Operations at Synnovis medical labs have been disrupted for more than a week, prompting the NHS to implore the public to donate blood.

Source: Cavan Images via Alamy Stock Photo

England's most senior physicians appealed to the public for help in the aftermath of a cyberattack that has threatened the ability of London's National Healthcare Service hospitals to provide life-saving treatment.

Since a ransomware cyberattack against UK pathology lab services provider Synnovis knocked the company offline on June 3, hospitals across London have been struggling with delays in matching patient blood types, among other critical pathology functions.

Pathology labs provide tests on blood and other bodily fluids to diagnose, treat, and prevent a wide variety of illnesses. Synnovis is operated in partnership with Guy's and St Thomas' NHS Foundation Trust and King's College Hospitals NHS Trust, and SYNLAB, Europe's largest provider of medical testing and diagnostics, according to the NHS.

A week later with services still not restored, Dr. Gail Miflin, chief medical officer, NHS Blood and Transplant, decided to put out a call to the public for blood donations.

"When hospitals do not know a patient's blood type or cannot match their blood, it is safe to use O type blood," Miflin said a statement. "To support London hospitals to carry out more surgeries and to provide the best care we can for all patients, we need more O Negative and O Positive donors than usual. Please book an urgent appointment to give blood at one of our 25 town and city donor centres which currently have good appointment availability."

Synnovis is working with law enforcement as well as the National Cyber Security Centre, the company said.

"We are incredibly sorry for the inconvenience and upset this is causing to patients, service users, and anyone else affected," Synnovis said in a statement. "We are doing our best to minimise the impact and will stay in touch with local NHS services to keep people up to date with developments."

Synnovis did not respond to Dark Reading's request for comment.

Blood Shortages Hit London Hospitals After Ransomware Attack

The fresh-baked malware is being widely distributed, but still specifically targets individuals with tailored lures. It's poised to evolve into a bigger threat, researchers warn.

Source: Weyo via Alamy Stock Photo

A purpose-built Windows backdoor appears to be the new flavor of the month for giving attackers entry into targeted systems; after initial access, they pivot to ransomware delivery and system compromise in a wave of recent attacks.

Dubbed WarmCookie by researchers at Elastic Security Labs, the backdoor has been distributed widely in a spate of phishing emails starting in late April by a campaign called REF6127. It uses recruitment and potential jobs as lures, the researchers revealed in a blog post today.

While the malware itself isn't particularly sophisticated — it's mainly an initial backdoor tool for scouting out victim networks and deploying additional payloads — "it shouldn't be taken lightly as it's actively being used and impacting organizations at a global scale," Daniel Stepanic, Elastic Security principal security research engineer, wrote in the post.

The backdoor's code overlaps with a sample that was previously reported by eSentire, suggesting that WarmCookie may be an update to malware that already was in circulation since 2022. However, the latest version of the backdoor represents a different, more pervasive threat, Stepanic noted.

"While some features are similar, such as the implementation of string obfuscation, WarmCookie contains differing functionality," he wrote. "Our team is seeing this threat distributed daily with the use of recruiting and job themes targeting individuals.

**Targeting Specific Appetites**

Phishing lures that use job recruitment are a common theme for attackers, which have found success previously in targeting various professionals with fake promises of new employment positions. North Korean APT Lazarus is among attackers that has been particularly active with this tactic.

The emails in the REF6127 campaign put a twist on this with lures that are specific to the individuals that the attackers are targeting, the researchers said. Indeed, the campaign uses info about targets' current employers attempt to lure them with a type of position that might pique their interest, "enticing victims to pursue new job opportunities by clicking a link to an internal system to view a job description," Stepanic wrote.

In terms of the infection routine, one screenshot included in the post shows a message telling the recipient there is an "exciting opportunity" in the form of a new position open with one of the recruiter's clients. The message includes a "View Position Details" link which eventually leads to the process for deploying WarmCookie.

If a target clicks on the link, it goes to a landing page that looks like a legitimate page specifically targeted for the intended victim using his or her name, and that prompts the user to download a document by solving a CAPTCHA challenge. The landing pages used in the campaign resemble previous campaigns discovered by Google Cloud's security team in a campaign used to spread a new variant of the URSNIF malware, Stepanic noted.

Solving the CAPTCHA challenge downloads an obfuscated JavaScript file that runs PowerShell, kicking off the first task to load WarmCookie. The PowerShell script abuses the Background Intelligent Transfer Service (BITS) to download the malware and run the DLL with the Start export.

