Had the bill become a law, it would have given consumers the right to sue companies that violate their privacy.

Source: Wangkun Jia via Alamy Stock Photo

The Vermont General Assembly this week failed to override Gov. Phil Scott's veto of H.121, a bill that would have given the state one of the strongest data privacy protection laws in the US. While the Vermont House voted 128-17 to override, the state Senate voted 14 yeas to 15 nays, leaving the governor's veto standing and killing the bill.

The bill, officially named "An act relating to enhancing consumer privacy and the age-appropriate design code," notably contained a right-of-action provision that would allow consumers to sue companies that misused their sensitive data. The other half of the bill, dubbed "Kids Code," would have required online services targeted at people under 18 years old to account for privacy and to ensure that all content kids could access was appropriate for children.

In his June 13 letter to the General Assembly, Gov. Scott said he was vetoing the bill because the data privacy component would create a hostile business environment in the Green Mountain State. Scott also noted that the Kids Code part of the bills brought up First Amendment issues that California was already dealing with in courts. He recommended that Vermont adopt Connecticut's less litigious data privacy law to address the first half and wait for California to straighten out legal challenges to the second.

Companies might breathe a sigh of relief to avoid having to meet yet another set of data privacy requirements. If an organization conducts business in the European Union, for example, it has to comply with the General Data Protection Regulation (GDPR). As many as 19 US states have passed data privacy laws of their own, according to an industry interest group. And while federal data privacy legislation is still under development, US President Joe Biden issued an executive order at the end of February to firm up policies about how user data is handled nationally and internationally.

**About the Author(s)**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Consumer Privacy Bill Fails in Vermont

The "Markopolo" threat actors built a convincing brand and Web presence for fake software to deliver the dangerous Atomic macOS stealer, among other malware, to carry out cryptocurrency heists.

Source: Klaus Ohlenschlaeger via Alamy Stock Photo

A widespread campaign aimed at stealing cryptocurrency is spreading a wave of infostealers through fake virtual meeting software for both macOS and Windows platforms, particularly targeting the former with the dangerous Atomic stealer.

Discovered by Recorded Future's Insikt Group, the campaign attributed to a threat actor dubbed "Markopolo" is responsible for an elaborate Web and social media presence for a fake app called Vortax, according to a report (PDF) published this week.

Vortax is purported to be virtual meeting software for various platforms but actually is a delivery mechanism for three infostealers: Rhadamanthys, Stealc, and Atomic, the researchers found. Attackers target cryptocurrency users in the campaign through social media and Telegram channels for the purpose of stealing credentials, so they can in turn steal crypto from them, according to Insikt.

The campaign is connected to a previously reported attack by Markopolo, identified then only as a Russian-speaking threat group, that previously targeted the Web3 gaming community. The group is known for using shared hosting and command-and-control (C2) infrastructure in order to be able to pivot agilely to new scams when detected, according to Insikt.

"The campaign indicates a widespread credential-harvesting operation, potentially positioning Markopolo as an initial access broker or 'log vendor' on Dark Web shops like Russian Market or 2easy Shop," Insikt Group wrote in a blog post associated with the report.

The activity also demonstrates an uptick in infostealers that target macOS, which traditionally have been less prevalent than their Windows counterparts, Insikt Group noted in its report. Reports of Atomic stealer in particular have been on the rise based on recent research.

"The high volume of \[Atomic\] activity observed in this campaign builds on previous Insikt Group reporting, which found that mentions of macOS malware and exploit kits increased by 79% year-on-year from 2022 to 2023," according to the report. This "may indicate" a link between the overall number of references to macOS malware and the increased frequency of Atomic stealer campaigns observed in the wild, the researchers noted.

**Vortax: Threats Hiding Behind a Convincing Brand**

The foundation of the campaign is in Vortax, a fake "self-proclaimed" virtual meeting software marketed as cross-platform and AI-enhanced for which attackers built a convincing online brand. All major search engines index Vortax, which has a presence (@VortaxSpace) on social media platforms and even maintains a Medium blog using what are likely AI-generated articles.

The company behind the software claims to operate out of an address in Toronto that is actually an apartment building, and even boasts online about bogus awards from respected publications such as Forbes. However, closer inspection revealed that Vortax is a fraud, particularly shown by related website domains, vortax.io and vortax.space — the latter of which has since been suspended — that are rife with spelling and grammatical errors, according to Insikt.

