US State Department warns that Kremlin-backed media outlets in democracies around the world are hiding Russian cyber spies and actively working to sow discord.

Source: Postmodern Studio via Alamy Stock Photo

Long understood as a Kremlin-backed propaganda machine, RT News, based in the US, has been far more nefarious than officials once believed.

Just last week, the Biden administration charged two Russian nationals with pumping $10 million into RT International, a media company the US said was used by the Russian government to meddle in the upcoming US elections.

But these robust Russian interference and disinformation operations aren't unique to the US. In fact they're in full swing around the world, according to a new warning from US Secretary of State Antony Blinken.

Blinken explained in Sept. 13 statements that the US has recently discovered RT included an embedded Russian cyber unit, operating since the spring of 2023 with the full knowledge of RT leadership, adding the news outlet was "functioning like a de facto arm of Russia's intelligence apparatus."

The RT leadership team is also accused by the US of running a large crowdfunding campaign to procure equipment like weapons and generators for Russian soldiers fighting against Ukraine.

Details about RT's espionage participation and equipment fundraising were provided by RT employees, Blinken added.

**RT Tactics Replicated Around the World**

Blinken warned a similar Kremlin strategy is being used to spread disinformation and undermine democracies around the world, most acutely in Africa, Germany, and Moldova.

RT and similar influence outlets, like German outlet Red (formerly Redfish), feed intelligence gathered not just to the Russian government but media outlets and mercenary groups as well, Blinken said. Across Africa, a social media-based news organization called African Stream is being used by the Kremlin to spread disinformation in a similar fashion, he added.

"We urge every ally, every partner, to start by treating RT's activities as they do other intelligence activities by Russia within their borders," Blinken said. "Our most powerful antidote to Russia's lies is the truth."

RT News Hosted Russian Cyber Spy Unit, US Says

Hydden's platform detects and classifies an organization's identities, accounts, and privileges, regardless of where they reside in the IT environment.

Source: poptika via Shutterstock

As organizations diversify their IT environments to include cloud applications and software-as-a-service, protecting identity is paramount. In fact, identity is the new perimeter — but for many organizations, securing identity is complicated by the fact that they don't know what they have.

Hydden, a new identity management startup coming out of stealth with a $4.4 million seed funding round led by Access Venture Partners, bridges the identity gap by giving security teams visibility across the organization's entire identity environment. Hydden's platform connects to existing identity and access management (IAM) tools, cloud applications, and on-premises applications to give organizations complete visibility into their identities, accounts, and privileges. The time capsule feature can be used in proactive threat management as it identifies patterns and aids in post-event analysis.

"We acknowledge the reality that CISOs are under unbelievable amounts of pressure. There's not enough resources and not enough hours," says Jai Dargan, CEO and co-founder of Hydden. "We are going to take care of this one task."

Modern identity involves more than just keeping track of passwords and implementing multifactor authentication (MFA). Security teams have to manage accounts for both cloud-based applications and internal applications. Non-human identities, such as service accounts used by automated processes, API keys, and application tokens must also be managed.

Gaps in identity management also pose additional risks, such as overprovisioned or overprivileged accounts, misconfigured MFA schemes, and unused accounts. Credentials that were stored in places security teams didn't even know about are being exposed.

Hydden addresses these gaps by creating a single data layer across IAM, identity governance and administration, privileged access management (PAM), and identity threat detection and response products, the company said.

Several of the better-known established PAM and IAM tools on the market are focused on on-premises applications, which make them less effective for organizations that are cloud-first or have hybrid environments. The technology may be proven, notes Dargan, but they are not designed for cloud environments.

Hydden's goal is to be the continuous source of truth, Dargan says. The platform is constantly looking at the IT environment to detect and classify identities and issues warnings when identity-related risks are identified. Identity needs to evolve into real time, Dargan says, noting how the industry has evolved authentication into continuous authentication and network monitoring into continuous monitoring.

"We have network discovery and asset discovery," he says. "Now we need continuous identity asset discovery."

**About the Author**

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Startup Finds 'Hydden' Identities in IT Environment

Despite more US sanctions against spyware operators, Apple decided the cost in terms of disclosures about its own anti-spyware efforts was too great.

