The 12-member group will compete at the first all-women's capture-the-flag competition this November at the Kunoichi Cyber Games in Tokyo.

Source: Dmytro Sidelnikov via Alamy Stock Photo

Do they have what it takes to capture the flag? 

The 12 members of a new cyberteam will find out this fall, when four international teams meet at the Kunoichi Cyber Games to see whose cybersecurity athletes have what it takes to win in an intense cyberskills tournament. These cyber athletes will have to demonstrate their mastery of forensics, Web security, reverse engineering, binary exploitation, and cryptography in competition at the 2024 Code Blue Conference, Nov. 14 to 15, in Tokyo.

The cyber athletes come from across the United States. Some are college students, participating in their first cyber-gaming competitions. Others are cybersecurity professionals, who have been working in the industry. All of them are women. 

The Women's Cyber Team will be officially commissioned at Cybersecurity Career Week, an event sponsored by the House Cybersecurity Caucus, NICE, and SANS, in Washington, DC, on Sept. 19, kicking off the cyber season of competition for the fledgling team.

The US team will take on the teams from Japan, the United Kingdom, and the European Union during the competition. Five members and two substitutes will compete for eight hours in a capture-the-flag (CTF) contest, as well as an attack-and-defense competition. Each team member has a specialty area of focus and a subspecialty. 

**Developing Skills, Confidence**

The team is helmed by cybersecurity gaming veteran Ken Jenkins, CTO of Cymonix. A participant in many CTF and cyber tournaments held over the years, Jenkins was the head coach of the co-ed US Cyber Team in season 2 and the assistant head coach in season 3. The co-ed team is preparing for season 4's international competition later this year in Chile. 

For Jenkins, cyber gaming gives athletes the ability to flex their cyber muscles while developing skills and confidence – without their activities posing a threat to any actual business operations. 

"I think it really helps overcome imposter syndrome. It's also very validating of skills. They help you identify gaps and weaknesses. It also brings you together in a very safe place where you can make mistakes, and it doesn't cause a business outage, he says. "I remember days of defending a network where I did the same 30 things, right? I logged into this system, checked these alerts, did this, analyzed this file. Wash, rinse, repeat, for weeks on end."

Gamers, however, get the ability to reverse engineer a piece of malware or participate in red-team engagements that give them a plethora of new skills that they don’t get to exercise every day. 

**How the Team Came Together**

Choosing the 12 competitors for the team was no easy task, notes Chelsie Cooper, the team's assistant head coach and a senior intelligence analyst at CrowdStrike. 

Around 50 hopeful athletes participated in season IV of the US Cyber Open CTF in June. This initial pool was then culled to a smaller group based on an assessment that included scores from participating in any of the National Cyber League or US Cyber Open competitions. A smaller pool of candidates were interviewed, and their soft skills were as important as their cybersecurity chops, focusing on leadership and communication skills. 

"All of that came together in a very, very, very hard decision to only pick 12 of them because of all of them, they are very talented – well beyond their years," Cooper says. "They are going places."

Cooper's role as assistant head coach isn't to motivate the team, she says, because they're already incredibly driven. Rather, the focus is on strengthening existing skills and identifying knowledge and skills gaps.

"It's more so of a mentoring opportunity for us than it is anything else because they have the talent and they have the drive," she says. "We're just there to help guide them along the way to the competition."

Leading up to the November competition, the team has been holding biweekly virtual office hours with the coaches, discussing logistics and working on competition skills. Each team member also has a buddy. The older, more experienced players who have competition experience are mentoring younger members to bolster their weak spots and build confidence. 

**Building a Talent Pipeline**

While the co-ed US Cyber Team is for players ages 18 to 25, this new team recruited women ages 18 to 29 for the first year in an effort to build a pipeline of experienced women who could serve as coaches and mentors for future teams, says US Cyber Games Commissioner Jessica Gulick.

"In our field, with cyber games, even though you know cybersecurity and you're a cybersecurity professional, it doesn't automatically make you a good player for the game," Gulick says. "So having that experience is incredibly valuable."

The US Cyber Games program is in its fourth year; the co-ed team has 30 athletes, three of whom are women. Two of those women are also on the US Women's Cyber Team, including Shiloh Smiles, 24, a graduate of The Citadel in Charleston, SC. Smiles is pursuing a graduate degree in computer and electrical engineering at George Mason University, while also working as a penetration tester for the US Navy. 

For Smiles, the women's cybersecurity team offers a unique opportunity to combine a skill-building competition with social ambassadorship – and a way to make friends who share a common interest and will face some of the same workplace challenges. Women make up less than a quarter of the cybersecurity workforce. 

