A local government resource for helping Japanese citizens cut ties with organized crime was successfully phished in a tech support scam, and could have dangerous consequences.

Source: Robert Gilhooly via Alamy Stock Photo

Japan's web of ruthless Yakuza organized crime syndicates continues to operate, threatening the country's citizens with everything from extortion to gangland murders. Local agencies within communities are set up to help those who get involved with gangsters — but unfortunately, one of them has been hacked, potentially leading to physical safety consequences for the victims.

The Kumamoto Prefecture Violence Prevention Movement Promotion Center said that 2,500 people who have used its counseling services (which aid with everything from evading extortion to disentangling romantically from Yakuza members) have been impacted by a data breach following a successful phishing effort.

"On November 15th, a center staff member was directed to a support fraud website while working and was illegally accessed," according to an "apology" notice on the agency's website (via Google Translate). "When the staff member noticed something was wrong, he immediately cut off the power and network connection of the computer terminal, but we cannot deny the possibility that data including personal information used in work may have been leaked."

That information could include addresses, phone numbers, and names: “If you receive a phone call or mail using the name or staff of the 'Violence Prevention Movement Promotion Center' at your address or workplace, please immediately report it … without responding to the request of the other party or opening the mail.”

Beyond follow-on phishing or fraud calls however, the information could be valuable for syndicates looking for those who have left "the life" or extortion victims who got away. The center is contacting those who may have been affected.

**About the Author**

Yakuza Victim Data Leaked in Japanese Agency Attack

While the need for cybersecurity talent still exists, the budget may not. Here's how to maximize security staff despite hiring freezes.

Source: imtmphoto via Alamy Stock Photo

Talk of the talent gap in cybersecurity continues, with ISACA, ISC2, and even the Biden administration releasing new publications addressing the problem. Indeed, the US alone has almost half a million open cybersecurity positions, and ISC2 estimates a shortfall of 4.8 million professionals needed to secure the world's computing resources.

However, all that the surveys and studies tell us is that the cybersecurity sector is inadequately staffed, not that companies are looking to hire or that there are no people to fill positions. What exists is a disconnect between companies and candidates over issues like pay and required certifications, as well as budgeting struggles within organizations.

The recent "ISC2 2024 Cybersecurity Workforce Study" quantifies the budget issue inside companies. "In 2024, 25% of respondents reported layoffs in their cybersecurity departments, a 3% rise from 2023, while 37% faced budget cuts, a 7% rise from 2023," the report states. That means fewer job openings and less money to fill those positions that are opened.

Among a sea of qualified candidates, job seekers are struggling to figure out how to stand out to recruiters and hiring managers.

"I do tons of networking," says Xavier Ashe, a job seeker with more than 30 years' experience targeting director-level and CISO roles. "That's allowed me to get a number of opportunities to interview, but the competition is tough. Everyone is looking, and there are a lot of great folks I'm competing against."

**Hiring Expectations Are Misaligned**

In a Dark Reading article on this year's "Service for America" cybersecurity push, Shane Fry, CTO of RunSafe Security, blamed the employment gap on large organizations' tendency to favor highly skilled cyber workers with college degrees.

"This can lead to some great candidates, but it also ostracizes a large group of folks that are so passionate about cyber that they picked up the skills on their own and don't have a degree to put on a resume," Fry wrote. "There's a ton of opportunities for businesses to provide on-the-job training and external training courses to get people from the fringes of cybersecurity into the cybersecurity fold."

CyberSeek, a joint project between tech certification organization CompTIA, labor market analyst Lightcast, and US federal cybersecurity program NICE, shows that external training might require better alignment between job seekers and hiring organizations. Its cybersecurity career heat map compares certifications held and certifications requested. Some certs, like CompTIA+ and Certified Information Systems Security Professional (CISSP), are overrepresented in the hiring pool, while others — such as Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) — do not have enough certification holders to meet employer demand.

CyberSeek illustrates a further misalignment in its Career Pathway graphic, which represents entry-level, mid-level, and advanced-level positions with circles proportionally sized to the number of job openings. All of the entry-level and all but one of the mid-level job types are tiny dots representing fewer than 7,000 jobs nationwide in the US; the big circles representing north of 24,000 job openings are out of reach of people making a career switch or just starting out.