Source: stLegat via Alamy Stock Photo

Stopping the spread of commercial spyware is shaping up to be too big of a job even for tech titans like Apple.

The company dropped its years-long legal effort against Pegasus spyware dealer NSO Group, declining to hand over sensitive threat intelligence that it said could be used by adversaries against its own security defenses.

Pegasus spyware is a zero-click espionage malware deployed against iPhones, including that of Russian journalist Galina Timchenko, among others.

Meanwhile, international governments continue to hammer individuals and entities affiliated with commercial spyware operations with sweeping sanctions that have have little effect, leaving the digital espionage market wide open for investors, operators, and dictators around the globe.

Cupertino's brass is also encouraged by the work the US, international governments, and the tech sector at large have done to fight the rise of commercial spyware, Apple explained in its Sept. 13 motion to dismiss.

"When it filed this lawsuit nearly three years ago, Apple recognized that it would involve sharing information with third parties," Apple said. "Because of the developments since this suit was filed, proceeding forward at this time would now present too significant a risk to Apple's threat intelligence program."

Apple laid out other factors in the changed the landscape that made it increasingly dangerous for the company to release sensitive information.

First, Apple claimed that in the years since it first brought legal action against NSO Group it has continued to develop its threat intelligence to actively defend its users from threat actors. Handing over details about how Apple fights spyware to known spyware operators would be a bad idea. Apple added that NSO Group had been stingy with disclosures it made during the case's discovery process.

Further, Apple noted the commercial spyware sector has become more decentralized and that NSO Group is no longer a single actor in the cyber-espionage space; any action against the Israeli company would simply strengthen other spyware sellers as authoritarian governments pivot from Pegasus to numerous competing spyware brands.

Finally, Apple explained to the court that international governments have come around in the past three years and taken up the fight against spyware and the threat it poses to human rights around the world.

**Spyware Sanctions Aren't Working**

As if on cue, the US Department of the Treasury dropped a new round of sanctions just days later, on Sept. 16, this time against what the department calls "enablers" of the Intellexa commercial spyware consortium, identified to be behind Predator spyware. Sanctioned individuals include Felix Bitzios, Andrea Nicola Constantino Hermes Gambazzi, Merom Harpaz, Panagiota Karaoli, Artemis Artemiou, and the Aliada Group Inc.

These sanctions prohibit any US transactions with those named as well as any entities in which they own 50% or more, bar them from obtaining a US visa, and more.

But research shows sanctions have had little impact on stymieing the broader commercial spyware market. Digital eavesdropping continues to be deployed against diplomats, journalists, and ordinary citizens and vendors while intelligence gatherers have improved their ability to operate in the shadows, easily gaming sanctions and restrictions.

This past March, two individuals and five entities the US government said were associated with Predator mobile spyware operators were sanctioned as a result of Predator's network and infrastructure's spread into Botswana and the Philippines.

Nonetheless, it seems the cost of stopping spyware in the courtroom is too high even for the deepest-pocketed actors like Apple. Instead Apple said it will dig in on defense and leave offense to the feds.

"Apple has made the decision to prioritize its expert security resources and advanced threat-intelligence program to continue to stop destructive spyware through technical methods," the company said.

Apple Abandons Spyware Suit to Avoid Sharing Cyber Secrets

It is imperative to develop robust policies for new tech and future-proofing by favoring investments in security.

Sébastien Cano, Senior Vice President, Cloud Protection & Licensing Activities, Thales

September 17, 2024

5 Min Read

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

From economic turbulence to a relentless surge in cyber threats, today's cybersecurity landscape requires enterprises to remain resilient by adapting to security risks. Many organizations have chosen to adapt to these risks by embracing modern technology such as generative artificial intelligence (GenAI), which can present new risks if not implemented properly.

The speed at which companies innovate and adopt new technology is far outpacing the security measures that must be addressed first. This issue is compounded by the fact that innovation is moving faster than ever before, emphasizing go-to-market over producing secure technology.