To keep defenders on their toes, attackers continuously generate new landing pages rapidly on IP address 45.9.74\[.\]135, targeting different recruiting firms in combination with keywords related to the job search industry with their malicious activity. Moreover, before hitting each landing page, "the adversary distances itself by using compromised infrastructure to host the initial phishing URL, which redirects the different landing pages," Stepanic noted.

**How the Cookie Crumbles**

WarmCookie is a two-stage "lightweight backdoor" that ultimately provides "relatively straightforward" functionality — such as retrieving victim info and screenshot recording — for monitoring victims and further deploying more damaging payloads, such as ransomware, according to the post.

In the first stage, which occurs after the PowerShell download of the malware, the backdoor sets itself up to run with System privileges from the Task Scheduler Engine. "A critical part of the infection chain comes from the scheduled task, which is set up at the very beginning of the infection," Stepanic noted. "The task name (RtlUpd) is scheduled to run every 10 minutes every day."

The malware's second stage contains the backdoor's core functionality and is one in which the DLL is combined with the command line (Start /p) to set execution in motion.

Along the way, WarmCookie uses several tactics to avoid detection. One is to protect its strings using a custom string decryption algorithm in which "the first four bytes of each encrypted string in the .rdata section represent the size, the next four-bytes represent the RC4 key, and the remaining bytes represent the string," Stephanic wrote. Developers also made the "interesting" choice not always to rotate the RC4 key between the encrypted strings.

WarmCookie also uses dynamic API loading to prevent static analysis from identifying its core functionality, and includes a few anti-analysis checks commonly used to target sandboxes "based on logic for checking the active number of CPU processors and physical/virtual memory values," he added.

**Evolving Recipes for Malware**

Elastic is urging organizations to be on the lookout for WarmCookie, which will likely evolve over time as its developers enhance it with advanced functionality.

"Our team believes this malware represents a formidable threat that provides the capability to access target environments and push additional types of malware down to victims," Stepanic wrote.

The post includes a screenshot of YARA rules that organizations use to identify the presence of WarmCookie in an environment. Elastic also specifically addresses various behavior of the backdoor — including its Powershell download and execution and Scheduled Task creation — to provide insight on how to detect this activity on an organization's network.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

WarmCookie Gives Cyberattackers Tasty New Backdoor for Initial Access

If CEOs want to avoid being the target of government enforcement actions, they need to take a personal interest in ensuring that their corporation invests in cybersecurity.

Joe Sullivan, CEO, Ukraine Friends, & CEO, Joe Sullivan Security LLC

June 11, 2024

5 Min Read

Source: Michael Burrell via Alamy Stock Photo

COMMENTARY

One day soon, a government agency will very publicly seek to hold a corporate CEO personally liable for a failure to ensure their organization invested sufficiently in cybersecurity. The surprising thing won't be that it happens, but rather how many people who work for and look up to the CEO will be happy when it does.

When a company gets hacked, the real costs often land on consumers. The company's stock price typically rebounds quickly, but end users are left with their identities stolen, accounts locked, money lost, or children exposed to harm.

The consumers who are harmed from breaches rightfully expect our governments to protect us. The contract between people and their governments is simple: We contribute some of our wealth and you keep us safe. That model has worked pretty well for centuries.

But things have gotten a lot more complicated in the Internet age. Our digital fingerprints are held in the hands of private companies. In the name of personal privacy, we don't want our governments to have that level of access to and control of that information. So, the government can't solely protect us, and companies aren't properly incented to do it either. It's a unique catch-22: No single entity has the power to protect us on the Internet.

Something must give, which is why we're experiencing a movement toward regulation by enforcement. The trend has been developing over the past decade, since the Obama administration developed a policy instructing prosecutors to expand enforcement actions against "responsible corporate officers,” on the theory that the best way to encourage better corporate behavior is to bring actions directly against executives.

The Biden administration has now taken that approach to cyberspace. Look no further than the National Cybersecurity Strategy, which, at its core, demands that corporate America do more to protect citizens from cyberattacks. Realizing it cannot stop cyber harm by asking for voluntary cooperation from companies, it is also using the enforcement tools it believes it has under existing law to force changes in behaviors. A current example is the Securities and Exchange Commission's (SEC) action against the software company SolarWinds and its head of security. The case has raised eyebrows, specifically because the security leader was sued personally.

**Why the CEO Is Next**

Inside every major company is a security team full of smart, technically savvy professionals dedicated to fighting criminals and despotic governments to protect their customers. Most are understaffed and push hard for more investments to make their jobs easier. Leading those teams are senior security practitioners, many of whom are not given the title of chief information security officer (CISO). And recently, our government has turned its enforcement eye toward those team leaders.