Besides how the field tilts away from early-career job seekers, senior-level candidates are running into a different issue: disparity between what they expect to be paid for their experience level and what job listings offer. Budget cuts affect the hiring environment, even leading to layoffs, according to ISC2's study. "In 2023, the top causes for talent and skills gaps were an inability to find the talent or skills they needed to succeed," the ISC2 said. "But today, it's not about supply, it's about limited resources for hiring."

That matches Ashe's job-hunting experience. "The big companies are lowballing executive compensation," he says. "I turned down one offer this summer due to the pay cut I would have to take."

The ISC2 study found a 0.1% increase in global cybersecurity workers in 2024 over 2023. Compared to the 8.7% increase in 2023 over 2022, "This year's numbers suggest that hiring has slowed for 2023–2024," the study concludes.

**If You Can't Hire, Improve the Tech**

So if nobody is hiring entry-level people, and nobody can hire higher-level professionals because of salary requirements, how can an organization maintain its cybersecurity team? By keeping existing workers from jumping ship, says Steve Wilson, chief product officer at Exabeam.

One way to create a better working environment, Wilson says, is to make the workload less crushing by automating more. Machine learning algorithms analyze raw data as it flows through the network, continuously learning patterns of normal behavior and identifying anomalies. When a suspicious case emerges, traces of unusual activity are summarized and presented in natural language, making it easier for analysts to interpret the data without sifting through dense logs. This approach saves time and allows security professionals to focus their efforts where they matter most.

"It's about reaching the point where we can identify what's abnormal and worrisome, and then get that in front of a human analyst to take action," says Wilson. "That's where the real work starts and where the time saved becomes so valuable."

For the beginning analyst, these kinds of tools allow them to understand exactly what is suspicious about a flagged issue, in the process learning to understand the technical points, Wilson says. This gives Tier 1 analysts a chance to fix the problem themselves rather than escalate it to a Tier 3 analyst. By reducing escalations, the workload for Tier 3 analysts is eased, and they can use the LLM to search for obscure data points for tougher problems.

"It builds the skills for those younger ones because they can ask the dumb question without feeling like they're exposing themselves," Wilson says. "And then it frees up the time on those senior ones to actually go work the really tricky problems."

Notes Bryan Kissinger, CISO and senior VP at Trace3: "People get burned out when they're doing a job they don't like or their team around them is not supportive of work/life balance," he says. "The more repetitive and mundane activities ... a lot of that can be taken up by tools and automation."

**The Right People, If You Can Keep Them**

While poor salaries dropped as the reason cybersecurity talent left a job, from 54% in 2023 to 50% in 2024, work stress levels pushed 46% of staff to leave their cybersecurity jobs this year (up from 43% in 2023). That's according to the ISACA's "Global State of Cybersecurity 2024," which also cited lack of support from management (34%), poor work culture (32%), and return-to-office initiatives (32%) as reasons people quit.

Retention is key to Trace3, Kissinger adds. "Sometimes it's very challenging to tell when someone's burning out," he says. "\[An employee was\] ready to leave because they were burning out, and I said, 'This is the first I've heard about it. Can we bring on some contractors to help us moderate the workload?' Unless people speak up, you're really doing yourself a disservice."

Adds Wilson: "Sometimes these automation products, whether they're cybersecurity or marketing or whatever, there's a value proposition that says you can have less people on your staff. I don't think there's anybody saying, 'I'm spending too much on my SOC team — I'm going to reduce that by bringing in automation.' What they're saying is, 'My SOC team is overwhelmed, and people are quitting because they're burned out.'"

**About the Author**

Karen joined Dark Reading in January 2022 as features editor. She's been in tech editing since before the img tag was introduced, working for outlets such as the IEEE Computer Society, CNET Download.com, and TechTV. She lives in Los Angeles with her husband, son, and two cats. Find her on Mastodon.

What Talent Gap? Hiring Practices Are the Real Problem

The Shadowserver Foundation reports over 2,000 Palo Alto Networks firewalls have been hacked via two zero-day vulnerabilities: CVE-2024-0012…

The Shadowserver Foundation reports over 2,000 Palo Alto Networks firewalls have been hacked via two zero-day vulnerabilities: CVE-2024-0012 & CVE-2024-9474, enabling admin bypass and root access. Top targets: US & India.

