The threat of ransomware hasn't gone away. But law enforcement has struck a blow by adjusting its tactics and taking out some of the biggest adversaries in the ransomware scene.

Source: Andreas Prott via Alamy Stock Photo

COMMENTARY

The year to date has been particularly eventful across the ransomware landscape, with prolific ransomware groups, including LockBit, seeing their operations seized and dismantled. The strategies used to take down these groups were meticulously planned and executed, successfully undermining the most accomplished cybercriminal experts.

The fight against ransomware has for years felt like an uphill battle. Each takedown faces the inevitable criticism that these actions are temporary, resulting in groups reforming and coming back.

However, the past year has seen some of history's biggest takedowns, with international collaborative efforts from law enforcement employing new tactics. Are we seeing the balance of power beginning to shift?

**The Development of Law Enforcement's Strategy**

Law enforcement agencies have had to change their approach to remain successful in an environment where cybercriminal gangs adapt and develop constantly. Although previous takedowns have shown initial success in disrupting gangs on a technical level, law enforcement agencies have recognized the need to go further and think outside of the box.

Adding a twist, ransomware takedown teams are focusing on publicly damaging groups' credibility, acknowledging the fact that reputation and trust are (somewhat counterintuitively) valued commodities on the Dark Web.

Law enforcement's new approach was rolled out with Operation Cronos, the disruption campaign against one of the most prolific ransomware gangs, LockBit.

With a force of 10 countries' law enforcement agencies, the highlights of the takedown included 34 servers being seized, 200 cryptocurrency accounts being frozen, and two arrests taking place, and it didn't stop there.

The National Crime Agency (NCA) deployed psyops methods, using LockBits' own site, which it had hijacked, to publish images of LockBit's administration system and leak internal conversations, while publishing the usernames and login details of 194 LockBit "affiliate" members. Then, the unmasking of "LockBitSupp" — the gang's leader — was teased with a countdown timer on the LockBit website, eventually naming him as Dmitry Khoroshev. Law enforcement also implied that he had collaborated with them by leaking the affiliate's details, creating more doubt among Dark Web associates. 

When logging in to their systems, LockBit members were greeted with personalized messages stating that the authorities had details regarding their IP addresses, cryptocurrency wallet details, internal chats, and their personal identity.

Law enforcement's strategy undermined LockBit's reputation and emphasized its fragility. Hijacking the website exposed infrastructure weaknesses, unmasking LockBit's leader proved he had weak operations security, and leaking the affiliates demonstrated the risks of associating with LockBit. These methods dethroned LockBit's reputation further. Although the group is still active, recent data shows that the average number of monthly LockBit attacks in the UK has reduced by 73% since February.

**The Snowball Effect in the Dark Web Community**

The LockBit takedown has caused a ripple effect and garnered a lot of attention across the ransomware landscape, eliciting the message that if LockBit can be taken down, anyone could be next. Targeting the biggest ransomware group was law enforcement's message that no group is beyond its reach.

Two weeks later, BlackCat, the second biggest ransomware group, claimed to have been disrupted by law enforcement, even uploading a fake seizure banner. However, law enforcement quickly denied its involvement. In fact, the group appears to have closed itself down after stealing a large sum of money from its affiliate, following a ransomware attack on Change Healthcare. The timing of BlackCat's retirement suggests a potential reaction to the LockBit takedown, showing a newfound sense of fear on the Dark Web.

**What Comes Next?**

Disrupting some of the world's most dangerous and prolific ransomware groups such as LockBit and BlackCat, which have dominated the ransomware landscape in recent years, is a huge achievement. 

Of course, these successes have not immediately led to the collapse of the ransomware underground. In fact, our statistics show that there were 73 ransomware groups in operation in the first half 2024 compared with the same period for 2023, representing a 56% increase in the number of ransomware groups. 

However, although there are more groups, we have seen a 16% decrease in victims listed between the second half of 2023 and the first half of 2024, which suggests that taking on the big groups with new tactics has had a measurable impact. It appears that what we are actually observing is a diversification — rather than growth — in the ransomware landscape.

A recent Europol report also highlighted a fragmentation of the ransomware landscape. While the threat is no longer coming primarily from a group of three to four dominant ransomware-as-a-service (RaaS) groups, the affiliates who led a mass exodus have started their own operations, developing their own ransomware tooling and lessening their reliance on the big players. 

This creates its own challenges for security professionals. A more diverse ransomware ecosystem means a more diverse landscape for cybersecurity teams to navigate. As things move quickly in the ransomware world, collecting up-to-date intelligence on ransomware groups is more important than ever before.

The threat of ransomware hasn't gone away. However, law enforcement has certainly struck a blow by adjusting its tactics and has potentially created some breathing room for security professionals by taking out some of the biggest adversaries in the ransomware scene.

**About the Author**

CTO & Co-founder, Searchlight Cyber

Dr. Gareth Owenson is the CTO and co-founder of the Dark Web intelligence company Searchlight Cyber. Gareth completed his Ph.D. in computer science in 2007 and is a world leader in Tor Dark Web research. He advises governments, military, and law enforcement on Dark Web technologies and guides the development of a suite of technologies that have put Searchlight Cyber in the forefront of Dark Web investigative and intelligence efforts. Gareth co-founded Searchlight Cyber in 2017 to help governments, law enforcement, and enterprises in the fight to protect society from threats that emanate from the Dark Web.