As the government digs into these types of cases more deeply, it's inevitable it will conclude it was a mistake to target the greatest champion for the public inside a company. The current focus on security leaders is flawed because it assumes that rather than delivering security at the highest standards, these leaders have instead chosen to mislead. In response, nearly every CISO I talk to is worried about being held personally accountable for a lack of corporate investment. Some great CISOs are now stepping out of the role because their desire to help others is losing out to their desire for self-preservation.

With very few exceptions, the CISO or senior-most security leader is simply not the "responsible corporate officer.” It's the CEO. Security leaders rarely, if ever, get the budget needed to do their job well. CEOs and boards that do control the corporate budget rarely invest the time to understand their cyber-risks, and instead allocate resources in other directions.

The government's attention has already started to shift toward the CEO. At the final hearing in the case in which I was charged with covering up a security incident at Uber, the judge made it a point to challenge the Department of Justice and ask why the CEO was not brought to court. The Federal Trade Commission (FTC) reached the same conclusion and entered into a settlement with the CEO of Drizly for failing to invest adequately in security. The Cybersecurity and Infrastructure Security Agency (CISA) now asks that CEOs, not CISOs, sign its pledge to use secure by design principles when selling software when selling software. And the SEC will see it when it peels back the layers and reviews what happened during budget time at SolarWinds. It will realize it is not enough to look at how a security team responded to an incident or tried to prevent it. To assign culpability, it must look at how the company allocated resources from the top down. Sen. Ron Wyden (D-Ore.), in his recent letter to the FTC and SEC, also asked them to focus on the CEO level when investigating the United Health Group over the Change Healthcare ransomware case.

Security leaders are starting to ask more forcefully for resources. When they fail to receive them, they are documenting those budget decisions clearly. They are also pushing forward policies that bring CEOs and other executives more directly into cyber-incident response processes and deploying new products like those from BreachRx (full disclosure: I've recently joined the company as a senior advisor) that document how security incidents are handled in a cross-functional manner. All these steps will make it easier to show that the security leader wasn't standing alone or, in many cases, even involved in the decisions that led to consumers getting hurt.

Ultimately, the only way the CEO avoids being the target of government enforcement actions is if he or she takes a personal interest in ensuring that the corporation invests properly in cybersecurity.

**About the Author(s)**

CEO, Ukraine Friends, & CEO, Joe Sullivan Security LLC

Joe Sullivan provides security, AI safety, and leadership advice to executives across various industries and serves as the CEO of Ukraine Friends, a nonprofit providing humanitarian aid to Ukrainian children in a war zone. Joe spent eight years with the US Department of Justice, including as the first federal prosecutor dedicated to prosecuting technology-related crimes. He then spent seven years in senior roles at eBay and PayPal, before joining Facebook in 2008 as its chief security officer, building its safety and security team from a handful of people to hundreds. In 2015, he joined Uber as its first CSO, and in 2018, Cloudflare as its first CSO, helping it blossom from pre-IPO to a thriving public company. Joe has advised many companies, including AirBnB, DoorDash, and Whoop, and currently advises nine pre-IPO companies. He has testified before global government bodies, and served on President Obama’s Commission on Enhancing National Cybersecurity.

The CEO Is Next

The US government launched a self-attestation form asking software developers to affirm their software was developed securely. Compliance starts today for software used in critical infrastructure.

Source: miniartkur via Alamy Stock Photo

Starting June 11 — today — US government contractors providing software that is considered part of the critical infrastructure will need to fill out a form asserting that their software followed secure-by-design principles and that each component was under their scrutiny in the form of software bills of material (SBOMs). The Cybersecurity and Infrastructure Agency's (CISA) published the Secure Software Development Attestation Form back in March, though a recent study at RSA Conference by supply chain security management company Lineaje suggested that many vendors are not ready.

When asked whether they were prepared to meet the deadline for federal cybersecurity attestation, only about 20% of the respondents said they were, Lineaje said. Even worse, only 16% said their company had incorporated SBOMs into software development — a key part of compliance.

In May 2021, after widely publicized incidents such as the SolarWinds saga and the Log4j exploit, US President Joe Biden put government contractors on notice that they needed to start meeting tougher standards for cybersecurity practices. President Biden's Executive Order on Improving the Nation’s Cybersecurity (EO 14028) set a roadmap for making the US government more secure by making its systems, and all the software on them, traceable and auditable.

That resulted in the Secure Software Development Attestation Form, which a CEO or authorized designee must sign to swear that their company "presently makes consistent use of the following practices, derived from the secure software development framework (SSDF)," including "maintaining provenance" of all components and instituting a vulnerability reporting system. The form is available for download as a fillable PDF or as an online form through the Repository for Software Attestations and Artifacts portal.