Vortax advertises applications for Windows, Linux, macOS, iOS, and Android on its sites, though users cannot actually download the applications without a “Room ID," which functions as a meeting invitation.

Accounts associated with Vortax have four primary methods for sharing Room IDs — the most common of which are R12307012, R39264552, R87103129, and R71231209. These methods include: replies to the Vortax account on social media; direct messages on social media; posting in cryptocurrency-related Telegram channels; and posting in cryptocurrency-themed Discord channels.

These IDs ultimately lead to an installer for downloading Vortax, which as described just a front for delivering infostealing malware. On Windows platforms, the fake software delivers Rhadamanthys and Stealc, while it loads the Atomic stealer on macOS platforms.

To the user, it appears that Vortax is never actually installed, with the installation process "claiming that it encounters critical errors that impede it from running," while the software is actually "running many malicious processes" in the background, according to the report.

**Mitigation Against Malware-Hiding Software**

Insikt made a number of suggestions for mitigating the campaign, particularly across the macOS platform — which increasingly is being targeted and thus demands new vigilance and "robust defense strategies," according to the report.

Indeed, the distribution of Atomic stealer, previously distributed via fake software updates, demonstrates a pivot by by infostealing threat actors to macOS. One mitigation for the campaign, then, is to ensure that detection systems for Atomic infostealer are regularly updated to prevent infections, according to Insikt.

Organizations also should educate users on the risks of downloading unapproved software, especially from social media or search engines, and implement strict security controls to prevent employees from doing so. They also should encourage corporate network users to report suspicious activities encountered on social media and other platforms.

According to Insikt Group, using intelligence and monitoring platforms that scan for malicious domains and IP addresses associated with Atomic stealer and other macOS malware also can help prevent infection.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Vortax' Meeting Software Builds Elaborate Branding, Spreads Infostealers

The updated framework is an equalizer for smaller organizations to meet the industry at its breakneck pace of innovation.

Jamie Moles, Senior Technical Manager, ExtraHop

June 20, 2024

4 Min Read

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

The National Institute of Standards and Technology's Cybersecurity Framework 2.0 (NIST CSF 2.0) could not have come at a better time. Ransomware attacks have already built up a devastating track record on businesses and institutions across all industries in the past year: 58% of respondents to a recent survey experienced six or more ransomware attacks in the past 12 months. This comes among other concerns, including data breaches, generative AI threats, insider threats, and more, proving that cybersecurity needs to be more accessible than ever.

Historically, industry guidance to prevent these attacks was aimed at critical infrastructure or larger enterprises in high-risk industries. But cybersecurity is an "everyone" problem, and many organizations are beginning to catch on to the idea that cyber-risks are just as important as all other business risks. The same survey found that the average incident downtime is 56 hours, and considering that a survey conducted by ABB in 2023 puts the median cost of downtime at nearly $125,000 per hour, this downtime would cost $7 million — per incident. 

NIST's CSF 2.0, released this February, provides an important resource for organizations of all sizes to avoid these far-reaching costs by reexamining their security initiatives, fending off evolving threats, and preparing to meet today's innovations with a more guided approach. While just a framework, it can be used to inform three critical changes all organizations should make in the year ahead.

**Three Critical Changes Everyone Should Make in the Coming Year****1\. Building a New Approach to Securing Infrastructure**

The path to securing infrastructure may seem like an obvious route: Get the right tools to detect, defend, and respond to security incidents. But one area organizations often miss, and one of the most significant additions to NIST CSF 2.0, is governance. 

A strong governance strategy establishes all people, process, and organizational concerns for cybersecurity. This includes the development of a cybersecurity strategy and policies, oversight for the strategy and policies, controls for supply chain, and more. 

This is especially important for smaller companies with plans to continue scaling. Having a set plan in place to quickly and efficiently react to a potential security breach can alleviate the capital losses that come with the territory: Net income, quarterly earnings, and stock prices all drop significantly after data breaches. An effective plan can possibly reduce those effects.

**2\. Investing to Fit Specific Business Needs**

An organization may choose to handle risk in one or more ways, and this all depends on its specific business needs. NIST CSF 2.0 can help determine areas and levels of risk, and from there, organizations can decide on the right solutions. This can feel overwhelming for many organizations, especially as solution providers are continuously innovating and developing new tools.