Recent insights gleaned from the "2024 Thales Data Threat Report" ("DTR") shed light on the intricate challenges facing organizations today. Almost all (93%) respondents report an uptick in attacks such as malware, ransomware, and phishing among the many pressing concerns presented by emerging technologies. There is a critical need for a proactive and comprehensive approach to cybersecurity. Amid the backdrop of technological advancement, three prominent focal points for effective cybersecurity arise in the modern era.

**Keep Compliance Top of Mind in the Race to AI**

The rise of AI yields a new era of innovation, with 22% of enterprises planning to integrate AI into their products and services within the next 12 months. An additional 33% are gearing up to experiment with this transformative technology. However, with this innovation comes unknown vulnerabilities to a company's security posture.

Because large language models (LLMs) are trained by data, the input information potentially could be stored and resurfaced if prompted by a certain query. Should employees enter confidential information into an AI platform, it runs the risk of this form of extraction. Additionally, prompt injection is a proven threat to AI, where hackers trick chatbots by inputting deceptive triggers to override their instructions. This exploits the predictive nature of LLMs, which drive AI responses.

Ultimately, facing the pressure to innovate quickly, companies rushing to implement AI could strain operational systems, making them more susceptible to cyberattacks or abuse. This is a probable scenario for many, despite numerous industry examples showing the dangers of prioritizing adoption speed over security. 

It is essential for organizations to create robust policies or adhere to published guidance from organizations like the Cybersecurity and Infrastructure Security Agency (CISA) to ensure the LLMs being leveraged or developed internally don't have access to sensitive data. Otherwise, pausing to focus on compliance as regulations come down the pipeline is a strong course of action, as the DTR found that companies with better compliance are 10 times less likely to experience a breach.

**PQC Prototyping as a Cybersecurity Cornerstone**

Since the National Institute of Standards and Technology (NIST) approved four cipher suites in July 2022, post-quantum cryptography (PQC) has become increasingly relevant in tackling a looming threat that is gradually becoming more immediate. Despite the absence of any verified or recurring quantum computing attacks on conventionally encrypted data, there is still cause for proactive measures. Though quantum computing is not yet a threat to cryptographic standards, the data encrypted using traditional methods today potentially could be gathered now with the intention of decrypting it in the future in "harvest now, decrypt later" attacks.

For these threats, PQC presents itself as the primary defense against the looming threat of quantum computing. Almost half (48%) of respondents have not recognized PQC as the cornerstone of future cryptographic strategies. Consequently, many companies aren't investing in PQC because it seems years away from tangible adoption, but the reality is, data is presently being harvested.

Businesses can future-proof their technology by making the proper investments. Soon, customers will be looking for products built only with PQC to thwart sophisticated cyberattacks or elevate their cybersecurity efforts otherwise. While we still may be a few years out from quantum, the organizations that will be ready when that innovation comes are preparing now.

**Adding Security to Secrets Management**

Given the adoption of new technologies, the need for security to be integrated seamlessly into digital products and/or services has never been higher. Specifically, when assessing cloud and DevOps environments, secrets management was the greatest security concern for 56% of DTR respondents, followed by workforce identity and access management (IAM) and authorization.

For developers, these three challenges are closely related, as they all require tasks for both privileged users and the workload lifecycle that they manage. However, the common difficulty with secrets is that they are designed as "bearer tokens," granting access to whoever possesses said token, password, API (application programming interfaces) key, encryption key, or any other credential. When secrets are "lost" — for instance, included in code as plain, readable text — hackers won't need to impersonate internal users to gain access. Thus, the consequences are severe. 

Adopting a data-centric security architecture is key to improving security across these environments. Organizations can mature their DevSecOps practices by leveraging new frameworks such as the NIST "Guide to Operational Technology (OT) Security" standards to improve the quality and resilience of overall engineering performance. Security champions are also crucial to the development team and should provide clear, practical security guidance to better manage privileges and store secrets.

**Meeting Old and New Threats With Upgraded Security Tricks**

The pace of technological development is astounding, with innovation emerging rapidly through recent years. While enthusiasm to adopt the latest technology is understandable, this excitement can't overshadow critical security considerations. Despite the variety of new threats that invariably accompany modern technology, many of the mistakes being encountered are recurring issues.