For all other software — those not deemed critical — vendors don't have to start with self-attestation until Sept. 11.

**About the Author(s)**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Process to Verify Software Was Built Securely Begins Today

In response to recent public outcry, Recall is getting new security accouterments. Will that be enough to quell concerns?

Source: Photo 12 via Alamy Stock Photo

Microsoft is adding new security measures to assuage widely publicized concerns over its new "Recall" AI feature. Some, though, still aren't convinced the company went far enough.

It's now just eight days until Microsoft releases Recall, a new artificial intelligence (AI)-driven program that will periodically take, store, and analyze screenshots of Copilot+ PCs as they're being used day-to-day. Recall is supposed to act like a kind of memory bank, allowing users to instantly find and reference things they've come across recently: apps, websites, images, and documents.

From the outset, Recall has been criticized as a potential goldmine for personal data theft. The noise got loud enough that, on Friday, Microsoft announced three new security-oriented updates for it:

*   In a reversal of its initial stance, Microsoft will now ship Recall turned off by default.
    
*   Users will need to enroll in Windows Hello in order to enable it, and so-called "proof of presence" will be required to use its primary features.
    
*   Recall data will be encrypted, and only decrypted and accessible once a user authenticates via Windows Hello.
    

Though they may represent a step in the right direction, experts remain skeptical that these changes will be enough to protect users' most sensitive passwords, photos, personally identifying information (PII), and financial information from hackers.

**Risks in Recall: A Case Study**

Many security experts cringed when Recall was announced, but few more than Marc-André Moreau, CTO of Devolutions. He worried that Windows' newest toy would inevitably capture and store visible passwords from his company's software for managing remote connections. With such passwords in hand, hackers would be able to easily connect to and manipulate any victim PC.

"Looking at documentation for how Recall works," he recalls, "it literally said that it wouldn't make an effort of removing sensitive information, credentials, or PII — anything which you would want scraped out, it would just keep in local files."

Microsoft's logic, it seemed, was that because Recall screenshots were stored only on the user's machine, they would remain safe from remote access. "Microsoft has this new chip which makes it possible to do the processing locally, and they thought that everybody would be fine since the data isn't uploaded to the cloud," Moreau explains. "But you wouldn't install a keylogger on your machine just because the files are stored locally. Files can be grabbed by malware. So why would you enable Recall?"

To demonstrate the point, he performed a simple red team exercise. In his telling, "I didn't have to do much. I just set up an environment, used some tool that somebody made online to force-install it, and then I installed \[Devolutions'\] Remote Desktop Manager. I clicked 'view password,' then 'record,' and then I found the database. I opened it, and I could see the extracted password alongside the screenshot that includes the password."

> Here's Recall capturing temporarily visible passwords from Remote Desktop Manager in a test Azure VM. It's less effective that I would have thought, the search results are screenshots, and it's unclear how one can obtain the full OCR text it used for the match pic.twitter.com/RUiLs57bKz  
> — Marc-André Moreau (@awakecoding) June 3, 2024

Other researchers have also found simple ways of accessing sensitive data in Recall screenshots. One has already developed and released an open source tool to help speed up the job.

To try to protect his customers, Moreau next looked for a way to exclude his company's software from Recall by default. He came up short.

**Are Microsoft's New Updates Enough?**

Users will have more control over their data privacy now, thanks to Microsoft's turning off Recall by default.

Moreau is skeptical, though, that Windows Hello can be fully and properly integrated into Recall without delaying its preview release, which is mere days away. "I'm in software, things don't happen that fast," he says.

Dark Reading reached out to Microsoft for comment on how it will be able to marry Windows Hello and Recall in time for June 18. In response, Microsoft said in a statement: "As we shared in our May 3 blog, security is our top priority at Microsoft, in line with our ⁠Secure Future Initiative (SFI), and we are evaluating Recall through that lens. As we implement SFI across Microsoft, we may shift some feature release dates and will update our public roadmaps as this happens."

In the barely a month since that blog post, and Satya Nadella's letter "prioritizing security above all else," for some critics, Recall recalls other AI products that are getting rushed to market.

Ironically, AI could well solve these programs' most pressing security flaws. "I could upload a Recall screenshot to ChatGPT today and tell it to identify the data which looks sensitive, and it will be able to," Moreau notes. "They could have used their AI chip to help solve this \[data leakage\] but they didn't even try. They were too eager to ship."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Modifies 'Recall' AI Feature Amid Privacy, Security Failings

A threat actor has accessed data belonging to at least 165 organizations using valid credentials to their Snowflake accounts, thanks to no MFA and poor password hygiene.