"Working in the military community, there are not many women, so it's very rare that I meet another woman who is technical," Smiles says. "That's been the best part of the team so far – to meet 11 other women who are highly technical. I just think it is super-duper cool. And we have the upcoming competition in November, which is going to be an all-women competition. So that's another opportunity to meet women from all over the world that are, again, highly technical. That's definitely what I'm most excited for – the networking in the community."

For 19-year-old Sarah Ogden, a student at Northern Kentucky University and one of the team's younger athletes, the opportunity to learn and develop her cybersecurity skills has been a motivating factor. She had participated in CTFs in the past, so she jumped at the chance to join the team – and travel internationally. Ogden says she is looking forward to checking out the variety of vending machines in Tokyo, but when it comes to the games itself, she is keeping her expectations in check.

"What I'm most looking forward to is trying to learn as much as I can," Ogden says. "I feel like my expectations are kind of low, so I'm not trying to stress myself out too much, just doing our best."

Head coach Jenkins would love for his team to come in first place in Tokyo, but winning isn't the only focus.

"We're really more focused on bringing the countries together, bringing the women together, having them share their experiences," Jenkins says. "I used to be dead-set on, 'We have to win, right?' But it's not the only thing that matters in this inaugural year."

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Ready to Rumble: US Women's Cyber Team Preps for Global CTF Contest

Regulators fine AT&T $13 million for failing to protect customer information held by a third-party vendor, and extend consumer data protections to the cloud.

Source: B Christopher via Alamy Stock Photo

The Federal Communications Commission fined AT&T $13 million and ordered it to tighten up its privacy and security practices in the wake of a catastrophic third-party compromise.

The commission also used its authority under the Communications Act of 1934 to extend consumer protections to the cloud, finding AT&T failed to maintain proper oversight of a third-party provider.

That vendor, data warehousing provider Snowflake, reportedly was compromised in January 2023, exposing a host of organizations' sensitive data, among them AT&T's. In the weeks that followed the breach, AT&T acknowledged "nearly all" its customers were affected by exfiltrated call and text records, phone numbers, and other personally identifiable information.

Following an investigation, the FCC ruled on Sept. 16 that Snowflake should have been required to "destroy or return" the information years prior to the incident, and finding AT&T responsible for failing to appropriately protect its customer data.

"The Commission expects carriers to meet the requirement of the \[Communications Act of 1934\] and the Commission's rules, including to take 'every reasonable precaution' to protect customers' proprietary or personal information," the agency said in its ruling. "That includes reasonable practices as they relate to cloud security, data retention, and disposal."

In addition to the fine, the FCC ordered AT&T to improve its overall information security controls and practices, including "multifaceted vendor controls and oversight."

**About the Author**

FCC: AT&amp;T Didn't Adequately Protect Customers' Cloud Data

Hackers sent a convincing lure document, but after 20 years of similar attacks, the target organization was well prepared.

Source: elifbayraktar via Alamy Stock Photo

A meeting of influential figures in and around the US and Taiwanese defense industries has been targeted by a phishing attack carrying fileless malware.

The 23rd US-Taiwan Defense Industry Conference will be held next week in Philadelphia's Logan Square neighborhood. Closed to the press, it will feature speakers from government, defense, academia, and commercial sectors in the US and Taiwan. The focus, according to its website, will be "addressing the future of US defense cooperation with Taiwan, the defense procurement process, and Taiwan's defense and national security needs."

Recently, the US-Taiwan Business Council — the organization behind the event — was sent a malicious forgery of its own registration form. The form was paired with information-stealing malware designed to execute entirely in memory, making it more difficult to detect with traditional antivirus software. Thanks to diligent anti-phishing preparations, however, the council quickly rebuffed the attack.

**Threats to a Taiwan Defense Conference**

Eight years ago, a Chinese phishing email was sent to members of Taiwan's defense industry, including some attendees of the 15th US-Taiwan Defense Industry Conference. Even by then, though, it was old hat.

"In the period from 2003 to 2011, we were heavily targeted with spear-phishing emails constantly," reports Lotta Danielsson, vice president of the US-Taiwan Business Council. "There was an uptick in 2016-2017, but it has been very quiet for the last several years. Usually, it increases in the leadup to and right after the annual defense conference, then it subsides again."

In the leadup to this year's conference, rather than attendees, the attack seemed to target the council itself. It came in an email, from an individual posing as a potential attendee. Rather than use the event's online form, the impersonator sent a filled out copy of the registration form as a PDF, which attendees can do if they experience technical issues with the site.

Source: Cyble

The document, according to analysis from Cyble, came with a ZIP file that was supposed to drop a malicious Windows shortcut (LNK) file. If opened, the LNK would have established persistence on its targeted machine by placing an executable file in the Windows startup folder. Upon reboot, the executable would download additional payloads to be executed directly in the machine's memory, without saving any files to disk. Ultimately, the malware could exfiltrate data back to an attacker-controlled server through Web requests designed to blend with normal network traffic.