It is imperative to develop robust policies for new tech and future-proofing by favoring investments in security. Trusting device security out of the box is no longer viable; evaluation and strong security practices should precede adoption. The industry can and should continue to embrace innovation, but with the understanding to remain vigilant against evolving vulnerabilities by demonstrating security as priority.

**About the Author**

Senior Vice President, Cloud Protection & Licensing Activities, Thales

As the senior vice president of cloud protection and licensing activities at Thales, Sébastien Cano leads a global business focused on helping organisations and the most respected brands in the world protect their most sensitive data, secure the cloud, and create more value for their software in the devices and services used by billions of consumers every day. He is responsible for the business and strategy for the company’s industry-leading data encryption, identity and access management, and software monetizations solutions. Over the past 20 years Sébastien has proved himself as a global leader of high growth businesses in the highly competitive cybersecurity, telecommunications, and financial services industries. Previously, he served as executive vice president of Gemalto’s enterprise and cybersecurity business unit. Before that he was president of Gemalto North America, responsible for all business operations across the region, and previously, he managed the company’s telecommunications business unit in North America.

The Current Cybersecurity Landscape: New Threats, Same Security Mistakes

Hacktivists love to target financial services companies, and their attacks are growing both larger and longer.

Source: Daniren via Alamy Stock Photo

Financial services organizations have faced nearly twice as many distributed denial of service (DDoS) attacks this year as any other industry, thanks in part to a rise in hacktivism.

According to a new report from Akamai, between Jan. 1 and June 30, there were nearly 3,000 Layer 3 and 4 DDoS attack events in the financial services sector (Layer 3 and 4 attacks occur at the network and transport layers of Internet communication). The next most-targeted industries — gaming, then high tech, then manufacturing — suffered around 1,000 to 1,500 events each.

A number of factors contribute to the sheer scale of the threat, experts say, including a general rise in DDoS across the board, a surge in hacktivist activity in association with high-profile geopolitical conflicts, emerging threats to application programming interfaces (APIs), and more.

And at the end of the day, it's just easy. "They don't have to find a vulnerability. They don't have to find that gap in your armor. They can just literally sit there and hit a button," says Richard Hummel, director of threat intelligence for Netscout.

**Hacktivism Drives DDoS**

On July 15, beginning at 10:05 a.m. local time, the full weight of a globally distributed botnet was turned against a major financial services company in Israel.

The vectors of attack were numerous: UDP flooding, UDP fragmentation, DNS reflection, PUSH and ACK floods, and more. At its peak, the flood of data registered at 789GB per second — equivalent to millions of documents, or hundreds of thousands of photos, streaming in with each passing moment.

The peak of the event lasted until around 1 p.m. local time, but activity persisted for around 24 hours. "This attack was very exceptional in terms of total duration," Akamai researchers wrote, after helping abate the attack. "This requires significant resources and is an indication of a very sophisticated aggressor."

Remarkably, despite that aggressor dedicating so much power to one attack, a number of other Israeli financial institutions experienced outages that same day, in what researchers assessed was likely a politically motivated campaign.

It wasn't the only politically motivated DDoS campaign that happened around this time, nor was it the worst. Those Israeli companies might have considered themselves lucky compared to a UAE bank, whose website was attacked by the pro-Palestinian group BlackMeta (aka DarkMeta). In a six-day romp, the group sent 10 waves of Web requests lasting between four and 20 hours each, averaging 4.5 million per second and peaking at 14.7 million.

DDoS has surged in correlation with the wars in Gaza and Ukraine, Akamai says, particularly against European banks with connections to Ukraine. Even if a financial institution doesn't consider itself political in any way, they nonetheless serve as a useful punching bag for hackers to achieve their dogmatic goals.

**Why Hacktivists Target Finserv**

Being so central to, and interconnected with, wider society, attacks against finance tend to cause more harm and panic than those against other industries.

Plus, more so than in the US, "in European countries or Asian countries, oftentimes government and finance go hand-in-hand, so you will often see that adversaries will walk the stack of what they perceive as government-affiliated," Hummel explains.