Source: Ulrick-T via Alamy Stock Photo

A Mandiant investigation of recent account compromises at Snowflake, a data warehousing platform, has confirmed that all of them resulted from a failure by customers to implement multifactor authentication (MFA) and proper access control to their accounts.

According to Mandiant, part of Google Cloud, a financially motivated threat actor that it is tracking as UNC5537 appears to have systematically accessed accounts belonging to at least 165 Snowflake customers, using valid account credentials obtained from elsewhere.

**Compromised Credentials the Sole Factor**

The attacker has stolen data from the accounts and has either attempted to extort victims with it or has made the data available for sale on cybercrime forums. Though Mandiant has not named any victims, other security vendors have identified Ticketmaster and Santander Bank as being among the many victims of the massive campaign.

"Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment," the security vendor said. "Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials."

Mandiant has assessed that UNC5537 aggregated credentials for Snowflake accounts from multiple previous information stealer campaigns. In several incidents that Mandiant investigated, the credentials that the threat actor used to access Snowflake customer accounts were obtained from spy Trojans installed on contractor systems. Such credentials are often available for sale and for free on the Dark Web and multiple other sources, Mandiant said.

Significantly, many of the credentials that UNC5537 used to access Snowflake accounts haven't been rotated in at least a couple of years. In one instance, the threat actor leveraged a credential from a November 2020 information stealer campaign to access the associated Snowflake account, meaning the victim had not updated that credential for the past four years at least.

"UNC5537’s campaign against Snowflake customer instances is not the result of any particularly novel or sophisticated tool, technique, or procedure," Mandiant stressed. "The affected customer instances did not require MFA, and in many cases, the credentials had not been rotated for as long as four years. Network allow lists were also not used to limit access to trusted locations."

**The Growing Information-Stealer Threat**

Mandiant's findings are another reminder of the enormous and growing exposure to organization from credential theft, and the booming market for information stealers. In recent years, the trend has heightened calls from security experts about the need for organizations to implement MFA and best practices like using zero-trust models and limited allow lists to control access to data in the cloud.

"Mandiant assesses MFA would have prevented compromise of Snowflake accounts in this campaign," says Austin Larsen, senior threat analyst at Mandiant. "Mandiant has not identified evidence of the actor being able to bypass MFA" in any of the observed incidents.

Larsen says Snowflake's status as a multicloud data warehousing platform that organizations use to store and analyze large amounts of structured and unstructured data, likely made it a good target for the attackers. "Often these databases contain valuable and sensitive information, which is an attractive target for financially motivated actors," he says. "This increases the likelihood of the threat actor monetizing this data via extortion and/or sale through underground forums."

Interestingly, while the compromise of Snowflake accounts has received a lot of attention, Mandiant has identified non-Snowflake customers as well that UNC5537 has targeted going back at least six months, Larsen adds.

Jason Soroko, senior vice president of product at Sectigo, says that while Mandiant's Snowflake findings should be on billboards, the message itself has been repeated a countless number of times, continuing to fall on deaf ears.

"We must implement stronger forms of authentication than passwords and move past even needing MFA," he says. "We have already learned these lessons many times. We have also heard the excuses why doing this is so difficult. Nothing will change until the will to do the right thing exists."

Julianna Lamb, chief technology officer and co-founder of Stytch, says companies that continue using passwords as a form of authentication need to ensure proper controls over their use. This means not permitting password reuse and by making it was easy as possible for users to generate string passwords.

She also recommends that organizations monitor sites such as HaveIBeenPwned’s database to ensure that users aren’t using a breached password. "It’s also important to invest in multiple layers of protection beyond passwords, such as bot prevention measures to identify when bots are on-site and being used for credential stuffing, and implementing two-factor authentication."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Snowflake Cloud Accounts Felled by Rampant Credential Issues

VoIP gear, hypervisors, medical equipment, building automation, printers, and more pose broad risk to organizations, with many facing danger from a combo of IT, IoT, and OT all at once. This listicle breaks it down.

Source: NicoElNino via Alamy Stock Photo

For nearly every organization, the cyberattack threat landscape is made up of a mix of IT, Internet of Things (IoT), and operational technology (OT) like HVAC systems, offering plenty of "ways in" for cyber threat actors. Plus, the medical field has its own specialized set of IoT equipment, extending the targeting options for would-be bad guys even further.

To help organizations assess where danger might be lurking this modern, complex device landscape, Forescout Research–Vedere Labs examined nearly 19 million devices to determine which categories represent the greatest risk to organizations. The findings are based on the potential for misconfiguration, the number of vulnerabilities found, exposure to the Internet, and the potential impact to an organization in the case of compromise.