Cyble researchers were unable to tie the attack to any specific threat actor. They noted, however, that Chinese entities in particular have a long history of targeting Taiwan.

"We've seen very clearly in the last few years that there are a lot of problems in East Asian geopolitics — military-related movements in the South China Sea, very sharp comments coming from Taiwan and China. And it looks like nation states are interested in US-Taiwan defense cooperation," says Kaustubh Medhe, head of research and intelligence for Cyble.

This latest phishing attempt fits neatly into that picture. "We have a strong suspicion that this could be used as a stealthy technique to perform long-term surveillance of people with a specific interest in this particular topic," he says.

**A Textbook Case of How to Prevent Phishing**

As Danielsson recalls, "We have been targeted by these types of spear phishing emails for a long time — more than 20 years — so we flagged it as suspicious right away. We did not open the file. Instead, we submitted it to VirusTotal and confirmed that it was malicious. Then we deleted it, and that was pretty much it."

She highlights a few keys to success that have helped the Council easily swat away its many phishing attacks over the years. "One is educational, so the entire staff is well educated on these types of attacks. Nobody clicks links in emails, or opens documents sent via email, unless we have talked to people directly and are expecting them. Even then, we often scan them before opening, unless the presumed content is very sensitive, in which case we will call people to double-check that they sent them," she says.

Besides that, she adds, "We keep our email clients text-only so it's easy to see any obfuscation of links right away. I log all traffic in and out of our system and keep an eye out for anomalies. We also take our entire system offline at night and on weekends, air-gapping our computers and internal IT systems. This is doable because we are a small office with three people, something that might be harder for a larger organization. I also have some relationships with people who work in the cybersecurity industry, and they have helped us think through what to do if we do end up failing to prevent an issue. We want to be prepared if it does."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Phishing Espionage Attack Targets US-Taiwan Defense Conference

Despite security updates to protect data, 45% of total enterprise instances of the cloud-based IT management platform leaked PII, internal system details, and active credentials over the past year.

Source: Rafa Press via Shutterstock

One-thousand instances of enterprise knowledge bases (KBs) hosted by ServiceNow were found to be exposing sensitive corporate data over the past year, despite improvements in data protection that the company put in place last year to avoid such security issues.

Based on security research conducted by software-as-a-service (SaaS) security firm AppOmni, nearly 45% of total enterprise instances of ServiceNow KBs leak sensitive data, including personally identifiable information (PII), internal system details, and active credentials/tokens to live production systems.

AppOmni chief of SaaS security research Aaron Costello in an analysis published on Sept. 17 attributed the security holes to "outdated configurations and misconfigured access controls in KBs," likely indicating "a systematic misunderstanding of KB access controls or possibly the accidental replication of at least one instance's poor controls to another through cloning," he wrote.

In fact, in many of the cases, organizations with more than one instance of ServiceNow had consistently misconfigured KB access controls across each one, the researchers found.

ServiceNow is a cloud-based IT service management platform. Last year, the company introduced security updates to its platform to prevent unauthenticated users from getting access to data, including default enhancements to access control lists (ACLs). However, the improvements didn't seem to have a great impact on its KBs, a "treasure trove of sensitive internal data" not meant to be seen by those outside of the organization, Costello noted.

**Why Leaks Despite Security Improvements?**

AppOmni revealed its findings to ServiceNow, which worked with its customers to evaluate the instances of customer data leaks and "appropriately configure the accessibility of KB articles," ServiceNow CISO Ben De Bont said in a statement published with AppOmni's analysis.

"We are committed to protecting our customers' data, and security researchers are important partners in our ongoing efforts to improve the security of our products," De Bont said. He thanked Costello and AppOmni not only for identifying the security gap, but also delaying publication of their findings until ServiceNow could coordinate mitigations with customers.

As mentioned, ServiceNow made two key changes to its data protections last year in an effort to improve the security of data hosted on its platform. One was to add properties to prevent select widgets from granting unauthenticated users access to data unless explicitly set to do so, while the second was a new feature called Security Attributes, which is applied to most ACLs by default. It includes specific verifications to ensure unauthenticated users are not allowed access to data.

These updates did not protect data in KBs for two reasons, Costello noted. One is that public widgets that can be used to access the content of KB articles did not receive the update, he wrote. The second reason is that the majority of KBs are secured using a feature called User Criteria as opposed to ACLs, "rendering the addition of the 'UserIsAuthenticated' Security Attribute redundant since it is an ACL-exclusive feature," Costello noted.