How Law Enforcement's Ransomware Strategies Are Evolving

In the "PixHell" attack, sound waves generated by pixels on a screen can transmit information across seemingly impenetrable air gaps.

Source: Miscellaneoustock via Alamy Stock Photo

A newly devised covert channel attack method could undermine diligently devised air gaps at highly sensitive organizations.

In industrial control systems security, the term "air gap" is contested. It typically describes a total physical separation between networks — a literal gap through which no Wi-Fi signals, wires, etc., can pass. The most critical military, government, and industrial sites use air gaps to prevent Internet-based cyber threats from penetrating the kinds of networks that protect state secrets and human lives.

But any medium capable of transmitting information can, in theory, be weaponized to transmit the bad kind. Mordechai Guri of Israel's Ben-Gurion University has long researched ways of crossing air gaps with sound waves: via computer fans, hard disk drives, CD/DVD drives, and more. His latest attack scenario, "Pixhell," enables data theft using sounds produced by specially generated, rapidly shifting bitmap patterns on an LCD screen.

**How Pixhell Works**

It's midnight, and everyone working at the top secret intelligence facility has long gone home for the night, when all of a sudden a computer screen flashes with what appears to be random noise, as if it's missing a signal. It isn't missing a signal — the apparent noise is the signal.  

Pixhell only works if an attacker can infect or control at least one device on each side of an air gap.

Air gaps typically connect critical networks with less critical networks, so the latter half of that job might be achieved by an Internet-based attack, while the former will require more stringent measures. Still, a machine behind an air gap can be infected in any number of ways: via supply chain compromise, a removable drive in the hands of a malicious or unwitting insider, or assorted other options.

Then, with no other obvious means of communicating — not Wi-Fi, Bluetooth, a speaker, or anything else — a computer can be made to transmit information over an air gap via the sounds generated by its screen.

Simplified, LCD screens have capacitors — which store and release electrical charge — and inductors — which help manage the voltage to those capacitors. While they're working, these components generate the faintest of high-pitched frequencies, inaudible to the human ear.

However, "Speakers and microphones generally have a frequency range that is broader than human hearing," explains Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. "The high end of the frequency range is where you can encode the greatest amount of information — the largest number of bits per second — and it's ultrasound. Dogs might freak out in the room, but humans can't hear it."

In experiments, the Pixhell malware manipulated pixels on a screen in such a way as to cause its inductors and capacitors to vibrate at specific frequencies. In so doing, they generated sound waves translating stolen, encoded data to the machine on the other side of an air gap, with varying fidelity at distances of up to two and a half meters. As Ginter puts it, "An attacker can send information from either computer to the other's microphone, and you can be sitting in the room and not realize information is being communicated."

**The Wide World of Covert Channel Attacks**

Besides acoustics, there are any number of other, equally creative means to carry out covert channel attacks in theory.

"It's been reported that with sufficient effort, you can use Ethernet wiring as software-defined radio transmitters and receivers," Ginter notes. Some 20 years ago, 56-kilobit-per-second modems had an LED on the front so users could see if their data was moving. Ginter says you could turn the LED on when there was a one bit being transmitted, or off when it was a zero bit. "And it turned out that the LED was extremely responsive — so responsive that if you had a fast enough camera or detector, you could actually detect every bit that was being sent through the modem by watching the LED," he adds. 

Countless other fun examples can be found in the annals of computer research archives. "Some computers have the ability to do detailed measurements on the voltage that's coming into the battery. And what that means is that if you have two computers plugged into the same circuit, even if they're using different outlets, one computer can consume more power briefly and less power a fraction of a second later, and the other one can detect these very tiny changes in voltage, so they can signal to each other that way. Even though they're electrically connected to different networks, they're both connected to the same power," he explains.

**What the Best Air Gaps Look Like**

For the overwhelming majority of organizations, a physical air gap is sufficient to protect against even high-level adversaries, who aren't likely to pull off Pixhell-style attacks.

Those few most sensitive sites on the planet that have to worry about covert channel attacks — spy agencies, military headquarters, power plants — have already dedicated significant time and resources to building not just air gaps, but air gaps that make these scenarios impractical.

"At some extremely sensitive OT sites, they will have all of the OT equipment in one server room, and they'll have the IT equipment in another server room down the hall. And the only connection between the server rooms is a single fiber-optic connection that is a unidirectional gateway from OT to IT," Ginter explains.

Past that, he adds, the greater the distance between communicating computers, the more difficult it is to exploit covert channels. "If it's an electrical \[channel you're worried about\], you've got electrical noise between rooms. If it's audible, there are closed doors in the way. If it's temperature, you can heat up the room in a region very slightly \[at intervals\], so there's so much thermal noise that it becomes impractical to send any information out." The operative idea is signal-to-noise ratio (SNR): How much noise does one have to generate to make a covert channel attack impractical?

Whether such science-fiction-level defenses are warranted will depend on the organization at risk. "Some of the countermeasures were given for scientific discussion, but they are less practical to deploy in real life," Guri says. As an example, he points out that acoustic jammers would stop Pixhall right in its tracks: "Such a noise jammer may work in countering the attack, but it will make the environment too noisy for people to work."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Air-Gapped Networks Vulnerable to Acoustic Attack via LCD Screens

An attack dubbed "WordDrone" that uses an old flaw to install a backdoor could be related to previously reported cyber incidents against Taiwan's military and satellite industrial supply chain.