Baseline data points include the fact that IT devices still account for most vulnerabilities (58%), but that the category is down from 78% in 2023. IoT vulnerabilities, however, were up a whopping 136%, increasing the percentage of known bugs from 14% last year to 33% today.

Overall, the most vulnerable device types are: wireless access points (WAPs), routers, printers, voice-over-IP (VoIP) devices, and IP cameras. The most-exposed unmanaged gear includes VoIP devices, networking infrastructure, and printers.

Meanwhile, the top three riskiest verticals are: technology, education, and manufacturing. Healthcare had the biggest decline in risky devices for 2024, but the most-problematic devices in the Internet of Medical Things (IoMT) are all new entries for this year, indicating that this is a swiftly changing landscape.

Overall, it's important to take a holistic view when risk-assessing one's environment, according to Forescout.

"It is not enough to focus defenses on risky devices in a single category since attackers can leverage devices of different categories to carry out attacks," according to Forescout's report, out today, which includes a proof-of-concept attack dubbed "R4IoT" that starts with an IP camera, moves to a workstation (IT), and disables programmable logic controllers (PLCs).

 "Modern risk and exposure management must encompass devices in every category to identify, prioritize and reduce risk across the whole organization," according to the firm. "Solutions that work only for specific devices cannot effectively reduce risk because they are blind to other parts of the network being leveraged for an attack."

Here's a breakdown of 2024's most-risky connected devices:

**IT Devices**

IT endpoints have traditionally been the category most targeted by cyberattackers for initial access, but since the beginning of 2023, network infrastructure devices have outpaced endpoints in terms of riskiness, according to Forescout — largely due to increase in the number of vulnerabilities found and exploited in this category.

*   Thus, routers and wireless access points top the list of riskiest IT devices, followed by servers and computers, then hypervisors.
    

The hypervisors that host virtual machines (VMs) have become a favorite target for ransomware gangs since 2022 because they allow attackers to encrypt several VMs at once. Also, they're typically unmanaged and do not support traditional endpoint protection agents.

**The Internet of Things (IoT)**

The list of the riskiest IoT devices includes one new entry: network video recorders (NVRs).

"NVRs sit alongside IP cameras on a network to store their recorded video," according to the report. "Just like IP cameras, they are commonly found online and have significant vulnerabilities that have been exploited by cybercriminal botnets and advanced persistent threats (APTs)."

*   The "riskiest" list is rounded out with some usual suspects, with the top five being: network-attached storage (NAS), VoIP, IP cameras, printers, and NVRs.
    

NAS devices have been a growing target for ransomware actors thanks to a series of bugs and the valuable data they store; VoIP and IP cameras are commonly exposed on the Internet without proper defenses like strong passwords. But Forescout pointed out that printers are less well-known as conduits for cyber threats — a potentially catastrophic oversight.

"Printers include multifunctional printing and copying devices used in the connected office," researchers explained in the report. "They also include specialized devices for printing receipts, labels, tickets, wristbands and other uses. Printers are also often connected to sensitive devices, such as point of sales systems and conventional workstations with privileged users."

**Operational Technology**

With the Cybersecurity and Infrastructure Security Agency (CISA) issuing regular alerts regarding the rising tide of threats like Volt Typhoon to the OT footprint in the US, this is one area that organizations should prioritize for defense improvements, Forescout researchers noted.

*   The riskiest devices in this sector are: uninterruptible power sources (UPS), distributed control systems (DCS), PLCs, robotics, and building management systems.
    

The issues are myriad. For instance, UPSes, which are involved in power monitoring and data center power management, are often left with default credentials in place. Plus, the consequences of an attack could include power loss in a critical location or tampering with voltage to damage sensitive equipment.

Meanwhile, the PLCs and DCSes responsible for controlling industrial processes are "critical and insecure-by-design … often allowing attackers to interact with them and even reconfigure them without the need for authentication," according to the report.

Robots have become ubiquitous in electronics and automotive manufacturing, and they're on the rise for logistics and in the military. Still, they suffer from outdated software, default credentials, and lax security postures.

"Attacks on robots range from production sabotage to physical damage and human safety," the researchers warned.

And last but not least, building automation and management systems, including things like smart lighting, HVAC, elevator operations, surveillance, door locks, and more, present a big risk to companies. Forescout warned that attacks could "render controllers unusable, recruit vulnerable physical access control devices for botnets, or leverage management workstations for initial access … they are often found exposed online even in critical locations."

**Internet of Medical Things (IoMT)**

Forescout's IoMT device breakdown contains all new devices this year, and includes a mix of IT equipment and dedicated embedded devices, all of which could pose enormous risk to patient safety and personal health information (PHI).  