Though this may explain the issues found with ServiceNow's KB exposure, it doesn't necessarily explain why organizations in general struggle to lock down KBs. What Costello found in his research is that most enterprise instances — or 60% of the cases he examined — retain an insecure KB security property to "allow public access by default," Costello said.

Moreover, many administrators are unaware that there are various criteria that grant access to unauthenticated users in KB configurations, allowing "external users to slip through the cracks and be granted access," Costello wrote.

**How to Mitigate KB Data Exposure**

Indeed, ServiceNow isn't the only hosting provider to have issues with data leakage from KBs, notes Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4. Microsoft, too, experienced a similar issue with leaking client data, "including complete memory dumps, exposed in help desk-type data," he says.

However, pointing fingers at SaaS providers when security issues like KB data leaks arise isn't going to help combat the problem, and organizations also need to take responsibility for the security of their own KBs.

"The reality is that we are all learning how to best secure our data in this world of hyper-connectivity and always online accessible content," he says. "Instead of blaming the vendor, let's use this additional instance of the type of problem to examine our own policies and processes."

Costello suggested ways organizations can do that, including running regular diagnostics on KB access controls to keep security configurations updated, and using business rules to deny unauthenticated access to KB content by default.

They also should be aware of the relevant security properties of KBs, which act as important security guardrails affecting how access control is dictated when both internal and external users attempt to access data, he said.

Keeping in contact with ServiceNow (as well as other SaaS providers that are responsible for hosting sensitive corporate data), and ensuring security updates and efforts are up-to-date can help prevent data exposure, Costello added.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Thousands of ServiceNow KB Instances Expose Sensitive Corporate Data

Ultimately, the goal of businesses and cyber insurers alike is to build more resilient IT environments to avoid cyberattacks and the ransom, downtime, and reputation hit that come along with them.

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY

The rising cost of cyberattacks, including downtime, investigations, lawsuits, ransoms, and more are prompting cyber insurers to re-examine underwriting and encourage greater cyber resiliency in their customer bases. With the influx of cyber-insurance claims stemming from the CrowdStrike IT outage and the exorbitant price of recovering from data breaches — $4.88 million, on average, according to IBM — the cyber-insurance industry will continue to self-correct and evolve to fit market needs while maintaining profitability.

Insurers will come away from July's widespread IT outage relatively unscathed, as the outages were caused by a vendor error, not a cyberattack, and because it was fixed fairly quickly. Still, insurer Parametrix estimates insured losses from US Fortune 500 companies will total $540 million to $1.08 billion, not even including Microsoft. Now, imagine this is a cyberattack that goes through a third-party software-as-a-service (SaaS) provider and takes down a similar swath of business, but recovery is slower, and companies must pay ransoms to recoup their data. How many billions of dollars will cyber insurers be out then? 

Because cybersecurity is still a relatively new corner of the insurance market, ambiguity remains around what should be covered, the role cyber insurance plays in potentially encouraging ransom payments, etc. There's no doubt that it's still finding its footing, figuring out in real-time and on a world stage how to insure companies against rapidly changing and advancing cybersecurity threats.

This evolution will be what finally causes businesses to face reality and prioritize cyber resiliency to ensure data is always recoverable in the event their primary network is taken offline or data is held for ransom. Companies may not take it upon themselves to invest in better data protection practices, and the cyber-insurance market ultimately will force their hand.

**Cyber Insurers Drag Us Into the Future**

Over the past five years, the rise of ransomware has shifted not only an organization's risk profile but also the estimated payouts. In many insurance policies, it's all about risk mitigation, but unless an underwriter can accurately assess the risk or implement requirements to mitigate the threat, it becomes a financial business risk for the insurance company. Therefore, cyber-insurance prices have significantly risen along with the bar to qualify for coverage.

Many of the new requirements focus on data storage and backups. Segmented, encrypted, and immutable backups are the industry standard, but because of limited resources, unawareness, or segmented cybersecurity teams, it hasn't always been a prioritized industry standard. Now, companies will have no choice but to up their game if they want coverage. Those who fail to adopt these requirements will be left without insurance or an effective recovery plan, unable to financially recover when the inevitable ransomware attack hits.

However, in June, businesses stood before the House Homeland Security Committee and told Congress that they are struggling to obtain cyber insurance, and even once insurance is secured, they struggle to understand the nuances of what's covered. Plus, ransom payments themselves are increasing as cybercriminals learn they can demand, and receive, large payouts. According to Chainalysis, the median ransom payment in 2024 was $1.5 million as of July, a huge increase from $200,000 in early 2023.