Source: Ron Ardity via Alamy Stock Photo

Attackers are weaponizing an "ancient" version of Microsoft Word in a recent wave of attacks on Taiwanese drone makers that's delivering malware aimed at cyber espionage and disrupting the military- and satellite-related industrial supply chains.

Researchers from the Acronis Threat Research Unit have discovered an attack they've dubbed "WordDrone" that uses a dynamic link library (DLL) side-loading technique common in the installation process of Microsoft Word, to install a persistent backdoor called ClientEndPoint on infected systems.

The Acronis team members discovered the unusual attack vector when they investigated a customer escalation from Taiwan "about a strangely behaving process of an ancient version of Microsoft Word," they wrote in a blog post published Sept. 10.

"Three files were brought to the system: a legitimate copy of Winword 2010, a signed wwlib.dll file, and a file with a random name and file extension," they wrote in the post. "Microsoft Word was used to side load the malicious 'wwlib' DLL, which acts as a loader for the actual payload, the one residing inside the encrypted file with a random name."

They eventually found similar two-stage attack scenarios across multiple environments between April and July this year. The first stage of the attacks focuses on Windows desktop machines, while the second stage sees attackers trying to move over to Windows servers, the researchers said.

**Similarities to "TIDrone" Campaign**

It's unclear if the attack vector is related to a similar wave of cyber incidents against Taiwanese drone makers by a threat actor dubbed "TIDrone" reported by researchers at Trend Micro. That actor, linked to other Chinese-speaking threat groups, uses enterprise resource planning (ERP) software or remote desktop tools to deploy proprietary malware.

Similarly, the WordDrone attack also appears to have an ERP component, the researchers said. While they couldn't find "definitive evidence about how attackers were gaining initial access," the first appearance of the malicious files in the attack was inside the folder of a popular Taiwanese ERP software called Digiwin.

"Upon further investigation, we found multiple components of Digiwin … being deployed in the target environments," the researchers wrote. Moreover, some of Digiwin's components contained known vulnerabilities like CVE-2024-40521, a remote code execution (RCE) flaw with a CVSS score of 8.8.

"Based on all the information collected, we believe that there is high probability of exploitation or a supply chain attack being involved with the ERP software in question," the researchers noted.

**Targeting a Side-Loading Flaw**

The attack leverages a side-loading vulnerability in an old version of Winword (v14.0.4762.1000) allowing attackers to use it to load a DLL that has a name matching the original supplied by Microsoft.

"In the very same directory where Winword was located, we could see only two additional files, a ... DLL called wwlib.dll, which is normally part of a standard Microsoft Office installation package — this time having an unusually small size — and another file called 'gimaqkwo.iqq' which already looked suspicious," the researchers explained.

Upon further inspection, the wwlib library turned out to be acting as a loader with the sole purpose of reading the main payload that is stored in the encrypted "gimaqkwo.iqq" file in the same directory, they said. The file name of the payload — the ClientEndPoint backdoor — is stored in an encrypted form in the loader.

The backdoor has functionality typical to this type of malware, including the ability to listen in on user sessions, send and receive commands from the attacker-controlled command and control (C2), and exfiltrate data and send it back to the C2. It also has a proxy configuration mode in which one infected host can receive data and commands from another infected host on the local network while only one of them is in direct communication with the C2.

**Why Target Taiwanese Drone Makers?**

The fact that two separate security research teams have been investigating a spate of cyberattacks against Taiwanese drone makers brings up the question of motive on the part of attackers, which the Acronis team attempted to address.

Drone manufacturing has increased remarkably in Taiwan since 2022, with significant financial backing from the government, the researchers noted. There currently are about a dozen Taiwanese companies in the space  — often providing components for original equipment manufacturers (OEMs) — and even more if the country's global aerospace industry is taken into consideration, they said.

This investment in drone manufacturing and the considerable technological prowess of Taiwan, as well as its position as a US ally, "make them a prime target for adversaries interested in military espionage or supply chain attacks," the researchers observed.

"The extreme growth of the drone industry in the past decade also had an unfortunate side effect — even consumer models are used for military purposes now," they wrote in the post.

The research team shared their intelligence with Taiwan's appropriate cybersecurity authorities and included a list of indicators of compromise (IoCs) in the blog post. As drone makers of all sizes could be targeted by WordDrone attacks, defenders should be mindful of any suspicious activity, especially as it relates to older versions of Microsoft Word that might be present in their environment. Small businesses in the sector in particular should be mindful and shore up defenses, the researchers wrote, "as traditional AV solutions are no longer efficient against the type of advanced threats they might face in the near future."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Ancient' MSFT Word Bug Anchors Taiwanese Drone-Maker Attacks

As attacks on satellites rise with nation-state conflicts, the South Asian nation joins other space-capable countries in doubling down on cybersecurity.

Source: NicoElNino via Shutterstock

A year ago, India landed a spacecraft — the Chandrayaan-3 — on the moon, becoming only the fourth nation to accomplish such a feat.

Yet, while the country continues to invest in its space capability and ground-based support infrastructure, a greater focus on cybersecurity is necessary to protect the software and hardware on which the systems rely, Dr. Sreedhara Panicker Somanath, chairman of the Indian Space Research Organization, said in a speech last week at the groundbreaking for a cybersecurity training center.