*   The riskiest IoMT devices include: medical information systems, electrocardiograph machines, DICOM workstations, picture archiving and communication systems (PACS), and medication-dispensing systems.
    

Medical information systems store and manage clinical data; they also connect to electronic health records and billing information. In addition to the criticality of the data, thousands of these systems are exposed online, according to the researchers.

Meanwhile, "electrocardiographs are risky because of their fundamental role and large impact in acute patient care. A peer-reviewed study showed that data breach remediation efforts in hospitals led to a 2.7 minute delay in performing ECGs, thus increasing patient mortality by 0.36%." They're the third most-vulnerable IoMT device in the dataset, after medication-dispensing systems and infusion pumps.

Furthermore, DICOM workstations and PACS used in medical imaging tend to run legacy vulnerable IT operating systems, have extensive network connectivity to allow for sharing imaging files, and are often unencrypted, "which could allow attackers to obtain or tamper with medical images, including to spread malware," according to the report.

And finally, medication-dispensing systems are the second most-exposed IoMT device type in the dataset, the researchers warned, and their disruption can affect patient care.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

A Look at the Riskiest Connected Devices of 2024

Pseudonymous masking has made credit card transactions more secure, but Visa has even greater plans for tokenization: giving users control of their data.

Source: basiczto via Shutterstock

In 2014, Visa introduced its tokenization service, allowing customers to pay for goods and services without giving away their credit card details.

A decade later, the shift to tokenization has become a great success. The company has issued more than 10 billion tokens, which typically replace a card number in a digital wallet, such as Apple Pay or Google Pay. These tokens — fueled more than $40 billion in e-commerce transactions in the past year, according to Visa, accounting for 29% of all transactions processed by the financial giant. Perhaps even more significantly, tokens see 60% less fraud, leading to the prevention of more than $650 million in fraud in the past year, the company said.

The success is driven by the security technology's ease of use, with digital wallets playing host for most consumers' tokens, says Mark Nelsen, senior vice president and head of consumer platform products for Visa.

"Merchants like it because you get less abandonment, you get higher conversion rate, and, oh, you get lower fraud at the same time," he says. "It seems simple in theory, but there's a lot of technology — as you can imagine — behind the scenes that makes it work at scale."

The tokenization of digital payments has arguably been the greatest success to date for the pseudonymous technology. But the future holds new applications, including the increase of user privacy and the decrease of data loss in case of breach.

**What's Accelerating Tokenization**

In 2020, Visa marked the issuance of its 1 billionth token, a milestone that took six years to reach. Social distancing during the pandemic and consumers' greater comfort with the technology accelerated adoption, leading to 9 billion more tokens created for payment cards in the past four years, according to the financial giant.

The next great push for tokenization will be to improve privacy and data quality, Nelsen says. Passkeys are essentially a tokenization technology that replaces a password with an authentication process using a user's device and, typically, a biometric.

In the future, Visa aims to make tokenization even more widespread, replacing more user data with tokens. The upcoming Visa Token Service can be used to protect nearly any data, including sensitive data, and gives consumers full control over with whom they share their data. At any point in time, the consumer could log into their issuer's banking app, see all of the places where they have shared their data, and revoke some of those permission, Nelsen says.

"Because it's tokenized, they now have life cycle management, and so they could say to the bank, 'Hey, I want to disable or revoke access to my data for these merchants because they don't need to have access to my data anymore,'" he says. "We think it creates a really nice framework for how we could manage data going forward."

The company plans to launch its first Visa Token Service pilots later this year.

**How Tokenization Hides Data**

While tokenization of nonpayment data has gradually grown in popularity, especially as the discipline of data science has taken off over the past decade, managing the process is often complex.

Unlike encryption, tokens can directly replace sensitive data, adhering to the data format so that legacy systems can store the data. Financial institutions, for example, can use tokens to replace credit cards because a 16-digit token can be generated and stored in the place of the 16-digit account number.

A combination of tokenization and encryption can help companies comply with regulations and protect sensitive data, says Brent Johnson, CISO at Bluefin, a data security firm.

"Without an authenticated API to 'detokenize' the data and decode the token, the token is useless to hackers," he says.

**Vaulted or Vaultless Tokenization?**

Most businesses are data pack rats — throwing away perfectly good data is antithesis to their strategy. Yet keeping data around poses risks in the case of a data breach. So companies typically use one of two methods of tokenization: Vaulted systems store the mapping of tokens to data in a vault but allow employees to use the tokenized version, while vaultless systems use an encryption-like mapping that can restore data for authorized users.