Because such a significant portion of companies are uncertain what is actually covered by their cyber insurance — around 40%, according to Sophos — they can't risk having to pay the whole ransom themselves or face never recovering their valuable data. Companies must do what they can to reduce their own risk.

**Recoverable Data Is Its Own Form of Cyber Insurance**

Companies can reduce the cost of attacks by ensuring data remains recoverable, mitigating operational downtime, and preventing the need to pay ransoms. Ransomware relies on the fact that production or backup data is made useless for organizations to recover following an attack, but with immutable backup in place, organizations ensure access to their data remains. This is especially true as ransomware is now targeting backups specifically.

Immutability is a must-have for any type of backup storage because it is time-based, not key-based like encryption. This means that there is truly no way (outside of destruction of the physical hardware) to alter or remove the backup data once it is written into a device that has object lock, i.e., immutability, enabled. You can truly maximize this strategy by encrypting backup data before writing it to immutable storage; that way, it's unreadable (unless you have the key) and unalterable. 

It's also important to ensure that a disaster recovery plan is in place that includes a multilevel backup solution and disaster recovery testing on a weekly and monthly basis to get ahead of any potential issues. Once these are implemented, keep copies of all the backup tests to prove to an insurance company that you have a lower risk factor. 

Ultimately, the goal of businesses and cyber insurers alike is to build more-resilient IT environments to avoid cyberattacks and the ransom, downtime, and reputation hit that come along with them. Law enforcement will continue to fight cybercrime, but there's no indication it will let up. Changes in the cyber-insurance market have the potential to disrupt the threat landscape by prompting the ubiquitous adoption of backup best practices and cyber resiliency.

**About the Author**

CEO, Object First

Object First CEO, David Bennett is a tech veteran and a seasoned channel executive with more than 30 years of IT channel leadership. Before joining Object First, he was CEO of Axcient and chief revenue officer at Webroot. Bennett has also held international leadership roles within such companies as Lenovo, Sony, and Kingston. British-born, he now resides in Colorado with his wife and family.

How Shifts in Cyber Insurance Are Affecting the Security Landscape

Can cyber defenders use the presence of infostealers as a canary in the coal mine to preempt ransomware attacks?

Source: Jim West via Alamy Stock Photo

Nearly a third of companies that fell victim to ransomware last year had at least one infostealer infection in the months prior to their attack.

Cyberattacks, but particularly ransomware attacks, only work when they're a surprise. It's why ransom notes through history have almost always opened by simply stating the facts: "Your network has been penetrated," or "Oops, your files have been encrypted." Companies with any notion that an attack is about to come can easily rebuff it simply by backing up and encrypting their files. That's why it's so interesting that, as SpyCloud notes in its 2024 "Malware and Ransomware Defense Report," nearly a third of all ransomware events last year were foreshadowed by an infostealer infection in the 16 weeks prior.

Infostealers before ransomware is a useful combination for attackers. What's less clear is whether it could be useful for defenders, to help reduce attackers' surprise advantage.

**Ransomware's Canary?**

In a recent attack observed by Sophos, the Qilin ransomware gang breached its target via a VPN portal. It waited 18 days, then deployed a custom infostealer to grab credentials from Google Chrome. Only later did it drop any actual ransomware.

High-level groups like Qilin might have the capacity for turnkey jobs, but perhaps more common are cases where initial access brokers (IABs) partner with ransomware actors to split things up.

Stephen Robinson, senior threat intelligence analyst at WithSecure, was investigating such a case last year. The perpetrator was a Vietnamese malware-as-a-service (MaaS) operation, delivering payloads like the DarkGate remote access Trojan (RAT) against companies in digital marketing. "The thing with \[tools like\] DarkGate is that it's one of those pieces of malware that will do infostealing or credential stealing, but also a bunch of other functions like cryptocurrency theft, and delivering ransomware," Robinson explains. The Vietnamese threat actors didn't have to perform ransomware attacks themselves. Instead, IABs like them can plant DarkGate — or RedLine, Qakbot, or Raccoon — far and wide, then sell the access they afford to the next baddies down the line, allowing both sides of the exchange to specialize in what they do best.

In its 2024 "Crypto Crime Report," blockchain analysis firm Chainalysis discovered "a correlation between inflows to IAB wallets and an upsurge in ransomware payments." For example, the ransomware group depicted in the chart below spent thousands of dollars with multiple IABs in the course of its multimillion-dollar campaigns.

Source: Chainalysis

"It definitely seems, to me at least, that this is trending upward," says Trevor Hilligoss, vice president of SpyCloud Labs. "It makes sense if you think about it. Malware-as-a-service is easy, it's cheap. A couple hundred bucks a month gets you access to a pre-built package for attacks, and a lot of these stealers have been adding more functionality."