With nearly five dozen satellites in orbit, large nationwide networks for collaboration, and command-and-control networks that connect across the globe for 24-hour access to space-based assets, India needs to focus on cybersecurity for the entire system, he said.

"When the Chandrayaan-3 was landing, our data was coming from Australia and Spain and South Africa and many other places, and we have been coordinating to work with all of this during the landing process," he said. "You should all realize that such command and control of satellites from across the globe could be very, very vulnerable, and ... many of our satellites can become ... easily targets of such attacks."

India is one of perhaps a dozen nations with space ambitions. The competition between nations has bred threats to ground- and space-based infrastructure, and attacks on space systems have increased as nation-state conflicts have heated up. In 2022, Russian attacks on Ukraine's connection to the Viasat KA-SAT network caused communications outages as the Russian army invaded the country. Soon after, Russia cyber-operators attempted to hack and jam the Starlink network, SpaceX CEO Elon Musk stated at the time, while hackers claimed responsibility for delivering malware to a host of satellite terminals, taking communications offline in 2023.

The attacks demonstrated to the world that the cyberthreat to satellites is real, although attackers to date have mostly focused on disrupting communications. However, an emerging space effort, such as India's, could attract regional attackers, says Patrick Lin, director of the Ethics + Emerging Sciences Group at California Polytechnic State University in San Luis Obispo, which received a grant in 2022 from the National Science Foundation to study cybersecurity for space systems.

"India doesn't have as many adversaries as the United States does — its main competitor and sometimes adversary is China, but it also has tense relations with Pakistan," he says. "China has advanced cyber capabilities as well as a strong space program, and it doesn't like regional competition much, so it's not a stretch to think that China and others might target India's rise as a major space power."

**Space: The Next Frontier for Cyberattacks**

India's current effort aims to develop the cybersecurity tools and expertise to protect its space-focused systems and software, much of which are created in-house or by domestic firms. India already sees more than 3,300 attacks per week per organization, which is 81% higher than the global average of 1,830 attacks, according to data from Check Point Software.

Rapid digitization makes India a growing target, says Omer Dembinsky, data research group manager at Check Point Software.

"Indian organizations face double the global average of cyberattacks due to rapid digitalization, which has outpaced the implementation of robust cybersecurity measures, creating a large attack surface," he says. "A fast-growing Internet user base, underdeveloped cybersecurity infrastructure not able to keep up with the growing sophistication of cyberattacks, and lack of cybersecurity awareness within organizations also make them attractive targets."

The aerospace and defense sector is ranked as the fifth most-attacked industry, and India's space agency reportedly faces more than 100 attacks daily.

Other space-based nations are rapidly researching the potential of cyberattacks targeting space assets and how to defend against those attacks. The US National Institute of Standards and Technology (NIST) has teamed up with MITRE Corp. to create a version of its NIST Cybersecurity Framework for the space sector, while The Aerospace Corp. has created the Space Attack Research and Tactics Analysis, or SPARTA, matrix. The Aerospace Corp. also worked with the US military to create a satellite that can act as a testbed for real-world cyberattacks on space assets, called "Moonlighter."

**India Needs Cybersecurity Training**

Space is not the only industry that needs cybersecurity professionals, so government initiatives such as Atmanirbhar Bharat — or "Self-Reliant India" — hope to create more startups and a larger ecosystem of homegrown software. Indian organizations have more than 40,000 openings for skilled cybersecurity workers, according to tech staffing firm TeamLease. The country had only about 100,000 cybersecurity professionals in 2021, which tripled to 300,000 in two years.

The need for increased cybersecurity expertise is acute, says Check Point Software's Dembinsky. The country needs to support more training for cybersecurity professionals and emphasize a focus on cyber-awareness training programs.

"The demand for proficient cybersecurity professionals surpasses the qualified talent pool, creating a significant industry void," Dembinsky says. "Currently, a lot of focus on skilled cybersecurity professionals burnout is being reported on, due to the consistent nature of managing these evolving threats."

In addition, the focus on research and development in space technology means that most projects are novel and lack rigorous security testing. The reality of these obscure technologies is that they both benefit — and suffer — from their uniqueness, says CalPoly's Lin.

"Many space projects today are ... one-of-a-kind prototypes in this new era of experimentation with space technologies," he says. "This provides a 'security by novelty' layer of protection, but the flip side of that is, if your technology is under-studied by threat actors, that means you don't know where your system's vulnerabilities are, either."

The lesson for India should be that critical infrastructure — whether it supports scientific research, corporate intellectual property, or financial transactions — is not safe, says ISRO's Somanath.

"Nothing is safe in the world — I think anybody can hack or create havoc in our system," he said. "The data that we have collected, especially the design data, or the personal data or the scientific data that we are created over the years, could all be very vulnerable."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

India Needs Better Cybersecurity for Space, Critical Infrastructure

The combination of immutability, indelibility, centralized governance, and user empowerment provides a comprehensive backup strategy, Google said.

Source: Aleksei Gorodenkov via Alamy Stock Photo

Google has announced three enhancements to its Google Cloud Backup and Disaster recovery service to enhance customers' ability to manage backups simply and securely, while boosting agility and reducing the workload on IT teams.

Backup and disaster recovery technologies are key components of ransomware defense. The first enhancement allows users to create backup vault storage systems that cannot be modified or accidentally deleted. Backup vault data is stored in Google-managed projects and "logically air-gapped" from Google Cloud projects, the company stated in a blog post. Compute Engine virtual machines (VMs), VMware Engine VMs, Oracle databases, and SQL Server databases are supported.