Cybersecurity researchers at Shadowserver have revealed that approximately 2,000 **Palo Alto Networks** firewalls have been compromised. The breaches leverage two recently identified zero-day vulnerabilities in the company’s PAN-OS software. These vulnerabilities have been labeled as CVE-2024-0012 and CVE-2024-9474.

****The Vulnerabilities****

**CVE-2024-0012**: This vulnerability is an authentication bypass in the PAN-OS management web interface. It allows remote attackers to gain administrator privileges without authentication. This means attackers can tamper with firewall settings, making them more susceptible to further exploitation.

**CVE-2024-9474**: This flaw is a privilege escalation issue. Once exploited, it lets attackers execute commands with root privileges, giving them full control over the compromised firewall.

> Heads-up! Thanks to collaboration with the Saudi NCA we are now scanning & reporting Palo Alto Networks devices COMPROMISED as a result of a CVE-2024-0012/CVE-2024-9474 campaign. Found ~2000 instances compromised on 2024-11-20: dashboard.shadowserver.org/statistics/c… Top affected: US & India
> 
> — The Shadowserver Foundation (@shadowserver.bsky.social) November 21, 2024 at 9:45 AM

****Operation Lunar Peek – Ongoing Threat Activity****

Palo Alto Networks has **named** the initial exploitation of these vulnerabilities “Operation Lunar Peek.” Palo Alto Networks initially warned customers on November 8 about restricting access to their next-generation firewalls due to an unspecified remote code execution flaw.

Since then, the company has observed a notable increase in threat activity following the public release of technical insights by third-party researchers on November 19, 2024.

Unit 42, Palo Alto Networks threat intelligence team, assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which could lead to broader threat activity.

The company is currently investigating the ongoing attacks, which involve chaining these two vulnerabilities to target a limited number of device management web interfaces. The company has observed threat actors dropping malware and executing commands on compromised firewalls, indicating that a chain exploit is likely already in use.

****Recommendations for Users****

Palo Alto Networks has provided several recommendations to mitigate the risk:

*   **Monitor and Review:** Users should monitor for any suspicious or abnormal activity on devices with a management web interface exposed to the internet. After applying the patch, it is crucial to review firewall configurations and audit logs for any signs of unauthorized administrator activity.
*   **Patch Immediately:** Customers are advised to update their systems to receive the latest patches that fix CVE-2024-0012 and CVE-2024-9474. Detailed information about affected products and versions can be found in the Palo Alto Networks Security Advisories.
*   **Restrict Access:** To reduce the risk, Palo Alto Networks recommends restricting access to the management web interface to only trusted internal IP addresses. This is in line with their recommended best practice deployment guidelines.

****Expert Insights****

**Elad Luz**, Head of Research at Oasis Security, emphasizes the importance of immediate action even before patching. He advises affected customers to restrict access to the web management interface, preferably allowing only internal IPs. Luz also stresses the need to ensure that devices are free from any potential malware or malicious configurations after patching.

1.  Palo Alto Patches 0-Day Exploited by Python Backdoor
2.  Authentication bypass Flaw found in NATO approved firewall
3.  Critical RCE Vulnerability Puts 330,000 Fortinet Firewalls at Risk
4.  CISA Urges Patching of Palo Alto Networks’ Expedition Tool Flaw
5.  Backdoor account found in 100K+ Zyxel Firewalls, VPN Gateways

Operation Lunar Peek: More Than 2,000 Palo Alto Network Firewalls Hacked

Learn how to prevent payment fraud with effective fraud detection, online prevention solutions, and secure payment orchestration strategies.…

Learn how to prevent payment fraud with effective fraud detection, online prevention solutions, and secure payment orchestration strategies.

****The Basics of Fraud Prevention in Online Payments****

With the surge in e-commerce and digital payments, fraudulent transactions have become more sophisticated, costing businesses billions annually. For businesses, effective **fraud prevention tools** and solutions have become a necessity.

This article explores the essentials of payment fraud prevention, highlighting common threats, the role of payment orchestration platforms with advanced security measures, and best practices to safeguard transactions.