As an example, he points to Moldova, a country with manifold conflicts with Russia. "Moldova has been hammered over and over for the past six, seven months now by NoName057 and various other groups. They started with government targets, but then they started looking at finance, at commercial banking, education, public transportation. It's a natural extension."

And as if DDoS weren't already easy enough, in Europe, it's become easier in recent years thanks to Payment Services Directive 2 (PSD2), which came into effect in January 2016. Among other things, the European Union (EU) directive required that financial services providers offer open APIs to third-party services.

PSD2 was designed to better integrate the EU payments market but, Akamai points out, it also widened the surface through which attackers could attack affected companies. APIs offer yet another opening for more sophisticated, application-layer DDoS attacks, particularly when they're poorly accounted for.

"What we're finding is that many financial institutions don't know the expanse of their API ecosystem," says Cheryl Chiodi, industry strategy manager for financial services at Akamai. "There could be developers that were working on a project and left what we call a 'rogue' API, or 'shadow' APIs that are connected to the network but aren't really doing anything. And the cybercriminal can find those entry points and use them to do their infiltration of the network."

In its report, Akamai noted "sharp increases" in DDoS attacks targeting APIs. For this reason, Chiodi urges financial services companies to perform API discovery. "That then opens up the aperture, the visibility, so that you know what the API ecosystem \[in your organization\] is in the first place," she says.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Ukraine, Gaza Wars Inspire DDoS Surge Against Finservs

Attackers could have exploited a dependency confusion vulnerability affecting various Google Cloud services to execute a sprawling supply chain attack via just one malicious Python code package.

Source: Aleksia via Alamy Stock Photo

Google has patched a flaw in its Google Cloud Platform (GCP) that attackers could have exploited to execute a supply chain attack on millions of customer cloud servers, simply by deploying a single malicious code package.

Researchers from Tenable discovered the remote code execution (RCE) vulnerability, dubbed "CloudImposer," that attackers could have used to hijack an internal software dependency affecting GCP services, they revealed in analysis published Sept. 16.

Specifically, the flaw was found in GCP's Cloud Composer service for orchestrating software pipelines, but it also affected the Google services App Engine and Cloud Function. The flaw created a scenario called a dependency confusion, a technique discovered several years ago but widely misunderstood even by cloud platform providers, according to Tenable.

A dependency confusion attack, first discovered by security researcher Alex Birsan in 2021, starts when an attacker creates a malicious software package, gives it the same name as a legitimate internal package, and publishes it to a public repository.

"When a developer's system or build process mistakenly pulls the malicious package instead of the intended internal one, the attacker gains access to the system," Tenable senior security researcher Liv Matan explained in the analysis. "This attack exploits the trust developers place in package management systems and can lead to unauthorized code execution or data breaches."

He added: "There’s a surprising and concerning lack of awareness about it and about how to prevent \[dependency confusion\], even among leading tech vendors like Google. And unfortunately, this type of dependency can be exploited to execute supply chain attacks in the cloud that "are exponentially more harmful than on-premises."

"For example, one malicious package in a cloud service can be deployed to — and harm — millions of users," Matan observed. In essence, then, one single faulty command in GCP could potentially have created a ripple affect across myriad cloud deployments, giving attackers access to customers' enterprise cloud environments.

Tenable's findings were first presented in a session by Matan at Black Hat USA in August called "The GCP Jenga Tower: Hacking Millions of Google's Servers With a Single Package (and More)," — one a Dark Reading expert advised not to miss at the conference. However, he published his full analysis on Tenable's blog only this week.

**Risky Documentation Leads to Flaw**

The first sign of the flaw was Google documentation regarding GCP and the Python Software Foundation that introduced the possibility of dependency confusion in cloud deployments, according to Tenable. The researchers dug further and found that Google itself applied the same risky implementation advice to GCP, introducing the flaw.

Specifically, Google advised users who want to use private Python packages in the GCP services App Engine, Cloud Function and Cloud Composer services to use what's called the "--extra-index-url" argument.