Backup vault storage isn’t visible to users inside the organization, preventing direct attacks, and Google manages access through its Google Cloud Backup and DR service application programming interfaces (APIs) and user interface (UI). Users can set vault backup rules on modification and deletion when creating vaults. The backups are fully self-contained, giving users the opportunity for recovery when a source resource is no longer available, helping teams keep production applications online.

Google is also making updates to its centralized backup management system. Its new fully managed service is an integrated, developer-centric, self-service model that allows app developers to back up their VMs while the teams managing storage and backup systems retain governance and oversight. Monitoring and reporting capabilities include scheduled backup jobs and restore jobs, customizable reporting, and alerts and notifications. 

The system, integrated with Google Cloud Identity and Access Management (IAM), lets developers create backups during the creation of Compute Engine VMs so that users have correct data protection policies deployed from the outset of project creation. 

Both products are currently available in preview, Google said. The backup vault feature will be generally available in the coming months. During preview, users will be able to access these features through the UI and Google Cloud CLI to protect Compute Engine VMs. Once it is generally available, users will have access to APIs and Terraform.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Google Updates Cloud Backup, Disaster Recovery Service

Wiz Code identifies and flags cloud risks in code to help improve collaboration between security and development teams.

Source: peachshutterstock via Shutterstock

Cloud security provider Wiz has announced Wiz Code, its new cloud application security product to help security and development teams identify and fix cloud risks directly in code before they become critical issues. Wiz Code helps improve collaboration between security and development teams, the company said.

Wiz Code integrates with developer environments and traces cloud issues back to their source in code, the company said. This way, it can identify issues in code and continuous integration and continuous delivery/continuous deployment (CI/CD) pipelines. It aligns security issues with the developer who introduced the issue, giving companies insight into their security posture and helping eliminate potential threats faster.

In addition, Wiz Code provides developers with fix suggestions in the tools they're using and gives real-time security feedback. 

Wiz Code joins a fairly crowded marketplace of plug-ins and other tools that provide security information directly in developer environments. The idea is to provide security context and proposed fixes right where developers are working. Other tools put the information in pull requests and other parts of the development process.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Wiz Launches Wiz Code Application Security Tool

This month's Patch Tuesday contains a total of 79 vulnerabilities — the fourth largest of the year.

Source: CHIEW via Shutterstock

Attackers are already actively exploiting four of the 79 vulnerabilities for which Microsoft issued a patch this week as part of its monthly security update.

Two of the zero-day bugs give attackers a way to bypass critical security protections in Windows and therefore should be at the top of any organization's priority list for remediation.

One of the remaining zero-days is an elevation of privilege flaw that enables access to system-level privileges; the other is a bug that rolled back, or reintroduced, vulnerabilities in certain versions of Windows 10 for which Microsoft had previously issued patches.

In total, Microsoft's September update contained seven critical remote code execution (RCE) and elevation of privilege vulnerabilities. The company assessed 19 of the CVEs in its latest updates as vulnerabilities that attackers are more likely to exploit because they enable remote code execution, involve attacks that are low in complexity, require no user interaction, and exist in widely deployed products, as well as other factors.

**Security Bypass Zero-Days**

One of the security bypass vulnerabilities, tracked as CVE-2024-38226, affects Microsoft Publisher. It allows an attacker with authenticated access to a system to bypass Microsoft Office macros for blocking untrusted and malicious files. "An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer," Microsoft said. The company gave the vulnerability a moderate CVSS severity score of 6.8 of 10, presumably because an attacker would need to convince a user to open a malicious file in order for any exploit to work.

The other security bypass zero-day bug in Microsoft's September update is CVE-2024-38217, in the Windows Mark of the Web (MoTW) feature that is designed to protect users against potentially harmful files and content downloaded from the Web. The vulnerability allows an attacker to sneak malicious files past MoTW defenses and cause what Microsoft described as "limited loss" of integrity and availability of application reputation checks and other security features. Microsoft assigned CVE-2024-38217 a severity rating of 5 because to exploit it an attacker would need to convince potential victims to visit an attacker-controlled site and then download a malicious file from there.

"Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running," Satnam Narang, senior staff research engineer at Tenable, said in a statement. "In both cases, the target needs to be convinced to open a specially crafted file from an attacker-controlled server. Where they differ is that an attacker would need to be authenticated to the system and have local access to it to exploit CVE-2024-38226," he said.

**RCE and Privilege Escalation Zero-Days**

The two other bugs in Microsoft's latest update that attackers are already actively exploiting are CVE-2024-38014 and CVE-2024-43491. CVE-2024-38014 is an elevation of privilege vulnerability in Windows Installer that attackers can use to gain system-level privileges. As with the other zero-days, Microsoft's advisory offered no details on the exploit activity targeting the bug or when it might have started. Despite the ongoing attacks targeting CVE-2024-38014, Microsoft assessed the flaw as only moderately severe (7.8 on 10 on the CVSS scale) because an attacker would already need to have compromised an affected system to exploit the vulnerability.