One universal truth in the industry is that security operations center (SOC) analysts are overwhelmed and resource strapped. AI- and ML-based solutions have arisen as a helpful bridge in combating this industry burnout to effectively manage risk and build business resilience against threats. Additionally, tools that enhance visibility are essential in further securing the attack surface. Despite investments in vulnerability management, endpoint detection and response (EDR), and security information and event management (SIEM) tools, there are many blind spots in the network, cloud, and more that organizations need to address as well.

**3\. Developing an Organizationwide Approach to Security Hygiene**

While the right tools are essential, a critical part of NIST CSF 2.0's "Protect" focuses on awareness, training, and identity and access management as critical safeguards to managing risk. While the framework calls out a great number of risk factors, overall cyber hygiene is a critically undervalued part of cybersecurity.

This is an age-old method that works for attackers time and time again, and the costs add up. Luckily, for smaller organizations, they typically perform best on the cyber hygiene bell curve, with midsize organizations lagging behind. But one successful attack can be all it takes to financially destabilize a small organization, as respondents paid an average of nearly $2.5 million in ransom in 2023, and generative AI has only made social engineering attacks easier. 

**Taking Advantage of Industry Resources**

Though it provides essential guidelines, keep in mind that NIST's CSF 2.0 is meant to be used in conjunction with other frameworks and guidance, and is not a catch-all solution. It's also designed to be customized as an organization grows and evolves.

However, the framework is an equalizer for smaller organizations to meet the industry at its breakneck pace of innovation now that it is designed for organizations of all sizes. This includes understanding how threat actors are advancing and the new tools to defend against them, both of which are essential to building business resilience in the long run.

**About the Author(s)**

Senior Technical Manager, ExtraHop

Jamie Moles is senior technical manager at ExtraHop. He brings more than 30 years of cybersecurity experience helping customers understand and mitigate the risk contemporary threats pose to their business.

Catching Up on Innovation With NIST CSF 2.0

By integrating environmental initiatives, social responsibility, and governance into their strategies, security helps advance ESG goals.

John Donegan, Enterprise Analyst at ManageEngine

June 19, 2024

4 Min Read

Source: Aleksandr Davydov via Alamy Stock Photo

COMMENTARY

Inadequate cybersecurity architecture can cause irreparable damage to an organization, which is why boards and C-suite executives are heeding recommendations to implement policies and procedures to mitigate risk. In addition, boardrooms are also paying attention to other hot topics, including diversity, equity, and inclusion (DEI) and sustainability. So it's worth asking what cybersecurity personnel can do to support these initiatives.

Security leaders are in a unique position to not only protect the organization, but also to help direct it toward a more sustainable future. There are several ways they can support the three pillars of ESG: environmental initiatives, social responsibility, and corporate governance.

**Cybersecurity & Environmental Initiatives**

By "environmental initiatives," we're talking about how organizations affect the environment, such as carbon emissions, resource consumption, and waste output. Security personnel can make a palpable, positive impact on their organization's environmental initiatives with a few key implementations.

Endpoint management solutions. At the beginning of the hardware and software life cycle, cybersecurity personnel should make judicious purchases. Endpoint management software, for example, can be helpful, as such tools save energy by automatically installing patches and putting endpoints into sleep mode when devices are idle or threatened. \[Editor's note: The author's company is one of many that sell endpoint management software.\]

E-waste management. Cybersecurity teams already monitor corporate devices to maintain compliance and robust network security; they should collaborate with IT personnel to prolong these devices' lifespans via patching and software updates. By reusing and refurbishing hardware, security personnel and IT folks can work together to lower operational costs and reduce their company's environmental footprint.

Supply chain audits. To reduce greenhouse gas emissions effectively, it is also necessary to conduct supply chain audits. Security personnel should periodically orchestrate environmental audits of all the vendors within their supply chain. This entails an assessment of vendors' energy consumption and waste management, among other things.

Energy-efficient data storage and processing. Security personnel should make data center cybersecurity a priority. Data centers use a ton of energy and often contain sensitive information. A successful cyberattack on a data center would likely result in fines, loss of trust, and a rise in energy consumption to get operations back on track.

**Cybersecurity & Social Responsibility**

This pillar is concerned with the relationships that one's company has with various people and communities. In addition to diversity and inclusion, we believe that companies should consider digital inclusion and the ability to contribute to economies in underdeveloped regions.

