before, and MSPs need to solve this for their clients, and they don’t know how. And so my journey at ConnectWise was very much focused on working with partners every single day, helping them in that cybersecurity journey. So I really see CyberFox as a culmination of all of this together in a really exciting way.
CF: What’s your take on CyberFox’s current channel strategy and partner program, and will you be making any changes?
WS: I’m still in learning mode for sure. You’re going to see me be somebody that’s a learner first and a listener first, versus someone that wants to come in and change anything. I wouldn’t have come to CyberFox if I didn’t already believe the vision of identity management being at the center point for MSPs. So I’m going to be a listener first. Now I think there are a lot of things that we can work toward. We’re at the beginning of this journey, not the end. And so I’m sure there are things that we’re going to really want to enhance and help with the partners.
But my first job here is to listen internally and then listen externally second. In other words, I want to find out what we’re doing, what we’re building and what’s working. And then I want to talk to all our partners, which I’ve already talked to many of them. I want to hear how they are using CyberFox every single day. What are things that we could do to make your life easier? What are some things that are very similar to what we’re already doing that we could build in that would make your life even better?
So I don’t have a strong answer on mega changes at this point. But I’ve just learned I want to be a listener first and then we’re going to really figure out what the next part of that journey is.
CF: What can CyberFox’s MSP partners expect from you and what are you like to work with?
WS: One of the things that MSPs have come to expect out of me is I’m an educator at heart. I personally am not interested in selling CyberFox. I am interested in helping MSPs succeed in security. And if I can do that, then we’ll be able to sell CyberFox. That’s how it should go. And so what I’m really well known for, and what I love to do and really where I get so much job satisfaction, is helping MSPs in that journey. I’m already doing that, and Adam and David are just really excited for me to continue that journey at CyberFox and continue to help us as a company continue to do that for them. So that’s going to be a large part of it.
The other thing you’ll see us do is [focus on the] vision for CyberFox. We’re already established as one of the leaders in identity management. How do we continue to grow that and not let our partners down by making sure that we’re staying innovative, making sure that we are listening to partner feedback and growing the product where it needs to grow? So eventually you’ll see that component out of me as well. It’s not about, how do I help you sell CyberFox? It’s how do I help you succeed?
CF: What sort of growth potential do you see for CyberFox’s two flagship products, Password Boss and AutoElevate?
WS: There is currently no end in sight. From what I’ve been told, we’re getting very close to 2,000 partners. That’s incredible. We never hit that mark at Perch before we sold. But there are still thousands and thousands of partners that are out there. So we’re still growing like crazy and we’re still excited to continue to bring more and more partners into the ecosystem every single day. We don’t lose many. We keep our partners. What we always say is cyber is simple and elegant. And so we want to keep that mantra. If we keep that mantra of simple and elegant, we’re going to continue to grow. And then what’s going to happen is we then begin to look and say, what else do we begin to focus on to help in that journey?
One of the things I can tease a little bit is just from my background in cyber insurance. We’re doing a lot in the very beginning stages of what CyberFox can do to help with the cyber insurance challenges that MSPs have today. And if we can help in that, that’s one of the most troublesome areas that MSPs have. So I’m interested in helping to solve that and bringing the right parties on board to begin some of that.
CF: What are the biggest pain points facing MSPs, and how can you and CyberFox help them with those?
WS: One of the biggest pain points that MSPs have is they feel like they don’t have their hands on the wheel when it comes to cybersecurity. In other words, everyone is pushing them in multiple different directions. You have cyber insurance that’s pushing MSPs and their clients into doing certain things that they may not be ready for. You have regulations. While MSPs largely are not regulated themselves, they’re working with so many industries — banks, health care, manufacturing — [that are]. The new FTC safeguards are now coming into play.
All of these regulations are forcing clients to force their MSP to do new and different things. And so MSPs feel like, “Wait a second, I’m trying to navigate these cybersecurity waters and it’s almost like a sailboat in the wind.” I think the other big problem they have today is, how do we grow and scale? They still struggle with clients that say things like, “I’m not paying for that. I’ve never been hacked before. Why should I care about this now? I thought you were already doing security for me.” And so that lack of authority, they feel like they’re imposters and the reality is they’re not imposters.
If you’re just one step ahead in your security journey than your clients, that makes you the leader. So when the client crosses their arms and says, “I’m not paying for that, I’ve never been hit before, and I’m not going to be hit now,” they can say, “Let’s talk about what clients of your size look like and why we’ve seen so many breaches happen to clients just like you, and why it’s responsible for you to maintain and manage your risk to your company by putting some of these controls in place.” If we can help and begin to solve that, we will not only see a reduction in breaches, we will see our economy better.