"This argument looks for the public registry (PyPI) in addition to the specified private registry from which the application or user intends to install the private dependency," Matan explained. "This behavior opens the door for attackers to carry out a dependency confusion attack."

The researchers inferred that there are "numerous GCP customers" who followed Google's risky guidance, as well as ultimately discovered that Google itself took its own advice when installing private packages in their own internal services.

Specifically, Tenable researchers found that Google used the risky --extra-index-url argument to install a private code package missing from the public registry in a way "that allows attackers to upload a malicious package to the public registry, and take over the pipeline," Matan wrote.

**Google Fix & Other Mitigations**

The researchers responsibly disclosed both the documentation and the CloudImposer RCE vulnerability to Google, which promptly responded and took action, according to Tenable. Specifically, Google fixed the vulnerable script in Google Cloud Composer that was utilizing the --extra-index-url argument when installing a private package from a private registry.

The company also inspected the checksum of vulnerable package instances and notified Tenable that, as far as Google knows, there is no evidence that the CloudImposer was ever exploited, Matan noted.

Google also acknowledged that while the exploit code that Tenable developed ran in Google's internal servers, it's likely that it would not have run in customers' environments because it wouldn't pass the integration tests.

Further, the company fixed the risky documentation, now recommending that GCP customers use the --index-url argument instead of the --extra-index-url argument, and the tech giant has adopted Tenable's suggestion to recommend that GCP customers use the GCP Artifact Registry's virtual repository to safely control the Python package manager search order, Matan noted.

GCP customers should analyze their environments for their package installation process to prevent breaches, specifically searching for the use of the --extra-index-url argument in Python to ensure they are not vulnerable to a dependency confusion attack.

Matan concluded: "A combination of responsible security practices by both cloud providers and cloud customers can mitigate many risks associated with cloud supply chain attacks."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'CloudImposer' Flaw in Google Cloud Affected Millions of Servers

Attackers have been using the Windows MSHTML Platform spoofing vulnerability in conjunction with another zero-day flaw.

Source: Anucha Cheechang via Shutterstock

Microsoft has recategorized a bug that the company fixed in this month's Patch Tuesday update as a zero-day vulnerability, which the "Void Banshee" advanced persistent threat group has been exploiting since before July.

The bug, identified as CVE-2024-43461, is a remotely exploitable platform-spoofing vulnerability in the legacy MSHTML (Trident) browser engine that Microsoft continues to include in Windows for backward compatibility purposes, and it's one of two very similar issues that Void Banshee is using in its attacks.

**Affects All Supported Windows Versions**

The vulnerability affects all supported versions of Windows and gives remote attackers a way to execute arbitrary code on affected systems. An attacker, however, would need to convince a potential victim to visit a malicious Web page or to click on an unsafe link for any exploit to work.

Microsoft assigned the flaw a severity rating of 8.8 on the 10-point CVSS scale when it initially disclosed the bug on Sept. 10. At that time, the company's advisory made no mention of the vulnerability being a zero-day bug. Microsoft revised that assessment on Sept. 13 to indicate attackers had, in fact, actively been exploiting the flaw "as part of an attack chain \[related\] to CVE-2024-38112," a MSHTML platform spoofing vulnerability that the company patched in July 2024.

"We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain," Microsoft said in its updated advisory.

The company wants customers to apply its patches from both the July 2024 update and the September 2024 update to fully protect themselves against exploits targeting CVE-2024-43461. Following Microsoft's Sept. 13 update, the US Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 16 added the flaw to its known exploited vulnerabilities database with a deadline of Oct. 7 for federal agencies to implement the vendor's mitigations for it.

CVE-2024-43461 is similar to CVE-2024-38112 in that it allows an attacker to cause a user-interface — in this case, the browser — to display erroneous data. Check Point Research, which Microsoft has credited with discovering CVE-2024-38112, has described the flaw as allowing an adversary to send a crafted URL or Internet shortcut file that when clicked would trigger Internet Explorer — even when disabled — to open a malicious URL. Check Point said it had observed threat actors also use a separate novel trick for dressing up malicious HTML application (HTA) files as innocuous-looking PDF documents when exploiting the flaw.