Eco-friendly product procurement. While procuring software and hardware, cybersecurity professionals are usually focused on robust security, compliance, and cost. However, they should also be cognizant of their potential vendors' sustainability practices. In addition to making sure that downstream vendors don't introduce any cyber-risks, security teams should assess the overall environmental and social impacts of their third-party products.

It's important to assess the average lifespan of third-party vendors' products, as well as any applicable energy efficiency ratings or environmental certifications. By choosing energy-efficient vendors that are committed to sustainable manufacturing practices, cyber personnel can bolster their own corporate reputation and attract environmentally conscious customers.

For organizations that sell cybersecurity tools, it's wise to consider digital inclusion. A component of social responsibility, digital inclusion is the idea that people of all socioeconomic backgrounds should have access to technologies. By keeping cybersecurity software prices affordable, security companies can provide more tools to more people.

Effective data management. Cybersecurity personnel are responsible for ensuring the confidentiality, integrity, and availability of their organization's data. Without adequate cybersecurity tools, such as endpoint management solutions, identity and access management tools, and security information and event management software, organizations cannot protect their customers' data, which, of course, they have a social responsibility to do.

**Cybersecurity & Governance**

Governance refers to an organization's internal procedures, its ability to comply with laws, and how well the company is managed. When it comes to governance, cybersecurity professionals' knowledge and guidance is indispensable.

Materiality assessments and regulatory compliance. Given that cybersecurity professionals are well-versed in dealing with compliance requirements, the executive branch should consult with them in their efforts to comply with regulations.

Besides helping establish cybersecurity compliance and data-handling protocols, security professionals can also ensure that the organization is in compliance with environmental legislation across the globe. To do so, they should help with their organization's ESG materiality assessments.

In addition to assessing sustainability from a financial angle, ESG assessments list how operations affect society and the environment. Organizations need to have cyber personnel on their steering committees to bring a risk management lens to the conversation. By sitting on these committees, cybersecurity team members remind upper management just how invaluable they are to the organization.

Adherence to data privacy laws. Again, organizations have a social — and legal — responsibility to adhere to all data privacy laws. By doing so, cybersecurity personnel help the organization properly manage customer data, while also mitigating threats from bad actors.

**Cybersecurity Is ESG**

As the examples above show, corporate sustainability initiatives cannot be successful without the active participation of cybersecurity personnel. Whether we are talking about environmental initiatives, social responsibility issues, or governance, cybersecurity professionals need to take their seats at the table.

**About the Author(s)**

Enterprise Analyst at ManageEngine

John Donegan is an enterprise analyst at ManageEngine. He covers infosec and cybersecurity, addressing technology-related issues and their impact on business. John holds several degrees, including a B.A. from New York University, an M.B.A. from Pepperdine University, an M.A. from the University of Texas at Austin, and an M.A. from Boston University.

How Cybersecurity Can Steer Organizations Toward Sustainability

The service, likely a rebrand of a previous operation called "Caffeine," mainly targets financial institutions in the Americas and EMEA and uses malicious QR codes and other advanced evasion tactics.

Source: ronstik via Alamy Stock Photo

A highly organized phishing-as-a-service operation (PhaaS) is targeting Microsoft 365 accounts across financial firms with business email compromise (BEC) attacks that leverage a two-factor authentication (2FA) bypass, QR codes, and other advanced evasion tactics to maximize success, researchers have found.

Security analysts from EclecticIQ in February discovered a broad phishing campaign targeting financial institutions, in which threat actors used embedded QR codes in PDF attachments to redirect victims to phishing URLs, according to a blog post published June 18. Specific organizations targeted included banks, private funding firms, and credit union service providers across the Americas and Europe, Middle East and Africa (EMEA) regions.

EclecticIQ eventually tracked the origin of the campaign to a PhaaS platform called ONNX Store, "which operates through a user-friendly interface accessible via Telegram bots," Eclectic IQ threat intelligence analyst Arda Büyükkaya wrote in the post.

A key part of the ONNX service is a 2FA bypass mechanism that intercepts 2FA requests from victims using encrypted JavaScript code, to decrease the likelihood of detection and bolster the success rate of attacks, Büyükkaya noted. Moreover, the phishing pages delivered in the attacks use typosquatting to closely resemble Microsoft 365 login interfaces, making them more likely to trick targets into entering their authentication details.