CF: Has economic uncertainty impacted CyberFox? Also, how can CyberFox help MSPs that are being impacted by it?
WS: I know CyberFox has been doing nothing but growing just month over month, record-breaking growth, which is really, really good. There are definitely no worries there. For us, it’s just constant growth. I think for MSPs … with an impending worry over recession, it’s causing businesses to start to more than ever shift from capex to opex. When you start thinking through opex, you start to think … “I don’t have the ability to build a security team out as a small business. I can’t afford it. I can’t do all of this.” So SMBs are looking to do more with less, and that’s where MSPs come into play. So I’m actually really bullish through this. I think the MSPs that really grasp security well and can convey its value can actually stand through a recession. This is where MSPs come in and solution-solve for that, and really become the hero that their clients need. And so I’m very bullish. I’m actually not pessimistic at all that an economic downturn will be bad for MSPs. I think it will be a watershed moment for them.
CF: What do you find most dangerous about the current threat landscape?
WS: So right now we’re in a period of bliss. When you look at the threat landscape right now, we have seen a reduction in attacks and a reduction in damages over the past year. Now, that does not mean that we take our hand off the wheel. That does not mean that we just say, “Well, mission accomplished, we’re good to go.” It doesn’t mean that we start becoming lackadaisical. There are two reasons I think we’ve seen a reduction in attacks. The first reason is the conflict in Ukraine has had a significant impact on this because most of the ransomware threat operators that we see are operating out of Russia and Ukraine. And so with a war there, we’re now seeing a cyber war accompany a kinetic war. In other words, their eyes are now drawn inward. They’re not focused on ransomware; they’re focused on attacks against each other. So I believe the data points very strongly to a reduction in attacks because of that conflict. Now, when that conflict is over, and I hope and pray that it will be over as soon as possible, I think we will see a resurgence in attacks like never before. And I think that for some companies that have … backed off their care of security because of the reduction in attacks, that could be really bad.
Secondly, look at what’s been happening in cyber insurance in particular over the past two years. Cyber insurance has been requiring SMBs to do more than ever before. And because of that big push to those five or six controls, we are seeing fewer claims. There are actually fewer cyber insurance claims, partially because of the conflict in Ukraine, but also partly because these new controls are raising the security. So when we talk about the threat landscape, I’d actually say we’re doing a lot of the right things.
CF: What can MSPs expect from CyberFox in the months ahead further into 2023?
WS: We have the new version of Password Boss coming out very soon, so we’re really excited about what that’s going to hold. We’re really excited about AutoElevate, where it’s going. It’s always been a very simple, elegant solution. Partners love it, but we’re beginning to explore at the very beginnings of where we go with that from there. Those are the flagship products that we have and we’re going to continue to expand on those. We’re going to continue to make them better. We’re going to continue to have partner integrations and ecosystem-first approaches to all of it. We have some splashes that should be coming out in the next maybe three to four months that you will see around some partnerships. You will see us really continuing to double down on partnerships with our friends in the ecosystem.
In other cybersecurity news …
New Proxyrack research shows the transportation and warehousing industry taking the top spot on its list of sectors with the biggest increase in fraudulent cases.
There was a 20.6% increase in fraud cases in this industry between 2016 and 2022. Common types of fraud in the industry include falsifying delivery documents and posing as an authentic carrier to help criminals steal cargo loads.
In 2022 alone, there was an estimated $3.6 billion lost globally due to occupational fraud, according to Proxyrack.
Other sectors with the biggest increase in fraudulent cases between 2016 and 2022 include:
Technology, up 13.51%.
Religious, charitable or social services, up 11.5%.
Arts, entertainment and recreation, up 10.8%.
Mining, up 10%.
Insurance, up 3.5%.
Manufacturing, up 1%.
Case numbers in construction, as well as banking and financial services, have gone down since 2016 by 9.3% and 4.6%, respectively.
The real estate industry is losing the most money as a result of fraud, with a 117.50% change in financial losses since 2016. In addition, 64% of all fraud cases in the energy industry are the result of corruption, followed by the manufacturing industry (59%) and the transportation and warehousing industry (59%).
The United States recorded considerably more cases of fraud than any other country. Some 625 cases were recorded in 2022, which is 437 more than South Africa, the second-highest country.
A new SentinelLabs report shows more threat actors are adopting the source code that was stolen and leaked on a Russian hacking forum in September 2021.
SentinelLabs identified 10 ransomware families using VMware ESXi lockers based on the 2021 Babuk source code leaks. These variants emerged through the second half of 2022 and the first half of 2023, which shows an increasing trend of Babuk source code adoption.