There is no reason for companies to leave nontokenized data around, says Todd Moore, global head of data security products at Thales, a data protection firm.

"Tokenization should be a part of an organization's overall security strategy, \[but\] encryption and associated key management remains the best way to protect long-term sensitive data," he says. "Many global privacy regulations recognize the combination of using encryption and tokenization, like pseudonymization, as an adequate form of data protection."

Tokenization should not just be used for databases but also to mask privacy-regulated data with tokenization, which can help companies retain some use of the information while meeting their regulatory obligations, says Bluefin's Johnson.

In fact, by pushing tokenization out to the user's machine, companies can make their data life cycles more secure, he says.

"Companies should ... use tokenization to immediately tokenize data upon entry into a Web form or e-commerce page, further extending its use beyond protecting data in storage," Johnson says. "Vaultless tokenization provides the easiest way to secure an organization's data as most of the organization's systems will never see the original data strings, and only a very few, limited, heavily controlled systems are allowed to transform tokens back to sensitive data."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tokenization Moves Beyond Payments to Personal Privacy

The tranche of data, lifted from underprotected GitHub repositories, reportedly includes source code, though the country's paper of record has not yet confirmed the nature of the data accessed.

Source: Michele D'Ottavio via Alamy Stock Photo

A 4chan user has leaked 270GB of internal New York Times data — allegedly including source code for the popular Wordle game and other parts of the business — as part of an incident that the media outlet partially confirmed this week.

The anonymous 4chan user claimed to have gained access to 5,000 GitHub repositories, mostly unencrypted, containing a collective 3.6 million files, including "basically all source code belonging to the New York Times Company."

Such claims from cybercriminals should always be taken with a grain of salt. But at least one researcher, Alex Ivanovs, says he has verified part of the data as legitimate, including source code for Wordle; a WordPress database of 1,500 New York Times Education site users with names, email addresses, and hashed passwords; internal Slack communications; and authentication details such as "URLs and their respective passwords, secret keys, and API tokens. … Plenty of such secrets need immediate attention."

For its part, a spokesperson for the Gray Lady confirmed that data was accessed back in January, but didn't verify the granular details of the incident.

“The underlying event related to the recent online posting of Times information occurred in January 2024, when a credential to a cloud-based third-party code platform was inadvertently made available," says Charlie Stadtlander, New York Times managing director for external communications, newsroom, and opinion. "The issue was quickly identified, and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity.”

**Source-Code Leaks Have Wide-Ranging Implications**

If the data trove is indeed as extensive as claimed, the ramifications could be significant for the Times itself, as well as for subscribers.

"The very nature of source code means that malicious actors could examine it for vulnerabilities to exploit in cyberattacks," noted Javvad Malik, lead security awareness advocate at KnowBe4, in an emailed statement. "Additionally, the claim that only a small fraction of the repositories were encrypted highlights a potential gap in data protection strategies."

Thomas Richards, principal security consultant at Synopsys, added in an email that the exposure of source code could also allow cybercriminals to tamper with applications, games, and internal infrastructure for use in any number of nefarious attacks.

"What should be sending alarm bells through the NYTimes security team is that someone had a privileged level of access inside their network to even access the source code," he said. "If they were in the network just to view the code, they could also tamper with the code to introduce vulnerabilities or backdoors to allow additional compromise. The NYTimes should do a thorough review of all their source code to make sure it was not tampered with or that unauthorized changes were made."

Even if the data affected is less impacting than many fear, the incident is the latest, along with the recently revealed Ticketmaster breach, to showcase issues in securing third-party cloud assets.

This is a developing story.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

New York Times Internal Data Nabbed From GitHub

London cops make arrests in connection with scam SMS messages, purportedly from official organizations, being sent out from bespoke phone mast.

Source: Roger Bamber via Alamy Stock Photo

London police have made two arrests in connection with what the law-enforcement agency claims is a first-of-its-kind crime — bypassing mobile networks' security to send flurries of malicious text messages by standing up a homemade cellphone tower.

Commonly referred to as "smishing," using SMS text messages as phishing lures is nothing new, but the addition of the homemade tower the accused used as a "text message blaster," according to the cops, is a novel approach.

“The criminals committing these types of crimes are only getting smarter, working in more complex ways to trick unknowing members of the public and steal whatever they can get their hands on," said temporary Detective Chief Inspector David Vint, head of the Dedicated Card and Payment Crime Unit (DCPCU), in an announcement of the arrests.

The cybercriminals reportedly sent thousands of text messages posing as banks and other organizations in an attempt to harvest data from victims, the London police explained.

**About the Author(s)**

Source

DARKReading