**Snapshot of an ONNX Attack**

A typical email used in the attack shows a threat actor purporting to send the employee a human resources-related PDF document, such as an employee handbook or a salary remittance slip. The document impersonates Adobe or Microsoft 365 to try to trick a recipient into opening the attachment via a QR code that, once scanned, directs victims to a phishing landing page.

The use of QR codes is an increasingly common tactic for evading endpoint detection, Büyükkaya noted: "Since QR codes are typically scanned by mobile phones, many organizations lack detection or prevention capabilities on employees' mobile devices, making it challenging to monitor these threats."

The attacker-controlled landing page is designed to steal login credentials and 2FA authentication codes using the adversary-in-the-middle (AitM) method, analysts found.

"When victims enter their credentials, the phishing server collects the stolen information via WebSockets protocol, which allows real-time, two-way communication between the user's browser and the server," Büyükkaya wrote. In this way, attackers can quickly capture and transmit stolen data without the need for frequent HTTP requests, making the phishing operation more efficient and harder to detect, he noted.

Another PhaaS operator, Tycoon, also has used a similar AitM technique and a multifactor authentication (MFA) bypass involving a Cloudflare CAPTCHA, demonstrating how malicious actors are learning from each other and adapting strategies accordingly, Büyükkaya said.

ONNX also shares overlap in both Telegram infrastructure and advertising methods with a phishing kit called Caffeine (first discovered by researchers at Mandiant in 2022), the researchers found — so it could be a rebranding of that operation, according to ElecticIQ.

Another scenario is that the Arabic-speaking threat actor MRxC0DER, who is believed to have developed and maintained Caffeine, is providing client support to the ONNX Store, while the broader operation "is likely managed independently by a new entity without central management," Büyükkaya wrote.

**JavaScript Encryption Adds Level of Evasion**

Another anti-detection measure in the ONNX phishing kit is the use of encrypted JavaScript code that decrypts itself during page load, and includes a basic anti-JavaScript debugging feature. "This adds a layer of protection against anti-phishing scanners and complicates analysis," according to the analysis.

EclecticIQ researchers observed a functionality in the decrypted JavaScript code that's specifically designed to steal 2FA tokens entered by the victims and relay them to the attacker, who then uses the stolen credentials and tokens in real time to log in to Microsoft 365.

"This real-time relay of credentials allows the attacker to gain unauthorized access to the victim's account before the 2FA token expires, circumventing multifactor authentication," Büyükkaya wrote.

**Mitigating and Preventing ONNX Phishing Attacks**

ElecticIQ provided countermeasures for combatting specific tactics used by ONNX Store. To mitigate threats from embedded QR codes in PDF documents, organizations should block PDF or HTML attachments from unverified external sources in email server settings. They also can educate employees on the risks associated with scanning QR codes from unknown sources.

To combat the typosquatted domains used by the threat actor to impersonate Microsoft, organizations can implement domain name system security extensions (DNSSEC), which protects domains from multiple cyber threats, including typosquatting.

There are also measures that defenders can take to combat the theft of 2FA tokens, such as implementing FIDO2 hardware security keys for 2FA; setting a short expiration time for login tokens that limits a cyberattacker's window of opportunity to use them; and using security monitoring tools to detect and alert for any unusual behavior, such as multiple failed login attempts or logins from unusual locations.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'ONNX' MFA Bypass Targets Microsoft 365 Accounts

By offering to buy Atos' big data and cybersecurity operations. Paris is trying to make sure key technologies do not fall under foreign control.

Source: Aleksandar Malivuk via Shutterstock

The government of France's recent bid to acquire the big data and cybersecurity division of Atos for some $750 million is an indication of the financially beleaguered company's vital importance to the country's defense interests.

It's a move that analysts say is about retaining domestic control over technology integrated into sensitive government, defense industrial base systems, supercomputers for simulating nuclear bomb tests, and a range of other critical infrastructure. Atos is also the primary cybersecurity provider to the upcoming Olympic Games in Paris.

The French government has similar stakes in multiple other entities such as Air France, Airbus, Renault, and aviation, space, and defense giant Safran. So, the move to invest in Atos is not unprecedented.  Even so, it demonstrates the French government's keen interest in keeping information technology of strategic national security importance out of foreign hands.