****Common Types of Payment Fraud****

Understanding the **types of fraudulent payments** is the first step in implementing an effective fraud prevention strategy. Here’s the list of the most common types of online payment fraud:

*   **Identity theft:** Fraudsters use stolen identities to make unauthorised purchases or access accounts.
*   **Phishing scams:** Cybercriminals trick users into revealing sensitive payment data and further misuse it.
*   **Card-not-present or CNP fraud**: This occurs during online transactions without the physical card, making verification more difficult.
*   **Chargeback fraud**: Fraudsters make purchases and later dispute the charges to reclaim the funds.

Each of these threats underscores the need for robust online fraud prevention solutions and payment fraud detection systems.

****Essential Security Features for Fraud Prevention****

Investing in advanced security measures is key to mitigating payment fraud risks. Online businesses often implement tokenisation and encryption to secure sensitive payment information by converting it into protected formats that are unusable to fraudsters.

Also, two-factor authentication adds an extra layer of security by requiring dual forms of identification, while AI-powered payment fraud analytics enhance fraud detection by analysing patterns to identify and block fraudulent transactions in real-time.

Traditionally, compliance with PCI DSS standards ensures adherence to the highest levels of payment data protection. Payment processing solutions, including **white-label ISO/MSP** platforms, often incorporate these features, enabling businesses to safeguard against fraudulent transactions effectively.

****Best Practices for Fraud Prevention****

Implementing a comprehensive **fraud prevention strategy** requires a mix of technology, policies, and education. The following list will help you understand the basics.

*   Adopt advanced fraud detection tools. **Utilise AI and machine learning** for real-time monitoring and alerts.
*   Regularly update security protocols. Cyber threats evolve rapidly, necessitating frequent updates to your systems.
*   Educate your team and customers. Training employees and informing customers about common fraud tactics helps mitigate risks.
*   Leverage payment orchestration. Streamlined payment routing with fraud checks reduces vulnerabilities.
*   Conduct payment fraud analytics. Regular analysis of transaction data can reveal patterns indicative of fraud.

By adopting these practices, businesses can better protect themselves against payment fraud while keeping transactions smooth and secure for everyone.

**Conclusion**

Payment fraud is a growing threat that demands businesses to invest in **anti-fraud strategies** and leverage advanced technologies like payment fraud detection and analytics to protect their revenue and reputation. Staying alert and regularly updating fraud prevention strategies is key to long-term success in the world of digital payments.

1.  Best Paid and Free OSINT Tools for 2024
2.  How ID Scanning Apps Can Prevent Fraud
3.  Leveraging AI for Enhanced Threat Detection – Prevention
4.  Imperative of Automating Fraud Detection in Financial Institutions
5.  Why Incident Response Plans Are Key to Cybersecurity Resilience

Fraud Prevention in Online Payments: A Practical Guide

Meta provided some insight into their fight against pig butchering scammers, who are often victims of organized crime themselves

Meta provided insight this week into the company’s efforts in taking down more than 2 million accounts that were connected to pig butchering scams on their owned platforms, Facebook and Instagram.

Pig butchering scams are big business, with hundreds of millions of dollars involved every year. The numbers are not precise because some researchers see these scams as a special kind of romance scam, while others classify them as investment fraud, muddying the numbers based on which group is counting what type of loss.

Still, the general idea is that scammers use elaborate storylines to fatten up victims into believing they are in a romantic or otherwise close personal relationship. Once the victim places enough trust in the scammer, they bring the victim into a cryptocurrency investment scheme. Then comes the “butchering”—an attempt to “bleed” a target dry of their money.

Pig butchering, however, isn’t always a simple case of cybercriminals preying on unsuspecting victims. As Meta described, sometimes the scammers themselves are victims that work in scam centers, mainly located in Asia.

> “These criminal scam hubs lure often unsuspecting job seekers with too-good-to-be-true job postings on local job boards, forums, and recruitment platforms to then force them to work as online scammers, often under the threat of physical abuse.”

These workers not only work on pig butchering scams. They are also forced to engage in a wide range of malicious activities that can involve cryptocurrency and gambling, or they can be tasked to carry out impersonation scams.