**Can Infostealers Be Used to Predict Ransomware?**

The literally million-dollar question is this: If 30% of ransomware attacks are preceded by infostealers, can the presence of an infostealer in one's network be used to predict oncoming ransomware, giving defenders a window of time to prepare?

"It really depends on who you are," Hilligoss says. When an infostealer pops up on your network, "If you are an admin of a large, multinational insurance group, I would be very concerned, and I would think that ransomware is probably not too far away. If you're \[an individual\] person or you're a small business, your alarm would go down proportionally." Chainalysis suggested the same, writing that "monitoring IABs could provide early warning signs and allow for potential intervention and mitigation of attacks."

Robinson takes the less optimistic view, arguing that the first steps in an attack chain tend to look quite similar, no matter the threat actor.

"The issue is that someone gets access, steals some credentials, or installs a remote monitoring management tool (RMM). From that first step, you can't now predict what's going to come next," he says. "We had one case where a network was compromised by five or six different groups. There was North Korea, some cryptocurrency miners, there was a ransomware group, there was an IAB. And you couldn't tell what the next step was going to be for each one of them until they took it, because those first steps were all the same. And that's the thing with infostealers."

Either way, Hilligoss advises, "If you see this happens, then rapidly remediate. Find the exposure, figure out all of the data that was stolen from your network, go through it, and reset those credentials — reset those authentication tokens, reissue those API keys — as quickly as possible. That's going to make it really hard for a ransomware actor that has access to that information to actually use it."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Infostealers: An Early Warning for Ransomware Attacks

Increasing attacks by the OilRig/APT34 group linked to Iran's Ministry of Intelligence and Security show that the nation's capabilities are growing, and targeting regional allies and enemies alike.

Source: Novikov Aleksey via Shutterstock

In its latest cyberattack on a Middle Eastern nation using its proxies in cyberspace, Iran continues to ramp up its cyber operations against rivals and allies.

In the attack, a cyberespionage group linked to Iran's Ministry of Intelligence and Security (MOIS) and known as APT34 targeted government ministries in Iraq, a nation that was once an enemy and now is sometimes a rival and sometimes an ally of Iran. The attack had all the hallmarks of the group, also known as Hazel Sandstorm: custom infrastructure using email tunneling for communications, use of two malware programs similar to previous APT34 code, and domain-naming schemes similar to previous operations.

Previous attacks by APT34 (aka OilRig, Helix Kitten, and Hazel Sandstorm) using similar tools and methods targeted other nations in the region, including Jordan, Lebanon, and Pakistan, according to an analysis by cybersecurity firm Check Point's research group.

"The goal is likely espionage, because those countries are at least, to some degree, allies of Iran, so I don't think, in this case, the main goal is destruction," says Sergey Shykevich, threat intelligence group manager at Check Point Research. "We also don't have any hints on the technological side that there is any destructive goal, and from what we do see — specifically in Iraq — we clearly see that the goal is data exfiltration and \[the like\]."

Following the start of the conflict between Israel and Hamas nearly a year ago, rivalries and relationships throughout the region have changed. In late spring, Iran criticized Jordan — and to a lesser extent other Arab nations — for reportedly helping Israel track and interdict missiles during Iran's April 13 attack on the Jewish nation. Meanwhile, Iraq continues to have strong ties to Iran through proxy networks and political parties aligned with Iran.

**Iran's Cyber Operations Grow**

At the same time, Iran has expanded its cyber operations strategy in the region. A group linked to the Iranian Islamic Revolutionary Guard Corps (IRGC) — and known variously as APT33 (Mandiant) and Peach Sandstorm (Microsoft) — has targeted communications equipment, government agencies, and the oil-and-gas industry in the United Arab Emirates and the United States, typically to gather intelligence, Microsoft stated in August.

Late last month, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that the Iranian group Lemon Sandstorm, also known as Fox Kitten, had leveled ransomware attacks against various countries, and another group, Charming Kitten, or APT42, targeted individuals associated with both the Democratic and Republican presidential campaigns.

Iran is increasingly flexing its muscles in cyberspace, and especially against rivals throughout the Middle East region, says Mohamed Fahmy, a cyberthreat intelligence researcher with cybersecurity firm Trend Micro.

"Iranian APT groups, including APT34, have become very active recently in targeting the Middle East, particularly the government sector in the Gulf region," he says. "From what we’ve seen of APT34’s toolset and activities, they aim to infiltrate entities as much as possible, leveraging compromised infrastructure to launch further attacks. ... APT34's primary goals seem to be espionage and stealing sensitive government information."

**Evasive New Malware: Veaty and Spearal**

In the latest campaign, APT34 used fake document attachments targeting Iraq between March and May of this year, and likely used social engineering to convince users to open the links and run an installer. The attack results in the installation a .NET backdoor. Currently, one backdoor is called Veaty and the other Spearal, and both malware binaries allow command-and-control (C2) of compromised systems.