**Atos: A Pivotal Govt. Player in France**

Atos is a pivotal entity in France, says Morgan Wright, chief security advisor at SentinelOne: "It has constructed the supercomputers for the nuclear-deterrent program, secured a 2019 contract to establish a big-data platform for the armed forces, and is a driving force in the development of the Scorpion combat-information system." Wright adds, "the French government's \[planned\] acquisition of these assets \[is\] a strategic move to maintain control and prevent potential competitors from developing technology that could be used against the country or its allies."

Atos last week disclosed that it had received what it described as a non-binding offer from the French government for its advanced computing, mission-critical systems and cybersecurity products businesses. Atos' board of directors and the company's top management will discuss the $750 million offer, but there is no guarantee that negotiations will lead to a definitive agreement between both parties, the company said in the statement.

The nearly $12 billion Atos provides a wide range of information technology products and services worldwide. In recent years the company has struggled financially and has accumulated a debt load that currently stands at over $5 billion. Airbus earlier this year offered between $1.65 billion and $2 billion to buy Atos' big data and cybersecurity business for between $1.65 billion and $2 billion — or more than twice what the French government has currently offered. But the aerospace giant abruptly walked out of the deal midway through discussions, tanking Atos' already degraded stock values in the process. Some European analysts had perceived Airbus as acting as sort of proxy for the French government when it made the offer.

**A Bid to Protect Self Interests**

The French government's subsequent direct bid to buy Atos' cybersecurity business is not entirely unsurprising in that context. Some in France had actually called for the government to nationalize Atos prompting a government denial.

"Atos delivers critical services to multiple departments within the French government, some of which are highly critical or require a specific skill set or authorization — \[like\] top secret security clearance," says Luigi Lenguito, founder and CEO, BforeAI. "Ensuring the know-how and workforce Atos has built, stays as consolidated as possible, is a primary concern," for the French government, he says.

In Europe, moves by the government to take a direct stake in companies deemed as providing critical value are not unusual, he says pointing to examples such as Air France and ITA (formerly Alitalia). Italy's Leonardo SpA — which like Atos provides a wide range of IT and security services — is an example even within the technology realm, he notes. The Italian government currently holds a 30% stake in Leonardo.

"This is not new; other large security organizations in Europe have some form of public 'golden share,'" as well, Lenguito says. "These arrangements have already been established in other critical sectors like telecommunication and utilities."

In other cases, governments have used legislation limiting who can tender specific services, he says.

**The US Approach to "PubSec"**

The chances of the US government stepping in to buy a stake in a critically important private sector IT or cybersecurity company are significantly lower. However, the government does have close oversight over foreign investments through the Committee of Foreign Investments in the United States (CFIUS), says SentinelOne's Wright.

"China has been blocked several times from acquiring certain US companies for national security reasons, because of the technology they are involved with," he says, i.e., Huawei's blocked bid to become a top 5G infrastructure provider for US telecoms. But for the federal government to buy a private cybersecurity company would be an exceptional circumstance, he notes.

"It could happen in the US, but I think the company would have to be so strategic that the transfer of ownership to an adversarial interest would harm the national security of the country," he says.

Dave Gerry, CEO at Bugcrowd, says that while the government buying a cybersecurity provider isn't exactly commonplace in the US, there is some precedent for it reviewing what technologies and companies can end up being owned by foreign buyers. He too points to the role by the CFIUS in reviewing transactions that could impact a national security interest.

"Recently, we've seen this play out in the non-cyber world when Japan's Nippon Steel attempted to acquire US Steel," he says. "In this case, it appears the French government has a strong reason to believe that Atos' acquisition by a foreign buyer would jeopardize France's national security interests."

Importantly, if the deal goes through, the French government will have a direct stake in a company that can help significantly bolster its technology and cybersecurity capabilities. "It makes sense for the French government to upgrade its defenses," says Mike Janke, co-founder of DataTribe. "For years, we have seen governments invest in critical companies through numerous means, but it has been rare for them to buy a company. We'll see if this emerges as a trend."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

France Seeks to Protect National Interests With Bid for Atos Cybersec

Cops decimate cybercrime infrastructure used to steal data from nearly 2,000 people in Singapore last year.

Source: dpa picture alliance via Alamy

Singapore police scored a win with the arrests of two men accused of operating servers that enabled cybercrimes against Singaporeans and the dismantling of their supporting infrastructure.

In 2023, nearly 2,000 victims in Singapore downloaded malicious Android applications that allowed the scammers to steal device data, including bank information, according to a statement from the Singapore police.