Working with expert NGOs and law enforcement partners in the US and Southeast Asia, Meta has focused on investigating and disrupting the activities of the criminal scam centers in Southeast Asia. This has led to the take-down of over two million accounts linked to scam centers in Myanmar, Laos, Cambodia, the United Arab Emirates, and the Philippines.

Despite their location, the targets of the scams can be found all over the globe. The scammers follow playbooks to gain the trust of the targets. Contacting victims initially on social media, dating apps, email, or messaging apps, the scammers later move their interactions to more private channels like scammer-controlled accounts on crypto apps or scam websites masquerading as investment platforms. This pushes victims further into a trap and it removes their ability to report their conversations to a platform that takes this type of abuse seriously.

From here, scammers will continue the charade that they’ve set up wise investments for the targets. But once enough trust has been built to seriously rob a victim, scammers will steal what they can and disappear. As Meta said:

> “Typical of ‘pig butchering’ schemes, the target may be allowed to withdraw small amounts to build trust, but once they start asking for their ‘investment’ back or it becomes clear that they do not have more funds to send to the scammer, overseas scammers typically disappear with all the money.”

**How to avoid becoming the pig**

The good thing about pig butchery scams is that they mostly follow a narrow pattern, with few variations. If you recognize the signs, you stand a very good chance of going about your day with a distinct lack of pig-related issues. The signs are:

*   Receiving stray messages for “someone else” that appear out of the blue. This can be a message directed to someone who does not have your name.
*   The profile picture of the person you’re talking to looks like someone who is a model.
*   Common scam opening lines may involve: Sports, golfing, travel, fitness.
*   At some point they will ask you about investments and/or cryptocurrency.
*   They will ask you to invest or take some of their money and use that instead.

As you can see, there is a very specific goal in mind for the pig butcher scammers, and if you find yourself drawn down this path, the alarm bells should be ringing by step 4 or 5. This is definitely one of those “If it’s too good to be true” moments, and the part where you make your excuses and leave (but not before hitting block and reporting them).

Here’s what you can do to keep yourself safe:

*   Don’t give scammers the information they need. Scammers rely on what you volunteer about yourself online to tweak their script and lure you in. Use tools such as the Malwarebytes Personal Data Remover to minimize the amount of data accessible through search engine results, spam lists, and people search sites.
*   Perform an image search of the photo and the name of the person you’re in touch with. Scammers often steal someone else’s image to use as bait, and stolen identities are rife.
*   Go slow. Scammers tend to rush, building rapport with their victims as quickly as possible before moving in for the money-themed kill.
*   Never give money to anyone you’ve met online
*   Get a second opinion from someone you trust
*   If in doubt, back away and report the account.

If you’ve been impacted by a romance scam, pig butchering, or crypto investment fraud, you can report the crime to the Internet Crimes Complaint Center (IC3), which is run by the FBI, or the FTC on its reporting and resources page.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Meta takes down more than 2 million accounts in fight against pig butchering 

The threat actor known as Mysterious Elephant has been observed using an advanced version of malware called Asynshell.
The attack campaign is said to have used Hajj-themed lures to trick victims into executing a malicious payload under the guise of a Microsoft Compiled HTML Help (CHM) file, the Knownsec 404 team said in an analysis published today.
Mysterious Elephant, which is also known as

APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware

At least 97 major water systems in the US have serious cybersecurity vulnerabilities and compliance issues, raising concerns that cyberattacks could disrupt businesses, industry, and the lives of millions of citizens.

Source: Clare Louise Jackson via Shutterstock

Despite a spate of recent cyberattacks raising the awareness of water-infrastructure vulnerabilities, nearly 100 large community water systems (CWS) continue to have serious security weaknesses in Internet-facing systems, putting the water supply of nearly 27 million Americans at risk.

The critical and high-severity vulnerabilities affect more than 9% of the 1,062 water systems in the United States that serve at least 50,000 people, according to an Environmental Protection Agency (EPA) report released on Nov. 13. The vulnerabilities were discovered through passive assessments conducted in October that looked at more than 75,000 IP addresses and 14,400 domains.