The techniques used by Veaty and Spearal show similarities to two other malware families — known as Karkoff and Saitama — both of which are attributed to APT34, Check Point stated in its analysis.

Iranian cyber operations groups tend to use custom DNS tunneling protocols and a C2 channel based on email subject lines, according to the research: "This distinctive blend of straightforward tools, written in .NET, combined with sophisticated C2 infrastructure, is common among similar Iranian threat actors."

The capabilities of APT34 and Iran's other groups will only increase, says Check Point's Shykevich.

"They just improve it," he says. "They just use the same content, but each target, or each country they attack, they deploy a new generation of the same concept ..., where they improve it and make it more stealthy \[or add other features\]."

Companies in the Middle East should focus on implementing a zero-trust architecture to strengthen defenses, including establishing a mature security operations center (SOC) with managed endpoint detection and response (MDR) capabilities, says Trend Micro's Fahmy.

The increased geopolitical tensions in the region will only mean increasing efforts to gain intelligence through cyberattacks, he says.

"Government sectors in the Middle East and Gulf region should take this threat seriously," he says. "These groups aim to blend into the network environment by customizing their malware to avoid detection, \[so\] understanding their techniques, which have not changed significantly, is crucial."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

As Geopolitical Tensions Mount, Iran's Cyber Operations Grow

The latest Secure by Design alert from CISA outlines recommended actions security teams should implement to reduce the prevalence of cross-site scripting vulnerabilities in software.

Source: Oleksiy Maksymenko via Alamy Stock Photo

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are urging organizations to focus on eliminating cross-site scripting vulnerabilities in their products before shipping them.

"Vulnerabilities like cross-site scripting (XSS) continue to appear in software, enabling threat actors to exploit them," the agencies wrote in their latest Secure by Design alert. "\[XSS\] vulnerabilities are preventable and should not be present in software products."

XSS vulnerabilities occur in Web applications when the developer did not properly validate, sanitize, or escape inputs. Malicious actors can use those input fields to insert and execute malicious scripts into the application, allowing them to manipulate and steal data. XSS was rated second on MITRE's list of top 25 most dangerous software flaws in 2022 and is also included in OWASP Top 10. XSS flaws can be found in around two-thirds of all applications, according to OWASP.

CISA listed the following recommendations:

*   Review written threat models.
    
*   Ensure software validates input for both structure and meaning.
    
*   Use modern Web frameworks that offer easy-to-use functions for output encoding, to ensure proper escaping and quoting.
    
    "\[These\] frameworks make it so that the burden doesn't fall on developers to correctly escape user input every time," the alert noted. The frameworks also have guidance on preventing edge cases that may lead to XSS vulnerabilities. And in cases where Web frameworks are unavailable, teams should ensure all user input in Web applications are properly escaped or sanitized.
    

*   Implement adversarial product testing to optimize code quality and security.
    

"Senior executives and business leaders should ask their teams how they are working to eliminate these defects and whether they are implementing a secure by design approach in their products," the alert said.

CISA unveiled its Secure by Design initiative in April 2023 to urge software manufacturers to focus on shipping products that are secure by design. There is a self-attestation form and a repository that software makers can use to provide security details about their products. Over 60 vendors have signed the Secure by Design pledge, announcing their commitment to apply the seven core goals outlined by CISA, including using multifactor authentication, reducing default passwords, reducing the prevalence of certain vulnerability classes, and improving patching.

The XSS alert is the seventh Secure by Design alert from CISA. These alerts highlight vulnerabilities that persist in software despite the availability of effective mitigations. The July alert urged software companies to eliminate path OS command injection vulnerabilities. The May and March alerts focused on eliminating path traversal and SQL injection flaws. In January, CISA provided guidance on how to secure small office/home office routers against attempts to hijack them. Alerts last year recommended companies stop shipping software and devices with default passwords and secure Web management interfaces from attack.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

CISA Urges Software Makers to Eliminate XSS Flaws

A researcher bypassed the Calendar sandbox, Gatekeeper, and TCC in a chain attack that allowed for wanton theft of iCloud photos.

Source: Bjanka Kadic via Alamy Stock Photo

A zero-click chain of critical-, medium-, and low-severity vulnerabilities in macOS could have allowed attackers to undermine macOS's brand name security protections and ultimately compromise victims' iCloud data.

The story begins with a lack of sanitization of files attached to Calendar events. From there, researcher Mikko Kenttälä discovered he could achieve remote code execution (RCE) on targeted systems, and access sensitive data — in his experiments, he used iCloud Photos. No step in the process required any user interaction, and neither Apple's Gatekeeper nor Transparency, Consent, and Control (TCC) protections could stop it.