Following a deep analysis of the malware by cybersecurity officials in Singapore, Hong Kong, and Malaysia, where the arrests were made, police were able to track the entire organization behind the attacks, including a syndicate accused of operating a fraudulent customer service center in Taiwan.

"In addition, the HKPF (Hong Kong Police Force) successfully took down 52 malware-controlling servers in Hong Kong and arrested 14 money mules who had allegedly facilitated the malware-enabled scam cases by relinquishing the use of their bank accounts to the scammers for monetary reward," the Singapore police added.

The two arrests included a 26-year-old man who faces up to seven years in prison. The other, a 47-year-old man, will stand trial for the same crimes, plus an additional charge carrying up to 10 years in prison, police said.

**About the Author(s)**

Singapore Extradites Suspected Cybercrime Scammers from Malaysia

The consortium of private companies and academia will focus on ways to protect hardware memory from attacks.

Source: Science Photo Library via Alamy Stock Photo

A new chip security consortium named CHERI Alliance is focused on protecting data stored in hardware memory from cyberattackers.

The alliance backs a protection model that isolates the hardware and software to prevent hackers from injecting code into memory that would allow them to take over systems or steal data.

"Memory issues represent approximately 70% of the routes taken by cyber attackers," said CHERI Alliance in a statement.

CHERI is an acronym for Capability Hardware Enhanced RISC Instructions. The alliance will formally launch in September.

Memory issues are usually addressed through software techniques or coarse-grained hardware memory protection, says alliance spokesperson Tora Fridholm.

"These methods either leave holes or are not very practical," Fridholm says. "What is unique about CHERI is that the technology adds fine-grained memory protection, with the ability to prevent these issues completely without adding a major overhead."

The alliance focuses on securing memory in ARM, MIPS, and RISC-V architectures, which dominate edge devices.

The backing entities include University of Cambridge, the FreeBSD Foundation, Capabilities Limited, lowRISC, and SCI Semiconductor. While ARM dominates the microcontroller and mobile markets, the company is currently not part of the consortium.

ARM has been victim to many memory-bound vulnerabilities, including one earlier this month that allows hackers to access GPU memory. ARM-based processors also had vulnerabilities related to Meltdown and variants of Spectre, which allowed hackers to take over memory.

**Research on Memory Protection**

The CHERI program originally started off in 2010 as a research program between the University of Cambridge and SRI International; and was funded by DARPA's CRASH.

As part of the program, researchers developed CHERI-based hardware with memory protection features. ARM's prototype Morello board with CHERI extensions was reviewed by the Microsoft Security Response Center, which provided recommendations to improve the design. CHERI was described in a research paper published earlier this year as a "hardware-software capability-based system that extends the ISA, toolchain, programming languages, operating systems, and applications in order to provide complete pointer and memory safety."

CHERI researchers also provide toolkits so C and C++ programmers can add memory protection to code. C++ doesn't have automatic memory protection mechanisms, unlike newer development tools, such as Rust, which leaves space for coders to inject malicious code. Coders need to add specific code to protect memory.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

CHERI Alliance Aims to Secure Hardware Memory

The US passenger rail giant said attackers used previously compromised credentials to crack accounts and access a freight train of personal data.

Source: Peter Titmuss via Alamy Stock Photo

Amtrak has disclosed a data breach affecting train travelers' Guest Rewards accounts.

In a breach-disclosure notice filed with the state of Massachusetts, the national passenger rail service noted that an unknown third party gained unauthorized access to users' account information during the time period of May 15-18.

The transport giant determined that compromised usernames and passwords from prior breaches were likely used to access certain accounts, and stressed in the breach notice that there was no hack of Amtrak systems.

Even so, the information that the threat actor accessed includes a social engineering bonanza of data, including "name, contact information, Amtrak Guest Rewards account number, date of birth, payment details (such as partial credit card number and expiration date), gift card information (such as card number and PIN) and/or information about your transactions and trips."

In some cases, the hackers took over accounts and changed emails and passwords to lock legitimate users out. Amtrak was able to nip that in the bud, though: "We have changed the email address for your Amtrak Guest Rewards account back to your email address and initiated a reset of your account password."

Amtrak didn't elaborate on how many rail aficionados are affected, but urged riders to rotate their passwords and implement multifactor authentication to prevent account access and takeovers.