CVE-2024-43491, meanwhile, is a high-severity (CVSS score 8.5) RCE in Microsoft Windows Update. The vulnerability rolls back fixes that Microsoft issued in March for certain versions of Windows 10. According to Microsoft, the vulnerability gives attackers a way to exploit vulnerabilities that Microsoft previously mitigated in Windows 10, version 1507, between March and August. "Customers need to install both the servicing stack update (KB5043936) AND security update (KB5043083), released on September 10, 2024, to be fully protected from the vulnerabilities that this CVE rolled back," Microsoft said.

Kev Breen, senior director of threat research at Immersive Lab, advocated that administrators pay close attention to Microsoft's Official Notes for CVE-2024-43491. "There are a lot of caveats to this one," Breen said in emailed comments. "The short version is that some versions of Windows 10 with optional components enabled was left in a vulnerable state," since March.

This is the second month in a row where Microsoft has given administrators multiple zero-days to contend with. In August, the company disclosed six of them — equal to the total for the entire year up to that point.

**Other High-Priority Bugs**

Other bugs of note in the latest update according to security researchers include CVE-2024-43461, a Windows spoofing vulnerability; CVE-2024-38018, a Microsoft SharePoint Server RCE; and CVE-2024-38241 and CVE-2024-38242, two elevation-of-privilege vulnerabilities in Kernel Streaming Service Driver.

CVE-2024-43461 affects all supported versions of Microsoft Windows. It is similar to CVE-2024-38112, a zero-day bug that Microsoft patched in July after at least two threat groups had been exploiting it for 18 months. Attackers could leverage the exploits for CVE-2024-38112 in attacks against the new CVE-2024-43416, according to Saeed Abbasi, manager of vulnerability research at Qualys. "There exists a high likelihood of exploitation, as this vulnerability enables attackers to spoof legitimate web content, leading to unauthorized actions such as phishing and data theft," Abbasi said in emailed comments.

Organizations need to prioritize patching the Microsoft SharePoint Server RCE vulnerability (CVE-2024-38018) because no mitigations or workarounds are available for it, said Tom Bowyer, director IT security of Automox, in emailed comments. "The potential impact of this CVE is significant, especially given the business-critical nature SharePoint servers play in organizations that utilize them," and the ease of exploitation.

Ben McCarthy, lead cybersecurity engineer at Immersive Labs, identified the Kernel Streaming Service Driver flaws (CVE-2024-38241 and CE-2024-38242) as important to address because they are present at the kernel level and give attackers a way to bypass security controls, escalate privileges, execute arbitrary code, and take over the whole system.

So far this year, Microsoft has disclosed a total of 745 vulnerabilities across its products, according to numbers maintained by Automox. Microsoft has identified just 33 of them as critical.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft Discloses 4 Zero-Days in September Update

In this case study, a 180-year-old life and pension insurer brought its security infrastructure into the modern age.

Source: M-Production via Alamy Stock Photo

LV=, the leading pension, savings, insurance, and retirement company in the UK, has a long and storied history. Over the years, the 180-year-old company has expanded its portfolio to provide every type of insurance, investment, pension, and retirement offering imaginable. It has continued to push the boundaries of what's possible, investing in new technology.

By 2021, much of the new infrastructure and other digital modernization was complete. At the same time, company leaders suspected that its approach to security wasn't as effective as it could be. To find out, the company hired one of the Big 4 accounting firms to assess the situation by comparing it to the NIST cybersecurity framework.

What came back was sobering.

"It became apparent how low the maturity was," says Dan Baylis, the chief information security and data officer LV= hired to fix the situation. "That's when they realized that they needed to invest and address the sins of the past."

**Assessing the Existing Security Stack**

As soon as Baylis was hired, he assessed the entire security stack, along with processes and procedures.

He found plenty of issues. Most importantly, the infrastructure lacked modern security controls. For example, the system still had signature-based antivirus controls, and the email gateway wasn't aware of modern threats.

Baylis also determined that there was no way to measure the effectiveness of security controls. In addition, each individual security control, such as anti-malware, wasn't fully connected to the entire infrastructure. Instead, it could monitor only what it was directly connected to. And because there was no central view, the security team could only be reactive to things like vulnerability disclosures.

The relatively rudimentary security infrastructure also prevented company executives from making data-driven security decisions.

"Being data-driven takes the emotion out of things. For example, if we're telling someone that they don't have the right patching levels or are missing security controls in a certain area, the data should back it up," Baylis says.

Baylis also believed that LV= needed the protection of continuous security validation but that it couldn't get there with its legacy security controls.

"Continuous security validation would enable us to have the evidence to underpin the investments and improvements we needed," he says. "So I could explain, 'This is how attacks happen, and this is how resilient we are to them.' So instead of asking them to trust me, I could show them."

**Overhauling the Security Infrastructure**

With his assessment complete, Baylis started rebuilding the company's security infrastructure from the ground up.

The first order of business was implementing a breach attack and detection system (BAS) to help monitor for security blind spots and provide continuous security testing.

More organizations than ever are using security tools that provide attack path management and security control validation like BAS, pen testing as a service (PTaaS), and continuous automated red teaming (CART). In a recent survey (subscription required), Omdia found that 71% of 400 security decision-makers consider these tools important or extremely important.

BAS is a methodology for determining how well security tools are working so they can be optimized, explains Andrew Braunberg, principal analyst at Omdia. BAS tools do this by simulating attacks, often using established threat models such as the MITRE ATT&CK framework. BAS tools can also typically perform automated simulations, threat model mapping, and continuous testing.