**Zero-Click Exploit Chain in macOS**

The all-important first bug in the chain — CVE-2022-46723 — was awarded a "critical" 9.8 out of 10 CVSS score back in February 2023.

It wasn't just dangerous, it was simple to exploit. An attacker could simply send the victim a calendar invite containing a malicious file. Because macOS failed to properly vet the filename, the attacker could name it arbitrarily, to variously interesting effect.

For example, they could name it with the goal of deleting a specific, preexisting system file. If they gave it the same name as an existing file, then deleted the calendar event through which they delivered it, the system would delete both the malicious file and the original file it mimicked, for whatever reason.

More dangerous was the potential for an attacker to perform path traversal, naming their attachment in such a way that would allow it to escape the Calendar's sandbox, where attached files are supposed to be saved, to other locations on the system.

Kenttälä used this arbitrary file write power to take advantage of an operating system upgrade (at the time of discovery, macOS Ventura was about to be released). First, he created a file mimicking a Siri-suggested repeating calendar event, hiding alerts that would trigger the execution of further files during a migration. One of those follow-on files was responsible for migrating old calendar data to the new system. Another allowed him to mount a network share from Samba, the open source Server Message Block (SMB) protocol, without triggering a security flag. Another two files triggered the launch of a malicious app.

**Undermining Apple's Native Security Controls**

The malicious app snuck in without raising any alarm, thanks to a bypass in macOS's Gatekeeper security feature — the thing standing in the way of Mac systems and untrusted apps. Labeled CVE-2023-40344, it was assigned a medium-severity 5.5 out of 10 CVSS rating back in January 2024.

Gatekeeper, though, wasn't the only signature macOS security feature undermined in the attack. Using a script launched by the malicious app, Kenttälä successfully replaced the configuration file associated with iCloud Photos with a malicious one. This re-pointed Photos to a custom path, outside of the protection of TCC, the protocol macOS uses to ensure apps don't improperly access sensitive data and resources. The re-pointing, CVE-2023-40434 — with a "low" 3.3 CVSS severity score — opened the door to wanton theft of photos, which could be exfiltrated to foreign servers with "trivial modifications."

"MacOS's Gatekeeper and TCC are critical for ensuring only trusted software is installed and managing access to sensitive data," explains Callie Guenther, senior manager of cyber threat research for Critical Start. "However, the zero-click vulnerability in macOS Calendar showed how attackers can bypass these protections by exploiting sandbox processes." Guenther notes, though, that macOS isn't uniquely vulnerable to these types of attacks: "Similar vulnerabilities exist in Windows, where Device Guard and SmartScreen can be bypassed using techniques like privilege escalation or exploiting kernel vulnerabilities."

For example, she adds, "Attackers have used DLL hijacking or sandbox escape methods to defeat Windows security controls. Both operating systems rely on robust security frameworks, but persistent adversaries — especially APT groups — find ways to bypass these defenses."

Apple acknowledged and patched the many vulnerabilities in the exploit chain at various points between October 2022 and September 2023.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data

The Eastern European group is actively expanding its financial fraud activities, with its pipelines representing a veritable Silk Road for the transfer of cryptocurrency, and lucrative and exploitable data.

Source: Science History Images via Alamy Stock Photo

The Marko Polo cybercrime gang represents a growing, global financial threat, steering at least 30 ongoing fraud campaigns at the same time and wielding an arsenal of sophisticated malware that has compromised tens of thousands of devices so far.

That's according to Recorded Future's Insikt research arm, which noted the group's scams are going after individuals and organizations alike by impersonating popular brands such as Zoom, Discord, and OpenSea, mostly in the online gaming, virtual meeting software, and cryptocurrency platform markets. The efforts are targeted, despite the scale of the operations, and tend to be perpetrated via various social media platforms.

The payload arsenal meanwhile is varied and comprised of about 50 largely off-the-shelf malware samples. The binaries include HijackLoader, Stealc, Rhadamanthys, and AMOS, all geared toward stealing crypto, or data to sell or use for identify theft and other fraud efforts.

In all, Marko Polo's sprawling empire of cybercrime has stolen millions from victims, according to Insikt.

"Marko Polo's reach is both impressive and alarming," according to research this week from the analysts. "Through social engineering tactics, the group has primarily targeted cryptocurrency influencers and online gaming personalities — individuals generally regarded as more cybersecurity-savvy than the average Internet user. Despite their heightened awareness, these individuals have fallen victim to well-crafted spear-phishing attacks, often involving fake job opportunities or partnerships."

**About the Author**

Source

DARKReading