"Threat actors have realized the high rewards of stealing from travel loyalty programs, which can easily be sold on the Dark Web or converted to tickets that they later sell," said Stuart Wells, Jumio CTO, in an emailed statement shared with media. "It's a reality that's particularly tough on travelers who have worked for months, or even years, to accumulate loyalty points and status through regular trips. Customers who are less frequent travelers may not notice their points disappearing for a long time."

**Multiple Cyber Incidents for Amtrak Customers**

This isn't the first time the data breach engine has left the Amtrak station. In 2020, it disclosed a Guest Rewards breach in which "some personal information may have been viewed," according to the notification, where the threat actor was noticed and booted out of the system "within a few hours."

Jumio's Wells noted that, given the weaknesses known to be present in most mainstream MFA techniques, businesses could go further to protect consumer accounts.

"As cyber threats evolve, businesses must adopt advanced verification technologies to enhance the protection of sensitive user data. Implementing a robust identity verification system is crucial to effectively combat fraud in all forms," he said.

For instance, "utilizing biometric verification methods ensures that illegitimate users and hackers are hindered before causing further harm, as they would need more than just credentials to gain access. This approach protects consumers from having their personal details disclosed from compromised accounts and provides a very effective solution to combat fraud."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Hackers Derail Amtrak Guest Rewards Accounts in Breach

A trio of bugs could allow hackers to escalate privileges and remotely execute code on virtual machines deployed across cloud environments.

Source: Schoening via Alamy Stock Photo

Broadcom has released fixes for three vulnerabilities affecting VMware vCenter, two of which are of critical severity and allow remote code execution (RCE). The disclosures come as virtual machines (VMs) continue to attract the notice of hackers, thanks to the rich repositories of sensitive data and applications they tend to house. Patching immediately is a good idea.

vCenter is the centralized management console for VMware virtual environments, and is used to view and manage VMs, multiple ESXi hosts, and all dependent components from a single centralized location. CVE-2024-37079 and CVE-2024-37080 are heap overflow vulnerabilities in vCenter's implementation of DCERPC — short for Distributed Computing Environment/Remote Procedure Call — used for calling a function on a remote machine as if it were a local one.

DCERPC is useful for engaging with remote machines, especially if you're a remote hacker. Using a specially crafted network packet, an attacker with network access can take advantage of these vulnerabilities to remotely execute their own code on VMs managed by vCenter. The potential for harm has earned both vulnerabilities critical 9.8 out of 10 scores on the CVSS scale.

Broadcom also patched a number of local privilege escalation vulnerabilities resulting from a misconfiguration of sudo within vCenter. Short for "superuser do" or "substitute user do," sudo allows users in Unix systems to run commands with the privileges of another user — at the root level by default. An authenticated local user can take advantage of the bug labeled CVE-2024-37081 to obtain administrative privileges on a vCenter Server appliance. It has been assigned a high CVSS score of 7.8.

As yet, there is no evidence that any of these three vulnerabilities have been exploited in the wild — though that could quickly change. Remediations can be found here, and an accompanying Q&A page here.

**The Risk in Cloud VMs**

According to its own documentation, VMware sports more than 400,000 customers, including 100% of all Fortune 500 and Fortune Global 100 companies. Its technology supports more than 80% of virtualized workloads and a good chunk of business critical applications.

"The increasing popularity of cloud computing has led to a corresponding surge in VM usage, consolidating multiple applications onto a single physical server," explains Patrick Tiquet, vice president of security and architecture at Keeper Security. "This consolidation not only enhances operational efficiency but also presents attackers with the opportunity to compromise a variety of services through a single breach."

vCenter Server epitomizes this risk. As the centralized management software supporting the VMWare vSphere and Cloud Foundation platforms, it provides a launch point for both IT administrators and hackers to reach many VMs running across organizations.

"Successful breaches not only disrupt services and dole out financial losses, but can also lead to the exposure of sensitive data and violations of regulatory requirements, severely damaging an organization’s reputation," Tiquet warns, so patching new vulnerabilities as they crop up is both necessary and insufficient for organizations to be at ease.

Besides network segmentation, vulnerability audits, and other security hardening tactics like incident response planning and maintaining robust backups, he says, it's the job of network administrators to lead from the front: "Administrators should always ensure they’re using a secure vault and secrets management solution, they must apply necessary updates as soon as possible, and they should also check their cloud console’s security controls to ensure they’re following the latest recommendations."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Source

DARKReading