Baylis started by implementing Cymulate's BAS solution. The most important features to him were the ability to test emergent threats, continuous security validation, and a consolidated view of the company's security posture.

"I wanted a tool that could not only help me demonstrate our risk exposure but tell the story of how resilient we are to cyber threats," he explains.

Using the tool, Baylis says he has been able to show decision-makers active attacks and demonstrate the company's new resiliency to them, along with the health of endpoint controls and gateways.

Next up was choosing a tool for continuous control monitoring. Baylis chose Axonius, which monitors data from different sources — like Active Directory, anti-malware controls, and patching — and provides a holistic view. With that information, the team was able to build dashboards that show the company's security-control coverage gaps.

Baylis also chose SecurityScorecard, a tool that calculates the health and effectiveness of an organization's cybersecurity infrastructure. This addition enabled the organization to benchmark its security posture against its peers.

This led to another watershed moment, when LV= received a "C" on its security rating from SecurityScorecard. As a result, the team made hundreds of changes related to issues like expired certificates and weak ciphers. The company now has an "A" rating.

Rounding out the new security infrastructure were next-generation anti-malware controls, a new email gateway, a new Web gateway, and a password manager.

**Supporting the Human Side of Security**

Now that LV='s security tooling has been modernized, Baylis is turning his attention to the human risk side of the security equation. He implemented a dedicated phishing test and training for employees. He's also thinking about hardening the company's email infrastructure.

"While we will have a continued focus on cyber resilience, we also want to encourage good security awareness," he said. "Both are critical for effective security."

**About the Author**

Contributing Writer, Dark Reading

Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including ITProToday, CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek, and Government Executive.

How a Centuries-Old Company Reached Security Maturity

Besides operational issues connected to a talent shortage, the cost of running security platforms — and their training costs — also keeps CISOs up at night.

Source: Eddie Gerald via Alamy Stock Photo

While SecOps leaders face a variety of challenges in their roles, the two biggest standouts are the difficulty navigating the skills gap in the cyber field and the challenge of operating and investigating commonly used tools.

Researchers at Command Zero have released a report on challenges that chief information security officers (CISOs) and other leaders face, with data collected through hundreds of detailed interviews with cybersecurity professionals from 15 industries. The researchers argue that over the past 40 years, certain innovations have been markers for waves of "digital innovation," such as the creation of the Internet, cellphones, and cloud computing. Now, the latest wave of innovation comes in the form of artificial intelligence (AI). In all of these arenas, the advantages they provide come with deep security challenges.

**Where's the Talent When You Need It?**

The primary and seemingly obvious challenge is the skills shortage in cybersecurity, for all disciplines, but especially in the area of cyber investigations, according to the report.

This is likely because the average cyber investigator must meet extensive requirements to be qualified for such a position. According to the researchers, these kinds of analysts need to be "subject matter experts" when it comes to analysis and have administrator-level knowledge of data sources.

Given the ongoing shortage of cyber professionals who meet that high bar of qualifications and knowledge, existing teams are stretched thin, some working the equivalent of two jobs to keep up with the latest threats. While this may keep a business afloat, it can also lead to burnout, oversights and, ultimately, a decrease in overall effectiveness of mitigating potential threats.

In addition, part of building such a substantial wealth of knowledge to be this kind of analyst is working in an environment that stresses and fosters the importance of continuous learning. However, "this is challenging when teams are constantly in fire-fighting mode" according to the researchers.

Because of this shortage, 88% of individuals interviewed expressed concerns regarding operational issues because of the lack of staffing while threats continue to grow. Not only this, but 74% of respondents said that they felt their team lacked sufficient public cloud skills to perform "high-quality investigations."

Command Zero recommends companies prioritize and resolve these issues by investing in analysts as well as improving job satisfaction to reduce turnover and improve talent retention.

**No Absolutes Within SecOps Tools**

Three tools are amongst the most widely used SecOps tools by SOC and IR teams in the industry: endpoint and other detection and response (EDR/XDR); security information and event management (SIEM); and security orchestration, automation, and response (SOAR). All three pose their own challenges for cyber professionals.

EDR/XDR, according to the researchers, is the most heavily relied upon investigation tool, but, it has its limits when it comes to correlating network and cloud telemetry. It's also expensive — it can be costly to use EDR/XDR "at scale in cloud environments," meaning that when it is used, it's not to its full potential leading to gaps in visibility.

Some 59% of respondents pointed to the staffing costs that come with using SIEM for investigations. Three-quarters report that they have a "lack of resources and skills required for integrating data sources into SIEM and SOAR," with some of them employing the services of a third party to keep the systems operational.

There's likely a correlation between the two, as deploying, customizing, and maintaining a SIEM requires highly specialized skills; training for these skills is costly, making them expensive to grow and cultivate, even moreso to staff when they're seemingly so high in demand.

Unfortunately, none of these three tools wallow for 100% coverage of all IT systems. The researchers recommend that companies invest in conceptual and technology-based training for security operations and identify the gaps in security they might have.

**Staffing Shortage vs. Job Openings: Which Is It?**

The cyber industry has been complaining for years of a staffing shortage, encouraging individuals to apply to jobs in an industry that claims it has much to offer. But is anyone actually hiring? Apparently so, but applicants have to be well qualified.

