IT Brew: Stopping ‘Venus’ Ransomware Starts at Firewall Configuration

On November 30, NetSPI Security Consultant, Derek Wilson, was featured in the IT Brew article called Stopping ‘Venus’ Ransomware Starts at Firewall Configuration. Read the preview below or view it online.


Ransomware of the “Venus” variety has hit at least one hospital, leading the US Health Sector Cybersecurity Coordination Center (HC3) to remind security pros to lock down the attackers’ way in: Remote Desktop Services.

“As the ransomware appears to be targeting publicly-exposed Remote Desktop Services, even those running on non-standard TCP ports, it is vital to put these services behind a firewall,” reads an HC3 report from early November.

Microsoft’s Remote Desktop Protocol (RDP) enables remote connections to other computers, most frequently over TCP port 3389.

While adjusting the firewall for remote services may seem like a straightforward process—allow a few machines to use port 3389 and no one else—misconfigurations happen. To account for mistakes, network-level access control also calls for additional defenses, like penetration testing and detection analytics, according to industry pros who spoke with IT Brew.

Remote control. Like other employers who sent their workforces home in 2020, hospitals have remote-access scenarios requiring RDP. Maybe a vendor has to “remote in” to provide updates to some legacy equipment, which brings the device onto the internet, exposing it.

With enough time (and password tries), an attacker can guess the RDP login credentials and “talk” to the device.

A Sophos survey in early 2022 found that 66% of surveyed healthcare organizations were hit by malware during the previous year, on par with the global average.

Venus ransomware appears to have begun operating in August 2022, hacking the RDP service to encrypt devices and terminate 39 processes associated with database servers and Microsoft Office applications, said the HC3 advisory.

While placing the RDP services behind a firewall is “vital,” according to HC3, mistakes happen.

  • A network engineer may intend to expose a device to the internet for only a short period of time…and then get distracted. “They forget about closing the hole that they poked to make this thing work,” said Derek Wilson, senior information security analyst at the penetration-testing company NetSPI.
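The two failure modes the article describes (an allow rule that is broader than "a few machines", and a temporary hole an engineer forgot to close) are easy to audit for once firewall rules are in a machine-readable form. The script below is an added example, not code from the IT Brew article, HC3 or NetSPI. It assumes a simple vendor-neutral rule representation (the `Rule` dataclass) that a real deployment would populate from its firewall export, and a `service` tag from the asset inventory so that RDP listening on a non-standard port, which HC3 specifically warns about, is still recognised as RDP. The sample rules and the audit date are constructed for the example.

```python
"""Audit firewall rules for internet-exposed Remote Desktop Services.

Added example; not code from the IT Brew article, HC3, or NetSPI. The Rule
dataclass is an assumed, vendor-neutral representation of a firewall rule.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import List, Optional, Tuple

RDP_DEFAULT_PORT = 3389
MAX_ALLOWLIST_HOSTS = 256   # wider than a /24 is not "a few machines" (assumed threshold)
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    src: str                        # source CIDR, e.g. "203.0.113.10/32" or "0.0.0.0/0"
    dport: int                      # destination TCP port
    service: str = ""               # what actually listens there, per asset inventory
    expires: Optional[date] = None  # expiry an engineer attached to a temporary rule


def is_rdp(rule: Rule) -> bool:
    """RDP on 3389, or anything the inventory tags as RDP on a non-standard port."""
    return rule.dport == RDP_DEFAULT_PORT or rule.service.lower() == "rdp"


def audit(rules: List[Rule], today: date) -> List[Tuple[str, List[str]]]:
    """Return (rule name, reasons) for every allow rule that exposes RDP.

    A rule is reported when its source is broader than a small allow-list or
    when its expiry date has passed. Internal (RFC 1918) sources are skipped,
    because the question here is exposure to the internet.
    """
    internal = [ip_network(c) for c in PRIVATE_RANGES]
    findings = []
    for r in rules:
        if r.action != "allow" or not is_rdp(r):
            continue
        src = ip_network(r.src, strict=False)
        if any(src.subnet_of(n) for n in internal):
            continue
        reasons = []
        if src.num_addresses > MAX_ALLOWLIST_HOSTS:
            reasons.append("source %s is broader than an allow-list of a few machines" % r.src)
        if r.expires is not None and r.expires < today:
            reasons.append("temporary rule expired on %s and was never removed" % r.expires.isoformat())
        # Obscurity is not a control: note the non-standard port only when the rule is already a finding.
        if reasons and r.dport != RDP_DEFAULT_PORT:
            reasons.append("note: non-standard port %d does not reduce exposure" % r.dport)
        if reasons:
            findings.append((r.name, reasons))
    return findings


# Constructed sample rule set (not from any real firewall).
SAMPLE_RULES = [
    Rule("rdp-from-jumphost", "allow", "203.0.113.10/32", 3389, "rdp"),                      # one machine: fine
    Rule("vendor-legacy-device", "allow", "0.0.0.0/0", 33890, "rdp", date(2022, 9, 1)),      # the forgotten hole
    Rule("rdp-partner-range", "allow", "198.51.100.0/22", 3389, "rdp"),                      # too broad
    Rule("lan-rdp", "allow", "10.0.0.0/8", 3389, "rdp"),                                     # internal: skipped
    Rule("web", "allow", "0.0.0.0/0", 443, "https"),                                         # not RDP
    Rule("deny-rdp-any", "deny", "0.0.0.0/0", 3389, "rdp"),                                  # deny: skipped
]
AUDIT_DATE = date(2022, 11, 30)  # constructed audit date


def audit_sample() -> List[Tuple[str, List[str]]]:
    """Run the audit over the constructed sample rule set."""
    return audit(SAMPLE_RULES, AUDIT_DATE)


if __name__ == "__main__":
    for name, reasons in audit_sample():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Running it reports `vendor-legacy-device` (any-source, expired, and on a non-standard port) and `rdp-partner-range` (a /22 is not "a few machines"); the jump-host rule with a single /32 source passes. The expiry field is the cheap fix for the "got distracted" case: if temporary rules must carry one, a scheduled run of this audit turns a forgotten hole into a ticket rather than an incident.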

You can read the full article at IT Brew!


VMBlog: 18 Security Leaders Come Together to Share Their 2023 Predictions

On November 29, NetSPI Vice Presidents of Research Scott Sutherland and Nick Landers were both featured in the VMblog article called 18 Security Leaders Come Together to Share Their 2023 Predictions. Read the preview below or view it online.


What will the New Year bring in cyberspace? Here’s a roundup of some of the top security industry forecasts, trends and cybersecurity predictions for 2023. Where do things go from here?

Read on as 18 industry leaders in the security space come together to provide their insights into how the cybersecurity industry will shake out in 2023.

NetSPI: Scott Sutherland, VP of Research – Can DLT Help Stop Software Supply Chain Attacks?

“Adoption of distributed ledger technology (DLT) is still in its infancy and we’ll see some interesting use cases gain momentum in 2023. DLT can basically be used as a database that enforces security through cryptographic keys and signatures. Since the stored data is immutable, DLT can be used anytime you need a high integrity source of truth. That comes in handy when trying to ensure the security of open-source projects (and maybe some commercial ones). Over the last few years, there have been several “supply chain compromises” that boil down to an unauthorized code submission. In response to those attacks, many software providers have started to bake more security reviews and audit controls into their SDLC process. Additionally, the companies consuming software have beefed up their requirements for adopting/deploying 3rd party software in their environment. However neither really solves the core issue, which is that anyone with administrative access to the systems hosting the code repository can bypass the intended controls. DLT could be a solution to that problem.”


NetSPI: Nick Landers, VP of Research – By the end of next year every major financial institution will have announced adoption of Blockchain technology

“There is a notable trend of Blockchain adoption in large financial institutions. The primary focus is custodial offerings of digital assets, and private chains to maintain and execute trading contracts. The business use cases for Blockchain technology will deviate starkly from popularized tokens and NFTs. Instead, industries will prioritize private chains to accelerate business logic, digital asset ownership on behalf of customers, and institutional investment in Proof of Stake chains. 

By the end of next year, I would expect every major financial institution will have announced adoption of Blockchain technology, if they haven’t already. Nuanced technologies like Hyperledger Fabric have received much less security research than Ethereum, EVM, and Solidity-based smart contracts. Additionally, the supported features in business-focused private chain technologies differ significantly from their public counterparts. This ultimately means more attack surface, more potential configuration mistakes, and more required training for development teams. If you thought that blockchain was “secure by default”, think again. Just like cloud platform adoption, the promises of “secure by default” will fall away as unique attack paths and vulnerabilities are discovered in the nuances of this tech.”

You can read the full article at VMblog!


VentureBeat: Why API Security is a Fast-growing Threat to Data-driven Enterprises

On November 23, NetSPI Managing Director, Nabil Hannan, was featured in the VentureBeat article called Why API Security is a Fast-growing Threat to Data-driven Enterprises. Read the preview below or view it online.


As data-driven enterprises rely heavily on their software application architecture, application programming interfaces (APIs) occupy a significant position. APIs have revolutionized the way web applications are used, as they aid communication pipelines between multiple services. Developers can integrate any modern technology with their architecture by using APIs, which is highly useful for adding features that a customer needs.  

By nature, APIs are vulnerable to exposing application logic and sensitive data such as personally identifiable information (PII), which makes them an easy target for attackers. Often available over public networks (accessible from anywhere), APIs are typically well-documented and can be quickly reverse-engineered by malicious actors. They are also susceptible to distributed denial of service (DDoS) incidents.

The most significant data leaks are due to faulty, vulnerable or hacked APIs, which can reveal medical, financial and personal data to the general public. In addition, various attacks can occur if an API is not secured correctly, making API security a vital aspect for data-driven businesses today.

The Future of API Security

“We’re most likely going to see a different software paradigm shift in the next five years that combines features from REST and SOAP security. I believe there will be a software development paradigm where features from each method are used to create a combined superior method,” Nabil Hannan, managing director at NetSPI, told VentureBeat. “This combination will take security out of the hands of the developers and allow for better ‘secure by design’ adoption.”

Hannan said that the concept of identity and authentication is changing, and we need to move away from usernames and passwords and two-factor authentication, which relies on humans not making any errors. 

“The authentication workflow will shift to what companies like Apple are doing around identity management with innovations like the iOS16 keychain. This will be developed through APIs in the near future,” he said.

You can read the full article at VentureBeat!


Why KKR is Increasing its Investment in NetSPI

On October 5, NetSPI announced that global investment firm KKR is increasing its investment in the company with $410 million in new funding. The investment was officially completed on November 4. Upon completion, the KKR Tech Growth team and I spent time reflecting on the past year working with NetSPI and looking forward to the future of the offensive security leader. 

1. Why did you choose to invest in NetSPI? 

We believe penetration testing is an increasingly important and strategic aspect to any enterprise’s security posture. We believe NetSPI is a category-defining player in the space through their core “Resolve” technology, Pen-Testing as a Service (“PTaaS”) delivery model and innovative new software products.  

Since our initial investment 18 months ago, we have been very impressed by the performance of the company and the exceptional execution by the entire NetSPI team. The company has experienced an impressive trajectory of strong and accelerating organic growth coupled with strong unit economics and profitability. We are excited about the opportunity to continue to build upon this momentum with further investments in technology, people, geographical expansion and strategic acquisitions.

2. What makes NetSPI so compelling? 

We believe NetSPI is compelling for a number of reasons, but the NetSPI team and technology are key differentiators. 

  • The Team: We’ve been impressed by the strength and execution of the NetSPI management team, even before we made our initial investment. We had built a dialogue with Aaron Shilts well before our initial investment in early 2021 and he came highly referenced from his previous large company experience. We view Aaron as an experienced CEO who has been able to combine his large company experience with an impressive vision on how to take NetSPI to the next level. Aaron has also assembled a remarkable team of other C-suite and VP-level execs, many of whom have come up through the organization organically. NetSPI has taken this experience of cultivating A+ talent and built their NetSPI University training program, which we believe is one of the most comprehensive training and certification programs in offensive security and has resulted in a strong pipeline for developing top talent internally.
  • The Technology: NetSPI has continued to carve a leading position in the pen-testing space through their continuous, tech-enabled pen-testing services, underpinned by their Resolve Platform which aggregates, manages and correlates vulnerability data for pen-testers and internal security teams to discover, identify and fix vulnerabilities – reducing risk exposure at scale. This technology, coupled with their differentiated delivery model and strong reputation in the market, has created a truly differentiated offering in the market. NetSPI also recently launched an Attack Surface Management (“ASM”) software platform, which provides continuous detection and reporting of vulnerabilities across all owned assets, and is highly complementary with their core pen-testing offering.  The company has a significant pipeline of new products to come in 2023 and beyond, which should allow NetSPI to continue offering a distinguished offensive security platform.   

Combined with an excellent and growing team across the organization and innovative technology, we are excited about NetSPI’s potential as they continue to advance their products. 

3. Where do you believe there may be opportunity for NetSPI to disrupt the offensive security market? 

From a macro perspective, we believe the demand for tech‐enabled, continuous pen‐testing has increased as legacy vulnerability management platforms can often give companies a false sense of security and traditional pen-testing consultancies often lack a tech-first approach to testing and remediation. With the ever‐changing threat landscape, we believe constant and persistent testing is paramount to maintaining an optimum security posture. Given the additional compliance requirements mandating human intervention and “hands on keyboard” to complete these complex tests, along with the proliferation of zero-day vulnerabilities, we believe NetSPI’s approach to tech & services positions them to be a defining player in this emerging PTaaS category. 

4. How do you plan to support NetSPI’s continued growth? 

We are increasing our investment in NetSPI to support their continued growth. We see this as an opportunity to put more capital to work behind: i) new product development; ii) geographic expansion in EMEA and APAC; iii) go-to-market and partnership-related initiatives; and iv) growing headcount to serve the company’s fast-growing enterprise customer base.

5. What does this acquisition mean to KKR? 

For KKR, the Tech Growth strategy is about identifying platforms – management teams, businesses, and sectors – where we can invest, seeking to build leading global enterprises. Since the beginning, we have been impressed with and excited about our strategic partnership with the management team and continued acceleration of NetSPI’s organic growth. We believe the KKR portfolio, network and value-add resources can enrich NetSPI’s existing capabilities and we are looking forward to the many opportunities ahead. 


The views expressed in each blog post may be the personal views of each author and do not necessarily reflect the views of KKR and its subsidiaries (“KKR Group”). Neither KKR Group nor the author guarantees the accuracy, adequacy or completeness of information provided in each blog post. No representation or warranty, express or implied, is made or given by or on behalf of KKR Group, the author or any other person as to the accuracy and completeness or fairness of the information contained in any blog post and no responsibility or liability is accepted for any such information. Nothing contained in each blog post constitutes investment, regulatory, legal, compliance or tax or other advice nor is it to be relied on in making an investment decision. Blog posts should not be viewed as current or past recommendations or solicitations of an offer to buy or sell any securities or to adopt any investment strategy. The blog posts may contain projections or other forward-looking statements, which are based on beliefs, assumptions and expectations that may change as a result of many possible events or factors. If a change occurs, actual results may vary materially from those expressed in the forward-looking statements. All forward-looking statements speak only as of the date such statements are made, and neither KKR Group nor each author assumes any duty to update such statements except as required by law. To the extent that any documents, presentations or other materials produced, published or otherwise distributed by KKR Group (collectively, “KKR Materials”) are referenced in any blog post, such KKR Materials should be read with careful attention to any disclaimers provided therein.


Datamation: 5 Top Penetration Testing Trends in 2022

On November 20, NetSPI Managing Director, Nabil Hannan, was featured in the Datamation article called 5 Top Penetration Testing Trends in 2022. Read the preview below or view it online.


Penetration testing is based on the premise that one of the best ways to safeguard the enterprise is to pretend to be a hacker and find the number of ways you can break into a business. 

The FBI uses this strategy. It often recruits criminals such as forgers and thieves who proved especially effective at crime and in thwarting the efforts of law enforcement. These former criminals become consultants who are highly skilled at spotting scams. Frank Abagnale is one of the most famous, the subject of the movie, “Catch Me If You Can”.  

Penetration testing is a formalization of this approach. A series of tools have been developed that are designed to automatically probe the network and systems for different weaknesses. 

1. Understand The External Attack Surface 

Nabil Hannan, managing director, NetSPI, has noted a greater focus on testing and understanding the external attack surface of organizations. 

Over the last two years, with the shift to working from home, businesses had to make drastic and rapid transformations in the way they operate. As a result, not only did the threat model of their business change, but the external facing attack surface of their organization evolved.

Enterprises now have assets that are exposed to the internet and are regularly changing — and these changes are occurring more rapidly with cloud-hosted systems. That’s one of the drivers behind attack surface management solutions, such as NetSPI’s ASM. They are being leveraged by organizations to continuously monitor attack surfaces and proactively identify any areas of risk in a timely manner.

“Creating and managing an accurate inventory of internet-facing assets and being able to identify potential exposures and vulnerabilities have become key focuses for many organizations,” Hannan said. 

You can read the full article at Datamation!


Cyber Security Summit: A Conversation with Cody Wass and Cody Chamberlain of NetSPI

On November 17, NetSPI Head of Product, Cody Chamberlain, and VP of Services, Cody Wass, were featured in the Cyber Security Podcast on Spotify. Read the preview or listen to the full episode online.


Today’s glimpse is with Cody Wass, Vice President of Services, and Cody Chamberlain, Head of Product, of NetSPI, hosted by Wendy Meadley, CEO, Next Phase Studio. The Codys, as they are “affectionately nicknamed,” shed light on how technology alone cannot solve the greatest cyber security challenges. Those challenges are met when you effectively leverage technology to maximize the value of human creativity, experience and ingenuity.


NetSPI Joins AWS Marketplace to Simplify Procurement of its Offensive Security Solutions

NetSPI is now on the AWS Marketplace, simplifying the procurement of our attack surface management, penetration testing, and breach and attack simulation solutions for mutual customers.  

The AWS Marketplace enables companies with existing AWS contracts to purchase software and services from third-party vendors. This partnership allows NetSPI to simplify the procurement process for enterprise organizations worldwide by allowing them to purchase any of our solutions directly from the Marketplace.   

Now that we are listed on the AWS Marketplace, companies gain more visibility into our various offensive security services. Companies searching for any of NetSPI’s offerings, products, or key phrases like Penetration Testing as a Service (PTaaS) or Attack Surface Management (ASM) will see our public listing appear.  

Companies can get the NetSPI sales cycle started by going through our Public Offer, which is a listing that someone can access via Google or searching on the AWS Marketplace. Here you will get connected with a representative that will share more information on our services, schedule a demo of our technology, and scope your engagement.  

NetSPI also offers unlimited flexibility by transacting custom engagements through the AWS Marketplace as Private Offers. Private Offers are custom scoped engagements that we create for clients based on their unique use cases and needs.  

There are two main benefits for a client to purchase NetSPI’s offensive security services via the AWS Marketplace: utilizing unused budgets and ease of procurement.  

Utilizing Unused Budgets

As companies build their annual budgets, they will dedicate a certain amount toward their AWS spend. Normally this spend is dedicated to cloud data storage. However, companies can also use this budget toward purchases in the AWS Marketplace. Often, we see companies that are nearing the end of their AWS contract with extra budget leftover. They can then go through the Marketplace to purchase any number of solutions to max out on their AWS contract commitments. In the case of offensive security testing, companies can now search, find, and use their leftover budget to purchase attack surface management, penetration testing, breach and attack simulation engagements from NetSPI. 

We also see that companies committing to large AWS contracts are given unique perks, special contract terms, and other discount benefits. One example of these perks is the Enterprise Discount Program (EDP), where Amazon provides significant program discounts and incentives to enterprises that commit a specific amount of dollars toward AWS. In consumer goods, this would look like a “spend $100, and we’ll give you a $25 gift card” campaign. These remaining dollars can be used by companies to provide resources for under-funded departments or to tackle unexpected projects, such as penetration testing.

Companies often require unexpected security resources in the middle of their fiscal year. Maybe a small- or medium-sized business decides to achieve SOC2 compliance before the end of the year, or a mid-market company experienced a data breach. In either case, if they have unused budget dedicated toward their AWS spend, they can purchase any of NetSPI’s services by transacting in the Marketplace, without requiring new budgetary approvals. This is incredibly helpful for companies that have limited budgets or have difficulty allocating funds toward new projects in the middle of their fiscal year. 

Ease of Procurement

Purchasing software via the AWS Marketplace expedites the procurement cycle by shortening finance and legal processes.  

Often, especially in the enterprise space, companies have lengthy procurement cycles for new vendors. If a company chooses to purchase from a new vendor directly, they’ll often need to go through lengthy legal contract reviews, get onboarded into financial systems, complete numerous forms, and so on. 

Instead of onboarding a new vendor, customers can purchase NetSPI via AWS directly. For companies that are already AWS customers, AWS has already been approved as a vendor in their systems, meaning they can complete their purchase quickly and simply by transacting through the Marketplace. On another note, purchasing through a single vendor also helps companies stay organized by helping them consolidate the number of companies they’re purchasing from.  

NetSPI’s joining the AWS Marketplace has helped clients simplify their purchasing cycles. Companies can now improve their security posture with NetSPI’s offensive security services by accessing unused budgets as well as shortening procurement processes via the AWS Marketplace.  

To learn how your company can take advantage of these options, contact us or visit our page on the AWS Marketplace.


Six Reasons Why Vulnerabilities are Increasing, Despite Greater Cybersecurity Investments

At NetSPI we are often asked, “Will our cybersecurity spend plateau or decrease?” or “Our security testing quantity and frequency continues to rise year over year, shouldn’t our vulnerabilities findings decrease over time?” – or a variation of these questions.

Many assume that, over time, operational scale and efficiencies would generate this result. But we do not expect to see this correlation in the foreseeable future.

If you look at the macro numbers, we are in a never-ending race against sophisticated adversaries, and organizational attack surfaces are growing exponentially. As companies continue to grow, innovate, acquire, divest, and hire, the threat landscape evolves at the same rate – or faster.

Vulnerabilities, cybersecurity spending, and threats are all on the rise.

According to the NIST National Vulnerability Database, the vulnerability count historically fluctuated until 2017, when we saw a massive spike in total vulnerabilities. Since then, vulnerabilities have steadily increased year over year and are on track to trend upward throughout the remainder of 2022.

Data also shows that high/critical vulnerabilities slightly decreased in 2021. However, the most critical vulnerability category is not included within this data but would impact the number of vulnerabilities drastically: people. According to a study by IBM, human error is the primary cause of 95% of cyber security breaches.

At the same time, cybersecurity remains a budgetary priority and spending continues to increase industry wide. Gartner predicts end-user spending in the information security and risk management market to grow at a compound annual growth rate (CAGR) of 11 percent through 2026.

Adversaries are no longer limited to individual actors and include highly sophisticated organizations that leverage integrated tools and capabilities with artificial intelligence and machine learning. While sophistication increases, so does activity. McKinsey & Company saw an exponential increase in the number and types of threats over the past decade. Additional reports have validated this over the past few years: Phishing increased 220 percent at the onset of COVID-19, governments and healthcare organizations worldwide saw an increase in ransomware attacks (1,885% and 755%, respectively), three in five companies were targeted by supply chain attacks in 2021, the list goes on.

Traditional penetration testing is compliance driven – and most compliance frameworks are 2-5 years behind current threat vectors. By evolving from compliance driven to risk and compliance driven testing, enterprises will identify more critical risks and vulnerabilities… but this does come at an increased cost.

It is highly unlikely that vulnerabilities will decrease year-over-year, based on your security testing investments alone.

It is important to understand that penetration testing does not directly reduce vulnerabilities; it identifies exposures and security issues. Reducing vulnerabilities requires fingers on a keyboard to change application code, reconfigure an operating system, update device configurations, and carry out other remediation activities. The number of vulnerabilities can also be affected by external factors that organizations cannot control.

Let’s explore six core factors, beyond security testing investments, that contribute to the increasing number of vulnerability findings organizations globally are observing today.

New Attack Vectors and Increasing Sophistication
  • The volume of vulnerabilities is directly related to the increase in volume of attackers.
  • Threat actors are no longer individuals, they are well-funded enterprise organizations. They can develop new technologies at a faster clip than ever before. Even our most sophisticated cyber controls, policies, and regulations will soon be obsolete.
  • Criminal enterprises have discovered that attacks like Ransomware can be very profitable. As a result, more than ever they are focusing on developing and advancing those capabilities.
  • 99 percent of codebases contain at least one open-source component. While organizations do have control over where and how open-source code is used, the ubiquitous code can open floodgates for future vulnerabilities, and the severity of this risk is highly variable (e.g. Log4j, SolarWinds).
  • Supply-chain and third-party risk has led to some of the largest breaches (e.g. Kaseya, Colonial Pipeline, Kronos, SaaS providers). The supply chain continues to expand with new features and functionality that inserts the potential for additional vulnerabilities. The quality of third-party talent, business decisions, and priorities directly impacts the number of potential vulnerabilities they could introduce to your organization.
Adoption of New Technologies
  • The volume of vulnerabilities is directly related to the adoption of new technologies.
  • The adoption of new technologies offers many advantages from a business perspective. But with new technologies comes new risks that may not be fully understood by the groups implementing them. For example, cloud technologies today represent a very wide and deep attack surface that is still not fully understood by much of the security community. Technology helps organizations innovate, but as you layer more systems onto your IT networks to enable business growth, new vulnerabilities may arise.
  • Organizations are seeing a substantial increase in the number of apps in use. On average, companies have 254 SaaS applications, 56 percent of which are managed outside of IT (shadow IT).
Infrastructure and Development Practices
  • An agile development lifecycle pushes smaller snippets of code into production. In agile, testing policies are not triggered given there is not a large amount of code being released. These small snippets over time add up and we have seen organizations discovering more critical and high vulnerabilities in production.
  • Legacy code and systems add complexity and cause exceptions that further increase an organization’s risk.
  • System integrations are much more prevalent than before (e.g., vertical integrations that create silos, horizontal integrations through an enterprise service bus, and point-to-point or star integrations). In addition, organizations continue to increase their dependency on third parties for development practices.
  • Digital transformation can change an organization’s infrastructure and IT footprint drastically. A common example of this is cloud migrations.
  • Lack of collaboration between development and security teams. Security is not always at the table during application design processes.
Organizational Change
  • Major business changes across organizations may bring new vulnerabilities. Changes could include mergers, acquisitions, divestments, or eradication of legacy apps/systems.
  • Historically, security was not mature enough to be part of the change. This mindset has changed, and budgets may need to be realigned to efficiently mitigate risk.
  • Access changes continue to evolve (e.g. work-from-home – as companies shifted, cyber-attacks increased by 20 percent). Mobile platforms, remote work, and other shifts increasingly hinge on high-speed access to ubiquitous and large data sets, exacerbating the likelihood of a breach.
  • With organizational change comes new attack surfaces, such as cloud migrations and shadow IT. We’re also seeing significant changes to the existing attack surface in the form of new systems and applications.
Talent Shortage
  • The talent shortage amplifies all of the preexisting factors above.
  • Many organizations lack sufficient cybersecurity talent, knowledge, and expertise—and the shortfall is growing. The number of unfilled cybersecurity positions globally grew by 350 percent over the past eight years. In 2021, a survey reported 3.5 million unfilled roles. The software developer talent shortage is also concerning. By 2030, the number of software job vacancies is projected to rise by almost 22 percent, and the software engineer shortage in the USA is expected to hit 1.2 million by 2026, according to the Bureau of Labor Statistics.
  • Secure coding expertise in developers is highly variable.
  • Outsourcing development vs. in-house development can influence the number of vulnerabilities found in your software. Organizations generally have more visibility and control over in-house development practices.
  • With the talent shortage, comes burn out, insufficient training, employee turnover, and keeping pace with workloads, all of which can influence vulnerability count through recurring vulnerabilities, unpatched issues, and higher likelihood for error.
Evolving Testing Approaches and Technologies
  • Pentesting is time-boxed, so breadth and depth are limited compared to an adversary that has unlimited time to achieve its objective. We must continue embracing technology as our force multiplier.
  • Shifting left is a great practice to catch vulnerabilities earlier in the SDLC, however, this methodology can alter the number of vulnerabilities that are found based on how far left your organization is testing and at what depth – and is dependent on the quality of the code output.
  • Changes in the capabilities, depth of access, and reporting output of automated testing tools. As testing technology advances, it is uncovering more paths to manually discover critical vulnerabilities.

Discover how NetSPI’s ASM solution helps organizations identify, inventory, and reduce risk to both known and unknown assets.