Trend Micro's Zero Day Initiative (ZDI), which has also claimed credit for discovering CVE-2024-38112 — and has a beef with Microsoft for not acknowledging them — later reported Void Banshee as exploiting the vulnerability to drop the Atlantida malware on Windows systems. In the attacks that Trend Micro observed, the threat actor lured victims using malicious files spoofed as book PDFs that they distributed via Discord servers, file-sharing websites and other vectors. Void Banshee is a financially motivated threat actor that researchers have observed targeting organizations in North America, Southeast Asia, and Europe.

**A Two-Bug Microsoft Attack Chain**

According to Microsoft's updated advisory, it turns out that attackers have been using CVE-2024-43461 as part of an attack chain also involving CVE-2024-38112. Researchers at Qualys previously noted that exploits against CVE-2024-38112 would work equally well for CVE-2024-43416, because both are near-identical flaws.

Peter Girnus, senior threat researcher at ZDI who Microsoft has credited for CVE-2024-43461, says the attackers used CVE-2024-38112 to navigate to an HTML landing page through Internet Explorer using the MHTML protocol handler inside of a .URL file. "This landing page contains an <iframe> which downloads an HTA file where the HTA extension is spoofed using CVE-2024-43461" to make the file appear to be a PDF to the victim, he says.

Girnus says ZDI was aware that the attackers were exploiting CVE-2024-43461 but assumed the patch for CVE-2024-38112 fixed the issue. "We however reversed this patch to realize that the spoofing vulnerability was not fixed. We promptly alerted Microsoft," he says.

In its July report on Void Banshee exploiting CVE-2024-38112, Trend Micro said the flaw is a prime example of how organizations can get tripped up by "unsupported Windows relics" such as MSHTML, and end up having attackers drop ransomware, backdoors, and other malware on their systems. The attack surface is significant, too: A study that Sevco conducted of 500,000 Windows 10 and Windows 11 systems in the immediate aftermath of Microsoft's disclosure of CVE-2024-38112 showed that more than 10% are missing any kind of endpoint protection control and nearly 9% are missing controls for patch management, leaving them completely blind to threats.

“Environmental vulnerabilities such as missing endpoint security or patch management controls on devices combined with CVE vulnerabilities compound the risk that companies will leave paths to data exposed and allow malicious actors to exploit vulnerabilities like \[CVE-2024-43461\]," says Greg Fitzgerald, co-founder of Sevco. "It's critical for enterprises to take the first step of patching this vulnerability, but it can't stop there."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Void Banshee' Exploits Second Microsoft Zero-Day

The sanctions are unlikely to affect the growing network of criminals who lure victims into working for cybercrime sweat shops around the world.

Source: Feng Yu via Alamy Stock Photo

Cambodian business tycoon and senator Ly Yong Phat, along with the business conglomerate he runs and O‑Smach Resort, have been sanctioned for using forced labor to run a center perpetuating cryptocurrency scams.

According to a report from the US Treasury Department's Office of Foreign Assets Control (OFAC), workers from countries including China, India, Thailand, and Vietnam have been lured to the O-Smach resort under the pretense of legitimate work.

Upon arrival, their passports are confiscated, and victims are forced to work up to 15-hour days perpetuating online scams.

"People who called for help reported being beaten, abused with electric shocks, made to pay a hefty ransom, or threatened with being sold to other online scam gangs," the report noted. "There have been two reports of victims jumping to their death from buildings within O‑Smach Resort." 

As a result of the sanctions, which designate the L.Y.P. Group conglomerate, O-Smach, and three other hotels as being "directly or indirectly engaged in, serious human rights abuse," Ly's properties and interests are blocked and any transactions must be reported to OFAC.

US citizens, financial institutions, and businesses that deal with L.Y.P. could themselves face sanctions.

**Cyber Scam Forced-Labor Rings Difficult to Root Out**

Stephen Kowski, field chief technology officer at SlashNext Email Security+, says sanctions send a "strong message" that the international community is acting against human trafficking and forced labor in cybersecurity scams.