"Most cyber roles require cross-disciplinary experience and capabilities in IT," the researchers of the report tell Dark Reading, noting that hiring is difficult. "Unlike a system administrator role, which requires specialization in only one kind of system, cyber roles require a fundamental understanding of networking, endpoint, applications, and systems. This makes these roles hard to fill."

There's also a high demand from many competitive companies for the same qualified individuals. This means that these individuals have a lot of options, creating heavy turnover in an endless vicious cycle.

Their recommendations for landing a role? Look for cyber internships and part-time jobs while in school, or aim for adjacent roles to help gain experience.

"Your path into cyber can be networking, systems engineering, or software development," the researchers say. "While this may sound counter-intuitive, a lot of security professionals started their careers as non-security professionals in IT. So, starting out as a network associate or systems engineer can give you some of the cross-disciplinary experience you need to break into cyber."

And the learning never stops. "Because of how quickly cyber evolves," they added, "you need to continue investing into professional growth throughout your career."

Cyber Staffing Shortages Remain CISOs' Biggest Challenge

A fresh wave of attacks on APAC government entities involves both self-propagating malware spreading via removable drives and a spear-phishing campaign.

Source: Chris Willson via Alamy Stock Photo

One of China's most prolific and well-known state-sponsored threat actors is back on the scene with new self-propagating malware that spreads through USB drives (along with other tools), to extend its cyber-espionage goals of system control and data exfiltration.

Mustang Panda also is using spear-phishing to spread multistage downloaders that deliver malware in its recent targeting of various government entities in the Asia-Pacific (APAC) region, Trend Micro researchers revealed in a blog post on Sept. 9.

Using malware-loaded USB drives is a strategy that experienced a revival during and in the wake of the COVID-19 pandemic, and Mustang Panda (aka Camaro Dragon, Bronze President, Luminous Moth, Red Delta, Stately Taurus, and, for Trend Micro, Earth Preta) is known for using it as a primary infection vector. The advanced persistent threat (APT) is mainly in the business of cyber espionage and has been known to collaborate with other Chinese actors on coordinated attacks. In fact, Trend Micro has recently reported a spate of fresh activity from Chinese threat actors in general, which may or may not be related.

**Mustang Panda's Quick Attacks, Custom Malware**

This time around, Mustang Panda is using the vector to deliver malware called PUBLOAD via a self-propagating variant of the worm HIUPAN, as well as other tools such as FDMTP and PTSOCKET to control systems and exfiltrate data. A concurrent spear-phishing campaign by the threat actor also is targeting the same victim demographic, using malicious attachments to distribute backdoors and other malware.

Specific targets in the campaigns include people in various government organizations: military, police departments, foreign affairs and welfare agencies, executive branches, and public education. Victims are often hit by a fast-paced approach that infiltrates their system and steals data before they have a clue as to what's happening, according to Trend Micro.

"Earth Preta’s attacks are highly targeted and time-sensitive, often involving rapid deployment and data exfiltration, with a focus on specific countries and sectors within the APAC region," Trend Micro researchers Lenart Bermejo, Sunny Lu, and Ted Lee wrote in the post.

**Evolution of Previous APT Tactics**

The new campaigns observed by Trend Micro have two distinct vectors for initial entry that show evolution in the group's typical tactics. The first is the deployment of the HIUPAN worm via USB drives to propagate PUBLOAD, which acts as a stager that can download the next-stage payload from a command-and-control (C2) server.

In previous campaigns, Mustang Panda used spear-phishing emails to deliver PUBLOAD, making the use of a self-propagating worm a novel tactic for the group. The ultimate goal of the USB campaign is to deliver end-stage malware to achieve control on a targeted environment for persistent data exfiltration.

"This HIUPAN variant has differences with the previously documented variant, which was used to propagate ACNSHELL, although its main utility within the attack chain stays the same," the researchers noted in the post.

The version of PUBLOAD used in the new campaigns is similar to ones previously delivered through spear-phishing and documented by Trend Micro. In this case, Mustang Panda is using PUBLOAD to introduce supplemental tools into the targets' environment, such as FDMTP to serve as a secondary control tool, and PTSOCKET, a which is used as an alternative exfiltration option.

**Spear-Phishing Delivers Multistage Attack**

Separately, a "fast-paced" spear-phishing campaign that researchers observed in June is delivering a chain of malware that ultimately delivers a backdoor called CBROVER, which supports file download and remote shell execution, the researchers said.

Along the way, malicious .url attachments download and execute other malware, including DOWNBAIT, a first-stage downloader for downloading a decoy document and shellcode component, and PULLBAIT, straightforward shellcode that downloads and executes CBROVER. Trend Micro also has found evidence of Mustang Panda exploiting Microsoft's cloud services for data exfiltration.

The spear-phishing campaign uses decoy documents related to foreign affairs to lure victims into continuing the attack chain. Countries likely targeted in the attacks include Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan, the researchers said.

"The quick turnover of decoy documents and malware samples on the WebDAV server hosted at 16\[.\]162\[.\]188\[.\]93 suggests that Earth Preta is executing highly targeted and time-sensitive operations, focusing on specific countries and industries within APAC region," they wrote.

The researchers included a list of indicators of compromise (IoCs) for the attacks in the post and advise "continuous vigilance" and "updated defensive measures" in the face of increasingly more sophisticated tactics by Mustang Panda and its cohorts. "Earth Preta has remained highly active in APAC," they wrote, "and will likely remain active in the foreseeable future."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Source

DARKReading