Overall, millions of citizens — along with businesses, schools, and hospitals — rely on the affected water systems. "If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure," the EPA stated.

Over the past three years, water systems have become increasingly targeted by state-sponsored groups, ransomware gangs, and hacktivists. In 2023, Iran-linked cyberattackers compromised programmable logic controllers (PLCs) at a water utility in Pennsylvania, as well as 10 wastewater treatment plants in Israel. In 2021, a hacker targeted a water treatment plant in Florida and even changed the chemical mixture for the water, but did not have the sophistication to evade detection. In September, a water treatment plant in Arkansas City, Kan., switched to manual operation after the facility was the target of a cybersecurity incident.

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

Water system vulnerabilities are a critical issue that could impact businesses, especially power-generation systems and data centers, but especially have the potential to cause human harm, says Vinod D'Souza, head of manufacturing and industry in the Office of the CISO at Google Cloud.

"Water utilities are unique in the \[operational technology\] OT world because they directly impact public health, requiring stringent security to prevent catastrophic consequences like contaminated water supplies," he says. "Their geographical spread and complex systems pose distinct cybersecurity challenges not found in other sectors."

**Water, Water, Everywhere ... Nary a Drop of Security?**

The United States has nearly 150,000 water systems, consisting of three types of public infrastructure. Community water systems (CWS) provide water to residents living in a town or city year-round and account for approximately a third (33.7%) of water systems. Transient noncommunity water systems (TNCWS) supply water to travelers and visitors to a specific location — such as a campground or gas station — but not on a permanent basis. These make up 54.3% of public water systems. The final 12% of systems consist of nontransient noncommunity water systems (NTNCWS), which provide water to people in nonresidential locations — such as schools, businesses, and hospitals.

Related:Going Beyond Secure by Demand

Because many water agencies are small and serving communities, they face the same challenges as other local government agencies: a lack of resources, legacy technology, architectures that were not designed to be defensible, and a lack of visibility, says Paul Shaver, global practice lead for ICS/OT security consulting at Google Cloud's Mandiant division.

"This is compounded by the fact that many municipal water agencies have financial constraints that make it difficult to identify risk and develop security capabilities that are appropriate for their organization size," he says.

By EPA regulation, any water systems serving more than 3,300 people must conduct risk assessments, including cybersecurity assessments, and develop emergency response plans. But most do not have the money, and without the funding, the utilities are hard pressed to comply with regulations, Shaver says.

Related:Small US Cyber Agencies Are Underfunded & That's a Problem

The criticality of these systems and their relative lack of protection has government officials worried. In May, the EPA warned that Iran and Russia had stepped up their attacks on water systems in the United States, while the Cybersecurity and Infrastructure Security Agency (CISA) released a cyber-incident response guide for the water and wastewater sector earlier this year.

The May 2024 alert from the EPA noted that "water systems had inadequate risk and resilience assessments and emergency response plans ... \[and\] found significant failures in best practices, such as failure to change default passwords, use of single logins for all staff, and failure to curtail access by former employees."

**US Needs More Investment in Water System Cyber Defense**

Even with the current requirements, many water utilities are already failing to meet their cybersecurity obligations, Google Cloud's D'Souza says.

"Simply increasing regulations won't solve this problem, and merely highlights the financial constraints preventing utilities from adequately protecting critical infrastructure," he says.

Overall, the federal government needs to do more than offer regulations and best practices. In many respects, the water sector is no different than any other critical infrastructure sector with a great deal of operational technology, says Sean Arrowsmith, head of industrials at NCC Group, a cybersecurity consultancy.

"Generally, OT protocols were designed when security was not so much of a consideration but the devices and infrastructure they run is deployed for a long lifetime and now there are business drivers to collect data from them and converge OT with IT, which is where the security challenges arise," he says.

In addition, Arrowsmith says that the amount of legacy infrastructure and breadth of the attack surface area continues to make securing water infrastructure challenging.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Leaky Cybersecurity Holes Put Water Systems at Risk

A China-linked nation-state group called TAG-112 compromised Tibetan media and university websites in a new cyber espionage campaign designed to facilitate the delivery of the Cobalt Strike post-exploitation toolkit for follow-on information collection.
"The attackers embedded malicious JavaScript in these sites, which spoofed a TLS certificate error to trick visitors into downloading a

China-Linked TAG-112 Targets Tibetan Media with Cobalt Strike Espionage Campaign

73% of globally exposed ICS systems are in the US and Europe, with the US leading at 38%.…

73% of globally exposed ICS systems are in the US and Europe, with the US leading at 38%. Vulnerabilities in outdated protocols and exposed HMIs put critical infrastructure at severe risk, says Censys.