"However, their effectiveness will ultimately depend on rigorous enforcement and cooperation from other countries and financial institutions, particularly given the endemic corruption that has hindered previous investigations," he says.

He added that the phenomenon is challenging to combat due to its transnational nature, the use of sophisticated technology, and the involvement of corrupt officials.

"Cyber-scam operations often exploit jurisdictional gaps and rapidly evolve their tactics to evade detection, while victims are isolated and coerced, making it difficult for authorities to identify and rescue them," Kowski explains.

Robert Duncan, security strategist at Netcraft, says that while the US sanctions will affect Ly's business dealings in the US, it is unlikely to turn the tide by itself on the problem of scams emanating from that corner of the world.

From his perspective, cross-border cooperation is truly essential — the victim is often in the developed world, and the scammer is not.

"However, others throughout the world are often involved in these scams, including those enabling money laundering through cryptocurrencies or mule bank accounts in the same jurisdiction as the victim — not just in Southeast Asia," Duncan adds.

**Southeast Asia Teeming With Cyber Trafficking**

Southeast Asia is a global hotspot for forced-labor camps running cyber scams akin to the ones run by L.Y.P.

It's an issue that has also caught the attention of the United Nations, which estimates that 100,000 people in Cambodia alone are being forced to work for cybercrime syndicates.

International law enforcement agencies including Interpol have been working on multiple cases involving human trafficking run by cyber-fraud operators, with a recent five-month investigation leading to the arrest of 281 perpetrators.

The scale of the problem prompted the FBI to issue a warning in May 2023 to US citizens traveling or living in Southeast Asia to be aware of scam advertisements posing as legitimate work offers.

In February, Myanmar authorities handed over 10 suspects to China who were accused of running cyber-fraud and money-laundering operations in Myanmar.

John Bambenek, president at Bambenek Consulting, notes that while sanctions might seem toothless overall, for someone with the level of assets that Ly has, they can be very problematic.

"There are only a few places that handle that kind of wealth, and if any mistakes are made, the assets can be frozen or seized by regulators," he explains. "That said, it's a consolation prize from the sanction that really needs to be levied — a jail cell."

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Cambodian Tycoon Sanctioned for Forced Cyber Labor, Trafficking

Three days after Ivanti published an advisory about the high-severity vulnerability CVE-2024-8190, threat actors began to abuse the flaw.

Source: NicoElNino via Alamy Stock Photo

Just days after Ivanti released an advisory regarding a high-severity vulnerability in its Cloud Service Appliance (CSA), the company is alerting customers that the flaw is now being exploited in the wild. 

Ivanti initially disclosed the vulnerability, tracked as CVE-2024-8190, on Sept. 10, warning customers that it could allow unauthorized access to their devices. With a CVSS score of 7.2 out of 10, the attacker must have administrator-level privileges in order to exploit the vulnerability.

To remediate the bug, Ivanti recommended that users upgrade from Ivanti CSA 4.6 to CSA 5.0. In addition, CSA 4.6 Patch 518 customers can update to Patch 519, however, upgrading to CSA 5.0 remains the best option, the company noted.

On Sept. 13, Ivanti updated its advisory, making its customers aware that it knew of the active exploitation of the vulnerability.

"At the time of the September 13 update, exploitation of a limited number of customers has been confirmed following public disclosure," said the advisory.

Users should update to the latest version of the appliance as soon as possible.

If users find that they have been compromised before they can apply the recommended patch, according to the company, they can log a case or request a call through the Ivanti Success Portal.

**About the Author**

Ivanti Cloud Bug Goes Under Exploit After Alarms Are Raised

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Are the robots really taking over? Come up with a clever cybersecurity-related caption for the cartoon above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Oct. 16, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

A round of congratulations goes to Vanilla Cyber's Renen Wasserman, whose caption for August's "Security Games" contest nailed first place:

Thanks to all who participated. Some noteworthy contenders included "This new threat detection method is 10% better than our old one," "Blindfolded and Breached: The Modern Cybersecurity Nightmare," and "This 5th level of multi-authentication may be taking things too far."

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Source

DARKReading