Lockers contain files used to install and update VMware tools on all the virtual machines running on the given ESXi host.
Leaked source code enables actors to target Linux systems when they may otherwise lack expertise to build a working program. Source code leaks further complicate attribution, as more actors will adopt the tools.
“Ransomware groups have experienced numerous leaks, so it is plausible smaller leaks occurred within these circles,” said Alex Delamotte, senior threat researcher at SentinelOne. “Additionally, actors may share code to collaborate, similar to open-sourcing a development project. There is a noticeable trend that actors increasingly use the Babuk builder to develop ESXi and Linux ransomware. This is particularly evident when used by actors with fewer resources, as these actors are less likely to significantly modify the Babuk source code.”
Mike Parkin, senior technical engineer at Vulcan Cyber, said it’s “always fascinating” to get insight into how cybercriminal organizations operate, both in how they function and how they develop code.
“It’s not surprising that other threat actors continued to develop the leaked Babuk code to suit their own needs,” he said. “While the Babuk leak may have hurt that specific group, it became an opportunity for other threat actors to incorporate new tools and techniques into their own attacks. It becomes a challenge for defenders because even though we now have access to the original attack code, there will be more iterations of it that we’ll have to counter and the new variants will be harder to associate with a specific threat group.”
John Bambenek, principal threat hunter at Netenrich, said with modern ransomware, attackers don’t want to infect one machine. It is their goal to cripple an entire organization so they can warrant large ransoms. That said, with many organizations heavily investing in virtualization, if you manage to ransom the VMware environment, you accomplish the same result of crippling an organization.
“As organizations move to the cloud (both on-premises and external), attackers will move as well,” he said. “The problem is that you can’t protect these assets the same way. Endpoint detection and response (EDR) on a host doesn’t protect the hypervisor. The good news is that cloud technologies have built-in features to allow rapid recovery, if implemented correctly. This can help soften the blow of a successful attack.”
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory (CSA) in response to active exploitation of a vulnerability that occurs in certain versions of PaperCut NG and PaperCut MF print management software.
The vulnerability enables an unauthenticated actor to execute malicious code remotely without credentials. PaperCut released a patch in March 2023. The vulnerability is being exploited in ransomware attacks targeting the education sector.
“FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch,” the advisory said. “FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA.”
Shawn Surber, Tanium’s senior director of technical account management, said this is another prime example of malware specifically targeting a traditionally vulnerable sector, one that may have felt it was protected from these attacks due to its nature.
“This gives organizations a false sense of security, resulting in the deprioritizing of cybersecurity and the reprioritization of limited funding to address other critical needs,” he said.
Andrew Barratt, vice president of Coalfire, said the vulnerability in PaperCut is an authentication that is being chained with access to scripting functionality in the product to execute further malware.
“This is prime territory for ransomware to take hold in an environment or for the PaperCut servers to be used as an initial point of ingress,” he said. “Microsoft’s intelligence team also suggested that there are Iranian state-sponsored actors leveraging this vulnerability. And with print systems typically having very wide access to broader networks, they can be a very nice pivot point and an often undermonitored device for a more advanced intruder looking to get a foothold in an environment.”
CyberFox’s new cybersecurity strategy leader stands ready to address MSPs’ biggest pain points so they can succeed and grow.
Wes Spencer is CyberFox’s new vice president of cybersecurity strategy. Previously, he was co-founder and CISO of Perch Security, which was acquired by ConnectWise in late 2020. He then became vice president and external CSO at ConnectWise.
Since then, he has continued to work across the channel as an educator and advisor. He is now part of CyberFox’s executive leadership team.
Cybersecurity Strategy Leader’s Priorities
In his new role, Spencer is charged with:
Helping identify and create product focus strategies moving forward.
Leading internal and external thought leadership initiatives.
Working with product marketing and development teams on short- and long-term roadmaps for success.
Helping partners in their cybersecurity journey to continue to build cybersecurity maturity.
CyberFox launched last summer. Its focus is on providing identity access management (IAM) solutions for MSPs. It brought together under a single brand two IAM security companies — Password Boss and AutoElevate.
Spencer said he’s known CyberFox co-founders Adam Slutskin and David Bellini for some time, and they wanted a cybersecurity leader to “come on board and continue to help bring the vision of where we’re going with cyber forward.”
“It’s just a perfect mix between us,” he said. “We’re very well aligned in our mission of partner first and how do we make the partner better. I only want to go to work at places where we hold that view of how do we make our MSP partners better. How do we help them in that journey? Because if we can make them better, then we will get everything we need out of that relationship, too. And they hold that viewpoint and that vision. And so that’s a place where I’m very comfortable to come in and add value to.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.