The Internet has revolutionized numerous industries, including manufacturing, energy, and water treatment. However, as more and more **industrial control systems** (ICS) are connected to the internet, they become increasingly vulnerable to cyberattacks. 

According to Censys’ annual State of the Internet Report, shared with Hackread.com, internet-exposed human-machine interfaces (HMIs) are the emerging new threat in ICS security. For your information, HMIs are the graphical interfaces used to monitor and control industrial systems.

The screenshot displays the HMI for a three-pump system, featuring options to monitor alarms, manage controls, and adjust system setpoints (Image credit: Censys).

Researchers at Censys, a leading internet intelligence company, observed that HMIs have become increasingly connected to the internet to enable remote access and management. This connectivity has opened the door to cyberattacks. This is concerning as in 2023 and 2024, we witnessed a series of attacks targeting internet-exposed HMIs, demonstrating the potential for significant disruption and damage.

One notable attack was carried out by the CyberAv3ngers, an Iranian hacking group, **who targeted** a water treatment facility in Pennsylvania, exploited a vulnerable HMI to gain control of the system and defaced it with an anti-Israel message. Another significant attack was from the Cyber Army of Russia Reborn, which **attacked** water facilities in Texas, manipulating HMIs to cause water storage tanks to overflow.

Censys’ report reveals that there are over 145,000 exposed ICS services worldwide, and over 40,000 Internet-connected ICS located in the United States with over half of them linked to building control and automation protocols.

“38% of these services are in North America, 35% are in Europe, and 22% are in Asia. The U.S. alone is responsible for over one-third of global ICS service exposures,” Censys’ **report** read.

The study also found that 18,000 exposed devices were more likely to control industrial systems. In the UK, approximately 1,500 control systems exposed on the public Internet were identified through scans of 18 automation protocols. Over 80% of these administration interfaces are for building controls.

Additionally, over 50% of hosts running low-level automation protocols are concentrated in ISPs, while over 80% of hosts running exposed HMIs are found in wireless networks like Verizon and AT&T. Moreover, about half of the HMIs associated with Water and Wastewater could be manipulated without authentication.

These exposed systems become a tempting target for cybercriminals and nation-state actors who could potentially disrupt critical infrastructure.

Researchers have also observed a high prevalence of outdated and insecure protocols. Many of these protocols, such as Modbus, S7, and IEC 60870-5-104, are decades old and lack advanced security features. Researchers discovered nearly 200 hosts running HMIs that were also running products from vendors explicitly prohibited by the US’s National Defense Authorization Act (NDAA) Section 889. 

The report highlights the need for operators to be mindful of what products and software they allow to run alongside industrial processes. Researchers recommend that security teams must examine the exposure of these protocols and HMIs, which for a vital component of the security of industrial control systems.

1.  **Malware can fully compromise building control systems**
2.  **Flaws can let hackers physically damage moving bridges**
3.  **Flaws in US Drinking Water Systems Put 26 Million at Risk**
4.  **Propump and Controls’ Osprey Pump Controller vulnerable**
5.  **Ransomware targeted SCADA systems of 3 US water facilities**

US and Europe Account for 73% of Global Exposed ICS Systems

This Metasploit module exploits vulnerabilities in OpenPrinting CUPS, which is running by default on most Linux distributions. The vulnerabilities allow an attacker on the LAN to advertise a malicious printer that triggers remote code execution when a victim sends a print job to the malicious printer. Successful exploitation requires user interaction, but no CUPS services need to be reachable via accessible ports. Code execution occurs in the context of the lp user. Affected versions are cups-browsed less than or equal to 2.0.1, libcupsfilters versions 2.1b1 and below, libppd versions 2.1b1 and below, and cups-filters versions 2.0.1 and below.

Latest News